Educause Security Discussion mailing list archives

Re: Automated Patching and Updates? UT Austin


From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Thu, 25 Sep 2003 09:05:11 -0500

We also previously recommended "download automatically, update
manually."  But, we also are now recommending automatic, periodic
updates.  In fact, I am preparing to send email to 99,000 mailboxes with
that recommendation imbedded therein.

Most of our technicians are using Shavlik's HFNetChkPro.  We have a
university-wide license for that product.  They seem to be fairly happy
with that.

Let me also take this opportunity to say:  to identify hosts with the
RPCSS flaw (that is, not patched with MS03-039), we started using the
ISS scanner.  Then we tried the MS scanner.  Both of these resulted in
too many false-positives, and also listed W98 systems and systems that
had a non-MS operating system but with a non-MS install of RPC/DCOM.
Then we started using the UCONN scanner, and the list is infinitely
cleaner.  Thx to our pals at UCONN.

M.

-- 
Mark S. Bruhn, CISSP, CISM

Chief IT Security and Policy Officer
Associate Director, Center for Applied Cybersecurity Research
(http://cacr.iu.edu)

Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu




-----Original Message-----
From: Dan Updegrove [mailto:updegrove () MAIL UTEXAS EDU] 
Sent: Thursday, September 25, 2003 8:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Automated Patching and Updates? UT Austin


Connie & colleagues,

The UT Austin Information Security Office is now, for the first time,
advising all users to reconfigure their operating systems for automatic
installation of critical security patches. In the past we had advised
"automatic download, manual installation," so that users had more
control of when and how their systems were being modified. Since our
scans showed many users were not installing patches promptly -- with
adverse effects for them, the campus network, and the Internet -- we
have changed our recommendation.

With 40,000 or so University-owned computers (well over half Windows of
various vintages), and an estimated 80,000 personally-owned systems (at
least 80% Windows) used for University academic or administrative work
-- in ResNet, on public wired and wireless ports, via our modem pool,
and via the Internet -- we see patch management as an enormous
challenge. No single university-managed "push" solution can possibly
work, although we have thousands of computers managed by IT
professionals (i.e., users do not have the Admin password, and we are
able to push updates). But since the lion's share of our 120,000
computers are not professionally managed, we're doing our best to
educate users to be better administrators of systems they use.

A complicating factor is that Microsoft's high-profile "Protect your PC"
campaign <http://www.microsoft.com/security/protect/default.asp> is
mute on the issue of users operating in Administrator mode. Over the
years, as a security measure, we have advocated that systems be
configured with an Admin account and one or more end-user accounts,
with the Admin account used only for systems management and software
updates. Microsoft's website makes the opposite assumption, implicitly,
since those in end-user mode are not alerted about completed updates
that may alter the operating environment nor about updates for which
complete installation requires a reboot.

Stated another way, Microsoft appears to be suggesting that Windows
systems with (1) personal firewalls, (2) antivirus with automatic
update, and (3) Windows update with automatic installation of critical
patches -- and alerts to users logged on as Admin -- are as safe, or
safer, than systems being run by users lacking Admin privileges. We'd
welcome others' perspective on this issue.

Cheers,
Dan


At 07:20 AM 9/25/2003, Sadler, Connie wrote:
Given all of the recent worm activity, etc., it seems timely to gather
some information from you folks regarding what you are already doing -
or planning to do - in terms of pushing updates and patches out to your
user communities in a way that is not too "intrusive". We all work in
diverse environments where many of our users are also sensitive to
having someone else "touch" their machines. Yet it seems a losing
battle to continue to manually update workstations in some areas when
they are being automatically attacked in very sophisticated ways.

Can you folks please share with us:

1)  What you are already doing now - in terms of pushing or automating
patching or updates?

2)  What you are evaluating or looking at for doing this kind of thing -
and in what areas of your environment?

3)  What technologies you are familiar with and what platforms the
solutions support?

Thanks much! I am willing to summarize the input I receive if I get
enough good feedback...

Connie J. Sadler, CM, CISSP, CISM
Director, IT Security, Brown University
Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
PGP Fingerprint: 452A C178 1450 9CE1 3AC1  CC12 956F 2C55 DB94 A9C7
Office: 401-863-7266

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.


VP  for Information Technology          Phone (512) 232-9610
The University of Texas at Austin       Fax (512) 232-9607
FAC 248 (Mail code: G9800)              d.updegrove () its utexas edu
P.O. Box 7407
http://wnt.utexas.edu/~danu/
Austin, TX 78713-7407
