Educause Security Discussion mailing list archives
Re: Automated Patching and Updates? UT Austin
From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Thu, 25 Sep 2003 09:05:11 -0500
We also previously recommended "download automatically, update manually." But, we also are now recommending automatic, periodic updates. In fact, I am preparing to send email to 99,000 mailboxes with that recommendation embedded therein.

Most of our technicians are using Shavlik's HFNetChkPro. We have a university-wide license for that product. They seem to be fairly happy with that.

Let me also take this opportunity to say: to identify hosts with the RPCSS flaw (that is, not patched with MS03-039), we started using the ISS scanner. Then we tried the MS scanner. Both of these resulted in too many false positives, and also listed W98 systems and systems that had a non-MS operating system but with a non-MS install of RPC/DCOM. Then we started using the UCONN scanner, and the list is infinitely cleaner. Thx to our pals at UCONN.

M.

--
Mark S. Bruhn, CISSP, CISM
Chief IT Security and Policy Officer
Associate Director, Center for Applied Cybersecurity Research (http://cacr.iu.edu)
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326
Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

-----Original Message-----
From: Dan Updegrove [mailto:updegrove () MAIL UTEXAS EDU]
Sent: Thursday, September 25, 2003 8:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Automated Patching and Updates? UT Austin

Connie & colleagues,

The UT Austin Information Security Office is now, for the first time, advising all users to reconfigure their operating systems for automatic installation of critical security patches. In the past we had advised "automatic download, manual installation," so that users had more control of when and how their systems were being modified. Since our scans showed many users were not installing patches promptly -- with adverse effects for them, the campus network, and the Internet -- we have changed our recommendation.
With 40,000 or so University-owned computers (well over half Windows of various vintages), and an estimated 80,000 personally-owned systems (at least 80% Windows) used for University academic or administrative work -- in ResNet, on public wired and wireless ports, via our modem pool, and via the Internet -- we see patch management as an enormous challenge. No single university-managed "push" solution can possibly work, although we have thousands of computers managed by IT professionals (i.e., users do not have the Admin password, and we are able to push updates). But since the lion's share of our 120,000 computers are not professionally managed, we're doing our best to educate users to be better administrators of systems they use.

A complicating factor is that Microsoft's high-profile "Protect your PC" campaign <http://www.microsoft.com/security/protect/default.asp> is mute on the issue of users operating in Administrator mode. Over the years, as a security measure, we have advocated that systems be configured with an Admin account and one or more end-user accounts, with the Admin account used only for systems management and software updates. Microsoft's website makes the opposite assumption, implicitly, since those in end-user mode are not alerted about completed updates that may alter the operating environment nor about updates for which complete installation requires a reboot.

Stated another way, Microsoft appears to be suggesting that Windows systems with (1) personal firewalls, (2) antivirus with automatic update, and (3) Windows update with automatic installation of critical patches -- and alerts to users logged on as Admin -- are as safe, or safer, than systems being run by users lacking Admin privileges.

We'd welcome others' perspective on this issue.

Cheers,
Dan

At 07:20 AM 9/25/2003, Sadler, Connie wrote:
Given all of the recent worm activity, etc., it seems timely to gather some information from you folks regarding what you are already doing - or planning to do - in terms of pushing updates and patches out to your user communities in a way that is not too "intrusive". We all work in diverse environments where many of our users are also sensitive to having someone else "touch" their machines. Yet it seems a losing battle to continue to manually update workstations in some areas when they are being automatically attacked in very sophisticated ways.

Can you folks please share with us:

1) What you are already doing now - in terms of pushing or automating patching or updates?
2) What you are evaluating or looking at for doing this kind of thing - and in what areas of your environment?
3) What technologies you are familiar with and what platforms the solutions support?

Thanks much! I am willing to summarize the input I receive if I get enough good feedback...

Connie J. Sadler, CM, CISSP, CISM
Director, IT Security, Brown University
Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
PGP Fingerprint: 452A C178 1450 9CE1 3AC1 CC12 956F 2C55 DB94 A9C7
Office: 401-863-7266

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
VP for Information Technology          Phone (512) 232-9610
The University of Texas at Austin      Fax (512) 232-9607
FAC 248 (Mail code: G9800)             d.updegrove () its utexas edu
P.O. Box 7407                          http://wnt.utexas.edu/~danu/
Austin, TX 78713-7407