Educause Security Discussion mailing list archives
Re: FW: MS Critical Updates and client management
From: Bill Frazier <frazier () IASTATE EDU>
Date: Fri, 16 Jul 2004 11:48:23 CDT
I believe that there is an element of perspective that needs to be considered and which, unfortunately, complicates matters. Exploits, once in the wild, are frequently rapidly and heavily used. I believe that closing holes as quickly as possible reduces user (and institution) grief. However, discussion of updates labeled critical which were issued based on a date on a calendar, in no particular relation to the publication of the vulnerability, is an oxymoron.

__________________________________________________________________

On Fri, 16 Jul 2004 12:02:33 EDT, Chad McDonald wrote:

My thoughts are that if the potential for exploitation of a particular vulnerability is severe enough, then the 1-2 day lag that you discuss in item #2 is about 2 days too long. I am a big proponent of testing, but barring your enterprise servers, I think that the risk of someone taking advantage of a freshly advertised hole far outweighs the likelihood of a patch or update breaking a desktop application or causing data loss. I tend to agree with you on item #1, understanding that this does not represent critical updates.

Thanks,
Chad McDonald, CISSP
Director of Campus Computer Support Services
Georgia College & State University
Phone 478.445.4473
Fax 478.445.1202
Email chad.mcdonald () gcsu edu
Home Page http://chadmcdonald.net

_____

From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of O'Callaghan, Daniel
Sent: Friday, July 16, 2004 9:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] MS Critical Updates and client management

I've searched the archives and effective practices, but haven't found anything specific to this issue.

I'm looking for input on effective practices for MS Critical Update deployment, specifically the timelines from MS release to client deployment.

The majority of clients that authenticate to our domain are configured using standard "images" based on the systems' intended use. We recently began using SUS to update clients, and it appears effective, but there is disagreement over when the updates should be pushed.

Simplified, there are two schools of thought:

1. All client updates/patches should be installed and vetted on all standard client image configurations in our test lab for 5-6 days prior to deployment as the risk and potential impact of a patch breaking something is greater than the risk of an exploit within this timeframe.

2. Critical updates should be installed and vetted on the most common client image configurations in our test lab for 1-2 days prior to deployment as the risk and potential impact of an exploit (as we approach the zero day) is greater than the patch breaking something.

I realize this is an oversimplification of an industry-wide dilemma, but am looking for the group's input as to the current risk balance for effective practice.

Or have we become so polarized that we are missing something? (Abandoning MS is not a viable option)

Daniel V. O'Callaghan, Jr., CISSP
Information Security Officer
Sinclair Community College
444 West Third Street, 14-002
Dayton, Ohio 45402-1460
937-512-2452
daniel.ocallaghan () sinclair edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
__________________________________________________________________

Bill Frazier    frazier () iastate edu
Assistant Director/Software Support    voice: (515) 294-8620
Iowa State University    fax: (515) 294-1717
Academic Information Technologies, 291 Durham, Ames, Iowa 50011
Current thread:
- MS Critical Updates and client management O'Callaghan, Daniel (Jul 16)
- <Possible follow-ups>
- FW: MS Critical Updates and client management Chad McDonald (Jul 16)
- Re: FW: MS Critical Updates and client management Bill Frazier (Jul 16)
- Re: MS Critical Updates and client management David Dewire (Jul 19)