Educause Security Discussion mailing list archives
Re: Vulnerability Assessment Requirements
From: Michael Grinnell <grinnell () AMERICAN EDU>
Date: Thu, 21 Jul 2005 13:43:22 -0400
We chose to go with the following:

XP:
  CCA Agent
  IE6 (Needed for MSAS)
  MS AntiSpyware (to prevent spyware and help clean the machine some in prep for SP2)
  SP2
  Builtin firewall enabled, allow ping (Planning to support others as time permits)
  Automatic Updates enabled, using "Automatic" setting
  Antivirus installed (one of CCA supported)
  AV up to date (AV_ANY rule)

2000:
  CA Agent
  IE6 (Needed for MSAS)
  MS AntiSpyware (to prevent spyware and help clean the machine some in prep for SP2)
  SP4
  Automatic Updates enabled, using "Automatic" setting
  Antivirus installed (one of CCA supported)
  AV up to date (AV_ANY rule)

98/Me:
  CA Agent
  IE6 (Needed for MSAS)
  98/Me Hotfixes (CCA built-in rule)
  Antivirus installed (one of CCA supported)
  AV up to date (AV_ANY rule)

Linux/Mac/Etc.
  Nothing

Our philosophy on XP/2000 was that if they had autoupdates turned on, then it was unnecessary to check for individual patches, as long as they had SP2. We may make exceptions for individual high-exposure vulnerabilities though, and check for them specifically.

Michael Grinnell
Network Security Administrator
The American University
e-mail: grinnell () american edu

On Jul 21, 2005, at 11:31 AM, Brown, Christopher wrote:
Greetings,

I am throwing this question out there to schools who have implemented a vulnerability assessment solution such as CCA, Impulse Point, or Campus Manager. (Note, I am not trying to start a debate on one versus the other.)

We are working to get CCA ready for our students this fall and I was wondering what other schools have decided upon regarding the requirements they are imposing on their students' PCs. With CCA you can check for a lot of things: service packs, Microsoft updates, existence of anti-virus software, the age of antivirus definition, installed programs, a missing installed program, etc.

I am curious to find out what requirements other schools have used? Do you allow a grace period or do you require that new updates and virus definitions are necessary as soon as they become available?

Thanks in advance,

Chris Brown
Information Technology Services
Network/Telecom Administrator
Regis University, Denver CO