Educause Security Discussion mailing list archives

Re: Windows O/S Patching Question


From: Ted Pham <telamon () CMU EDU>
Date: Fri, 23 Mar 2012 18:31:41 +0000


I think you're looking for a general rule of thumb when it really depends on your environment.

This is why auditors with checklists who don't know how to weigh the mitigating factors and overall risk only cause 
more headaches.

Consider factors like:

a) The nature of the vulnerability: is it denial of service or remote code execution for the server OSes in question?
Sometimes patches are code execution for 2003 that are just DoS for 2008 R2.

b) What's the scope of people who could exploit the vuln? 
If the exploit requires credentials and only a handful of people can get to the server thanks to network acls or 
firewalls, then the risk is lowered.  If it's remotely exploitable, doesn't require user credentials or any user 
interaction and the service is exposed to the Internet, then the risk is much higher and so the patch time should be 
now.

c) Have previous patches to the server caused issues for third party software that either runs on or depends on the 
server?
We've had issues with patches breaking third party software so we're more likely to test first before rolling out a 
patch for those specific servers.  We also tend to isolate those servers so that the scope of people who could attack 
them is lowered, see b).  And testing may include working with other departments who depend on the third party software 
and can take a while.

d) What business processes depend on the server and what mitigations are available for the vuln?
Sometimes adding more network isolation, making a small configuration change or increasing monitoring may be a better 
compensating control than rebooting a server outside of its defined maintenance window and disrupting the business 
processes that need the server.


Ted Pham
Information Security Office
Carnegie Mellon University
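The four factors in the reply above can be turned into a repeatable triage step so that two admins looking at the same server reach the same patch window. The following is an added example, not code from the original thread or from CMU: it encodes factor (a) as DoS vs. code execution for the deployed OS version, (b) as exposure plus exploit preconditions, (c) as a "test with dependent departments first" flag, and (d) as a credit for a compensating control applied today. The weights, thresholds, window labels and the three sample servers are constructed assumptions for illustration, not a standard from the post.

```python
"""Patch-window triage helper (added example, not from the original thread).

Encodes the four factors in Ted Pham's reply as a small scoring function. The
weights, thresholds, window labels and sample servers are constructed
assumptions for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PatchContext:
    impact: str                 # (a) "rce" or "dos" for the OS version actually deployed
    needs_creds: bool           # (b) exploit requires valid credentials
    needs_user_action: bool     # (b) exploit requires someone to click or open something
    exposure: str               # (b) "internet", "campus" (ACLs limit who can reach it) or "isolated"
    fragile_third_party: bool   # (c) earlier patches have broken software on or around this server
    compensating_control: bool  # (d) an ACL, config change or extra monitoring can be applied now


# Assumed weights: impact dominates, then reachability, then exploit preconditions.
IMPACT_WEIGHT = {"rce": 5, "dos": 2}
EXPOSURE_WEIGHT = {"internet": 4, "campus": 2, "isolated": 0}

# Assumed score thresholds, highest first; "now" means patch outside the maintenance window.
WINDOWS = (
    (10, "now"),
    (7, "within 72 hours"),
    (4, "next scheduled maintenance window"),
    (0, "normal patch cycle"),
)


def risk_score(ctx: PatchContext) -> int:
    """Combine the factors into one integer; higher means patch sooner."""
    score = IMPACT_WEIGHT[ctx.impact] + EXPOSURE_WEIGHT[ctx.exposure]
    if not ctx.needs_creds:
        score += 2          # anyone who can reach the port can try it
    if not ctx.needs_user_action:
        score += 1          # no phishing step needed
    if ctx.compensating_control:
        score -= 2          # (d) a control applied today buys time for a proper window
    return max(score, 0)


def patch_plan(ctx: PatchContext) -> dict:
    """Return the target window and whether to test with dependent departments first (c)."""
    score = risk_score(ctx)
    window = next(label for threshold, label in WINDOWS if score >= threshold)
    # (c) a fragile server gets a test pass first, unless exposure is bad enough to patch now
    test_first = ctx.fragile_third_party and window != "now"
    return {"score": score, "window": window, "test_first": test_first}


# Constructed sample servers (not real hosts).
INTERNET_WEB = PatchContext("rce", False, False, "internet", False, False)
ISOLATED_2008R2 = PatchContext("dos", False, False, "isolated", True, True)
CAMPUS_APP = PatchContext("rce", True, False, "campus", True, False)

if __name__ == "__main__":
    for name, ctx in [("internet web", INTERNET_WEB),
                      ("isolated 2008 R2", ISOLATED_2008R2),
                      ("campus app server", CAMPUS_APP)]:
        print(f"{name:20} {patch_plan(ctx)}")
```

The unauthenticated, internet-facing code-execution case lands on "now" regardless of the other flags, matching the reply's "the patch time should be now"; the isolated box where the same bug is only a DoS and an ACL is already in place drops to the normal cycle but still carries the test-first flag because of its third-party history.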

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Sarazen, Daniel 
[dsarazen () UMASSP EDU]
Sent: Friday, March 23, 2012 2:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Windows O/S Patching Question

Hi All,

Quick Question: If Windows were to release a critical patch for a server today, how long should it take to install the patch before you'd consider it TOO long?

Thanks,


:: Daniel Sarazen, CISSP, CISA
:: Senior Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office

:: 774-455-7558
:: 781-724-3377 Cell
:: 774-455-7550 Fax
:: Dsarazen () umassp edu

University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu


Confidentiality Note:  This email is intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information.  If you are not the intended recipient(s), any dissemination, use, distribution or copying is strictly prohibited.

