Educause Security Discussion mailing list archives

Re: Windows O/S Patching Question


From: "Sarazen, Daniel" <dsarazen () UMASSP EDU>
Date: Tue, 27 Mar 2012 13:22:52 -0400

Hi All,

I really didn't mean to start a holy war over patching, but I've found the responses very helpful in coming to a 
reasonable conclusion for the testing I'm trying to complete. 

What I'd say, as an auditor, to anyone who'd listen, is that first you need to have some sort of formal process that 
addresses patching. If your formal process says that you wait a week after patches come out to make sure they don't 
break payroll, then I'd look to see if your patches were applied about a week later. By that same token, if you don't 
have a formal process and your servers haven't been patched in months...well, for an auditor, that's shooting fish in a 
barrel. 

I've also learned to request a report showing what applications the server is running, so that I can compare the 
available critical patches to see if the patch needed to be applied. However, if I see that you've installed the patch 
for Windows Media Player on your server, you'd probably get dinged for having THAT app (or Google Toolbar, or iTunes) 
on the server in the first place.

Again, it's complicated and I was looking for a rule of thumb and, as has been pointed out to me, a good one doesn't 
really exist.

Thanks for all the feedback

Dan

PS: I've given my notice and will be leaving UMass (But staying in higher-education) next week. Thanks for everybody's 
help these past four years. I'm sure I'll still be asking these annoying questions on this listserv with my new post.

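The auditor's checks described above (a formal patch window, released patches compared against what the server actually runs, and desktop applications that should not be on a server) as an added example, not code from the thread. The patch ids, dates, window length and application names are constructed placeholders.

```python
"""Patch-window compliance check modelled on the auditor's rule of thumb."""
from datetime import date, timedelta

# Constructed policy (not from the thread): the organisation's formal process
# says applicable critical patches are installed within 7 days of release.
POLICY_WINDOW = timedelta(days=7)

# Hypothetical released critical patches: id -> (release date, product).
RELEASED = {
    "KB-EXAMPLE-1": (date(2012, 3, 13), "Windows Server"),
    "KB-EXAMPLE-2": (date(2012, 3, 13), "Windows Server"),
    "KB-EXAMPLE-3": (date(2012, 3, 13), "Windows Media Player"),
    "KB-EXAMPLE-4": (date(2012, 3, 13), "Google Toolbar"),  # not on this box
}

# Hypothetical server inventory: installed patch ids with install dates, and
# the applications the server reports as installed.
INSTALLED = {"KB-EXAMPLE-1": date(2012, 3, 22), "KB-EXAMPLE-3": date(2012, 3, 20)}
SERVER_APPS = {"Windows Server", "Windows Media Player", "iTunes"}

# Applications an auditor would ding a server for having at all.
UNEXPECTED_ON_SERVER = {"Windows Media Player", "Google Toolbar", "iTunes"}


def audit(released, installed, apps, today, window=POLICY_WINDOW):
    """Return findings as (severity, message) tuples.

    A patch only counts if its product is actually on the server; a missing
    patch is a finding only once the policy deadline has passed; a patch
    installed after the deadline is a (lesser) process-compliance finding.
    """
    findings = []
    for kb, (release_date, product) in released.items():
        if product not in apps:
            continue  # not applicable: the product is not on this server
        deadline = release_date + window
        if kb not in installed:
            if today > deadline:
                findings.append(("high", f"{kb} missing; due {deadline}"))
        elif installed[kb] > deadline:
            findings.append(("medium", f"{kb} installed {installed[kb]}, due {deadline}"))
    for app in sorted(apps & UNEXPECTED_ON_SERVER):
        findings.append(("medium", f"{app} should not be on a server"))
    return findings


def run_sample(today=date(2012, 3, 27)):
    """Run the audit over the constructed inventory as of the given date."""
    return audit(RELEASED, INSTALLED, SERVER_APPS, today)
```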

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis 
Kletnieks
Sent: Tuesday, March 27, 2012 1:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Windows O/S Patching Question

On Tue, 27 Mar 2012 16:07:25 -0000, Brian Helman said:
> I guess the question is, do you want to be the guy who was responsible because a vulnerability,

Or you can be the guy who installed the patch that broke Payroll... :)

It's often not as cut-n-dried as one would hope. Which is worse, getting pwned or
not getting paid?

