Educause Security Discussion mailing list archives

Re: Automated Patching and Updates? UT Austin


From: Dan Updegrove <updegrove () MAIL UTEXAS EDU>
Date: Thu, 25 Sep 2003 08:46:00 -0500

Connie & colleagues,

The UT Austin Information Security Office is now, for the first time,
advising all users to reconfigure their operating systems for automatic
installation of critical security patches. In the past we had advised
"automatic download, manual installation," so that users had more control
of when and how their systems were being modified. Since our scans showed
many users were not installing patches promptly -- with adverse effects for
them, the campus network, and the Internet -- we have changed our
recommendation.

With 40,000 or so University-owned computers (well over half Windows of
various vintages), and an estimated 80,000 personally-owned systems (at
least 80% Windows) used for University academic or administrative work --
in ResNet, on public wired and wireless ports, via our modem pool, and via
the Internet -- we see patch management as an enormous challenge. No single
university-managed "push" solution can possibly work, although we have
thousands of computers managed by IT professionals (i.e., users do not have
the Admin password, and we are able to push updates). But since the lion's
share of our 120,000 computers are not professionally managed, we're doing
our best to educate users to be better administrators of systems they use.

A complicating factor is that Microsoft's high-profile "Protect your PC"
campaign <http://www.microsoft.com/security/protect/default.asp>, is mute
on the issue of users operating in Administrator mode. Over the years, as a
security measure, we have advocated that systems be configured with an
Admin account and one or more end-user accounts, with the Admin account
used only for systems management and software updates. Microsoft's website
makes the opposite assumption, implicitly, since those in end-user mode are
not alerted about completed updates that may alter the operating
environment nor about updates for which complete installation requires a
reboot.

Stated another way, Microsoft appears to be suggesting that Windows systems
with (1) personal firewalls, (2) antivirus with automatic update, and (3)
Windows update with automatic installation of critical patches -- and
alerts to users logged on as Admin -- are as safe, or safer, than systems
being run by users lacking Admin privileges. We'd welcome others'
perspectives on this issue.

Cheers,
Dan


At 07:20 AM 9/25/2003, Sadler, Connie wrote:
Given all of the recent worm activity, etc., it seems timely to gather
some information from you folks regarding what you are already doing -
or planning to do - in terms of pushing updates and patches out to your
user communities in a way that is not too "intrusive". We all work in
diverse environments where many of our users are also sensitive to
having someone else "touch" their machines. Yet it seems a losing battle
to continue to manually update workstations in some areas when they are
being automatically attacked in very sophisticated ways.

Can you folks please share with us:

1)  What you are already doing now - in terms of pushing or automating
patching or updates?

2)  What you are evaluating or looking at for doing this kind of thing -
and in what areas of your environment?

3)  What technologies you are familiar with and what platforms the
solutions support?

Thanks much! I am willing to summarize the input I receive if I get
enough good feedback...

Connie J. Sadler, CM, CISSP, CISM
Director, IT Security, Brown University
Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
PGP Fingerprint: 452A C178 1450 9CE1 3AC1  CC12 956F 2C55 DB94 A9C7
Office: 401-863-7266

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.


VP  for Information Technology          Phone (512) 232-9610
The University of Texas at Austin       Fax (512) 232-9607
FAC 248 (Mail code: G9800)              d.updegrove () its utexas edu
P.O. Box 7407                                   http://wnt.utexas.edu/~danu/
Austin, TX 78713-7407
