Educause Security Discussion mailing list archives
Re: Windows O/S Patching Question
From: Ted Pham <telamon () CMU EDU>
Date: Fri, 23 Mar 2012 18:31:41 +0000
I think you're looking for a general rule of thumb when it really depends on your environment. This is why auditors with checklists who don't know how to weigh the mitigating factors and overall risk only cause more headaches. Consider factors like:

a) The nature of the vulnerability: is it denial of service or remote code execution for the server OSes in question? Sometimes patches are code execution for 2003 that are just DoS for 2008 R2.

b) What's the scope of people who could exploit the vuln? If the exploit requires credentials and only a handful of people can get to the server thanks to network ACLs or firewalls, then the risk is lowered. If it's remotely exploitable, doesn't require user credentials or any user interaction, and the service is exposed to the Internet, then the risk is much higher and so the patch time should be now.

c) Have previous patches to the server caused issues for third-party software that either runs on or depends on the server? We've had issues with patches breaking third-party software, so we're more likely to test first before rolling out a patch for those specific servers. We also tend to isolate those servers so that the scope of people who could attack them is lowered; see b). And testing may include working with other departments who depend on the third-party software and can take a while.

d) What business processes depend on the server, and what mitigations are available for the vuln? Sometimes adding more network isolation, making a small configuration change or increasing monitoring may be a better compensating control than rebooting a server outside of its defined maintenance window and disrupting the business processes that need the server.
Ted Pham
Information Security Office
Carnegie Mellon University
________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Sarazen, Daniel [dsarazen () UMASSP EDU]
Sent: Friday, March 23, 2012 2:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Windows O/S Patching Question

Hi All,

Quick Question: If Windows were to release a critical patch for a server today, how long should it take to install the patch before you'd consider it TOO long?

Thanks,

:: Daniel Sarazen, CISSP, CISA
:: Senior Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office
:: 774-455-7558
:: 781-724-3377 Cell
:: 774-455-7550 Fax
:: Dsarazen () umassp edu
University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu

Confidentiality Note: This email is intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient(s), any dissemination, use, distribution or copying is strictly prohibited.
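The reply above weighs four factors rather than quoting a fixed number of days. As an added example (not code from the thread or from CMU), the following Python encodes that weighing as a small triage function that returns both a patch window and the reasons behind it, so the decision is auditable. The four window tiers, the `SMALL_POPULATION` threshold and the sample servers are assumptions chosen for illustration; the ordering of the rules follows the reply: an unauthenticated, no-interaction RCE on an Internet-facing service is patched now regardless of the other factors, everything else starts lower and is adjusted by attacker population, compensating controls and breakage history.

```python
"""Patch-window triage encoding the four factors from the reply above.

Added illustration, not code from the mailing-list thread. Window tiers,
SMALL_POPULATION and the sample contexts below are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Impact(Enum):
    DOS = "denial of service"
    RCE = "code execution"


class Window(Enum):
    NOW = "patch now, reboot out of band"
    DAYS = "patch within days, first available change slot"
    MAINTENANCE = "patch in the next scheduled maintenance window"
    AFTER_TEST = "test with dependent departments first, then patch"


# Assumed threshold: at most this many people can reach the service after ACLs/firewalls.
SMALL_POPULATION = 10


@dataclass(frozen=True)
class PatchContext:
    """Inputs for one patch on one server, grouped by the factor letter in the reply."""
    impact: Impact                # (a) effect on THIS OS version, not the worst case in the bulletin
    remote: bool                  # (b) exploitable over the network
    needs_credentials: bool       # (b) attacker must already hold an account
    needs_user_interaction: bool  # (b) someone must click or open something
    internet_exposed: bool        # (b) service reachable from the Internet
    reachable_principals: int     # (b) people who can reach the service after ACLs/firewalls
    breaks_third_party: bool      # (c) patches have broken software on or around this server before
    compensating_control: bool    # (d) isolation, config change or extra monitoring already applied


def triage(ctx: PatchContext) -> tuple[Window, list[str]]:
    """Return the patch window plus the reasons, so an auditor can see the weighing."""
    reasons: list[str] = []

    # (a)+(b): unauthenticated, no-click RCE on an Internet-facing service. Nothing else matters.
    if (ctx.impact is Impact.RCE and ctx.remote and not ctx.needs_credentials
            and not ctx.needs_user_interaction and ctx.internet_exposed):
        reasons.append("unauthenticated remote code execution exposed to the Internet")
        return Window.NOW, reasons

    # Starting point for everything below that line.
    if ctx.impact is Impact.RCE and ctx.remote and not ctx.needs_credentials:
        window = Window.DAYS
        reasons.append("remote code execution without credentials, but not Internet-facing")
    else:
        window = Window.MAINTENANCE
        reasons.append("denial of service, local-only, or attacker needs an account or a click")

    # (b) a small attacker population (ACLs, firewalls) lowers the risk one notch.
    if window is Window.DAYS and ctx.reachable_principals <= SMALL_POPULATION:
        window = Window.MAINTENANCE
        reasons.append(f"only {ctx.reachable_principals} principals can reach the service")

    # (d) an applied compensating control buys time to stay inside the maintenance window.
    if window is Window.DAYS and ctx.compensating_control:
        window = Window.MAINTENANCE
        reasons.append("compensating control in place; avoid an out-of-window reboot")

    # (c) breakage history: the test cycle with the dependent departments sets the date.
    if ctx.breaks_third_party:
        window = Window.AFTER_TEST
        reasons.append("patches have broken third-party software on this server before")

    return window, reasons


# Constructed sample servers for illustration (not from the thread).
EXAMPLES = {
    "public web server, unauthenticated RCE":
        PatchContext(Impact.RCE, True, False, False, True, 100_000, False, False),
    "public web server, unauthenticated RCE, fragile vendor app":
        PatchContext(Impact.RCE, True, False, False, True, 100_000, True, False),
    "internal app server, unauthenticated RCE, whole campus can reach it":
        PatchContext(Impact.RCE, True, False, False, False, 20_000, False, False),
    "internal app server, same RCE, firewalled to 5 admins":
        PatchContext(Impact.RCE, True, False, False, False, 5, False, False),
    "internal app server, same RCE, extra isolation and monitoring added":
        PatchContext(Impact.RCE, True, False, False, False, 20_000, False, True),
    "internet-facing server where the bug is only DoS on this OS version":
        PatchContext(Impact.DOS, True, False, False, True, 100_000, False, False),
    "internal app server, same RCE, vendor software broken by past patches":
        PatchContext(Impact.RCE, True, False, False, False, 20_000, True, False),
}


if __name__ == "__main__":
    for name, ctx in EXAMPLES.items():
        window, reasons = triage(ctx)
        print(f"{name}\n  -> {window.value}\n     because: {'; '.join(reasons)}")
```

The point of returning the reason list is that an auditor asking "how long is too long?" gets the factors that produced the answer for that server, which is what the reply argues a checklist alone cannot provide.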
Current thread:
- Re: Windows O/S Patching Question, (continued)
- Re: Windows O/S Patching Question Pratt, Benjamin E. (Mar 23)
- Re: Windows O/S Patching Question Joel Rosenblatt (Mar 23)
- Re: Windows O/S Patching Question David Gillett (Mar 26)
- Re: Windows O/S Patching Question Joel Rosenblatt (Mar 27)
- Re: Windows O/S Patching Question Brian Helman (Mar 27)
- Re: Windows O/S Patching Question Valdis Kletnieks (Mar 27)
- Re: Windows O/S Patching Question Brian Helman (Mar 27)
- Re: Windows O/S Patching Question Sarazen, Daniel (Mar 27)
- Re: Windows O/S Patching Question David Gillett (Mar 26)
- Re: Windows O/S Patching Question Sarazen, Daniel (Mar 23)
- Re: Windows O/S Patching Question Valdis Kletnieks (Mar 23)
- Re: Windows O/S Patching Question Basgen, Brian (Mar 23)