[unisog] executable for setting windows updates?

Jim Dillon Jim.Dillon at cusys.edu
Tue Jun 22 21:18:12 GMT 2004

I fail to see anything Orwellian or Big Brotherish about the original responses.

The welfare of the whole (a SHARED resource) is certainly a higher level risk than the welfare of the unit (i.e. individual desktop or server.)  Unit optimization as an approach generally equals anarchy and highest cost solution that often fails to protect the most important assets adequately.

With proper care in the design, approvals for the risk acceptance and impacts (managerial - those with enough signature authority to accept the risk for the sake of the whole), this (patch before connecting) is a viable approach, and it has been used by many.

I don't know which answer is better in the original poster's situation, layers of firewalls, auto-updates, or both, but in any case it is actually a socially responsible and appropriate managerial decision to control risk, even at the real costs indicated, if the risks are significantly greater than the end cost of mitigation.  Given that total destruction is seconds away these days (think of the Witty worm on a large scale) such precaution is commonly justifiable, not an imposition.

There is some due process responsibility, no doubt - good development, change mgt., communication practices as a prerequisite.  Still, probably the better side of valor to not accept the open/unpatched system risk on a shared infrastructure, too many other "lives" at stake.

Generically, I'd like to see both used, along with different backbones/infrastructures that segregate sensitive, confidential, and proprietary data/systems and products from the Internet entirely, while allowing some pain on a more open sand lot that disallows such valuable data resources - with judicious warnings of course.  However, reality says most cannot afford that level of risk avoidance in the short term.

Jim Dillon, CISA
IT Audit Manager
University of Colorado
jim.dillon at cusys.edu
Phone: 303-492-9734
Dept. Phone: 303-492-9730
Fax: 303-492-9737

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org]On Behalf Of PaulFM
Sent: Tuesday, June 22, 2004 8:33 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] executable for setting windows updates?

I hope you are ready to deal with all the problems you may cause.

By forcing people to use your scripts before they can even connect to the 
network, you may become responsible for any problems that may cause
(including those caused by windows update breaking things).  This may be a 
greater support cost than chasing down the viruses of those who don't follow 

We just tell people they should wipe their machines if they get a virus (we 
don't let them re-connect until they can assure us they have removed the 
virus) and re-iterate that they should keep the machine up to date and turn 
the built in firewall on (even the little protection it provides is helpful).
Of course - we only run the network in 3 buildings (including wireless).

Also, you should be careful about playing BIG BROTHER - I would object to 
running any scripts on my machine just on the grounds of privacy (do you 
supply a guarantee that the script will not send any private information to 

I think you would be better off to segregate your networks and put in 
firewalls - even if you force people to run scripts that turn things on, they 
can still turn things back off.

Sippel, Jeremy wrote:

> Why not use SUS or WUS (whenever it's released) to localize the traffic?
> A simple .reg file will do the trick to point it to the appropriate
> server(s)...  One can always wrap it in a pretty installer if necessary.
> If you don't want to maintain your own, simply configure as you want to...
> -jjs
>>-----Original Message-----
>>From: Matt Ashfield (UNB) [mailto:mda at unb.ca]
>>Sent: Monday, June 21, 2004 12:23 PM
>>To: UNIversity Security Operations Group
>>Subject: [unisog] executable for setting windows updates?
>>We are looking into developing a program that would setup a
>>Windows computer to be configured to automatically download
>>and install patches via windows update.
