[unisog] executable for setting windows updates?
paulfm at me.umn.edu
Tue Jun 22 22:22:32 GMT 2004
If you want to stop viruses - BAN Internet Explorer and Outlook/Outlook Express.
If you have properly blocked ports at your router, the viruses that get in
only are an issue for machines that have failed to follow any RECOMMENDATIONS
you may have for setting the machine up (not for the ones that were set up
We suggest machines be up to date and we even point people at an anti-virus
program they can use for free (we have a site license that allows this). We
cut off the Windows ports in and out of our network except as needed. And we
go out of our way to discourage the use of Internet Explorer and Outlook
Express (and IIS). We have very little problems with viri within our network
(our router logs show them outside our section of the our University's
network trying to break in - at least 2 or 3 a day). We don't force
security settings or scripts on people. But we do cut off any machine that
seems to have a virus infection. Our office machines are fully managed and
locked down to prevent tampering (and virus infection).
Getting a virus is one way some people finally learn to read the policies and
rules (when they get cut off and we are telling them the best course of
action is to wipe the machine).
Jim Dillon wrote:
> I fail to see anything Orwellian or Big Brotherish about the original responses.
> The welfare of the whole (a SHARED resource) is certainly a higher level risk than the welfare of the unit (i.e. individual desktop or server.) Unit optimization as an approach generally equals anarchy and highest cost solution that often fails to protect the most important assets adequately.
> With proper care in the design, approvals for the risk acceptance and impacts (managerial - those with enough signature authority to accept the risk for the sake of the whole), this (patch before connecting) is a viable approach, and it has been used by many.
> I don't know which answer is better in the original poster's situation, layers of firewalls, auto-updates, or both, but in any case it is actually a socially responsible and appropriate managerial decision to control risk, even at the real costs indicated, if the risks are significantly greater than the end cost of mitigation. Given that total destruction is seconds away these days (think of the Witty worm on a large scale) such precaution is commonly justifiable, not an imposition.
> There is some due process responsibility, no doubt - good development, change mgt., communication practices as a prerequisite. Still, probably the better side of valor to not accept the open/unpatched system risk on a shared infrastructure, too many other "lives" at stake.
> Generically, I'd like to see both used, along with different backbones/infrastructures that segregate sensitive, confidential, and proprietary data/systems and products from the Internet entirely, while allowing some pain on a more open sand lot that disallows such valuable data resources - with judicious warnings of course. However, reality says most cannot afford that level of risk avoidance in the short term.
> Jim Dillon, CISA
> IT Audit Manager
> University of Colorado
> jim.dillon at cusys.edu
> Phone: 303-492-9734
> Dept. Phone: 303-492-9730
> Fax: 303-492-9737
> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org]On Behalf Of PaulFM
> Sent: Tuesday, June 22, 2004 8:33 AM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] executable for setting windows updates?
> I hope you are ready to deal with all the problems you may cause.
> By forcing people to use your scripts before they can even connect to the
> network, you may become responsible for any problems that may cause
> (including those caused by windows update breaking things). This may be a
> greater support cost than chasing down the viruses of those who don't follow
> We just tell people they should wipe there machines if they get a virus (we
> don't let them re-connect until they can assure us they have removed the
> virus) and re-iterate that they should keep the machine up to date and turn
> the built in firewall on (even the little protection it provides is helpful).
> Of course - we only run the network in 3 buildings (including wireless).
> Also, you should be careful about playing BIG BROTHER - I would object to
> running any scripts on my machine just on the grounds of privacy (do you
> supply a guarantee that the script will not send any private information to
> I think you would be better off to segregate your networks and put in
> firewalls - even if you force people to run scripts that turn things on, they
> can still turn things back off.
> Sippel, Jeremy wrote:
>>Why not use SUS or WUS (whenever it's released) to localize the traffic?
>>A simple .reg file will do the trick to point it to the appropriate
>>server(s)... One can always wrap it in a pretty installer if necessary.
>>If you don't want to maintain your own, simply configure as you want to...
>>>From: Matt Ashfield (UNB) [mailto:mda at unb.ca]
>>>Sent: Monday, June 21, 2004 12:23 PM
>>>To: UNIversity Security Operations Group
>>>Subject: [unisog] executable for setting windows updates?
>>>We are looking into developing a program that would setup a
>>>Windows computer to be configured to automatically download
>>>and install patches via windows update.
> unisog mailing list
> unisog at lists.sans.org
The views and opinions expressed above are strictly
those of the author(s). The content of this message has
not been reviewed nor approved by any entity whatsoever.
Paul F. Markfort Email: paulfm at me.umn.edu
- SysAdmin - (Information Technology Professional)
MEnet, Rm# 152
Mechanical Engineering Web: http://www.menet.umn.edu/~paulfm
University of Minnesota Main Phone: (612) 626-9800 (No VM)
111 Church Street Alt Phone: (612) 625-1916 (No VM)
Minneapolis, MN 55455-0150 Home Phone: (651) 774-2136
More information about the unisog