[unisog] executable for setting windows updates?

Matt Ashfield (UNB) mda at unb.ca
Wed Jun 23 12:03:29 GMT 2004


We certainly block many of the problematic ports at our router, the problem
is, when students arrive with their personal computers and plug in our
network. At that point, they're bringing a potentially infected inside this
layer of protection and can then begin infecting other unpatched machines on
campus. It really only takes one machine to start an outbreak, and with
thousands of non-standard (ie, student-owned) computers arriving each year
the likelihood of an outbreak is significant, hence the need to at least
*try* to get them patched automatically, rather than simply suggesting it.

Cheers

Matthew Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org]On Behalf Of PaulFM
Sent: Tuesday, June 22, 2004 7:23 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] executable for setting windows updates?


If you want to stop viruses - BAN Internet Explorer and Outlook/Outlook
Express.

If you have properly blocked ports at your router, the viruses that get in
only are an issue for machines that have failed to follow any
RECOMMENDATIONS
you may have for setting the machine up (not for the ones that were set up
correctly).

We suggest machines be up to date and we even point people at an anti-virus
program they can use for free (we have a site license that allows this).
We
cut off the Windows ports in and out of our network except as needed.  And
we
go out of our way to discourage the use of Internet Explorer and Outlook
Express (and IIS).  We have very little problems with viri within our
network
(our router logs show them outside our section of the our University's
network trying to break in - at least 2 or 3 a day).   We don't force
security settings or scripts on people.  But we do cut off any machine that
seems to have a virus infection.  Our office machines are fully managed and
locked down to prevent tampering (and virus infection).

Getting a virus is one way some people finally learn to read the policies
and
rules (when they get cut off and we are telling them the best course of
action is to wipe the machine).


Jim Dillon wrote:

> I fail to see anything Orwellian or Big Brotherish about the original
responses.
>
> The welfare of the whole (a SHARED resource) is certainly a higher level
risk than the welfare of the unit (i.e. individual desktop or server.)  Unit
optimization as an approach generally equals anarchy and highest cost
solution that often fails to protect the most important assets adequately.
>
> With proper care in the design, approvals for the risk acceptance and
impacts (managerial - those with enough signature authority to accept the
risk for the sake of the whole), this (patch before connecting) is a viable
approach, and it has been used by many.
>
> I don't know which answer is better in the original poster's situation,
layers of firewalls, auto-updates, or both, but in any case it is actually a
socially responsible and appropriate managerial decision to control risk,
even at the real costs indicated, if the risks are significantly greater
than the end cost of mitigation.  Given that total destruction is seconds
away these days (think of the Witty worm on a large scale) such precaution
is commonly justifiable, not an imposition.
>
> There is some due process responsibility, no doubt - good development,
change mgt., communication practices as a prerequisite.  Still, probably the
better side of valor to not accept the open/unpatched system risk on a
shared infrastructure, too many other "lives" at stake.
>
> Generically, I'd like to see both used, along with different
backbones/infrastructures that segregate sensitive, confidential, and
proprietary data/systems and products from the Internet entirely, while
allowing some pain on a more open sand lot that disallows such valuable data
resources - with judicious warnings of course.  However, reality says most
cannot afford that level of risk avoidance in the short term.
>
> Jim
> ======================================
> Jim Dillon, CISA
> IT Audit Manager
> University of Colorado
> jim.dillon at cusys.edu
> Phone: 303-492-9734
> Dept. Phone: 303-492-9730
> Fax: 303-492-9737
> ======================================
>
>
> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org]On Behalf Of PaulFM
> Sent: Tuesday, June 22, 2004 8:33 AM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] executable for setting windows updates?
>
>
> I hope you are ready to deal with all the problems you may cause.
>
> By forcing people to use your scripts before they can even connect to the
> network, you may become responsible for any problems that may cause
> (including those caused by windows update breaking things).  This may be a
> greater support cost than chasing down the viruses of those who don't
follow
> instructions.
>
> We just tell people they should wipe there machines if they get a virus
(we
> don't let them re-connect until they can assure us they have removed the
> virus) and re-iterate that they should keep the machine up to date and
turn
> the built in firewall on (even the little protection it provides is
helpful).
> Of course - we only run the network in 3 buildings (including wireless).
>
> Also, you should be careful about playing BIG BROTHER - I would object to
> running any scripts on my machine just on the grounds of privacy (do you
> supply a guarantee that the script will not send any private information
to
> anyone?).
>
> I think you would be better off to segregate your networks and put in
> firewalls - even if you force people to run scripts that turn things on,
they
> can still turn things back off.
>
>
> Sippel, Jeremy wrote:
>
>
>>Why not use SUS or WUS (whenever it's released) to localize the traffic?
>>A simple .reg file will do the trick to point it to the appropriate
>>server(s)...  One can always wrap it in a pretty installer if necessary.
>>If you don't want to maintain your own, simply configure as you want to...
>>-jjs
>>
>>
>>
>>>-----Original Message-----
>>>From: Matt Ashfield (UNB) [mailto:mda at unb.ca]
>>>Sent: Monday, June 21, 2004 12:23 PM
>>>To: UNIversity Security Operations Group
>>>Subject: [unisog] executable for setting windows updates?
>>>
>>>
>>>Hi
>>>
>>>We are looking into developing a program that would setup a
>>>Windows computer to be configured to automatically download
>>>and install patches via windows update.
>
> ...clip
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

--
The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
---------------------------------------------------------------------
Paul F. Markfort               Email: paulfm at me.umn.edu
- SysAdmin -                   (Information Technology Professional)
MEnet, Rm# 152
Mechanical Engineering         Web: http://www.menet.umn.edu/~paulfm
University of Minnesota         Main Phone: (612) 626-9800 (No VM)
111 Church Street                Alt Phone: (612) 625-1916 (No VM)
Minneapolis, MN 55455-0150      Home Phone: (651) 774-2136
---------------------------------------------------------------------
_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog




More information about the unisog mailing list