
CS Automatic Security Patch Distribution

Automatic patch distribution policy

The Computing Committee approved this policy on September 10, 2003.

Rationale

Due to the recent well-publicized vulnerabilities in the Windows operating system, and given the difficulty of manually keeping every Windows machine in the department up to date with security patches, the Lab staff has investigated methods for maintaining security within the CSC domain. Windows 2000 and Windows XP include a built-in Automatic Updates facility. The CS Computing Committee has approved the use of this type of patch management process on Windows and Linux machines in the department.

Under Windows, installing patches manually requires logging on with an administrative account. Most CS users do not have administrative accounts and therefore cannot install patches themselves. Automatic updates run as a system service, so no administrative login by the user is needed.

Scope

This policy applies to all departmentally owned machines running Linux or Windows in the CSC domain.

Automatic updates

Each machine in the CS Windows domain will be configured to automatically download and install the updates that Microsoft classifies as critical (that is, security related). Each machine downloads patches as they become available. Every Thursday morning at approximately 3:00 am, each Windows machine installs any patches it has downloaded; if any of them requires a reboot, the machine reboots once installation completes.

Each machine in the CS department that is running Ubuntu Linux will be configured to download and install the patches that Ubuntu deems critical (that is, security related), as well as other upgrades to the OS or patches for other programs that Lab staff deem important. Patches are downloaded as they become available, and every Monday morning at approximately 7:30 am, each Ubuntu machine installs any new patches it has downloaded.

We suggest that each user log off before leaving the office on Wednesday evenings (for Windows) or before the weekend (for Linux). If you run Windows under VMware on a Linux machine, leave the virtual machine running on Wednesday nights so that Windows patches can be installed.

When patches are installed that require a reboot under Windows

If your machine is a Windows-only machine and you have logged off, you will not notice anything.

If your machine is a Windows-only machine and you have not logged off, you will find that you are logged off when you return. If you left open applications with unsaved work, that work will be lost.

If your machine is a Linux/Windows machine and you leave it running Linux, you will not notice anything.

If your machine is a Linux/Windows machine that defaults to Linux, and it is running Windows, you will find it booted into Linux.

If you are logged on to Windows and physically present, you will be notified of a pending reboot and given time to save your work.

When patches are installed that require a reboot under Linux

If your machine is a Linux-only machine and you have logged off, you will not notice anything.

If your machine is a Linux-only machine and you have not logged off, you will find that you are logged off when you return. If you left open applications with unsaved work, that work will be lost.

If your machine is a Linux/Windows machine and you leave it running Windows, you will not notice anything.

If your machine is a Linux/Windows machine that defaults to Windows, and it is running Linux, you will find it booted into Windows.

If you are logged on to Linux and physically present, you will be notified of a pending reboot and given time to save your work.

When a scheduled patch is missed

The next time a machine is booted into Windows or Linux, it installs any patches it missed: under Windows, approximately one minute after the machine boots; under Linux, during the boot process. If the patches require a reboot, the machine reboots when installation has completed, which can take some time. A machine that was patched at the scheduled time should have nothing to install on a subsequent reboot, except in emergency situations.

Emergency patch installations

There may still be security patches so important that they must be installed immediately. In that case, Lab staff will need immediate access to your machine to install them.

Non-mandatory updates

To maintain consistency across all department machines, non-security patches and updates requested by users will be reviewed by Lab staff. If approved, they are installed on all machines in the department. If the decision is contested, the department head makes the final decision.

Laptops and home machines

Under Windows, this policy applies to all machines that are members of the CSC Windows domain. Users of laptops and home machines that are domain members should verify that the policy has been applied and that patches are being installed regularly. Owners of laptops and home machines that are not members of the CSC Windows domain must install patches manually. Laptops that are not up to date with the latest security patches will not be allowed to connect to the CS network.

Under Linux, the apt-get program and a script that can be run from cron, at boot time, or manually by the user need to be installed. Lab staff will do this for departmental machines that are connected to the network; for machines that Lab staff cannot access, the user must do it.

Because laptops and home machines are generally outside the control of the Lab staff, it is the user's responsibility to ensure that they are patched regularly. Lab staff can walk you through the simple process for both Windows and Linux.

See Automatic Security Patches for Windows for the procedure required to install patches under Windows.

See Automatic Security Patches for Linux for a copy of the script and a description of the process for installing patches under Linux.
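The Lab's own script is not reproduced on this page. As an added illustration (not the Lab's script and not part of the original page), the following sketch shows how an apt-get wrapper of the kind described above can be written so that one file serves the three cases the policy relies on: fetching patches ahead of time as they appear, installing them at the weekly slot, and catching up at boot. It installs only packages whose new version comes from Ubuntu's *-security pocket, refuses to overlap with itself when the boot-time and cron runs collide, and warns anyone still logged on before a required reboot, mirroring the notice the policy promises to users who are physically present. The lock directory, the five-minute warning and the install path /usr/local/sbin/cs-security-patch are assumptions; /var/run/reboot-required is the marker Ubuntu itself writes when an update needs a reboot.

```shell
#!/bin/sh
# Illustrative Ubuntu security-patch script (added example, not the CS Lab's script).
# Modes:
#   --download  fetch pending security updates into the apt cache (cron, hourly/daily)
#   --install   install them and schedule a reboot if one is required (cron weekly, @reboot)
#   --check     list what --install would do, without changing anything
# Assumes apt-get, a *-security pocket in sources.list, and Ubuntu's
# /var/run/reboot-required marker (written by update-notifier-common).
set -u

REBOOT_MARKER=/var/run/reboot-required
LOCK_DIR=/var/lock/cs-security-patch   # assumed path; mkdir is atomic, so a boot-time
                                       # run and a cron run cannot both proceed
REBOOT_GRACE_MIN=5                     # assumed warning time for anyone still logged on

# Read "apt-get -s dist-upgrade" simulation output on stdin and print the names
# of packages whose candidate version comes from a *-security pocket.
# "Inst" lines look like:
#   Inst bash [4.1-2ubuntu3] (4.1-2ubuntu3.1 Ubuntu:10.04/lucid-security [i386])
# Matching "-security" only after the "/" of the pocket avoids false positives
# on package names that merely end in "-security".
security_packages() {
    awk '$1 == "Inst" && /\/[^ ,]*-security[ ,]/ { print $2 }'
}

# Succeed when a reboot is pending.  The marker path is a parameter so the
# function can be exercised without touching /var/run.
needs_reboot() {
    [ -f "${1:-$REBOOT_MARKER}" ]
}

# Refresh package lists and print pending security packages, one per line.
pending_security_packages() {
    apt-get -qq update || return 1
    apt-get -s dist-upgrade | security_packages
}

take_lock() {
    mkdir "$LOCK_DIR" 2>/dev/null || { echo "patch run already in progress" >&2; return 1; }
    trap 'rmdir "$LOCK_DIR" 2>/dev/null' EXIT
    trap 'exit 1' INT TERM
}

download_security_updates() {
    take_lock || return 1
    pkgs=$(pending_security_packages) || return 1
    [ -n "$pkgs" ] || { echo "nothing to download"; return 0; }
    # $pkgs is deliberately unquoted so each package name becomes its own argument.
    # shellcheck disable=SC2086
    apt-get -qq -y -d install $pkgs
}

install_security_updates() {
    take_lock || return 1
    pkgs=$(pending_security_packages) || return 1
    if [ -z "$pkgs" ]; then
        echo "no pending security updates"
    else
        echo "installing: $(printf '%s ' $pkgs)"
        # Non-interactive and keep existing config files: no prompt can hang an
        # unattended run.
        # shellcheck disable=SC2086
        DEBIAN_FRONTEND=noninteractive apt-get -qq -y \
            -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold \
            install $pkgs || return 1
    fi
    if needs_reboot; then
        # shutdown broadcasts its message to logged-on users, giving them the
        # chance to save work before the reboot.
        shutdown -r "+$REBOOT_GRACE_MIN" \
            "Security patches installed; rebooting in $REBOOT_GRACE_MIN minutes, save your work now"
    fi
}

case "${1:-}" in
    --download) download_security_updates ;;
    --install)  install_security_updates ;;
    --check)    pending_security_packages
                needs_reboot && echo "reboot already pending" ;;
    *)          echo "usage: $0 --download | --install | --check" >&2 ;;
esac
```

Crontab entries matching the Linux schedule in this policy (download as patches appear, install Mondays at 7:30 am, catch up at boot) would be, for example, "0 * * * * /usr/local/sbin/cs-security-patch --download", "30 7 * * 1 /usr/local/sbin/cs-security-patch --install" and "@reboot /usr/local/sbin/cs-security-patch --install". Because --install refreshes the package lists and simulates the upgrade before acting, a machine that was patched on schedule finds nothing to do at boot, which is exactly the behaviour the "When a scheduled patch is missed" section describes.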


Last updated April 29, 2011, by John Luiten