Network Security Focus-Microsoft

RE: exploit to vulnerability

Subject: RE: exploit to vulnerability
Date: Sun, 21 Aug 2005 11:50:33 -0500
 
Yes, WSUS does allow you to have unique approvals on a per-group basis
within the same WSUS server.

This is new functionality that did not exist in SUS. 

This provides an excellent opportunity for segregating desktop and
server systems, as Richard has alluded to. By configuring the desktops
to download and install updates at a scheduled time, you can effectively
update all desktops within 24 hours of approving the update without any
further action. Having a small test group that are configured to
"Auto-Approve" all critical and security updates might also be a good
component of such a strategy. As Richard noted, if those updates
installed immediately upon release do not affect the machines of
knowledgeable, competent desktop users (e.g. the IT Department), then
approve them for general distribution 24-48 hours later -- or perhaps
over the weekend following Patch Tuesday.

Of course, that does then touch on the original question of the thread
which is relative to "how fast" to apply the updates. Really that's a
question that needs to be decided on a case-by-case basis. Some updates,
while desirable to be installed, won't actually involve risk to your
desktops, because the vulnerability isn't likely to penetrate perimeter
firewalls to begin with. Others, those that involve exploits distributed
via email, for example, have immediate risk to all email-enabled systems
within your network. In such cases, be also aware of the availability of
deadlines, which can be configured on a per-update, per-group basis, and
can be used to force a guaranteed installation of the update (within 22
hours) if the deadline configured is a date/time in the past.


-----Original Message-----
From: Tom Milliner [mailto:tom.milliner@verizon.net] 
Sent: Saturday, August 20, 2005 1:11 AM
To: 'Richard Whitworth'; 'Murad Talukdar'; focus-ms@securityfocus.com
Subject: RE: exploit to vulnerability

Does WSUS let you have one server give different approved updates to
different groups?  I don't think SUS did that. 


 
Tom Milliner, CPA, MCSE
2404 Summer Place Dr.
Irving, TX  75062
(214) 540-2741
tom.milliner@verizon.net

-----Original Message-----
From: Richard Whitworth [mailto:Richard.Whitworth@hsbp.co.uk]
Sent: Friday, August 19, 2005 9:18 AM
To: Murad Talukdar; focus-ms@securityfocus.com
Subject: RE: exploit to vulnerability

Hi,

I use WSUS for desktops - I have one computer group configured for myself
and my technician. As patches appear they are approved for us, if they
don't cause any issues they are then approved for the rest of the
desktops. Turn around can be as little as a day.

Servers are a different matter, I tend to install the patches at planned
maintenance intervals so I have to take a view as to whether the issue
is serious enough for me to reboot the servers or if other layers of
protection such as AV software would mitigate any potential threat until
the next planned maintenance interval.

Richard

-----Original Message-----
From: Murad Talukdar [mailto:talukdar_m@subway.com]
Sent: 19 August 2005 07:11
To: focus-ms@securityfocus.com
Subject: exploit to vulnerability


With all the issues highlighting the speed that exploits are now being
written (e.g. http://www.securityfocus.com/news/11285 ), the window between
exploit/vuln appears, on average, to be getting tighter.

We have an SME network and I used to have a week or so to test patches
before rolling them out. 
This all begs the question now, with limited resources, do I just patch
and not worry about testing? I definitely have fewer resources than some
of the companies that were hit (CNN et al) and less time to dedicate to
patching. 

Should I just use auto updates/GP to patch everything regardless?
What do other SME admins do?

Kind Regards
Murad Talukdar
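
The staged rollout discussed in this thread (auto-approve for a small test group, release to the remaining desktops after a day or two, optionally with a deadline in the past to force installation) can be scripted against the WSUS administration API. The script below is an added example and is not part of any message in the thread; the group names `IT Pilot` and `Desktops`, the 24-hour soak period and the 30-day window are assumptions, and it must run on a machine with the WSUS administration console installed.

```powershell
# Added example: staged WSUS approvals (pilot group first, then all desktops).
# Assumed: target groups 'IT Pilot' and 'Desktops', a 24-hour soak period.
param(
    [string]$PilotGroup   = 'IT Pilot',
    [string]$DesktopGroup = 'Desktops',
    [int]$SoakHours       = 24,
    [switch]$PastDeadline   # force install via a deadline already in the past
)
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus    = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

$groups   = $wsus.GetComputerTargetGroups()
$pilot    = $groups | Where-Object { $_.Name -eq $PilotGroup }
$desktops = $groups | Where-Object { $_.Name -eq $DesktopGroup }
if (-not $pilot -or -not $desktops) { throw 'Target group not found on this WSUS server.' }

# Only critical and security updates that arrived in the last 30 days
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.FromArrivalDate = (Get-Date).AddDays(-30)
$wsus.GetUpdateClassifications() |
    Where-Object { 'Critical Updates', 'Security Updates' -contains $_.Title } |
    ForEach-Object { [void]$scope.Classifications.Add($_) }

foreach ($u in $wsus.GetUpdates($scope)) {
    if ($u.IsDeclined -or $u.IsSuperseded) { continue }
    $pilotApproval = $u.GetUpdateApprovals($pilot) |
        Where-Object { $_.Action -eq $install } | Select-Object -First 1
    if (-not $pilotApproval) {
        # Stage 1: release to the pilot group as soon as the update is synchronized
        [void]$u.Approve($install, $pilot)
        continue
    }
    $released = $u.GetUpdateApprovals($desktops) | Where-Object { $_.Action -eq $install }
    if ($released) { continue }   # already approved for general distribution

    # Stage 2: promote only after the soak period, and only with no pilot failures.
    # Approval timestamps are treated as UTC here (assumption).
    $ageHours = ([DateTime]::UtcNow - $pilotApproval.CreationDate).TotalHours
    $failed   = $u.GetSummaryForComputerTargetGroup($pilot).FailedCount
    if ($ageHours -lt $SoakHours -or $failed -gt 0) { continue }
    if ($PastDeadline) {
        [void]$u.Approve($install, $desktops, [DateTime]::UtcNow.AddDays(-1))
    } else {
        [void]$u.Approve($install, $desktops)
    }
    Write-Output ("Promoted to {0}: {1}" -f $DesktopGroup, $u.Title)
}
```

Run from a scheduled task, a plain invocation gives the 24-48 hour staged release; `-PastDeadline` is the per-update, per-group deadline option for updates that carry immediate risk.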



