Document Control
This document is subject to change control and any amendments will be recorded below.
Change History
Version | Date | Circulation | Changes
1.0 | 05/05/05 | http://campus.leeds.ac.uk/isms | First formal issue
1.1 | 22/05/06 | http://campus.leeds.ac.uk/isms | New University logo and removal of common information in Section 1
1.2 | 02/01/08 | http://campus.leeds.ac.uk/isms |
Version Awareness
The audience of this document should be aware that a physical copy may not be the latest available
version. The latest version, which supersedes all previous versions, is available at
http://campus.leeds.ac.uk/isms. Those to whom this Policy applies are responsible for familiarising
themselves periodically with the latest version and for complying with Policy requirements at all times.
Contents
1. Introduction
1.1. Background
1.2. Applicability
2. Security Maintenance and Management
2.1. Security Patching Policy
2.2. Microsoft Operating System Machines
2.3. Non-Microsoft Operating Systems
3. Annexes
3.1. Annex A Patching and Service Pack Deployment Procedures for Compatible Microsoft Operating System Computers
3.2. Annex B Guidelines for the Security Maintenance of Non-Microsoft Operating System Platforms
1. Introduction
1.1. Background
The ever increasing use of digitised and networked information at the University intensifies the
risk of data being copied, modified, hidden or encrypted, accessed by unauthorised persons,
stolen or destroyed. Furthermore, unless systems are appropriately secured, there is an
increased risk that they will be used to mount attacks against other organisations, potentially
damaging the reputation of the University.
In addition, it is essential for the protection of those who administer and manage IT/IS facilities to
do so within the framework of the numerous laws that concern data and information, so that
individuals do not find themselves liable to criminal proceedings as a result of their activities.
The technical controls that are used within the University provide an essential element of the
required protection. However, these only deliver part of the solution, the most effective defence
being achieved through awareness and good working practices.
This document forms the University's Security Patching Policy in support of its Information
Security Policy. Compliance with this Policy will ensure that consistent controls are applied
throughout the University to minimise exposure to security breaches. The University's Information
Security Policy and a full list of Supporting Policies within the Information Security Management
System (ISMS) framework can be found at http://campus.leeds.ac.uk/isms.
1.2. Applicability
This Policy is primarily aimed at systems administrators and technical support staff (including ISS
staff) who are responsible for the development and maintenance of IT/IS facilities. Applicability
naturally extends to anyone else who is subjected to the Policy framework who undertakes
activities governed by this Policy.
It is the personal responsibility of each person to whom this Policy applies to adhere fully to its
requirements. However, Deans and Heads of Schools/Services [1] are responsible for
implementing this Policy within their respective faculty/department and for overseeing compliance
by staff under their direction or supervision.
[1] Also generically refers to Heads of Centres & Institutes throughout.
[2] This policy is not applicable to application software or printers at the time of writing, although it will be revised to
include these aspects in the future should this be considered necessary.
Patches may also be released early during periods when the University is about to close, so that
systems are not exposed should an exploit to a vulnerability become available during staff
absence.
Computer support staff will be notified by ISS when a decision has been taken to release patches
early via an e-mail to nets-list@lists.leeds.ac.uk and iss-tech-reps@lists.ac.uk.
Members of faculties, schools and departments that do not subscribe to the ISS centrally
provided patching service must be able to patch their systems in the same time frame as ISS in
any early-release circumstances.
3. Annexes
3.1. Annex A Patching and Service Pack Deployment Procedures for Compatible Microsoft Operating System Computers
3.1.1 Desktop Patching & Compliance Reporting
ISS are currently using the Microsoft Windows Software Update Service* (WSUS) to deliver
patches to compatible Microsoft operating system machines that are in the DS Domain.
Computer support staff whose systems are in the DS Domain and who wish to utilise the service
will have to configure their clients to point at the WSUS server.
To reduce the probability of error, all updates on the ISS WSUS server will be approved in the
presence of two members of PC Desktop Support staff.
Compliance reports to establish the effectiveness of patch deployment will be produced by the
Microsoft Systems Management Server (SMS 2003). These reports will be available to computer
support staff who have machines in the DS Domain and who have subscribed to the SMS 2003
Report facility.
* This technology is correct at the time of writing, although Windows Update Service (WUS) and other technology may
be used when it becomes available.
When Microsoft releases an update outside of their normal schedule in respect of a severe
vulnerability, the ISS PC Desktop Support team will:
- Review it on the day of release, make an initial judgement of the severity of the issue and inform the IT Security Co-ordinator;
- Draw up a revised approval schedule;
- Approve the specific update(s) relating to the accelerated deployment on the WSUS test server (DPM-TEST) on the day of release;
- Inform members of the Nets-list, ISS-Tech-Reps and System-SIG mailing lists of the revised schedule for the updates concerned;
- Monitor the test machines to ensure there are no side-effects or unwanted issues associated with the update;
- Approve the specific update(s) relating to the emergency according to the schedule.
Linux distributions routinely include large numbers of software packages but support them for
less time than do Microsoft or vendors of traditional Unix systems such as Solaris and IRIX.
Some Linux distributions operate a paid-for subscription service for updates but all the major
ones make security patches available for free.
Redhat:
Security updates for the official RedHat releases can be found at
http://www.redhat.com/security/updates. Only versions 2.1 and upwards are supported.
Updates for the freely-distributable 'Fedora' releases can be found at
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/.
Fixes for older Redhat versions may be available from http://fedoralegacy.org/.
Users with subscriptions can install security fixes via the up2date tool.
Novell/SuSE:
Novell updates can be downloaded from http://support.novell.com/patches.html. Versions 8.2
and higher are supported. Updates can be installed automatically via 'Red Carpet'.
Security announcements are sent by the suse-security-announce mailing list, which can be
joined via the web page at http://www.suse.com/us/private/support/online_help/mailinglists/.
Debian:
Debian provides security support for the 'stable' distribution. The recommended way to install
security fixes is via 'apt' as described at http://www.debian.org/security.
Security announcements are sent to the debian-security-announce list, which is available via
http://lists.debian.org/debian-security-announce/.
Mandrake:
Security announcements are sent to security-announce@linux.com.
Linux security patches are available at http://www.linux-sec.net/Patches/.
Mandrake Linux recommends using the MandrakeUpdate utility to apply security fixes. Only
versions 10.0 and newer are actively supported.
BSD Unix:
Security information on the two FreeBSD distributions, NetBSD and OpenBSD, can be found at
http://www.netbsd.org/Security/ and http://www.openbsd.org/security.html.
FreeBSD distributes security patches through CVS over the Internet. A FreeBSD server can be
configured with a periodic task, for example a weekly cron job, to synchronise the OS source with
the security branch of its release version. For example, if the FreeBSD release is 4.8, the CVS
tag for its security branch is 'RELENG_4_8'.
Upon receiving a FreeBSD security advisory, follow its instructions for the source-level patch. This
is usually as simple as navigating to the directory of the affected source and running
'make install'. If the vulnerability is in the kernel, a reboot is required after patching so that the
rebuilt kernel is actually running.
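The FreeBSD routine above as a cron-friendly helper script. This is an added example, not part of the University policy or of FreeBSD's own tooling; it assumes the source tree is in /usr/src, that CVSROOT is a placeholder mirror address to be replaced, and that DRY_RUN=1 prints the commands rather than running them.

```shell
#!/bin/sh
# Helper for the weekly security-branch sync and advisory handling described
# above (added example; the CVSROOT value is a constructed placeholder).
set -u

SRC_DIR="${SRC_DIR:-/usr/src}"
CVSROOT="${CVSROOT:-:pserver:anoncvs@cvs-mirror.example.invalid:/home/ncvs}"
DRY_RUN="${DRY_RUN:-1}"

# Map a release string as printed by `uname -r` (e.g. "4.8-RELEASE-p3")
# to the security-branch CVS tag, e.g. RELENG_4_8. Fails on unparsable input.
releng_tag() {
    mm=$(printf '%s' "$1" | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1_\2/p')
    [ -n "$mm" ] || return 1
    printf 'RELENG_%s\n' "$mm"
}

# Build the cvs command that brings the checked-out "src" module onto the
# security branch for this release (run from the parent of SRC_DIR).
cvs_sync_cmd() {
    tag=$(releng_tag "$1") || return 1
    printf 'cvs -d %s -q update -r%s -Pd src\n' "$CVSROOT" "$tag"
}

# Succeed if any updated path (space separated list) lies under the kernel
# tree: that is the case in which the advisory requires a reboot.
needs_reboot() {
    for f in $1; do
        case "$f" in
            sys/*|src/sys/*|/usr/src/sys/*) return 0 ;;
        esac
    done
    return 1
}

# Print the operator's action list for one advisory: sync command, the
# directory to build in and whether a reboot is needed afterwards.
advisory_plan() { # $1 release, $2 fix directory relative to SRC_DIR, $3 updated files
    cvs_sync_cmd "$1" || return 1
    printf 'cd %s/%s && make install\n' "$SRC_DIR" "$2"
    if needs_reboot "$3"; then echo "reboot required: kernel sources changed"
    else echo "no reboot required"; fi
}

run() { if [ "$DRY_RUN" = 1 ]; then printf 'DRY RUN: %s\n' "$*"; else sh -c "$*"; fi; }

# Weekly cron entry point: sync the tree for the running release.
weekly_sync() { cmd=$(cvs_sync_cmd "$(uname -r)") || return 1; run "cd $(dirname "$SRC_DIR") && $cmd"; }
```

Install it as a weekly cron job with DRY_RUN=0 and a real mirror address once the output has been checked.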
Macintoshes:
The Apple security page is currently at http://www.apple.com/support/security and the relevant
email list is "Security-announce".
Subscribe at http://lists.apple.com/mailman/listinfo/security-announce.