
Information Security Management

Security Patching Policy


Version 1.2
02 January 2008

University of Leeds 2008


The intellectual property contained within this publication is the property of the University of Leeds.
This publication (including its text and illustrations) is protected by copyright. Any unauthorised
projection, editing, copying, reselling, rental or distribution of the whole or part of this publication in
whatever form (including electronic and magnetic forms) is prohibited. [Any breach of this prohibition
may render you liable to both civil proceedings and criminal penalties].

Owner: Kevin Darley, IT Security Co-ordinator, Information Systems Services, University of Leeds

Source Location:

Document Reference:

Other Documents Referenced: Information Security Policy, Systems Security & Network Access & Management Policy.

Related Documents: Information Security Policy, Systems Security & Network Access & Management Policy, Security Patching Policy, Use of Computer Systems Policy

Acknowledgements:

Document Control
This document is subject to change control and any amendments will be recorded below.

Change History

Version  Date      Circulation                      Changes
1.0      05/05/05  http://campus.leeds.ac.uk/isms   First formal issue
1.1      22/05/06  http://campus.leeds.ac.uk/isms   New University logo and removal of common information in Section 1
1.2      02/01/08  http://campus.leeds.ac.uk/isms

Version Awareness
The audience of this document should be aware that a physical copy may not be the latest available
version. The latest version, which supersedes all previous versions, is available at
http://campus.leeds.ac.uk/isms. Those to whom this Policy applies are responsible for familiarising
themselves periodically with the latest version and for complying with Policy requirements at all times.

Information Security Management 1.2 (02/01/08) Page 2 of 11


Security Patching Policy

Contents
1. Introduction ........ 4
1.1. Background ........ 4
1.2. Applicability ........ 4
2. Security Maintenance and Management ........ 5
2.1. Security Patching Policy ........ 5
2.2. Microsoft Operating System Machines ........ 5
2.3. Non-Microsoft Operating Systems ........ 7
3. Annexes ........ 9
3.1. Annex A Patching and Service Pack Deployment Procedures for Compatible Microsoft Operating System Computers ........ 9
3.2. Annex B Guidelines for the Security Maintenance of Non-Microsoft Operating System Platforms ........ 10


1. Introduction
1.1. Background
The ever increasing use of digitised and networked information at the University intensifies the
risk of data being copied, modified, hidden or encrypted, accessed by unauthorised persons,
stolen or destroyed. Furthermore, unless systems are appropriately secured, there is an
increased risk that they will be used to mount attacks against other organisations, potentially
damaging the reputation of the University.
In addition, it is essential for the protection of those who administer and manage IT/IS facilities to
do so within the framework of the numerous laws that concern data and information, so that
individuals do not find themselves liable to criminal proceedings as a result of their activities.
The technical controls that are used within the University provide an essential element of the
required protection. However, these only deliver part of the solution, the most effective defence
being achieved through awareness and good working practices.
This document forms the University's Security Patching Policy in support of its Information
Security Policy. Compliance with this Policy will ensure that consistent controls are applied
throughout the University to minimise exposure to security breach. The University's Information
Security Policy and a full list of Supporting Policies within the Information Security Management
System (ISMS) framework can be found at http://campus.leeds.ac.uk/isms.
1.2. Applicability
This Policy is primarily aimed at systems administrators and technical support staff (including ISS
staff) who are responsible for the development and maintenance of IT/IS facilities. Applicability
naturally extends to anyone else who is subjected to the Policy framework who undertakes
activities governed by this Policy.
It is the personal responsibility of each person to whom this Policy applies to adhere fully to its
requirements. However, Deans and Heads of Schools/Services [1] are responsible for
implementing this Policy within their respective faculty/department and for overseeing compliance
by staff under their direction or supervision.

[1] Throughout this document, this also generically includes Heads of Centres & Institutes.


2. Security Maintenance and Management


2.1. Security Patching Policy [2]
All University computer systems that connect to the University's network, regardless of operating
system, including routers and switches, are to be protected both from malicious code and
hacking attacks which exploit software vulnerabilities, through the deployment and installation of
operating system security patches.
Critical security patches must be installed universally across applicable University computers,
when they become available, in accordance with this Policy.
2.2. Microsoft Operating System Machines
2.2.1 Desktop Patching Options
All desktop computers that are accessible from the University network must be fully patched up to
date.
ISS offer a centrally provided patching service for recent versions of Windows. Faculty, school or
department computer support staff must either use this service or patch their machines under
their own arrangements (see Annex A).
Those who prefer to apply patches under their own arrangements must choose a mechanism that
will complete their delivery in the same time frame as patches deployed by the ISS centrally
provided patching service.
Any faculty, school or department that chooses not to subscribe to the ISS centrally provided
patching service must be able to demonstrate that they have an effective alternative facility in
place.

2.2.2 Patch Testing, Release and Problem Reporting


ISS will commence testing the latest Microsoft patches on the second Wednesday of every
month and release them via the centrally provided patching service on the last Wednesday of
each month.
If problems are discovered with the patches during the testing period, an e-mail will be sent to
the membership of nets-list@lists.leeds.ac.uk and iss-tech-reps@lists.ac.uk highlighting the
problem and providing advice where applicable.
Members of faculties, schools and departments that do not subscribe to the ISS centrally
provided patching service are responsible for adhering to this schedule and for conducting their
own patch testing. Anyone who falls into this category who discovers a problem with a patch
during testing is required to alert other computer support staff of the problem by e-mailing details
to the membership of nets-list@lists.leeds.ac.uk and iss-tech-reps@lists.ac.uk.

2.2.3 Accelerated Patch Release


When an exploit for a vulnerability is published prior to the roll-out of a patch, an assessment will
be carried out by ISS, if necessary in conjunction with the University's Virus Management
Working Group, to determine whether a reduced testing period and early deployment are
considered necessary.
Where the risk of system compromise is considered to be greater than the risk of deploying a
partially tested patch, a decision will be taken to release the patch early.

[2] This Policy does not apply to application software or printers at the time of writing, although it will be revised to
include these aspects in the future should this be considered necessary.


Patches may also be released early during periods when the University is about to close, so that
systems are not exposed should an exploit to a vulnerability become available during staff
absence.
ISS will notify computer support staff, via an e-mail to nets-list@lists.leeds.ac.uk and
iss-tech-reps@lists.ac.uk, when a decision has been taken to release patches early.
Members of faculties, schools and departments that do not subscribe to the ISS centrally
provided patching service must be able to patch their systems in the same time frame as ISS in
any early-release circumstances.

2.2.4 Compliance Reporting and Monitoring


Systems must be monitored to ensure that the patches have been applied. ISS will use an
automated mechanism for reporting the patching compliance of PCs that are in the DS Domain.
Computer support staff who participate in the reporting mechanism are responsible for confirming
the patch compliance of their systems and taking prompt remedial action where systems are
found to be not fully up to date.
Computer support staff who do not have systems in the DS Domain, and those who do but who
choose not to use the reporting facility offered by ISS, are to implement their own process to
monitor patch compliance. Action must be taken promptly to update the patching of any machine
that is found to be out of date.

2.2.5 Portable and Occasional Network Attached Computers


Portable computers are to be subscribed to the ISS centrally provided patching service, or utilise
the respective local faculty, school or department system of patch deployment, or have
administrator rights with their custodian instructed to regularly update patches from
http://windowsupdate.microsoft.com.
Other computers that are not connected to the Campus network for lengthy periods are to be
subscribed to the ISS centrally provided patching service, or utilise the respective local faculty,
school or department system of patch deployment.
ISS Network and Systems Administration team (NaSA) will e-mail an alert to all members of staff
who have registered their portable computer with ISS, in accordance with the Use of Computer
Systems Policy, when critical patches become available. The custodian of each portable
computer is then responsible for ensuring that it is patched as soon as possible using whatever
means are in place for that specific device.

2.2.6 Patching of Servers


Servers running Microsoft operating systems are to have security patches applied within two
working weeks of the patches being released. An automated means of patch deployment may
be used to fulfil this requirement, although time schedules are to be chosen by the respective
administrator rather than being fully automated.
Computer support staff in faculties, schools and departments that do not have a Facilities
Management Agreement (FMA) with ISS for server support are to make their own arrangements
for patching their servers, although this can be done through the ISS centrally provided patching
service by those who wish to use that service.
Those who prefer to apply patches under their own arrangements must choose a mechanism that
will fulfil delivery in a timely manner so that deployment is completed in conjunction with the
WSUS roll-out. In addition, the effectiveness of the patch deployment must be demonstrable.
An e-mail is to be sent to nets-list@lists.leeds.ac.uk and iss-tech-reps@lists.ac.uk reporting any
issues that need to be raised concerning the deployment of server patches.


2.2.7 Service Pack Testing, Deployment and Compliance Reporting


Faculty, school or department computer support staff must either use the service pack
deployment mechanisms provided by ISS, for operating system compatible versions of desktop
machines (see Annex A) or implement their own means of service pack distribution. ISS will
manually apply service packs to its own and FMA faculty, school and department servers.
Where it is decided not to use the ISS service pack deployment facility, any local arrangements
must fulfil delivery in a timely manner so that deployment is completed in conjunction with the ISS
centrally provided service.
Service packs are to be tested prior to deployment, although the testing of them will vary
depending upon their complexity. Anyone identifying or experiencing a problem during service
pack testing is required to share details with computer support staff throughout campus by
e-mailing details to nets-list@lists.ac.uk and iss-tech-reps@lists.ac.uk.
The release of service packs may be accelerated where security risks justify such action and in
such cases ISS will notify computer support staff by e-mail via nets-list@lists.ac.uk and
iss-tech-reps@lists.ac.uk.
ISS will use an automated mechanism for reporting service pack compliance of machines that
are in the DS Domain. Computer support staff who utilise the reporting facility are responsible for
confirming the service pack compliance of their systems and taking prompt remedial action where
systems are found to be not fully up to date.
Computer support staff who do not have systems in the DS Domain, and those who do but who
choose not to use the reporting facility offered by ISS, are to implement their own process to
monitor service pack compliance. Action must be taken promptly to update the service pack of
any machine that is found to be out of date.
2.3. Non-Microsoft Operating Systems
2.3.1 Patch Sourcing
Staff who are responsible for the maintenance of desktop machines and servers that run
operating systems other than those that are Microsoft based are required to subscribe to the
appropriate security mailing services of their respective technology providers, so that they are
kept up to date with details of vulnerabilities, exploits and patches associated with their particular
platform.

2.3.2 Classification, Testing and Deployment of Patches and Patch Sets


Security patches that are designed to fix vulnerabilities that are (or may be) exploitable either
remotely or without the use of a user account are to be classed as critical.
Patches are to be applied to less important machines first, where possible, in order to test them
before they are rolled out to more critical systems. However, priority must always be given to
patching machines that are visible from off campus.
Anyone who experiences problems during or following the deployment of a patch is required to
raise the awareness of other administrators who operate the same type of system via the
appropriate mailing list i.e. unix-managers@lists.leeds.ac.uk, or mac-sig@lists.leeds.ac.uk.
Guidelines for the security maintenance of non-Microsoft operating system platforms can be
found at Annex B.
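An added example, not part of the policy, that encodes the two rules of 2.3.2 as a small planning tool: an advisory is classed critical if it is exploitable remotely or without a user account, and the roll-out is ordered so that machines visible from off campus go first, with less important machines patched ahead of more critical ones within each group so each wave acts as a test for the next. The importance scale, advisory ids and host names are constructed for illustration.

```python
"""Advisory classification and staged roll-out ordering (section 2.3.2)."""
from dataclasses import dataclass
from itertools import groupby


@dataclass(frozen=True)
class Advisory:
    vendor_id: str       # vendor's own reference (constructed values below)
    remote: bool         # exploitable over the network
    needs_account: bool  # attacker must already hold a user account on the machine


@dataclass(frozen=True)
class Host:
    name: str
    importance: int           # constructed scale: 1 = expendable ... 3 = business critical
    off_campus_visible: bool  # reachable from outside the campus network


def is_critical(advisory):
    """Critical if exploitable remotely OR without a user account; either condition suffices."""
    return advisory.remote or not advisory.needs_account


def classify(advisories):
    """Map each advisory id to the class the policy puts it in."""
    return {a.vendor_id: ("critical" if is_critical(a) else "routine") for a in advisories}


def _wave_key(host):
    # Off-campus-visible machines first (False sorts before True, hence the negation),
    # then ascending importance so each wave tests the patch before the next one.
    return (not host.off_campus_visible, host.importance)


def rollout_waves(hosts):
    """Group hosts into ordered waves; a wave is completed before the next one starts."""
    ordered = sorted(hosts, key=lambda h: _wave_key(h) + (h.name,))
    return [[h.name for h in group] for _, group in groupby(ordered, key=_wave_key)]


# Constructed sample data, not from the policy.
SAMPLE_ADVISORIES = [
    Advisory("VEND-2008-001", remote=True, needs_account=True),    # remote, needs a login
    Advisory("VEND-2008-002", remote=False, needs_account=True),   # local, needs a login
    Advisory("VEND-2008-003", remote=False, needs_account=False),  # local, no account needed
]

SAMPLE_HOSTS = [
    Host("dept-file-srv", importance=3, off_campus_visible=False),
    Host("www-public", importance=3, off_campus_visible=True),
    Host("test-box", importance=1, off_campus_visible=False),
    Host("ssh-gateway", importance=2, off_campus_visible=True),
    Host("lab-desktop", importance=1, off_campus_visible=False),
    Host("dmz-test", importance=1, off_campus_visible=True),
]

if __name__ == "__main__":
    print(classify(SAMPLE_ADVISORIES))
    for number, wave in enumerate(rollout_waves(SAMPLE_HOSTS), 1):
        print(f"wave {number}: {', '.join(wave)}")
```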


2.3.3 Patching of Routers and Switches


ISS Network Management staff will subscribe to appropriate security alert e-mailing lists and
proactively monitor appropriate web sites for notification of any vulnerabilities affecting routers
and switches.
Where vulnerabilities are found to apply to University network devices, advice will be sought from
the University's third party network support contractor to determine whether it is feasible to use a
work-around solution rather than apply a patch immediately. Where possible the application of
patches will be deferred until the next available scheduled maintenance slot. However, where
deferment is not advisable, a risk assessment will be carried out and remedial action will be
taken, following local procedures which are designed to minimise disruption.
Faculty, school and departmental computer support staff who operate their own network devices
are required to operate their own patch monitoring and deployment.

2.3.4 Network Blocking of Non-Updated Computers


When the perceived risk warrants such action, computers that are not kept fully up to date with
patches and service packs may have their network access blocked in accordance with the
Systems Security & Network Access & Management Policy, prior to them becoming
compromised. This action may also be extended across faculty, school or department sub-nets
where justified.
Computers that are blocked from the network as a result of being out of date with their patches or
service packs will only be reconnected when it can be demonstrated that they have been brought
up to date and are secure.


3. Annexes
3.1. Annex A Patching and Service Pack Deployment Procedures for Compatible Microsoft Operating System Computers
3.1.1 Desktop Patching & Compliance Reporting
ISS are currently using the Microsoft Windows Software Update Service* (WSUS) to deliver
patches to compatible Microsoft operating system machines that are in the DS Domain.
Computer support staff whose systems are in the DS Domain and who wish to utilise the service
will have to configure their clients to point at the WSUS server.
To reduce the probability of error, all updates on the ISS WSUS server will be approved in the
presence of two members of PC Desktop Support staff.
Compliance reports to establish the effectiveness of patch deployment will be produced by the
Microsoft Systems Management Server (SMS 2003). These reports will be available to computer
support staff who have machines in the DS Domain and who have subscribed to the SMS 2003
Report facility.

3.1.2 Server Patching


ISS will patch its own and FMA faculty, school and departmental servers using WSUS.
Where there is no FMA with ISS for server support, faculty, school and departmental computer
support staff can patch their servers in the DS Domain using the WSUS patch deployment should
they so wish.

3.1.3 Patch Sourcing, Testing and Release


ISS will normally receive Microsoft security patches each month (usually on the second Tuesday)
accompanied by e-mail notification, which is sent to the Microsoft Update email alert and the
Microsoft Security Notification Service mailing lists. The procedure for deploying these patches is
described below. You can subscribe to these mailing lists by going to
http://www.microsoft.com/security/bulletins/alerts.mspx.
On receipt of an update ISS will:
- assess each patch early on the day of release and decide whether it is appropriate to escalate the assessment to the IT Security Co-ordinator with a view to seeking authority for an early release;
- approve the updates on WSUS for PCs that are members of the Test PCs group on the WSUS Server;
- monitor test machines to ensure there are no side-effects or unwanted issues associated with the update;
- on the last Wednesday of each month, approve the updates on the WSUS server for all PCs which connect to the server.
When ISS PC Desktop Support staff escalate the assessment of a patch to the IT Security
Co-ordinator with a view to seeking authority for an early release, the IT Security Co-ordinator will
consult relevant ISS managers, the Virus Management Working Group members or the
Information Security Group members, as appropriate.

*
This technology is correct at the time of writing, although Windows Update Service (WUS) and other technology may
be used when it becomes available.


When Microsoft releases an update outside of their normal schedule in respect of a severe
vulnerability, the ISS PC Desktop Support team will:
- review it on the day of release, make an initial judgement of the severity of the issue and inform the IT Security Co-ordinator;
- draw up a revised approval schedule;
- approve the specific update(s) relating to the accelerated deployment on the WSUS test server (DPM-TEST) on the day of release;
- inform members of the Nets-list, ISS-Tech-Reps and System-SIG mailing lists of the revised schedule for the updates concerned;
- monitor the test machines to ensure there are no side-effects or unwanted issues associated with the update;
- approve the specific update(s) relating to the emergency according to the schedule.

3.1.4 Service Packs


ISS will use a combination of SMS and WSUS to deploy service packs in the DS Domain. The
effectiveness of the deployment to all systems may be measured using SMS2003 Report by
those who have their machines in the DS Domain and who choose to participate in the Report
service.
ISS will manually apply service packs to its own and FMA faculty, school and department
servers.

3.1.5 Other Patch Deployment Technology


IT support staff whose systems are not in the DS Domain may wish to use an alternative
technology for patch deployment, such as St Bernard Update Expert or Quest. One advantage of
using such technology is that it can also be used for the patching of UNIX systems.
In addition, St Bernard Update Expert can be used to automatically check laptops when they are
next connected to the network and update them with the patches that they missed whilst
disconnected.
3.2. Annex B Guidelines for the Security Maintenance of Non-Microsoft Operating System Platforms
All administrators should subscribe to a security mailing list relevant to their operating system and
any additional software that they run.
They should also regularly review security alerts and advisories on associated web sites.
Relevant lists and web sites include:
Solaris
Patches are available from http://sunsolve.sun.com.
Sun provide a recommended set of patches for all versions of Solaris but only those for Solaris
2.5.1 and newer are actively maintained.
IRIX
Patches and mailing lists are available from http://www.sgi.com/security. Only IRIX 6.5 and newer
is actively supported.
Linux


Linux distributions routinely include large numbers of software packages but support them for
less time than do Microsoft or vendors of traditional Unix systems such as Solaris and IRIX.
Some Linux distributions operate a paid-for subscription service for updates but all the major
ones make security patches available for free.
Redhat:
Security updates for the official RedHat releases can be found at
http://www.redhat.com/security/updates. Only versions 2.1 and upwards are supported.
Updates from the freely-distributable `Fedora' releases can be found at
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/.
Fixes for older Redhat versions may be available from http://fedoralegacy.org/.
Users with subscriptions can install security fixes via the up2date tool.
Novell/SuSE:
Novell updates can be downloaded from http://support.novell.com/patches.html. Versions 8.2
and higher are supported. Updates can be installed automatically via `Red Carpet'.
Security announcements are sent to the suse-security-announce mailing list, which can be
joined via the web page at http://www.suse.com/us/private/support/online_help/mailinglists/.
Debian:
Debian provides security support for the `stable' distribution. The recommended way to install
security fixes is via `apt' as described at http://www.debian.org/security.
Security announcements are sent to the debian-security-announce list, which is available via
http://lists.debian.org/debian-security-announce/.
Mandrake
Security announcements are sent to security-announce@linux.com.
Linux security patches are available at http://www.linux-sec.net/Patches/
Mandrake Linux recommend using the MandrakeUpdate utility to apply security fixes. Only
versions 10.0 and newer are actively supported.
BSD Unix
Security information on the two FreeBSD distributions, NetBSD and OpenBSD, can be found at
http://www.netbsd.org/Security/ and http://www.openbsd.org/security.html.
FreeBSD distributes security patches through CVS over the Internet. A FreeBSD server can be
configured with a periodic task, for example a weekly cron job, to synchronise the OS source with
the security branch of its release version. For example, if your FreeBSD is release 4.8, the CVS
tag for the security branch of FreeBSD is 'RELENG_4_8'.
Upon receiving a FreeBSD security advisory, follow its instructions for applying the source-level
patch. This is usually as simple as changing to the directory of the affected source and running
'make install'. If the security vulnerability concerns the kernel, then a reboot after patching
is required.
Macintoshes
The Apple security page is currently at http://www.apple.com/support/security and the relevant
email list is "Security-announce".
Subscribe at http://lists.apple.com/mailman/listinfo/security-announce.
