Software Patch Update Guidelines

UC Berkeley security policy mandates that all devices connected to the UCB network comply with the Minimum Security Standard for Networked Devices. The recommendations below are provided as optional guidance to assist with achieving the Software Patch Update requirement.


Campus networked devices must run software for which security patches are made available. All currently available security patches must be applied on a schedule appropriate to the severity of the risk they mitigate.

Description of Risk

Security exploits in software are uncovered on a daily basis.  Vulnerabilities in software may be exploited to compromise systems resulting in data theft or the use of compromised systems to launch attacks.


Effective patch management requires a process to identify vulnerable software, evaluate available patches, test and deploy those patches, and confirm their successful installation. Most operating system (OS) vendors include a solution for patching, but such solutions typically cover only the OS itself. It is critical to supplement these solutions with application patching.

Some patching options include:

Microsoft Windows Server Update Service

IST offers a Microsoft Windows Server Update Service at  For users of the CalNet Active Directory service, Group Policy Objects (GPOs) may be used to configure the use of the IST managed WSUS server. Use GPO “Campus – WSUS” to configure updates to be automatically installed every day at 3:00am.
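To confirm that the policy actually reached a given client, the added example below (not part of the original guidance or an IST-provided script) reads the standard Windows Update policy registry values and compares them with "install automatically every day at 3:00am from a WSUS server". It assumes the GPO delivers those standard values; the WSUS URL is not given on this page, so `$ExpectedWsusUrl` is a placeholder to replace with your unit's value.

```powershell
# Added example: verify the Windows Update policy applied to this machine.
# Assumption: the "Campus – WSUS" GPO sets the standard Windows Update policy values.
param(
    # Placeholder only: supply the WSUS URL used by your unit.
    [string]$ExpectedWsusUrl = 'https://wsus.example.invalid'
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Expected values for "auto-install every day at 03:00 from WSUS".
$checks = @(
    @{ Path = $wuKey; Name = 'WUServer';             Expected = $ExpectedWsusUrl; Meaning = 'WSUS server URL' }
    @{ Path = $auKey; Name = 'UseWUServer';          Expected = 1; Meaning = 'Use the WSUS server above' }
    @{ Path = $auKey; Name = 'AUOptions';            Expected = 4; Meaning = 'Auto download and schedule install' }
    @{ Path = $auKey; Name = 'ScheduledInstallDay';  Expected = 0; Meaning = '0 = every day' }
    @{ Path = $auKey; Name = 'ScheduledInstallTime'; Expected = 3; Meaning = 'Hour of day (3 = 3:00am)' }
)

$results = foreach ($c in $checks) {
    $actual = Get-PolicyValue $c.Path $c.Name
    [pscustomobject]@{
        Setting   = $c.Name
        Meaning   = $c.Meaning
        Expected  = $c.Expected
        Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
        # Compare as strings; ignore a trailing slash on the URL.
        Compliant = ($null -ne $actual) -and
                    ("$actual".TrimEnd('/') -eq "$($c.Expected)".TrimEnd('/'))
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a management tool flag machines that missed the policy.
if ($results.Compliant -contains $false) { exit 1 }
```

A value shown as `<not set>` usually means the GPO is not linked to, or has not yet been applied on, the machine.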

Enterprise Patch Management Suites

Some campus units use an enterprise approach to system management with tools such as Microsoft System Center, Shavlik NetChk Protect, or the BigFix Enterprise Suite. These tools provide functionality that can be utilized to patch both operating systems and applications.

Additional Enterprise Patch Management Resources

hosts a mailing list dedicated to patch management with an excellent dialog about current trends.
