|
 |
|
|
| |
Information Assurance > Patch Management |
| |
To correct vulnerabilities, ReliaTrust uses Microsoft's Software Update Services (SUS). This system installs a service that can download all critical updates and security updates and service packs as they are posted to the Microsoft Windows® Update Web site. When administrators have approved these updates, SUS will automatically make them available to all preconfigured servers running Microsoft Windows Server™ 2003 and Windows 2000, as well as to desktops running Windows XP Professional and Windows 2000 Professional. SUS supports critical and security updates-including service packs-that apply to the operating system and components included with the operating system. All other software updates - applications - will need to be handled using a different mechanism.
ReliaTrust will use our configuration management process to approve the new updates on the SUS test server. After approval, the update will become immediately available to all SUS test clients. The SUS test clients will poll the SUS test server every 22 hours, minus up to 20 percent for randomization. This is to avoid having all SUS clients poll the server at the same time. After successful testing, the SUS administrator should approve that update on the SUS parent server. After the update is approved on the SUS parent server, SUS clients reporting in to that server begin downloading it, by default, within 22 hours. Installation starts according to the specified schedule, or when it is performed by the local administrator. Client computers reporting in to SUS child servers will start downloading the update up to 22 hours from the point at which the approval reaches the child server.
Using Active Directory and Group Policy Objects, ReliaTrust applies custom Automatic Update settings can be applied to the entire domain or to individual Organizational Units (OU). This allows an administrator to direct all computers in a specific OU to a designated child SUS server and set the preferences for controlling the method and time that a patch is installed. Workstations can be configured remove all user control of the Automatic Update environment, allowing the administrators to fully control the patch installation process. Servers in a separate OU can be configured to download the approved update but hold the installation until an administrator manually completes the install, controlling the timing of any required reboots.
|
|
|
|
