Patching Policy

WolfTech’s Windows Server Update Services (WSUS) provide a convenient way to automatically keep your computer up-to-date with the latest software updates from Microsoft. The prompt installation of security updates is critical to the security of the NC State University Network. The WSUS leads are responsible for the maintenance of the WSUS server, the timely approval of patches, and the communication of monthly patch releases to the community.

For more info about WSUS, see: http://www.microsoft.com/windowsserversystem/updateservices/default.mspx
For documentation and technical support for WSUS on the WolfTech Domain: WSUS section of AD Documentation

Team

  • Lead: Vacant
  • Wade Cornett
  • Carol Hill
  • Joe Johnson
  • Gene Morse
  • Jonn Perry
  • Michael Underwood
  • Rob Blanke

Usage Policy

  • University-Owned Computers – All University-owned computers are automatically configured to use the Central WSUS to install updates. OU Administrators may edit the timing of when and how patches are applied, even point clients to another WSUS server, but all computers must talk to one.
  • Personal Machines – All personal machines used on the NC State University Network should be kept patched. These may be manually configured to use the WolfTech WSUS Service. See Active_Directory/Documentation/Personal_Computers_on_WSUS.
  • Home Machines – NCSU faculty and staff are encouraged to manually configure their home computers to use WolfTech WSUS. See Active_Directory/Documentation/Personal_Computers_on_WSUS.

Client Support

Patching supports the following client operating systems:

  • Windows 2000 SP3 or later
  • Windows XP, Vista, 7 & 8
  • Windows Server 2003, 2008, 2008-R2, 2012 & 2012-R2

Earlier operating systems, such as Windows 95, Windows 98, and Windows ME are not supported. These operating systems are no longer supported by Microsoft and should be upgraded immediately. Non-Windows operating systems are not supported.

Types of Patches

Automatically Approved Update Classifications

The WolfTech WSUS server has been configured to automatically download and approve for installation the following update classifications:

  • Definition Updates

Manually Approved Update Classifications

The following classifications of updates are downloaded to the WolfTech WSUS server but are not approved for installation without at least minimal testing by IT support staff. Unless critical circumstances arise, these patches will not be approved until after each month’s “Patch Tuesday”, and their approval will be accompanied by an email to the OU Admins:

  • Service Packs
  • Updates
  • Feature Packs
  • Tools
  • Critical Updates
  • Security Updates
  • Update Rollups

Unapproved Update Classifications

Updates that are classified as ‘Drivers’ are not downloaded to the WolfTech WSUS server.

Target Groups

Beginning in April 2009, the Central WSUS Service began using a new tagging convention for its WSUS target groups: Early, Normal, Late.

The intention of these timing tags is to allow the WSUS Administrators to approve patches at specific time intervals for select groups of machines, to which the OU Administrators subscribe their computers. The timelines and approval processes are well known to all involved, and allow for a flexibility not available in previous WSUS servers.

Naming conventions remain in place — an OU Administrator is still expected to place his computers into a target group starting with the name of his OU, but the addition of the timing tag is now also required. For example, within the ECE department, it would be expected to find “ECE-Normal” or “ECE-Early” as potential groups. Should a group be created without a timing tag, it is presumed to be “Normal” and will be approved as such. Groups wishing to include additional information in their target group name are not barred from doing so (“ECE-Teaching Labs-Early”), but these must still contain both the OU name and the timing tag.

This setting is currently set in most <OU>-OU Policy GPOs in WolfTech. The specific path to edit the setting is:

Early

Computers in groups with the “Early” tag will receive patches immediately. Once the WSUS admins see the patch is available, they push it to the “Early” groups.

OU Admins with “Early” groups are expected to join the activedirectory-patches@lists.ncsu.edu mailing list. Every patch the WSUS server downloads is sent to this list. Please note that you will likely receive hourly emails from this list — you’ll see not just security patches, but also definition updates which are automatically approved. However, this list will also be the only forewarning you will receive of patches that might cause your computer to reboot at night.

It is recommended that you limit the number of workstations you place in an “Early” group — perhaps only join those workstations (likely the desktops of your IT folks) which you wish to test patches on ahead of time. Any patches which cause issues should be brought to the attention of the WSUS Administrators, or announced on the Active Directory mailing list.

Notification: A notification to SysNews will not be made.

Normal

Computers within the “Normal” target groups will receive patches Thursday morning following Patch Tuesday. WSUS Administrators are expected to approve patches for these computers between 8:00 am and 9:30 am that morning. The “Personal” group used for personal or home machines will also be part of this group.

Notification: A notification to SysNews will be made once they have done so.

Late

Patches for this group will be released the Tuesday following Patch Tuesday (the 3rd Tuesday of the month). Once again, WSUS Administrators are expected to approve patches for these computers between 8:00 am and 9:30 am that morning.

Notification: A notification will be sent to the Active Directory mailing list to remind OU Admins of the patch release. A notification to SysNews will not be made.

A Google Calendar with “Patch Tuesdays” along with the WolfTech update schedule is available. Add ncsu.edu_e36inergvd0f31sl7dqq1afu2c@group.calendar.google.com to your NCSU Google Calendar.
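As an added example (not part of the WolfTech documentation), the PowerShell check below lets an OU Admin confirm on a client that it points at a WSUS server and that its target group follows the <OU>-<Tag> convention described above. It assumes the standard WSUS client-side-targeting policy values (WUServer, TargetGroup, TargetGroupEnabled under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate), which this page does not name, and uses “ECE” only as an illustrative OU name.

```powershell
# Added example, not WolfTech's own code. Assumes the standard WSUS Group Policy
# registry values; the page does not name the policy path.
$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$TimingTags  = @('Early', 'Normal', 'Late')

function Test-WolfTechTargetGroup {
    # Convention: <OU>[-optional text]-<Early|Normal|Late>. A group with no tag is
    # treated as Normal by the WSUS admins, but the tag is required, so flag it.
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$OuName      # e.g. 'ECE'
    )
    $parts  = $GroupName -split '-'
    $hasTag = ($parts.Count -gt 1) -and ($TimingTags -contains $parts[-1])
    [pscustomobject]@{
        GroupName = $GroupName
        OuMatches = ($parts[0] -eq $OuName)
        Tag       = if ($hasTag) { $parts[-1] } else { 'Normal' }
        Compliant = ($parts[0] -eq $OuName) -and $hasTag
    }
}

function Get-WsusClientAudit {
    # Reads this client's effective WSUS policy and reports what, if anything, is wrong.
    param([Parameter(Mandatory)][string]$OuName)
    $policy = Get-ItemProperty -Path $WuPolicyKey -ErrorAction SilentlyContinue
    if (-not $policy -or [string]::IsNullOrEmpty($policy.WUServer)) {
        # Usage policy: every University-owned computer must talk to a WSUS server.
        return [pscustomobject]@{ Compliant = $false; Reason = 'No WSUS server configured (WUServer not set)' }
    }
    if ($policy.TargetGroupEnabled -ne 1 -or [string]::IsNullOrEmpty($policy.TargetGroup)) {
        return [pscustomobject]@{ Compliant = $false; Reason = 'Client-side targeting disabled or no target group set' }
    }
    $group  = Test-WolfTechTargetGroup -GroupName $policy.TargetGroup -OuName $OuName
    $reason = if ($group.Compliant) { 'OK' }
              elseif (-not $group.OuMatches) { "Group does not start with OU name '$OuName'" }
              else { 'Group has no Early/Normal/Late tag (would be treated as Normal)' }
    [pscustomobject]@{
        Compliant  = $group.Compliant
        WsusServer = $policy.WUServer
        Group      = $group.GroupName
        Tag        = $group.Tag
        Reason     = $reason
    }
}

# Audit this machine as a client of the (illustrative) ECE OU.
Get-WsusClientAudit -OuName 'ECE' | Format-List
```

Run it in an elevated PowerShell session on the client; a client whose group is simply “ECE” reports the missing tag even though the WSUS admins would approve it on the Normal schedule.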

Out-of-Band Patching

Microsoft attempts to keep a regulated patch release schedule — the 2nd Tuesday of each month. However, there are situations when a vulnerability is found, deemed critical, and a patch is released outside of the normal timeline. A patch is typically issued outside the monthly release cycle due to an actively exploited vulnerability.

Types of Out-of-Band patches:

Emergency Patches

Emergency “out-of-band” security patches will be approved immediately for all target groups (Early, Normal, Late) as soon as they are available. All computers on the WolfTech domain, without exception, will receive the patch.

An announcement shall be made to SysNews warning of this upcoming patch. SysNews will be updated once the patch has been approved. OU Admins will be encouraged to communicate these to their end-users promptly.

Patch Revoke

When patches are revoked, they will no longer be pushed.

Patch Revisions

Once a patch has been approved and released, revisions released under the same KB number are automatically approved.

Links

  • For further assistance email activedirectory_patching@help.ncsu.edu.