Patching Policy

WolfTech’s Windows Server Update Services (WSUS) provide a convenient way to automatically keep your computer up-to-date with the latest software updates from Microsoft. The prompt installation of security updates is critical to the security of the NC State University Network. The WSUS leads are responsible for the maintenance of the WSUS server, the timely approval of patches, and the communication of monthly patch releases to the community.

For more info about WSUS, see: http://www.microsoft.com/windowsserversystem/updateservices/default.mspx
For documentation and technical support for WSUS on the WolfTech Domain, see the WSUS section of the AD Documentation.

Team

  • Lead: Vacant
  • Wade Cornett
  • Carol Hill
  • Joe Johnson
  • Gene Morse
  • Jonn Perry
  • Michael Underwood
  • Rob Blanke

Usage Policy

  • University-Owned Computers – All University-owned computers are automatically configured to use the Central WSUS to install updates. OU Administrators may edit the timing of when and how patches are applied, even point clients to another WSUS server, but all computers must talk to one.
  • Personal Machines – All personal machines used on the NC State University Network should be kept patched. These may be manually configured to use the WolfTech WSUS Service. See Active_Directory/Documentation/Personal_Computers_on_WSUS.
  • Home Machines – NCSU faculty and staff are encouraged to manually configure their home computers to use WolfTech WSUS. See Active_Directory/Documentation/Personal_Computers_on_WSUS.

Client Support

Patching supports the following client operating systems:

  • Windows 7 and later
  • Windows Server 2008 and later

Operating systems that are no longer supported by Microsoft are not patched and should be upgraded immediately. Non-Windows operating systems are not supported.

Types of Patches

Automatically Approved Update Classifications

The WolfTech WSUS server has been configured to automatically download and approve for installation the following update classifications:

  • Definition Updates

Manually Approved Update Classifications

The following classifications of updates are downloaded to the WolfTech WSUS server but are not approved for installation until IT support staff have done at least minimal testing. Unless critical circumstances arise, these patches will not be approved until after each month’s “Patch Tuesday”, and their approval will be accompanied by an email to the OU Admins:

  • Service Packs
  • Updates
  • Feature Packs
  • Tools
  • Critical Updates
  • Security Updates
  • Update Rollups

Unapproved Update Classifications

Updates that are classified as ‘Drivers’ are not downloaded to the WolfTech WSUS server.

Target Groups

Beginning in April 2009, the Central WSUS Service began using a new tagging convention for its WSUS target groups: Early, Normal, Late.

The intention of these timing tags is to allow the WSUS Administrators to approve patches at specific intervals for the groups of machines that OU Administrators subscribe their computers to. The timelines and approval processes are well known to all involved, and allow for flexibility that was not available with previous WSUS servers.

Naming conventions remain in place — an OU Administrator is still expected to place his computers into a target group whose name starts with the name of his OU, but the timing tag is now also required. For example, within the ECE department, it would be expected to find “ECE-Normal” or “ECE-Early” as potential groups. Should a group be created without a timing tag, it is presumed to be “Normal” and patches will be approved for it as such. Groups wishing to include additional information in their target group name are not barred from doing so (“ECE-Teaching Labs-Early”), but the name must still contain both the OU name and the timing tag.

This setting is currently set in most <OU>-OU Policy GPOs in WolfTech. The specific path to edit the setting is:

Early

Computers in groups with the “Early” tag will receive patches immediately. Once the WSUS admins see the patch is available, they push it to the “Early” groups.

OU Admins with “Early” groups are expected to join the activedirectory-patches@lists.ncsu.edu mailing list. Every patch the WSUS server downloads is sent to this list. Please note that you will likely receive hourly emails from this list — you’ll see not just security patches, but also definition updates which are automatically approved. However, this list will also be the only forewarning you will receive of patches that might cause your computer to reboot at night.

It is recommended that you limit the number of workstations you place in an “Early” group — perhaps only join those workstations (likely the desktops of your IT folks) which you wish to test patches on ahead of time. Any patches which cause issues should be brought to the attention of the WSUS Administrators, or announced on the Active Directory mailing list.

Notification: A notification to SysNews will not be made.

Normal

Computers within the “Normal” target groups will receive patches Thursday morning following Patch Tuesday. WSUS Administrators are expected to approve patches for these computers between 8:00 am and 9:30 am that morning. The “Personal” group used for personal or home machines will also be part of this group.

Notification: A notification to SysNews will be made once they have done so.

Late

Patches for this group will be released on the Tuesday following Patch Tuesday (the 3rd Tuesday of the month). Once again, WSUS Administrators are expected to approve patches for these computers between 8:00 am and 9:30 am that morning.

Notification: A notification will be sent to the Active Directory mailing list to remind OU Admins of the patch release. A notification to SysNews will not be made.

A Google Calendar with “Patch Tuesdays” along with the WolfTech update schedule is available. Add ncsu.edu_e36inergvd0f31sl7dqq1afu2c@group.calendar.google.com to your NCSU Google Calendar.
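The target-group naming convention and the Early/Normal/Late timelines above can be checked with a small script. This is an added example, not part of the WolfTech documentation or any WSUS tooling; it assumes the regular monthly cycle (Patch Tuesday is the 2nd Tuesday) and treats the earliest “Early” approval as Patch Tuesday itself.

```python
from datetime import date, timedelta
from typing import Tuple

# Timing tags from the WolfTech convention; a group without a tag is treated as Normal.
TAGS = ("Early", "Normal", "Late")


def parse_target_group(name: str) -> Tuple[str, str]:
    """Split a target group name such as 'ECE-Teaching Labs-Early' into (OU, tag).

    The OU is the first dash-separated segment. The tag is the last segment when it
    is one of Early/Normal/Late; otherwise the group defaults to Normal, as the
    policy states for untagged groups (e.g. 'Personal').
    """
    parts = [p.strip() for p in name.split("-")]
    ou = parts[0]
    tag = parts[-1] if len(parts) > 1 and parts[-1] in TAGS else "Normal"
    return ou, tag


def patch_tuesday(year: int, month: int) -> date:
    """Microsoft's regular release day: the 2nd Tuesday of the month."""
    first = date(year, month, 1)
    # weekday(): Monday=0 ... Tuesday=1; days from the 1st to the first Tuesday
    offset = (1 - first.weekday()) % 7
    return first + timedelta(days=offset + 7)


def approval_date(year: int, month: int, tag: str) -> date:
    """Day on which WSUS admins approve the monthly patches for a timing tag."""
    pt = patch_tuesday(year, month)
    if tag == "Early":
        return pt                          # pushed as soon as the patch is seen
    if tag == "Normal":
        return pt + timedelta(days=2)      # Thursday morning after Patch Tuesday
    if tag == "Late":
        return pt + timedelta(days=7)      # following Tuesday (3rd Tuesday)
    raise ValueError(f"unknown timing tag: {tag}")


def group_approval_date(group: str, year: int, month: int) -> date:
    """Convenience: when will computers in this target group get the month's patches?"""
    _ou, tag = parse_target_group(group)
    return approval_date(year, month, tag)


if __name__ == "__main__":
    for g in ("ECE-Early", "ECE-Normal", "ECE-Teaching Labs-Late", "Personal"):
        print(g, "->", group_approval_date(g, 2009, 4))
```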

Out-of-Band Patching

Microsoft attempts to keep a regulated patch release schedule — the 2nd Tuesday of each month. However, there are situations when a vulnerability is found, deemed critical, and a patch is released outside of the normal timeline. A patch is typically issued outside the monthly release cycle due to an actively exploited vulnerability.

Types of Out-of-Band patches:

Emergency Patches

Definitions:

Out-of-band patch: any patch released by Microsoft outside of its normal patching schedule. This can include hotfixes, security updates, or definitions.

Emergency patch: Any patch, upgrade, or removal that occurs outside of our normal patch deployment schedule.

Procedure

Out-of-band security patches should be deployed as soon as possible (24-48 hours). These can include patches/updates from Microsoft or 3rd party software.

Notifications for Out-of-band patch deployment should use standard campus communication channels, including a Sysnews post and an email to the Active Directory mailing list, activedirectory@list.ncsu.edu, and NAG, nag@lists.ncsu.edu.

The Sysnews post should include the name of the patch, a link to the patch, a description of the patch, and its impact on end users (will a reboot be required to complete the installation).

Sysadmins can request that patches, not just security patches, be considered Emergency patches and be deployed out-of-band if said patches fix a known or perceived threat. Requests for patches to be considered Emergency should be sent to activedirectory_patching@help.ncsu.edu, and should include the name of the patch, a link to the patch, a description of the patch, and its impact on end users (will a reboot be required to complete the installation).

S&C should email the AD Policy and Tech chairs advising them of the need to deploy the patch. The notification should include the name of the patch, a link to the patch description, a description of the issue, and its impact on end users. This process has been previously approved and does not require a vote for each instance.

The campus community can request to have a patch or update installed, removed, or marked as emergency. Requests should be sent to the Active Directory mailing list, activedirectory@lists.ncsu.edu, with the name of the patch, a link to the patch description, a description of the issue, and its impact on end users. If after discussion and investigation it is determined that a patch or upgrade is detrimentally affecting a large portion of campus, AD Policy can vote to have the patch removed or deployed as long as it follows RUL 08.00.14 – System and Software Security Patching Standard (https://policies.ncsu.edu/rule/rul-08-00-14/). These patch deployments should follow the Out-of-Band patching procedure.

Patch Revisions

Once a patch has been approved and released, revisions released under the same KB number are automatically approved.

Links

  • For further assistance email activedirectory_patching@help.ncsu.edu.