In August 2003, the MS Blaster worm got through a known security loophole in Microsoft Windows and attacked millions of computers around the world, resulting in an enormous economic loss. Actually, this disaster could have been avoided if users had applied the security patch MS03-026, released a few months before the attack. However, many users might have been too busy to perform Windows Update on time, or hoped that they could luckily survive the attack.
The damage of the MS Blaster worm was minimal on campus, as we only received a few infected cases. However, this did not mean that our users had applied the required security patch beforehand. Actually, the protection came from the virus management system, the McAfee ePolicy Orchestrator (ePO), which was implemented in 2002. What will be the consequence if a new worm makes use of the same security loophole to launch an attack later? Obviously, the ultimate solution to this problem is to fix the security loophole by applying Microsoft's security patch. That is why we frequently remind users to perform Windows Update through network announcements. This important operation is simple and usually takes only a few minutes to complete. Unfortunately, according to our collected information, the machines connected to the staff LAN have missed almost 10,000 Microsoft patches, and this figure will increase significantly with newly discovered bugs. How bad is the situation? To be pessimistic, more than 1,000 machines are doomed to be attacked by hackers, viruses, and so on. As a result, our campus network is in danger. Therefore, the CSC sees the urgent need to perform Windows Update compulsorily and automatically to reduce the risk of attack and virus infection.
After studying Microsoft's Software Update Services (SUS) product for some time and inviting some departments to participate in the pilot run, we decided to deploy SUS to deliver critical patches to our staff LAN machines (PCs belonging to the CITYUMD domain). Starting from 1 March 2004, all staff LAN machines will automatically download and install newly released or missing critical Windows Updates from our central SUS server. The downloading process will start within a specified time frame, depending on the PC and network conditions. The installation process will be initiated at 1 p.m. every day. For those PCs which have missed the previous schedule, the installation process will be initiated within 15 minutes after their reboot. When it is done, users may be asked to reboot their machines to make the patch effective. They may decide the most convenient time to reboot their machines, though an immediate reboot is recommended.
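The client-side behaviour described above (download from the central SUS server, install at 1 p.m. daily, re-run a missed schedule 15 minutes after reboot) is driven by the Automatic Updates policy settings on each PC. The script below is an added example, not part of the CSC article or its deployment; it audits a client's registry policy against those expected values and reports any pending reboot. The SUS server URL is a placeholder, and the expected values are derived from the schedule in the text rather than from the CSC's actual policy.

```powershell
# Added example: audit a Windows client's Automatic Updates policy against the
# SUS schedule described in the article. Run in an elevated PowerShell prompt.
# The server URL is an assumed placeholder, not the CSC's real SUS server.
$ExpectedServer = 'http://sus-server.example.invalid'

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

# Expected policy values, mapped to the behaviour the article describes:
#   UseWUServer=1 / WUServer   -> fetch patches from the central SUS server
#   AUOptions=4                -> auto download and schedule the install
#   ScheduledInstallDay=0      -> every day
#   ScheduledInstallTime=13    -> 1 p.m.
#   RescheduleWaitTime=15      -> missed schedule runs 15 min after reboot
#   NoAutoUpdate=0             -> Automatic Updates has not been switched off
$expectedAU = @{
    NoAutoUpdate         = 0
    AUOptions            = 4
    ScheduledInstallDay  = 0
    ScheduledInstallTime = 13
    RescheduleWaitTime   = 15
    UseWUServer          = 1
}

# Returns the registry value, or $null if the key or value is absent.
function Get-RegValueOrNull([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

$server = Get-RegValueOrNull $wuKey 'WUServer'
if ($server -ne $ExpectedServer) {
    $findings += "WUServer is '$server', expected '$ExpectedServer'"
}

foreach ($name in $expectedAU.Keys) {
    $actual = Get-RegValueOrNull $auKey $name
    if ($actual -ne $expectedAU[$name]) {
        $findings += "$name is '$actual', expected $($expectedAU[$name])"
    }
}

# Automatic Updates creates this key when an installed patch still needs a reboot.
$rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
if (Test-Path $rebootKey) {
    $findings += 'A reboot is pending; installed patches are not yet effective'
}

if ($findings.Count -eq 0) {
    Write-Output 'Automatic Updates policy matches the SUS schedule; no reboot pending.'
} else {
    Write-Output 'Items needing attention:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A machine whose policy keys are missing entirely (every value reported as empty) is one that never received the domain policy and is therefore still relying on the user to run Windows Update by hand, which is exactly the case the compulsory deployment is meant to eliminate.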
By the time of publishing this article, the number of missing patches has been greatly reduced, by around 90%. The condition will be improved further if machines with outdated Service Packs can be upgraded to the latest versions and machines running Windows 2000 can be upgraded to Windows XP SP1.
Nevertheless, both the ePO and SUS are supplementary tools to help users protect their PCs. Protection still relies on the users to employ these tools, for example, by following the recommended security practice and ensuring that the patches have been successfully installed. They should note that: