Hey Bruce,
I understand your frustration at the situation - if I was in your place
I would feel the same way.
Thank you for alerting your account team about the situation. Ultimately
there is a much better chance of anything changing if they are involved.
Thanks,
Nate
Osborne, Bruce W. (NS) wrote:
Nate,
As a large institution, Liberty University cannot upgrade very often and we
need stable, reliable code. At our last decision point, the best code was
4.1.2.1. This version requires our clients to use Cisco's preconfigured checks.
We cannot use the WSUS style requirements. Also, a majority of our machines are
owned by students, and not part of our domain.
Cisco's customers were not notified of your policy change to release
preconfigured checks monthly, regardless of Microsoft's patch release.
Due to the MS08-067 patch release & known exploit code and the BU's failure to
release a check, our network security is compromised unless we create our own
solution.
The BU needs to reconsider their decision to allow known exploits on Cisco's
customer networks. Their job may depend on it!
BTW, I have passed similar sentiments up to our account team & VAR.
Bruce Osborne
Liberty University
-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED] On
Behalf Of Nathaniel Austin
Sent: Tuesday, October 28, 2008 8:58 AM
To: [email protected]
Subject: Re: [CLEANACCESS] Microsoft Patch
Hey Timothy,
In my experience you are one of the minority - most people want to
minimize user impact and just trust Microsoft if there is a discrepancy.
So if you like using our ruleset, then by all means don't change -
unfortunately that ruleset is not going to add in a check for this
hotfix until next month. I wish I could tell you otherwise, but that's
the situation right now.
Nate
Riegert, Timothy J. wrote:
We've been using the Cisco checks and have noticed some instances where Windows
Update reports no new updates to install, even though they are missing updates.
Sometimes running a Windows Update fix script (re-registers .dlls, installs
latest version of Windows Update client, etc.) fixes these computers and
they'll be able to download the patches through Windows Update, but sometimes
it doesn't help and they must manually install the updates. We are happy that
the Cisco checks are helping to identify these discrepancies.
Would I be accurate in stating the WSUS method assumes the Windows Update
client is always working correctly?
-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED] On
Behalf Of Nathaniel Austin
Sent: Monday, October 27, 2008 9:45 PM
To: [email protected]
Subject: Re: Microsoft Patch
Hey Mike,
Word from the BU is that they will only update from Microsoft once a
month, so this one will not go into the checks and rule set until next
month's Patch Tuesday release.
So a preemptive apology to everyone out there who wants this now. I
think there are some good custom checks that some of you have created to
at least get it checked for in your environments in the meantime.
I know this isn't really a consolation, but I think this again proves
that the WSUS style requirement that checks against Microsoft's WU
servers instead of our checks and rules is a much better option.
Nate
Mike Diggins wrote:
On Mon, 27 Oct 2008, Osborne, Bruce W. (NS) wrote:
When I last checked this afternoon, Cisco still did not have their
check published. What happened to the commitment to publish within 48
hours of patch release??
I was wondering that myself. I checked a few times today to see if it
had been published. I normally only update my CCA servers once a
month, so as not to annoy my clients too much, but this one seems like
it needs special attention.
-Mike