OS security updates and patch management
We request that you use an ITS-recommended operating system (Macintosh/Windows/Unix) for any computer connecting to the Yale University network.
Overview
In the current environment of frequent operating system and application software vulnerabilities, as well as viruses and worms that exploit those vulnerabilities, we must all take a more proactive approach to security. Keeping both your campus and remote/home computer free from malicious activity requires a layered security approach. In addition to having current antivirus software and virus definitions, you must also keep your operating system software up to date. Keeping current with updates and patches provides an added layer of security that helps to ensure the integrity, confidentiality and security of electronic information on computing devices and on the network.
ITS will provide automated solutions for clients to keep their operating systems up-to-date whenever feasible. If automated solutions are not available we will provide you with user-friendly mechanisms to update and patch both campus and remote/home computers. Our current recommendations for staying current with operating system updates are detailed below.
NOTE: These tools do NOT patch or update your application software (e.g., MS Word, MS SQL).
Windows
Software Update Services (SUS): for WINDOWS 2000/XP Campus Desktop Computers
ITS's implementation of Microsoft's Windows Software Update Services (SUS) will provide an automated mechanism designed to simplify the process of keeping Windows-based operating systems up-to-date with the latest critical updates and patches. It enables desktop computers running Windows 2000 or higher to automatically connect to a local ITS SUS server and receive updates. SUS enables ITS to quickly and reliably deploy critical updates in an automated fashion to Windows computers on the YSM network. Be sure your computer is in the School of Medicine Active Directory, so that SUS can deploy patches and updates to your computer.
- When updates/patches have been downloaded to your computer, but have not yet been installed, you may see a flashing Windows Update icon appear in your Taskbar, and you can choose to install them immediately.
- If no action is taken the install will take place automatically at 5 AM.
- In order for SUS to function optimally, we recommend that you save your work at the end of the day, close your applications and log off your computer. (Press the Ctrl-Alt-Delete key sequence and select Log Off.) Leave the computer turned on. Do NOT shut down the computer.
(Supported OS: Windows 2000 and Windows XP)
Windows Automatic Update: for WINDOWS computers unable to use SUS
(e.g., remote/home computers, or campus servers and mobile laptops). If you have a home computer, or a campus computer that is not in the Active Directory and thus unable to get updates via the ITS SUS server, ITS recommends that you run Automatic Update. Automatic Update is a program from Microsoft that is built into the operating system and that will scan your computer and download updates for you automatically. You must be connected to the Internet for Automatic Update to function. If you are updating over a modem, this could take some time, but it is worth it to ensure your computer has the latest updates! (Supported OS: Windows XP/2000/ME/98).
How to configure and use Automatic Updates
Windows XP | Windows 2000 | Windows ME* | Windows 98*
*Win98 and WinME are not recommended.
Note: With all the above operating systems we recommend that desktop/laptop computers use the settings:
- Automatically download the updates, and install them on the schedule that I specify.
- In the area to choose a day and time, we recommend every day.
- Click OK.
Your computer will now automatically download the updates when needed. If the computer has not been updated in a long time, the first time Automatic Update runs, it may take a while to complete. We recommend that you install any Critical Updates and Service Packs.
If a computer is only intermittently connected to the Internet you can manually install updates and patches.
In response to complaints about the difficulty of staying on top of the weekly releases, Microsoft has shifted from weekly to monthly security bulletins. However, Microsoft reserves the right to release bulletins at any time if it feels clients are in imminent danger of being exploited by a known software vulnerability.
Manual Windows Update
Used for Windows computers unable to use SUS or Automatic Update. Windows Update will function with Windows XP/2000/2003/ME/98, but it is the ONLY patch/update option for WinNT and Win95. Automatic Update functionality is not available for WinNT or Win95. Microsoft is providing no new updates for NT or 95, but running Windows Update will bring your computer to the most current version of the OS. Patches (not updates) will be available for NT Workstation until 30 June 2004. Win95 is not recommended.
Windows Update is also an option for a computer that is only intermittently connected to the Internet.
To run Windows Update:
- Open Internet Explorer (IE) as your browser
- Point your browser at windowsupdate.microsoft.com and follow the online instructions.
We recommend that you install any Critical Updates and Service Packs. Installing non-critical updates/patches is optional. Note: installing driver updates may cause conflicts with your application software, so be cautious.
Mac OS X Software Update (10.x)
(Campus or Remote/Home Computers)
Using the Mac OS X automatic Software Update feature from System Preferences, you can request updates at any time (you must be connected to the Internet) or schedule when Mac OS X checks for updates (daily/weekly/monthly). Online directions are available.
- Run Update Now and
- then configure Schedule and Update (ITS recommends daily).
(Supported OS: Macintosh 10.x [OS X], and higher)
RHEL (Red Hat Enterprise Linux) & Fedora: RHN or APT-RPM
(Campus or Remote/Home Computers)
NOTE: Red Hat Linux (7.x, 8.x and 9.x) maintenance and errata support ended 30 April 2004. ITS is currently recommending migration to RHEL ‘WS’ or Fedora for workstations and RHEL ‘AS’ for servers. Fedora Project operating system software is a free alternative to RHEL, and Up2Date is supported by Fedora; however, products from the Fedora distribution line should be considered beta releases only. Fedora is NOT recommended for production servers. Academic pricing is approximately $25/yr for WS and $50/yr for AS.
Options for OS updates:
- RHEL: To get rpm updates for RHEL you will need to use Up2Date, the updating agent that is built into the OS software. YaleRPM does not work with Red Hat Enterprise Linux (RHEL) or Fedora.
- Fedora: You can visit the Fedora web site or use apt-rpm. Apt-RPM is a command line interface and a good solution for Fedora workstation users with technical expertise. apt-rpm also works under Red Hat 7.3, 8.0 and 9.
SuSE
YaST (Yet Another Setup Tool) is an operating system setup and configuration tool that is featured in the SuSE Linux distribution. AutoYaST allows unattended and automated installation.
Sun/Solaris:
SunSolve Patch Support Portal | Patch Management Tools
IRIX/SGI: