|
|
Computing & Technology
Faculty / Staff Support:
Phone: 212-678-3300
Email:
Student Support:
Phone: (212) 678-3302
Email:
WINDOWS UPDATES & PATCHES
Dorm residence computers, personal laptops, and home computers: see links at bottom of this page on configuring Windows AutoUpdate or doing manual Windows Updates yourself.
Office computers @ TC
Because Microsoft Windows is especially targeted by hackers, and in order to make it more convenient for users to keep PCs up-to-date, CIS has changed the configuration of all office computers on the TC network so that they automatically download and install critical Windows updates as they are released. Over 1,400 computers have been reconfigured as of April, 2004.
Checking for and downloading new patches will occur in the background when your computer is on, with no impact on your computer's performance. If a patch has been downloaded, installation will take place at 3 am. We continue to recommend that you shut down your computer at the end of each day--if your computer is off at 3 am, the installation will occur the next time you turn the computer on. It typically takes one or two minutes.
After a patch is installed, a reboot is required before future patches can be applied. Most patches will also not be 'active' until the reboot. You will be prompted to reboot; (if nobody is logged on, then reboot is automatic). If you power down at the end of the day, that is the same as a reboot and is sufficient. Again, if you don't reboot or power down at some point after a patch is installed, then future patches won't be installed and your computer will not be secure!!
How often will patches be applied? Microsoft generally issues one (1) set of patches for Windows a month, though urgent critical updates will continue to be released in addition. Note that if your computer hasn't been kept current with Windows Updates, in the first few days after the configuration is changed on your computer the patches that are missing will be applied.
We will start implementing the change March 1; over 1,200 Windows desktops at TC should be configured for Automatic Updates by mid-April. The configuration change is being done using Microsoft's Active Directory technology, meaning we don't need to visit each desktop.
Only Windows 2000 and Windows XP computers are affected. Computers with older versions of Windows (95, 98, ME, NT) are no longer supported by Microsoft nor by our anti-virus product and need to be retired, upgraded, or replaced; please contact the Help Desk for a consultation.
Opt out: If your computer is providing a specialized service (for example, it is an application server or it is controlling experimental equipment,) we can exclude that computer from automatic patch installation -- typically, we will configure it to automatically download updates but to wait for a manual command for installation. You will have to commit to ensuring that the patches get installed and the computer is rebooted after critical patches. Send email to helpdesk@tc.columbia.edu if you have computers that fall into these categories
More details . . .Microsoft does extensive testing of security patches, and the risks are far greater if we don't apply them and keep up-to-date! When new critical patches are released, CIS tests them on its own computers first. Patches are for Windows 2000 and XP and their components (which includes Internet Explorer.) Patches for Microsoft Office (Word, Excel, etc.) and other applications are not yet provided by the Microsoft Automatic Update service.Patch installation at 3 am: If patches have been downloaded and your computer is left on overnight, they will be installed at a randomized time around 3 am. If you are logged off (in which case there are no open applications or documents), the computer will reboot automatically after a patch is installed. If you are logged in (i.e., you forgot to logout at the end of the day), when the installation is done a Reboot Prompt' will appear, and reboot won't occur until someone clicks OK, presumably the next morning; please make sure to do so!
Patch installation at startup: If patches have been downloaded and your computer is off at 3 am, patch installation will start about 15 minutes after the computer is turned on. You may not even notice the installation, and you typically will be able to continue working normally during the installation, which typically takes just a few minutes. If you are logged on, when the installation is done you will be prompted to reboot. If you are logged off (in which case there are no open applications or documents), the computer will reboot automatically.
Patch installation requires administrator privileges. If an error message is displayed indicating that patches could not be installed because you are logged in with an account with insufficient priviliges, please contact the Help Desk.
If your Windows 2000/XP computer is logging on to the TC or TC-ACS domain, we will be able to configure it as described in this document. For those computers, once we set the Automatic Updates configuration, those options will be "grayed out" and can only be modified by CIS.
We continue to strongly recommend that computers be turned off at night; this reduces the 'window of vulnerabilty' for hacker activity.
Configuring Windows AutoUpdate or doing manual Windows Update yourself
Dorm residence computers, personal laptops, and home computers: You are responsible for applying Windows security patches yourself. Here are links to instructions:
Instructions for configuring Automatic Updates for Windows XP
http://www.microsoft.com/security/protect/windowsxp/updates.aspInstructions for configuring Automatic Updates for Windows 2000
http://www.microsoft.com/security/protect/windows2000/updates.aspInstructions for applying Manual Updates (applies to all versions of Windows)
http://www.tc.columbia.edu/cis/security/winupdates.htmNote: wireless users at TC need to contact the Help Desk to register your computer.
For more information or questions, faculty & staff please contact the CIS Help Desk.
Student computer support info: click here