CPPM uses a commercial software package and service that will improve our ability to keep desktops and laptops patched with the latest security updates, in order to reduce security attacks and keep critical data on campus safe from intrusion. CPPM also provides a power management function that enables policies to save power for the campus community where appropriate.
In November 2007, in close cooperation with several University organizations, ITS deployed CPPM to 120 desktops and servers as part of a pilot project. In April 2008, CSUEB acquired a 3-year 3,500-seat license, centrally funded, in order to install the CPPM software on as many Windows computers as appropriate. Today there are
1900 computers that are being patched centrally on campus..
Providing a patch management system for CSUEB is part of a larger effort to reduce the individual responsibility that ordinary computer users must accept to maintain their systems securely, and to protect the open CSUEB network from the steadily increasing threats found on the Internet.
If a PC is attached to the CSUEB network, or is used to transact University business, the goal is to ensure that it receives all required security updates quickly and reliably. The CPPM service at CSUEB can help meet that goal.
Do note that CPPM cannot handle all aspects of maintaining your computer securely, and only functions as an important element of good security practices
Internet-based attacks on individual desktop and laptop computers are a worldwide problem that is continuing to grow exponentially. It's, therefore, critical to keep operating systems up-to-date by installing security patches as soon as they become available.
Until now it has been each desktop or laptop computer user's individual responsibility to install critical patches. Even people who are doing a good job of keeping their PCs updated sometimes miss important patches. Failures to keep all systems patched can place everyone on the shared network at risk. CPPM helps ITS provide this service in a more reliable and efficient way to the campus community.
CPPM 's main purpose is to provide a very robust computer operating system patch management service to the University community. It will also be used to distribute updates to McAfee AntiVirus, the antivirus software licensed for use at CSUEB. It collects inventory information to help patch computers appropriately. In addition, CPPM provides CSUEB power management capabilities so that we can be a model sustainable university and save power where appropriate for the campus.
This month we have deployed the following updates:
Microsoft Updates (MS12-001 - MS12-007) for the month of January.
Apple Software Updates (Itunes 10.5.1, Quicktime 7.7, Safari 5.1.12) for the month of January.
McAffee Antivirus (Dat file updated) released on (01-10-2012).
There can be no single, complete solution for problems of computer security. CPPM will help to ensure that operating systems are securely patched, but there are additional essential security practices that are beyond the scope of CPPM.
Such practices include having a minimum number of user accounts on your computer, choosing strong passwords, protecting passwords from theft, using up-to-date and properly configured antivirus software, enabling firewall when appropriate, configuring file sharing properly and securely if you need to share files, shutting down your computer when it's not in use, logging off your computer every night, not double-clicking suspicious e-mail attachments, correctly configuring operating system security settings, disabling unnecessary services, and so on.
Installing the CPPM client on your computer doesn't mean that you're safe: it means that you're safer.
For more information about how to secure Windows PCs, please see the Secure Computing web site.
CPPM has two distinct software components, a client and a server. The client software is installed on computers that are to be managed, while the server allows system administrators to monitor those computers and enables the deployment of patches to them.
With respect to patching the machine it's installed on, the CPPM client provides extremely reliable information about the machine’s status. This accurate information is conveyed to the CPPM server, allowing system administrators charged with managing CPPM clients to patch computers appropriately and as needed.
Whenever Microsoft, for example, releases a critical security patch for Windows, it is tested and packaged by BigFix , Inc., and delivered to their customers generally within a matter of hours. The patch is then tested at CSUEB by the CPPM site administrators. After testing, under normal circumstances, tested and approved patches will then be deployed centrally to any computers still in need of them. The testing and approval process may be hastened under extraordinary circumstances.
No. At this time, CPPM will only be installed on University-owned computers. It will not be installed on the privately owned computers of students, guests or visitors.
When critical security patches have been released by Microsoft, and tested at CSUEB, they will be deployed. If necessary, you will be prompted to restart your computer. Please note that all computers may be rebooted Tuesdays after 6 PM to ensure proper patching.
Your work will not be disrupted. You will always be able to save open files and quit gracefully out of any running applications before you choose to restart.
Note that, under extraordinary circumstances, such as an immediate and dangerous attack on an operating system vulnerability, the patch approval and testing process may be curtailed to some degree. In every case, the CPPM site administrators will provide as much advance notice as possible that an emergency patch will be deployed.
The CPPM agent doesn't cause any problems and you won't even notice it's running on your PC. It's sometime the case, however, that the installation of operating system patches causes problems. Be aware that patches will be tested before they are released, in order to ensure that they won't cause widespread problems in the CSUEB environment. Also not that your computer will be rebooted every Tuesday after 6 PM.
The CPPM client software will run on all Windows platforms currently supported by Microsoft. The CPPM central administrators will test new operating system patches, when Microsoft releases them and before deploying them to client PCs, on English versions Windows XP Professional SP3 and Windows 7 Enterprise, all at the latest Service Pack level.
Certain computers can be excluded from automatic patching if appropriate.
If you have concerns about your computer and patching please contact the CPPM administrator (CPPM@csueastbay.edu). If you’d like to request an excpetion from central patching please fill out an ESARF.
CPPM is more reliable than the Windows Automatic Updates service, which is easy to use incorrectly under the best of circumstances. The CPPM system can also detect whether an installed operating system patch is corrupt, since it makes a much more thorough check of patch file versions and Windows registry entries than Automatic Updates.
If run on a schedule, Windows Automatic Updates will also force restarts for users without administrator rights, which CPPM will not do: it will gently prompt you to restart, and you'll have time to finish your work, whether or not you're logged in to Windows. All computers are rebooted Tuesdays after 6 PM weekly to make sure patches are completely installed.
CPPM may also be used in conjunction with Automatic Updates. All that matters is that your PC is patched. If CPPM is installed on a computer that's not always connected to the CSUEB network, it's advisable to use Automatic Updates as well as CPPM.
The answer is yes: you should be worried that hackers might seize control of your computer and gain access to all of your files.
More and more often computer viruses are appearing that attempt to steal confidential information, such as credit card numbers, PayPal passwords, and so forth.
CPPM will help to protect you from such threats.
CPPM will permit authorized staff to collect certain data about your computer, but there are very tight controls on the nature of that data, and very tight controls on how that data may be used. CPPM does not collect data files from your computer.
See the next two questions for more information.
The CPPM site administrator will have access to retrieved properties for all CPPM client computers. Any additional people who want access to the information must be authorized by the appropriate managers within their organizations and by Information Security Office.
CSUEB does not intend to make any use of the information that CPPM retrieves except to help ensure the security of the University's network. You should know, however, that this information - like all information on or about our network - is subject to University policies and relevant laws.
Power Managment is the ability for your desktop to save energy while it its not in use. As a whole, the more desktops that are not in use and remain powered off, the less consumtion there is for electrical demand.
If you have questions about using CPPM at CSUEB that aren't covered in the FAQ, please send e-mail to the CPPM team at CPPM@csueastbay.edu.
The tool we are using for the CPPM project is called BigFix. For additional information about this product, visit http://www.bigfix.com.
These FAQs were based on the FAQs developed by Stanford University's CPPM Team. We'd like to thank them for sharing their experiences and contributions to this project and the FAQs.