Patch Management query.

We have a new security guy started here. He's a pain in the arse.

Before we used to only patch servers if a real critical update came out or SP.

Now he wants them all done, all the time, whenever any critical or security patches come out...

Shall I have a word? Or is he correct?

What do others do?
 
He is correct...

Depending on how many servers you have (I'll assume you're on an MS AD setup) you could set up a test OU with a handful of servers in, roll the updates out to them first for say a week and if there are no problems schedule the server OU to perform the updates.

Generally you want your servers as patched as possible security wise, even if you think it won't affect you.
 
Yep, as much as you may hate it (I hate it too), he is right.

We do much the same as ethos, test for a week and then patch production. It can be a close thing to get all the servers patched before the next one comes around, but it's a necessary evil, especially in a Windows environment.
If it overruns then we just ensure that the missed servers get done first, so you're never too far out of date on any one server.

It doesn't sound like you have a time agreed for each server (either monthly or weekly) for maintenance. If it's out of the question to do stuff during the day, then you'll have to do it out of hours and charge overtime.
It's amazing how quickly a system that must never, ever, be down suddenly isn't so important when overtime comes up.

Do you already have WSUS or similar in place? If not, you really need to download and install it soon.

I suggest you do the following:
1. Identify or create some test servers - a good mix of your apps is essential (Exchange, SQL etc.).
2. Identify servers that have clear times when they have light/no usage.
3. Contact Server users where usage is not so clear cut and find light/no usage times.
(For Steps 2 and 3 you can't let everyone choose Friday afternoon, unless you want to be in till Saturday).
4. Draw up your monthly plan for server updates, a week from patch Tuesday should be out of bounds.
5. Give plan to boss, highlighting areas where overtime is required.
6. ????
7. ????
8. Profit!

Or alternatively migrate everything to Netware, and then only have to infrequently patch, which is nice.

Honestly I completely empathise, we're still going through the pain of arranging scheduled maintenance every month.
It's been quite funny really. The System Managers that genuinely have the most important systems have been extremely co-operative, and understand the importance of patching.

It's the system managers of the minor systems who have a massively inflated sense of importance, and tell us their systems can never be down for any reason ever.
For those we just take the stance that if the system is in use all the time, then no time is any worse than any other, and we'll dictate when we'll do it. You'll soon get a more realistic response.
 