Educause Security Discussion mailing list archives
Re: Windows Patch Management
From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 7 Dec 2006 09:26:55 -0500
Rose, Ryan wrote:
Greetings, I'm curious how other institutions are conducting Windows Server Patch Management. Currently we are testing the patches in our test environment for the week following the release date. We then roll out the updates to all production servers over the following weekend within our maintenance windows. This takes an amazing amount of time; we believe it is best to stick to a monthly schedule but our sys admins are going crazy. Any suggestions or thoughts around this issue?
The IT Windows group purchased hfnetchk for IT systems that we administer. We run a WSUS server but don't recommend that critical servers subscribe to the service. We do not do a lot of testing and depend quite a bit on Microsoft's testing and field experience reports.

WSUS updates are delayed while we monitor things like MS newsgroups for reports of problems. Those to which we have high exposure or which have a high risk of exploits are pushed first. Others may be significantly delayed, particularly if there is any indication of problems.

Hfnetchk updates to central servers are pushed pretty quickly with little testing. Sometimes we roll to less critical systems first. Sometimes we only roll updates for which there is a high exposure and/or high risk of exploitation and delay the others while field experience is monitored.

While best practices would suggest stringent testing on parallel environments for all changes, we have neither the hardware/software resources nor manpower to do so even in IT. A little care in analyzing updates and monitoring field experience and, when possible, a little delay in their installation would seem to greatly decrease the risk of a widespread, irreversible, catastrophic event caused by a bad update. But that possibility still exists.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security