How do you prefer to manage Windows Server patches?


  • How do you prefer to manage Windows Server patches?

    Hello all!

    How does each of you prefer to handle patch Tuesday? I don't like the idea of installing patches willy-nilly so I usually wait until the Tuesday after patch Tuesday (incidentally, that's tomorrow... which is why I was reminded to start this thread). I then simply Google each KB# to see if the patch has caused any problems and if so under what circumstances. Surely it's tedious, but better than the alternative (unemployment).

    Do any of you use a patch management application other than the built-in updates engine / WSUS (e.g. Patchlink)? Do any of you work in a large / critical enough environment where you have a test network to apply updates within?

    I'm mostly interested in smaller shops that don't have the luxury of a test network, but anecdotes that include them are certainly desired as well.

    Thanks for your input,
    Wesley David
    LinkedIn | Careers 2.0
    -------------------------------
    Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
    Vendor Neutral Certifications: CWNA
    Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
    Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

  • #2
    Re: How do you prefer to manage Windows Server patches?

    I use WSUS and go a month or two between patches.



    • #3
      Re: How do you prefer to manage Windows Server patches?

      I usually wait until Wednesday because we in the real world are a day ahead of the US.
      1 1 was a racehorse.
      2 2 was 1 2.
      1 1 1 1 race 1 day,
      2 2 1 1 2



      • #4
        Re: How do you prefer to manage Windows Server patches?

        I use WSUS3 and approve everything for immediate installation (I know I shouldn't).

        We have never experienced any problems. Been using it for about two years now. Mind you, we don't use any 'tailored' software - backup is Brightstor, mail server is Mercury/32 which operates within its own environment, so as there are no unusual apps, we've not had problems. I have also configured it to install every day.

        WSUS made my life so much easier
        A recent poll suggests that 6 out of 7 dwarfs are not happy



        • #5
          Re: How do you prefer to manage Windows Server patches?

          WSUS with auto-approval for a lot of things.

          The clients have auto-install policy applied but I keep an eye on the upcoming patches and block them before they get to the WSUS if I think they'll be an issue.

          The servers are set to download only and we go round on a monthly basis to approve them manually after checking out if there are any known issues with the updates.
          This message represents the official view of the voices in my head



          • #6
            Re: How do you prefer to manage Windows Server patches?

            WSUS generally with auto for all but I do like to stop service packs and IE updates and test them.
            cheers
            Andy

            Please read this before you post:


            Quis custodiet ipsos custodes?



            • #7
              Re: How do you prefer to manage Windows Server patches?

              Manually update the servers after a week goes by, everything is in VMware ESX 3.5 so it's a lot faster to reboot if necessary.



              • #8
                Re: How do you prefer to manage Windows Server patches?

                I'll address each response individually:

                Originally posted by Meekrobe
                I use WSUS and go a month or two between patches.

                My but that's a long time to wait. I'm assuming that you don't have many (or any?) public-facing Windows machines. Doesn't sound like you're too worried with standards compliance so I'm also assuming you don't work in healthcare, finances, et alii.


                Originally posted by biggles77
                I usually wait until Wednesday because we in the real world are a day ahead of the US.

                And do you use WSUS for approvals or do you just manually download and install updates? And your method for determining the safety of a patch would be... ?

                The day does get here a bit later than the rest of the world. We in the States just want the world at large to test the day out and make sure it's safe before we get going.


                Originally posted by Blood
                I use WSUS3 and approve everything for immediate installation (I know I shouldn't).

                We have never experienced any problems. [snip] I have also configured it to install every day.

                WSUS made my life so much easier

                Is this a vast amount of servers or just a few? WSUS does seem to be a handy timesaver.


                Originally posted by graycat
                WSUS with auto-approval for a lot of things.

                The clients have auto-install policy applied but I keep an eye on the upcoming patches and block them before they get to the WSUS if I think they'll be an issue.

                The servers are set to download only and we go round on a monthly basis to approve them manually after checking out if there are any known issues with the updates.

                Any tips on what makes you think certain patches will be an issue versus others? Concerning your servers, how do you determine if there are any known issues with the updates? Do you just use Google and read the attendant KB article? Must not be too many servers if you can do it all manually without much fuss.


                Originally posted by AndyJG247
                WSUS generally with auto for all but I do like to stop service packs and IE updates and test them.

                XP SP3 comes to my mind... Why are the IE updates of such interest to you?


                Originally posted by Server_Dude
                Manually update the servers after a week goes by, everything is in VMware ESX 3.5 so it's a lot faster to reboot if necessary.

                Manually? I would think that a place using ESX would have quite a few running servers which would make manually updating things rather tedious. Hmmm... ::scratches head::


                Seems like WSUS and auto-approval is used quite a bit. It also seems like a manual installation of updates is a frequently chosen method. That must get impractical after 6 servers or so, no? It looks like folks typically wait at least a week or so before taking the plunge. It makes me wonder, if everyone is so cautious, who are the intrepid individuals that plunge into the darkness and find out which updates are lemons? I seem to recall software testers who tested alpha stage releases were called the "Lunatic Fringe". For good reason, apparently.

                At any rate, it doesn't seem like folks are too concerned with patching their Windows boxes immediately. Does anyone here represent the opinion of a high-availability (e.g. 24 hour production line) or high risk (e.g. financial institution) or high visibility (e.g. web site) situation? Thanks for putting up with my inquisitiveness.
                Wesley David



                • #9
                  Re: How do you prefer to manage Windows Server patches?

                  I wait almost 3 months; this is because we only have a window for patching once every three months. Yes, we do not have that many servers facing an external network.

                  A mixture of a script and WSUS; some machines cannot be done with WSUS so we do them manually.

                  We approve patches before the patch window only, nothing is auto approved.

                  We were burned once with a DNS patch that caused a huge problem because of a memory leak in the release (and we installed it almost 2 months after release date) so we prefer to be safe than sorry.
                  Maish
                  ----------------------------------------------------------
                  Technodrone|@maishsk|Author of VMware vSphere Design
                  VMware vExpert 2013-2010,VCAP5-DCA/DCD,VCP
                  MSCA 2000/2003, MCSE 2000/2003
                  A proud husband and father of 3 girls
                  ----------------------------------------------------------
                  If you find the information useful please don't forget to give reputation points.

                  Have a good one!!



                  • #10
                    Re: How do you prefer to manage Windows Server patches?

                    Originally posted by Nonapeptide
                    I'll address each response individually:

                    My but that's a long time to wait. I'm assuming that you don't have many (or any?) public-facing Windows machines. Doesn't sound like you're too worried with standards compliance so I'm also assuming you don't work in healthcare, finances, et alii.


                    We're in finance and audited yearly by a major auditing firm. They visit our main office for a good two months out of the year and spend about one week on the IT portion. No, we're not SOX or anything like that, they just audit us against our own Policies and Procedures. We always score 90%+

                    I have several internet-facing servers including a DC but we run enterprise class firewalls.

                    Anybody know a website/source that documents hacks/intrusions because of lack of a patch? Yes, patches are important but I mostly see it as a CYA for the manufacturer which turns into a CYA for the network admins.



                    • #11
                      Re: How do you prefer to manage Windows Server patches?

                      Originally posted by Meekrobe
                      We're in finance and audited yearly by a major auditing firm. They visit our main office for a good two months out of the year and spend about one week on the IT portion. No, we're not SOX or anything like that, they just audit us against our own Policies and Procedures. We always score 90%+

                      I have several internet-facing servers including a DC but we run enterprise class firewalls.

                      Anybody know a website/source that documents hacks/intrusions because of lack of a patch? Yes, patches are important but I mostly see it as a CYA for the manufacturer which turns into a CYA for the network admins.

                      My perspective stands corrected. Thanks.
                      Wesley David



                      • #12
                        Re: How do you prefer to manage Windows Server patches?

                        Because of the large number of PCs in the schools, WSUS is the most common way. If something screws up then we just Ghost a working image back over the mess and disapprove the update so it won't be deployed. Well that's the theory.



                        • #13
                          Re: How do you prefer to manage Windows Server patches?

                          Originally posted by Nonapeptide
                          XP SP3 comes to my mind... Why are the IE updates of such interest to you?

                          I meant IE7 specifically, should have been clearer
                          cheers
                          Andy

