Automatic updates enabled or disabled on Windows 2003 Server?

  • Automatic updates enabled or disabled on Windows 2003 Server?

    Hi,

    I was hoping I could get some recommendations on whether automatic updates should be enabled or disabled on Servers in a large enterprise environment? I personally would have it disabled on servers but would like to get other opinions and the risks and benefits of having it disabled and enabled on servers. (I'm not worried about workstations).

    There is no software distribution server in the environment and automatic updates is enabled in the whole domain.

    Thanks

  • #2
    Re: Automatic updates enabled or disabled on Windows 2003 Server?

    IMO it would be best to implement a WSUS solution, very easy to set up and maintain. It doesn't even need to be on its own server, just some space for updates is necessary. The benefits being you can choose what to download (critical updates, optional etc, etc) and test them before unleashing on your production environment. Windows update as far as I am concerned is more for a SOHO environment not enterprise. You don't really want your production servers wandering off to Microsoft of their own accord and downloading updates.

    just my opinion.


    • #3
      Re: Automatic updates enabled or disabled on Windows 2003 Server?

      Originally posted by hazey:
      IMO it would be best to implement a WSUS solution, very easy to set up and maintain. It doesn't even need to be on its own server, just some space for updates is necessary. The benefits being you can choose what to download (critical updates, optional etc, etc) and test them before unleashing on your production environment. Windows update as far as I am concerned is more for a SOHO environment not enterprise. You don't particularly want your production servers wandering off to Microsoft of their own accord and downloading updates.

      just my opinion.
      I concur with your response - I also suggest the use of WSUS. This gives you control over when patches are installed, which patches are installed (for instance, you may not want to install dotnet3.5 framework patches in a server that runs a dotnet1.1 application only..)
      It also allows you to set up test groups and deploy patches in a staged manner.
      It also means that you only download the patches and updates once.. and at an off-peak time, rather than having X number of servers all downloading the same thing.
      Please do show your appreciation to those who assist you by leaving Rep Point


      • #4
        Re: Automatic updates enabled or disabled on Windows 2003 Server?

        I would also recommend WSUS as a way to control the updates for your servers. If you're unable to implement WSUS then I recommend setting the Automatic Updates service to disabled on your servers and implementing a regular maintenance schedule for you to assess and install updates on your servers.

        Just an off topic side note: The .NET frameworks are independent of each other. 1, 2, and 3 (and their accompanying service packs) can be installed on the same machine without affecting applications that require a particular framework.


        • #5
          Re: Automatic updates enabled or disabled on Windows 2003 Server?

          Even with WSUS, I always set servers to "download and notify to install" rather than automatic install. This is in an environment with approaching 50 servers. As it gets bigger, I will have to set up a test area.
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **


          • #6
            Re: Automatic updates enabled or disabled on Windows 2003 Server?

            Hi,

            I appreciate all your responses. I'm aware of WSUS or even 3rd party distribution servers but I'm not looking for a solution but a recommendation, as there is no distribution server in the environment. My client does not have a distribution server and is not willing to spend on additional hardware\software.
            Basically, they have automatic updates enabled on the Default domain policy. From experience, having automatic updates on servers is not the way to go because the way I look at it is if it ain't broken there is no need for updates on servers unless it's a critical update. In saying that, having automatic updates on does not provide me with a platform in which I can test the patches\updates as with a product like WSUS for example.
            Correct me if I'm wrong but I don't think there is any harm with having it on considering the option is set to 'Notify me but don't automatically download them or install them'? I would like to put forward a recommendation to have this GPO disabled purely so that servers do not get the prompt that there are updates available. Can you think of any good reason to disable this on the servers? Are there security risks if this is enabled or is there a best practice\ recommendation by a higher party such as Microsoft to disable this on servers?
            Again thank you all for your efforts.
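
To see which of the settings discussed in this thread a given server actually receives from Group Policy, the following added example (not code from any poster) reads the Automatic Updates policy values from the registry and reports the update mode and source. It assumes PowerShell 2.0 or later is installed on the server; the script and its output property names are illustrative.

```powershell
# Added example: report the Automatic Updates policy in effect on this server.
# The registry value names are the documented Windows Update policy settings.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

# Meaning of AUOptions, as listed in the "Configure Automatic Updates" policy
$auOptions = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

function Get-PolicyValue($Key, $Name) {
    # Returns $null when the key or value is absent (policy not configured)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$noAutoUpdate = Get-PolicyValue $auKey 'NoAutoUpdate'
$option       = Get-PolicyValue $auKey 'AUOptions'
$useWsus      = Get-PolicyValue $auKey 'UseWUServer'
$wsusUrl      = Get-PolicyValue $wuKey 'WUServer'

if ($noAutoUpdate -eq 1) {
    $mode = 'Disabled by policy'
} elseif ($null -ne $option) {
    $mode = $auOptions[[int]$option]
    if (-not $mode) { $mode = "Unknown AUOptions value $option" }
} else {
    $mode = 'Not configured by policy (local setting applies)'
}

if ($useWsus -eq 1 -and $wsusUrl) { $source = "WSUS: $wsusUrl" }
else { $source = 'Windows Update (no WSUS server configured)' }

# State of the Automatic Updates service itself
$service = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($service) { $svcState = $service.Status } else { $svcState = 'wuauserv not found' }

New-Object PSObject -Property @{
    Computer          = $env:COMPUTERNAME
    UpdateMode        = $mode
    UpdateSource      = $source
    ServiceState      = $svcState
    # True only when updates install on a schedule without an administrator
    InstallsUnattended = ($noAutoUpdate -ne 1 -and $option -eq 4)
} | Format-List
```

Run on each server, this shows whether the domain policy leaves it in a notify-only mode or in scheduled install, and whether it pulls from a WSUS server or directly from Microsoft.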


            • #7
              Re: Automatic updates enabled or disabled on Windows 2003 Server?

              They shouldn't have to spend money on additional hardware or software.. if you've got some spare disk space, you can just install WSUS. It's free.

              I'd recommend they go this direction. WSUS load is relatively low, depending on your environment of course..
              Please do show your appreciation to those who assist you by leaving Rep Point


              • #8
                Re: Automatic updates enabled or disabled on Windows 2003 Server?

                This reminds me of a thread I started some time back. I think the consensus is to not have your servers update automatically. I don't even like to download them automatically. Every few months I review the list of updates that are waiting and then I download and install them if any are particularly necessary. If none are necessary, I don't even have the server download them. I try to reboot servers as little as possible and prefer to see uptime measured in months and not days. Of course, certain servers and circumstances do not permit this, but that's a general rule.
                Wesley David
                LinkedIn | Careers 2.0
                -------------------------------
                Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
                Vendor Neutral Certifications: CWNA
                Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
                Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/


                • #9
                  Re: Automatic updates enabled or disabled on Windows 2003 Server?

                  Thank you.
