Rule of Thumb for Approving/Denying Windows Updates in WSUS


  • Rule of Thumb for Approving/Denying Windows Updates in WSUS

    Hello friends,

    I was wondering what rules of thumb folks were using to determine what Windows updates to approve or deny in WSUS for servers running in their environment.

    As for me, the servers in my environment are all Windows 2k3 R2 connected to the local intranet and do _not_ have external access to the internet (however, the clients that can access the servers do have Internet access, so there is always the possibility of infection indirectly from a client). As a general rule, I've been approving all security related updates and dealing with non-security updates on a case by case basis. This has worked fine because there are no special applications running on the servers, just various MS default services (e.g. DNS, Windows file server, directory services, etc.). However, we are now considering installing Windows updates on a few servers that are running special applications. So to minimize the number of updates deployed (and reduce the possibility of some sort of an update related problem occurring), I am toying with the idea of changing my Windows Update strategy, where instead of approving _all_ security related updates we approve only the critical updates, which typically involve some sort of remote exploitation. (Of course we test install the updates in a test environment first.)

    What do you all think about the above idea? And what other update strategies are you all using in your environments?

  • #2
    Re: Rule of Thumb for Approving/Denying Windows Updates in WSUS

    Originally posted by grittyminder
    I was wondering what rules of thumb folks were using to determine what Windows updates to approve or deny in WSUS for servers running in their environment.
    Rule #1: If it ain't broken, don't fix it. That is, in restricted production environment, do not apply a patch unless you have a reason to install it - and you have tested it too.

    Rule #2: Test the patches within a limited group. If a security patch mucks something up, you are able to catch and fix settings before releasing the patch into production systems. A classic example for Server 2003 is SP1, which changes DCOM security settings. If one applies such a patch to a system using DCOM, one is going to be in a world of hurt unless one knows that the settings are going to change.

    Rule #3: Read and understand the release notes and KB articles. They are there for a reason.

    -vP



    • #3
      Re: Rule of Thumb for Approving/Denying Windows Updates in WSUS

      Thank you for your reply.

      > Rule #1: If it ain't broken, don't fix it. That is, in restricted production
      > environment, do not apply a patch unless you have a reason to install it -
      > and you have tested it too.

      You are not actually suggesting that I do not update the servers with new security updates at all (unless something is broken), right?

      Is it safe to say that you think that approving all security related updates, even the low exploitability/impact updates, is not necessary? Do you think the strategy of only approving critical updates that involve remote code execution is a good rule of thumb? Or something even more restrictive, like only approving updates that involve vulnerabilities that are exploited passively by the server (i.e. an administrator does not have to actively open or browse to a file; rather, just by existing out there on the network the server is vulnerable to exploitation by an attacker on the network).



      • #4
        Re: Rule of Thumb for Approving/Denying Windows Updates in WSUS

        Originally posted by grittyminder
        You are not actually suggesting that I do not update the servers with new security updates at all (unless something is broken), right?
        No, I am not suggesting that you ignore security fixes. What I suggest is that you TEST the fixes on other systems before you install them on production servers. If you do not do that, unexpected problems might occur. What would happen if your payroll system breaks because of a patch? Can you afford the downtime?


        Is it safe to say that you think that approving all security related updates, even the low exploitability/impact updates, is not necessary?
        I am advocating auto-accept for patches only for ordinary home users. In no corporate environment would I recommend such a strategy.

        Should there be a patch that breaks some other part of the system, one needs to decide whether the patch is more important than providing the service. This is a hard question to answer. As usual, the answer is "it depends".

        In order to determine whether you need the patch right now, you evaluate the risk. A remote root exploit is scary, but less so if your unpatched servers are protected with some serious firewalls and other security measures.

        I'd say one needs defence in depth. A system that has all the patches might still be vulnerable to zero-day attacks. So one needs firewalls, IDS systems, antivirus and auditing too. There is no single solution.

        -vP



        • #5
          Re: Rule of Thumb for Approving/Denying Windows Updates in WSUS

          Thank you for your reply.

          Okay, I see where we are not 100% on the same page, but it's my fault--I wasn't clear enough.

          You mentioned auto-approval. I suppose that is what I'm thinking about when I mention 'approval': if a certain update meets all of the criteria necessary for approval then it would be allowed to be installed and tested. However, I think that you think I want to auto-approve directly to the production environment, yet that is not the case. I want to auto-approve to a test environment. If the updates evaluate OK in test, then they would be applied to production.

          So to rephrase the question, what is a good rule of thumb for approving updates to be evaluated in the test environment?



          • #6
            Re: Rule of Thumb for Approving/Denying Windows Updates in WSUS

            For the test environment, allow everything -- otherwise how can you test it?
            If no problems / reported problems in, say, a week, approve for the remainder of the machines.
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd
            Scotland

            ** Remember to give credit where credit is due and leave reputation points where appropriate **

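The two-stage flow the thread converges on (auto-approve every Security Update and Critical Update to a test group, then promote to production once they have soaked for about a week with nothing declined) can be scripted against the WSUS administration API. The script below is an added example for this thread, not code posted by any participant; it uses the Microsoft.UpdateServices.Administration assembly that ships with WSUS 3.0 and later and is meant to run on the WSUS server itself. The server name, port, computer group names and the seven-day soak period are hypothetical parameters.

```powershell
# Added example (not from the thread): two-stage WSUS approval in PowerShell.
# Assumptions (hypothetical): WSUS01 listening on 8530 without SSL, a "Test Servers"
# computer group that receives approvals first, and a "Production Servers" group that
# receives them after $SoakDays of testing with the update still not declined.
param(
    [string]$Server    = 'WSUS01',
    [int]   $Port      = 8530,
    [string]$TestGroup = 'Test Servers',
    [string]$ProdGroup = 'Production Servers',
    [int]   $SoakDays  = 7,
    [switch]$WhatIf
)

# The admin assembly lives in the GAC on the WSUS server.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($Server, $false, $Port)

$groups = $wsus.GetComputerTargetGroups()
$test   = $groups | Where-Object { $_.Name -eq $TestGroup }
$prod   = $groups | Where-Object { $_.Name -eq $ProdGroup }
if (-not $test -or -not $prod) { throw "Computer target group '$TestGroup' or '$ProdGroup' not found" }

$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

# Rule of thumb applied here: every Security Update and Critical Update goes to test
# automatically. Other classifications (feature packs, drivers, ...) stay case by case.
$autoClassifications = @('Security Updates', 'Critical Updates')

function Test-AutoApprove($update) {
    if ($update.IsDeclined -or $update.IsSuperseded) { return $false }
    return $autoClassifications -contains $update.UpdateClassificationTitle
}

function Get-InstallApproval($update, $group) {
    # Returns the existing Install approval for this group, if any.
    $update.GetUpdateApprovals($group) | Where-Object { $_.Action -eq $install } | Select-Object -First 1
}

function Approve-ForGroup($update, $group) {
    # Approve() fails if the EULA has not been accepted first.
    if ($update.RequiresLicenseAgreementAcceptance) { $update.AcceptLicenseAgreement() }
    $label = "'$($update.Title)' [$($update.UpdateClassificationTitle), MSRC $($update.MsrcSeverity)]"
    if ($WhatIf) { Write-Host "WHATIF: would approve $label for $($group.Name)"; return }
    [void]$update.Approve($install, $group)
    Write-Host "Approved $label for $($group.Name)"
}

$updates = $wsus.GetUpdates()
$cutoff  = (Get-Date).AddDays(-$SoakDays)

foreach ($u in $updates) {
    # Stage 1: new security/critical updates -> test group.
    if ((Test-AutoApprove $u) -and -not (Get-InstallApproval $u $test)) {
        Approve-ForGroup $u $test
        continue   # freshly approved; it cannot have soaked yet
    }

    # Stage 2: soaked in test, not declined since -> production group.
    if ($u.IsDeclined) { continue }
    $testApproval = Get-InstallApproval $u $test
    if (-not $testApproval -or $testApproval.CreationDate -gt $cutoff) { continue }
    if (-not (Get-InstallApproval $u $prod)) { Approve-ForGroup $u $prod }
}
```

Run it with `-WhatIf` first to see what would be approved. The "rollback" signal is deliberately simple: if an update breaks something in test, decline it in the WSUS console and stage 2 will never promote it; everything that survives the soak period is promoted unattended. Declined or superseded updates are never auto-approved to test, and the MSRC severity is printed rather than filtered on, so tightening the rule to "Critical severity only", as the original poster considers, is a one-line change in `Test-AutoApprove`.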
