The SysAdmin Network

No more hiding in the server room

This is a poll, I'm interested in your opinions and experiences.


Patching Production Windows Servers, quarterly or monthly? And what product do you use (if you use a 3rd party product)?


I'm a believer that monthly is overkill and I prefer quarterly patching of Windows. I'm looking to hear if other sysadmins agree, or if not, can you convince me that monthly is best? We have been using Patch Authority but I'm not a big fan of this product.


Thank you

Tags: Microsoft Updates, Windows Server



Replies to This Discussion

I do monthly; I have a maintenance schedule set up. I also get the security bulletins to make sure that I'm patching the critical patches immediately.

I agree with you in regards to patching Windows servers. I have 2 Windows 2008 servers in production and I only patch them quarterly because this gives me time to evaluate the boxes after they have been patched. For me this has been the best approach and it works well considering the number of patches being released.

I currently use Microsoft WSUS to push my patches and it works perfectly.

We patch monthly on the last Friday of the month.

That way we're a few weeks behind "Patch Tuesday" and can see if there are any updates we should be wary of. Second line servers and below get the patches first with the main production boxes usually being done over the weekend between backup slots.

Quarterly is too far apart IMHO and would only go to every other month due to holidays or sheer workload.

We use WSUS to control the updates with auto-approval rules for the products we use etc. The servers are then controlled by GPO to download only for manual install. Desktops just get the updates as they land.
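The reply above describes servers pointed at WSUS and set by GPO to download only, with installation done by hand. The PowerShell below is an added example, not code from the thread or from any WSUS tooling; it reads the documented Windows Update policy registry values on a list of servers and reports which ones actually match that state. The server names are placeholders, and `Invoke-Command` assumes PowerShell remoting is enabled on the targets.

```powershell
# Added example (not from the thread): read the effective Windows Update policy
# on one or more servers and report whether each matches the setup described in
# the post: updates come from WSUS and are downloaded only, for manual install.
# Server names are placeholders; the registry paths and AUOptions values are the
# documented Windows Update policy locations.

$Servers = @('SERVER01', 'SERVER02')   # placeholder names, replace with your own

$ScriptBlock = {
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'

    # Policy keys are absent when no GPO applies, so read defensively
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    # Documented meanings of the AUOptions policy value
    $auMeaning = @{
        2 = 'Notify before download'
        3 = 'Auto download, notify for install'
        4 = 'Auto download and schedule install'
        5 = 'Local admin chooses setting'
    }

    $options = if ($au -and $au.PSObject.Properties['AUOptions']) { [int]$au.AUOptions } else { $null }
    $useWsus = ($au -and $au.PSObject.Properties['UseWUServer'] -and [int]$au.UseWUServer -eq 1)

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        WSUSServer    = if ($wu) { $wu.WUServer } else { $null }
        UseWSUS       = [bool]$useWsus
        AUOptions     = $options
        AUMeaning     = if ($options) { $auMeaning[$options] } else { 'Not configured by policy' }
        # The intended server state from the post: WSUS-managed, download only, manual install
        MatchesPolicy = ([bool]$useWsus -and $options -eq 3)
    }
}

$results = foreach ($s in $Servers) {
    try {
        Invoke-Command -ComputerName $s -ScriptBlock $ScriptBlock -ErrorAction Stop
    } catch {
        [pscustomobject]@{
            Computer = $s; WSUSServer = $null; UseWSUS = $false; AUOptions = $null
            AUMeaning = "Unreachable: $($_.Exception.Message)"; MatchesPolicy = $false
        }
    }
}

$results | Format-Table Computer, WSUSServer, UseWSUS, AUOptions, AUMeaning, MatchesPolicy -AutoSize

# Anything that does not match deserves a look: it is either a server that will
# auto-install on its own schedule or one that is not pointed at WSUS at all.
$results | Where-Object { -not $_.MatchesPolicy } | ForEach-Object {
    Write-Warning "$($_.Computer) does not match the server patching policy"
}
```

A server showing AUOptions 4 is the one to worry about in this setup, since it will install and possibly reboot on the scheduled day regardless of the manual process the reply describes.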

I patch once a month. Our desktops are handled by WSUS and our servers are done via Windows Update. We patch during the third week of the month. We get a lot of questions from various quarters questioning our policy, primarily from people who aren't involved in patching but think they could always do it better until offered the chance to do so.

Basically our position is thus: we decide when to apply the patches and are not driven by Microsoft. This gives us time to test them, although not vigorously. We apply patches outside core hours over a number of evenings. We perform MBSA scans before and after the server is patched. I get the MSRC email bulletins to inform us what patches are being released and how critical they are.

I manage the logistics of patching. Although I would like a centralised solution, I haven't found the best one for our servers so far. I doubt there will be any funding now either.
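The reply above checks each server with MBSA before and after patching. As an added example (not code from the thread or from MBSA), the PowerShell below gives a quick cross-server view of the same question: how long since each box last received a hotfix, and which ones fall outside the chosen cadence. Server names and the 45-day threshold are placeholders; `Get-HotFix -ComputerName` needs remote WMI access to the targets.

```powershell
# Added example (not from the thread): report days since the last installed
# hotfix on each server and flag anything outside the chosen patch cadence.
# Server names and the threshold are placeholders.

$Servers = @('SERVER01', 'SERVER02')   # placeholder names
$MaxDaysSincePatch = 45                # monthly cadence plus slack; use around 100 for quarterly

function Get-PatchAge {
    param(
        [Parameter(Mandatory)][string]$Computer,
        [int]$MaxDays
    )
    try {
        # Get-HotFix exposes Win32_QuickFixEngineering; some entries carry no
        # InstalledOn, so drop those before looking for the newest one
        $hotfixes = Get-HotFix -ComputerName $Computer -ErrorAction Stop |
            Where-Object { $_.InstalledOn }

        $latest = $hotfixes | Sort-Object { [datetime]$_.InstalledOn } -Descending | Select-Object -First 1
        $latestDate = if ($latest) { [datetime]$latest.InstalledOn } else { $null }
        $days = if ($latestDate) { [int]((Get-Date) - $latestDate).TotalDays } else { $null }

        [pscustomobject]@{
            Computer        = $Computer
            HotfixCount     = @($hotfixes).Count
            LastHotfix      = if ($latest) { $latest.HotFixID } else { $null }
            LastInstalledOn = if ($latestDate) { $latestDate.ToString('yyyy-MM-dd') } else { $null }
            DaysSincePatch  = $days
            # No dated hotfix at all is treated as overdue rather than ignored
            Overdue         = ($null -eq $days) -or ($days -gt $MaxDays)
            Error           = $null
        }
    } catch {
        # Unreachable servers are flagged too; silence here would hide exactly
        # the boxes most likely to have been missed
        [pscustomobject]@{
            Computer = $Computer; HotfixCount = $null; LastHotfix = $null; LastInstalledOn = $null
            DaysSincePatch = $null; Overdue = $true; Error = $_.Exception.Message
        }
    }
}

$report = foreach ($s in $Servers) { Get-PatchAge -Computer $s -MaxDays $MaxDaysSincePatch }

$report | Sort-Object DaysSincePatch -Descending |
    Format-Table Computer, HotfixCount, LastHotfix, LastInstalledOn, DaysSincePatch, Overdue, Error -AutoSize

# Overdue servers are the ones to schedule first in the next maintenance window
$report | Where-Object Overdue | ForEach-Object {
    Write-Warning "$($_.Computer): $($_.DaysSincePatch) days since last hotfix (limit $MaxDaysSincePatch)"
}
```

Run it once before the maintenance evening to pick the order of servers, and again afterwards to confirm every box in the list moved; a server whose DaysSincePatch did not drop is one where the manual install was skipped or failed.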

Now I wonder what I'm missing. I've been patching quarterly going back a decade. I've never been burned by not patching servers monthly; maybe I've just been lucky.

It looks like the standard seems to be monthly and that WSUS is the popular tool. Thanks for the feedback everybody.

I patch monthly partly to keep up with the latest security patches and partly to limit how many patches I have to apply in one go. If you're only patching quarterly, don't you find you're applying 100+ to each server at a time?

WSUS is definitely the easiest way forward, especially as it is free from MS. If you've got SCE I think it's part of that, but then that costs, so it might not be an option.

I'm generally a once per month patcher, unless there is an urgent need for a particular update. I like WSUS for standard Windows updates.

Bear in mind that hard and fast policies can become valuable information to hackers.

Quarterly patching may be convenient, but when you have a serious patch, including zero day and out of cycle patches, then the knowledge of your quarterly patching may become a liability.

My preference is to test each patch and release to production usually within two weeks, latest.

This is where 'Defense in Depth' comes into play.

Patching is a necessary task, and while testing and setting schedules are best practice, there are still time windows between patch release from the vendor and patch application. Zero and Critical 'out of cycle' patches make these windows critical, but usually the exploits that these types of patches fix were in the wild before the patches were made available.

That window could be exploitable if your network is insecure through misapplication of network defense policies and procedures. That means the gamut of issues, from proxies that fail over, to firewalls that don't, to click happy users.

I patch on a monthly basis for servers, and a weekly basis for desktops. Critical patches go out as they come through.


© 2012 Created by Elizabeth Ayer and Michael Francis.
