When should I apply security updates (need advice)

    Question

  • Windows Server 2008 R2

    There has been an objection from our development team to having to constantly restart the servers every time a security update comes along. What is being proposed is to apply the updates once a month only so as not to disturb the users. I understand where they are coming from, since we've heard of MS patches before that caused more problems than solutions.

    I could set up a test environment, but that would mean having to duplicate all our production servers just to cover all the bases.

    I would like to know if such a proposal (postponing the security patches) is practical and "safe", since I've always restarted servers every time there is a security patch.

    Appreciate any help.

    Sunday, December 15, 2013 6:59 AM

Answers

  • I think installing updates once a month is common practice. Of course, you should have an SLA that describes service availability and possible downtime; in that case, your users understand what to expect from the infrastructure. If they want to decrease downtime or provide fault tolerance, then clustering is a solution, but the cost grows. Testing is also quite common. However, I have mainly seen test environments for critical servers and applications only.
    • Marked as answer by Rino Mardo Sunday, December 15, 2013 11:49 AM
    Sunday, December 15, 2013 7:43 AM

All replies

  • Hey

    To speak academically & theoretically here: you need to install updates immediately after the sysadmin has recognized them as not harmful for your environment. There are many centralized update management solutions like WSUS, SCCM, ... to help you with update installation, approval, ...

    In the real world, the right step is to have them tested on clones of your most important business-critical servers to find out whether they affect your services' availability & stability, & then consider whether to install them or not.

    When it comes to important updates (mostly security and critical updates), it is more vital for your servers to get the updates as fast as possible, since they help keep your servers more secure and reliable, protecting your computer and your privacy. These updates include security and critical updates, as well as reliability improvements. But you still need time to test them, on a forced schedule & considering the server's importance to your business & its availability to untrusted networks & people: the more the server is protected by other defense layers, the more time you have to make sure how necessary the update is for you.

    So as an example: a server located in your server zone, which is protected by UTMs, firewalls, etc. and is accessed in a very filtered way, can be updated monthly, but the same server in your DMZ offering a web service to public customers needs urgent attention with updates.

    Microsoft has some recommendations on having the updates at least once every week & typically releases important updates on the second or fourth Tuesday of the month. However, updates could be released at any time. There is no general prescription for scheduled update installation, to my limited knowledge, but you can plan your own schedule considering your servers' importance to the business & percentage of availability to public users & the number of vulnerability interfaces (each service you offer on a server has the potential to become a vulnerability interface).

    It is not safe to install any patch without having it tested in your environment, not even security patches, but also service packs & rollups. Consider having your own update schedule & buy time with other protective defense layers.

    G luck

    ________________________________________________________________________

    SeyedHoodad HashemiNoudehi

    MCSA 2008, MCITP: Enterprise Administrator, MCITP: Server Administrator, MCSE:2003 Security,MCSA:2003 Security , MCTS , MCP , Comptia Security+ ce , ITIL V3.0 , BEng CEng




    • Edited by SH.Hashemi Sunday, December 15, 2013 7:45 AM
    Sunday, December 15, 2013 7:37 AM
  • Thanks for the replies.

    I'm glad such a practice is not an isolated one.

    Sunday, December 15, 2013 11:48 AM
  • Updating once a month is not a good practice for all of your servers, especially when it comes to DMZ servers; you should make your own update schedule, as I suggested before in my post, dude!



    • Edited by SH.Hashemi Sunday, December 15, 2013 12:24 PM
    Sunday, December 15, 2013 12:21 PM
  • I think installing updates once a month is common practice. Of course, you should have an SLA that describes service availability and possible downtime; in that case, your users understand what to expect from the infrastructure. If they want to decrease downtime or provide fault tolerance, then clustering is a solution, but the cost grows. Testing is also quite common. However, I have mainly seen test environments for critical servers and applications only.

    Dude, with respect, there is no such common practice for all servers in an enterprise environment; he should design HIS OWN business-oriented update schedule!

    • Edited by SH.Hashemi Sunday, December 15, 2013 12:28 PM
    Sunday, December 15, 2013 12:27 PM
  • It should be downloaded immediately and deployed after office hours the same day.
    Sunday, December 15, 2013 12:27 PM
  • It should be downloaded immediately and deployed after office hours the same day.

    Hey Zain-DAIN,

    He needs to install updates immediately after the sysadmin has recognized them as not harmful for his environment (approved updates).

    G luck



    • Edited by SH.Hashemi Sunday, December 15, 2013 12:31 PM
    Sunday, December 15, 2013 12:30 PM
  • On Sun, 15 Dec 2013 12:27:38 +0000, SH.Hashemi wrote:

    Dude, with respect, there is no such common practice for all servers in an enterprise environment; he should design HIS OWN business-oriented update schedule!

    Of course there is, which is one of the reasons Microsoft switched to a
    once a month schedule for releasing updates.


    Paul Adare - FIM CM MVP
    "The biggest crime of all that [Microsoft] commits is getting people
    accustomed to huge, slow, unstable software as the norm." -- Jay Maynard

    Sunday, December 15, 2013 2:29 PM
  • On Sun, 15 Dec 2013 12:27:38 +0000, SH.Hashemi wrote:

    Dude, with respect, there is no such common practice for all servers in an enterprise environment; he should design HIS OWN business-oriented update schedule!

    Of course there is, which is one of the reasons Microsoft switched to a
    once a month schedule for releasing updates.


    Paul Adare - FIM CM MVP
    "The biggest crime of all that [Microsoft] commits is getting people
    accustomed to huge, slow, unstable software as the norm." -- Jay Maynard

    Hey

    Paul, dude, with all respect for your experience :)

    Microsoft has recommendations on having the updates at least once every week & typically releases important updates on the second or fourth Tuesday of the month. However, updates could be released at any time, as the official Windows Update page says.

    http://windows.microsoft.com/is-is/windows/understanding-windows-automatic-updating#1TC=windows-7

    Yet I insist on having different policies for different groups of servers with different missions in the business. I have a weekly schedule for my DMZ servers and a monthly one for my intranet servers; of course, emergency patch installation is always available for emergency cases.

    All update installations are, of course, subject to not being identified as harmful for our application servers, etc.

    I will never forget the Windows 2003 SP2 problem with ISA Server 2004; it cost me my vacation to find out about that incompatibility.

    http://www.isaserver.org/blogs/shinder/news/warning-windows-server-2003-sp2-may-destroy-your-isa-firewall-without-warning-470.html

    G luck

    • Edited by SH.Hashemi Sunday, December 15, 2013 2:52 PM
    Sunday, December 15, 2013 2:41 PM
  • On Sun, 15 Dec 2013 14:41:55 +0000, SH.Hashemi wrote:

    Microsoft has recommendations on having the updates at least once every week & typically releases important updates on the second or fourth Tuesday of the month. However, updates could be released at any time, as the official Windows Update page says.

    Yet I insist on having different policies for different groups of servers with different missions in the business. I have a weekly schedule for my DMZ servers and a monthly one for my intranet servers; of course, emergency patch installation is always available for emergency cases.

    Microsoft releases updates on the second Tuesday of each month, unless
    there is a specific, urgent need to do otherwise, which is relatively rare.


    Paul Adare - FIM CM MVP
    It used to be said [...] that AIX looks like one space alien discovered
    Unix, and described it to another different space alien who then
    implemented AIX. But their universal translators were broken and they'd had to gesture
    a lot. -- Paul Tomblin

    Sunday, December 15, 2013 3:25 PM