What is best practice to keep Windows Server 2016/2012/2008 most secured and high available?

  • Question

  • Hi,

      Since our company's goal is to keep Windows Server 2016/2012/2008 highly available, I rarely use Windows Update. I install individual hotfixes for vulnerabilities (e.g. MS17-010, CVE-2019-0708) instead. However, are there any tools that can confirm that all my Windows servers are secured? I tried Microsoft Security Baseline Analyzer, Metasploit Framework, Nmap, and a CVE-2019-0708 scanner ( https://github.com/robertdavidgraham/rdpscan ); all of these can do some sort of work. However, I am still looking for one solution that can scan all my servers for all vulnerabilities and make sure that all servers are patched and secured.

      You may say "OK, use WSUS and run patches automatically". It does not work for us.

    1. Some Windows updates apply immediately and will shut down mission-critical application servers like the SAP system. (In Windows Server 2003 or 2000; I am not sure if Windows Server 2016 still works this way now.)

    2. Our best practice is to deploy patches with testing. (Development system => Quality Assurance system => Production system)

        Some Windows updates are feature updates, not security updates, so they are not necessary. Also, it has been troublesome in these two years. Sorry, no offense.

    3. I heard about Nessus; is it the best solution for this? But I know it is not freeware.



    Tuesday, November 19, 2019 4:30 AM

Answers

  • Windows updates are cumulative, so you cannot pick and choose what to install. If you don't patch them regularly then Windows is not secure.

    Better to ask SAP about a high availability or clustered solution.


    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Marked as answer by dennislee1245 Tuesday, November 26, 2019 9:04 AM
    Tuesday, November 19, 2019 4:43 AM
  • Hi,

    I just discussed with our HA colleagues and we think that updating one node first and then updating another node one week later will not have a negative impact on the cluster. It is the best practice to install the same patches on all nodes. It is to avoid the unhealthy state of the cluster caused by the known issues mentioned in some patches. In addition, we recommend that you migrate all roles on the node to other nodes before installing the patch.

    If you think the answer is helpful, please mark it as a reply, which will help more users get valid information.

    Have a nice day~

    Best Regards,

    Kiki


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by dennislee1245 Tuesday, November 26, 2019 9:00 AM
    Tuesday, November 26, 2019 7:44 AM

All replies

  • Hi

    For further help, I suggest you submit a new case on High Availability (Clustering) Forum directly as they will be more professional on your issue.

    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us.

    Thanks for your understanding and cooperation.

    Best Regards

    Kiki 


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 20, 2019 7:07 AM
  • Hi,

    OK, just have a nice day!

    Regards,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 20, 2019 9:27 AM
  • HA is all about redundancy, so you need to make sure that you have other servers to take over the services when you are rebooting a server. Of course, the design of HA depends on the solution you are running, so you need to check with your application support on how to achieve it. In terms of patching, you can use WSUS to control when updates are pushed and use scripts to orchestrate your reboot sequence. Of course, you can run your reboot scripts outside of business hours to minimize downtime and related impacts.

    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK


    Monday, November 25, 2019 1:19 PM
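The replies above recommend WSUS-controlled patching and keeping every cluster node at the same patch level; the original question asks for a way to confirm that all servers are actually patched. The following PowerShell script is an added example (not from the thread or from any of its participants) that audits a list of servers remotely: it lists required KBs that are missing, queries the Windows Update Agent for security updates still pending on each machine, checks for a pending reboot, and warns when nodes differ in patch level. Server names and the required KB list are placeholders; it assumes WinRM is enabled and the caller is an administrator on each server.

```powershell
# Added example: patch-status audit across servers (placeholders: NODE1, NODE2, KB list).
param(
    [string[]]$ComputerName = @('NODE1', 'NODE2'),  # hypothetical server names
    [string[]]$RequiredKB   = @('KB0000000')         # placeholder: fill from your WSUS approvals
)

$report = foreach ($c in $ComputerName) {
    Invoke-Command -ComputerName $c -ArgumentList (,$RequiredKB) -ScriptBlock {
        param($kbs)
        # Hotfixes the local servicing stack reports as installed
        $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

        # Windows Update Agent search: software updates offered to this machine but not installed.
        # Searching works in a remote session; downloading/installing must run locally (e.g. via WSUS).
        $session  = New-Object -ComObject Microsoft.Update.Session
        $searcher = $session.CreateUpdateSearcher()
        $pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates

        # Security updates carry an MSRC severity (Critical/Important/...); feature updates do not
        $pendingSecurity = @($pending | Where-Object { $_.MsrcSeverity })

        # Newest installed hotfix, used below to compare patch level between nodes
        $latest = Get-HotFix | Sort-Object InstalledOn | Select-Object -Last 1

        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            MissingRequired = @($kbs | Where-Object { $installed -notcontains $_ })
            PendingTotal    = $pending.Count
            PendingSecurity = @($pendingSecurity | Select-Object -ExpandProperty Title)
            LatestHotFix    = $latest.HotFixID
            RebootPending   = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
        }
    }
}

$report | Format-Table Computer, MissingRequired, PendingTotal, RebootPending -AutoSize
$report | Where-Object { $_.PendingSecurity.Count -gt 0 } |
    ForEach-Object { Write-Warning "$($_.Computer): pending security updates: $($_.PendingSecurity -join '; ')" }

# Cluster nodes should sit at the same patch level; flag drift between them
$levels = $report | Group-Object LatestHotFix
if ($levels.Count -gt 1) {
    Write-Warning "Patch level differs between servers: $($levels.Name -join ', ')"
}
```

Run it before and after a maintenance window; a node that still shows pending security updates or a different latest hotfix than its peers is the one to drain (move its roles) and patch next.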
  • Hi Ahmed MALEK,

      Thanks for your reply. Since Microsoft decided to deliver cumulative updates only (I don't know, maybe in these two years), I guess the Windows updates always take a very long time. I downloaded the Nov 2019 cumulative update and its size is an incredible 1.2GB. WOW!! I guess 80% ~ 90% are feature updates and maybe 10% or less are security updates. Why doesn't Windows split feature updates and security updates? Installing features on Windows Server is really unnecessary.

      And also, Microsoft recommends that all nodes in a Windows Failover Cluster should have the same patch level, which causes a very serious problem: your scheduled/planned downtime will increase significantly. Maybe from 10 minutes to 30 minutes or more, and if you add high-end hardware reboot time (cold start), it takes you another 15 minutes.

      All this is not acceptable. We decided to patch one node first and patch the second one week later. Would this cause any negative malfunction on a Windows Server Cluster? Sorry, this question is off topic; it is not a Windows updates issue any more, it is a cluster-related issue. I will post this question in Windows Server Failover Cluster. Sorry for any inconvenience.

    Tuesday, November 26, 2019 2:30 AM
  • No problem, you can post this feedback over here on uservoice.

    https://windowsserver.uservoice.com/forums/304618-installation-and-patching


    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Tuesday, November 26, 2019 2:34 AM
  • Hi dennislee1245,

    We are looking forward to your good news. Have a nice day~

    Regards,

    Kiki


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, November 26, 2019 2:47 AM
  • Hi Dave/Kiki,

      Thanks a lot for your reply. I used to defend Microsoft Windows Server and Windows Update, but now I won't do it anymore.

    Here is a reddit thread why people don't like windows updates.

    Warning: If you are a Microsoft employee or fan, you will definitely not like it. Don't read.

    ----

    https://www.reddit.com/r/sysadmin/comments/dv6k1z/why_is_windows_update_always_the_top_reason/

    Why is Windows update always the top reason people don't like Microsoft Windows?

    Tuesday, November 26, 2019 3:52 AM