Patching Windows

  • Question

  • I am curious how many other admins patch and restart their servers at every patch update interval.

    Most environments these days sit behind a firewall with very limited access from the outside world into the corporate LAN. In my opinion, this should theoretically negate the necessity for a number of the patches that are actually released for Windows 2000, 2003 and 2008 servers, especially considering that most of them are for vulnerabilities based around Internet Explorer and remote code execution in circumstances where they are accessible from the net.

    If your servers are not accessible to or from the internet, and they are not being used to browse or use the internet, you would think this would limit the number of patch deployments necessary.

    In my 12 years as a Windows and Linux systems administrator, I have only come across a handful of situations where unpatched servers were exploitable by internal staff, i.e. staff clever and BRAVE enough to try and exploit internal systems.

    How do others feel about this, and how do they handle it? The reason I ask is that, to this point, we have made a point of trying to keep the majority of our servers (about 250 Windows 2000/2003/2008 servers) on the patch update rotation. But given the number of services we provide that are affected by these downtimes, and the difficulty of trying to coordinate downtime windows across all of these different servers, I am starting to loosen the requirement for such frequent updates.

    We are throwing around the idea of once every six months or so, or sooner in the case of a critical patch that resolves an exploit that is relevant inside our corporate LAN. As a side note, we have a handful of 2000 and 2003 servers that are nearing 380 days. That is over a year; not bad for Windows servers if you ask me, and these are not clusters, mind you. Some of our Linux and Solaris boxes have been up for over 2.5 years and remind me of the good old days of Novell.

    Anyway, I would be interested to hear how others are approaching this in their organization and how they feel about it.
    Thursday, June 5, 2008 11:42 PM


  • You are right that many servers sit within a perimeter network, but there are a couple of things that make that more of a 'chain link fence' than a barricade. (I've worked with quite a few Fortune 1000/100/50 companies, and this is based on what I have seen them doing.)

    First, the perimeter is not as fixed as it once was. Companies are opening more and more applications to partners and customers, creating a web of connections. Yes, there is the DMZ and then the firewall and then the backend, but that still means that a method of communication into the 'protected' environment is available. That means that you need to protect those inside servers that are on the chain of one of these communication links more diligently.

    Historically, I believe you are right in your assumption that a strong perimeter has prevented internal infection. For example, some of these large shops (thousands of servers) have told me they haven't had a breach through their firewalls for several years. However, they still have the problem of a sales rep taking his laptop on the road, browsing to someplace where he gets infected, and then happily plugging into the network behind the firewall. I remember walking into one of these customers recently as they were scrambling to distribute an updated signature file to protect against a virus that had come in through this very manner. They were actually using their emergency address system to alert all people to turn off their computers and get a copy of a CD from IT, because anything that was on the network was getting affected.

    So, if all you have to worry about are systems that are totally isolated, or you can guarantee that your workstations are always up to date with the latest malware protection, I think regular application of security patches is a wise thing to do.

    Based on that, these companies that I deal with will look at each patch that comes in and make the determination as to how 'risky' it is to NOT apply a given patch. They will sometimes not apply a patch because they think that, in their particular environment, the patch isn't as critical as rated by the vendor of the product being patched. However, they almost all have a roll-up date, generally once a quarter, where all outstanding patches are applied.

    Friday, June 6, 2008 3:48 PM