Wireless Networks Thread, Server updates in Technical; Apologies if this is posted to the wrong thread but I'm trying to figure out what the current thinking is ...
  1. #1
    speckytecky

    Server updates

    Apologies if this is posted to the wrong thread but I'm trying to figure out what the current thinking is on server updates.

    Running a lone vanilla DC et al currently on Windows Server 2003 R2.

    In the past I had a 2000 server go up the creek on MS updates so have since been very cautious.

    However, in recent years my confidence has been restored and I have been thinking that if the updates are released then they need applying - I usually leave a week or so before running them. Speaking to a first line tech at the Server manufacturer a while ago he told me it was healthy to restart servers fairly regularly so running updates has usually tied in with a restart.

    This week our server picked up a couple of updates (.NET Framework 3.5 and a general security update) but they failed to apply.

    Seeking help, first line encountered the same problems I had and passed me to one of their software second line techs. This very helpful chap figured out the updates were not after all needed. (Of course he pointed out the wisdom of only applying updates after testing them on a non-critical machine - wish I could.) He then amazed me by telling me that many organisations that have a decent firewall never apply the regular updates, only applying them at SP stage. In his opinion the updates were only really useful for organisations that have public-facing servers, and often for them the updates are too late anyhow.

    What's the general feeling here?

  2. #2

    elsiegee40
    I tend to leave it a couple of weeks from release before applying them so that others get the problems first, but no more than that

  3. Thanks to elsiegee40 from:

    speckytecky (2nd November 2010)

  4. #3
    jsnetman
    Tend to do it in the holidays, that way if anything gets screwed you have time to fix it. But obviously things that are needed straight away for perhaps a certain server app like dot net go on.

  5. Thanks to jsnetman from:

    speckytecky (2nd November 2010)

  6. #4

    3s-gtech
    Funny that, I left XP SP3 for over a year before deploying it, as I found it was bricking installs when applied to certain machines. Just installed it manually as and when images were updated. I tend to leave them a week then deploy, touch wood not had too many problems with it.

  7. Thanks to 3s-gtech from:

    speckytecky (2nd November 2010)

  8. #5


    Quote (originally posted by speckytecky):
        In his opinion the updates were only really useful for organisations that have public facing servers and often for them the updates are too late anyhow.

        What's the general feeling here?

    My feeling is he's never had a network fubar'd because some idiot salesweasel managed to give his laptop an std by plugging it into a filthy customer network despite being told not to. The "we've got a firewall, so we don't need to patch" attitude is irresponsible.

    Most compromises are caused by internal users doing something (arbitrary removable storage, clicking on something) or not doing something (say sysadmins not patching when they should) - there are *still* machines out there infected by Code Red, Slammer and Nimda, so much so SANS ran a cleanup initiative: Cyber Security Awareness Month Activity: SQL Slammer Clean-up

    </rant>

    Critical / actively exploited vulns get patched on the Thursday evening following Patch Tuesday after being tested on sacrificial VMs that run equivalent services and OSes unless they break something in a way we can't fix. I haven't had a patch break anything on a server that I can't fix for a long time.

    Clients get critical patches pushed out on the Friday morning, with a deadline of Tuesday 5pm. Since we have a bunch of ASTs who go into other schools with their laptops they're a major infection threat if not patched.

  9. Thanks to pete from:

    speckytecky (2nd November 2010)
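
The patch cadence described in the post above, worked through as an added example that is not part of the thread or any poster's own tooling: it derives Patch Tuesday (the second Tuesday of the month), the Thursday server window, the Friday client push and the Tuesday 5pm deadline, then lists clients that missed the deadline. The host names, the inventory format and the reading of the deadline as the Tuesday one week after release are assumptions.

```python
from datetime import date, datetime, time, timedelta

def patch_tuesday(year, month):
    """Second Tuesday of the month, Microsoft's regular release day."""
    first = date(year, month, 1)
    to_first_tuesday = (1 - first.weekday()) % 7  # Monday=0, Tuesday=1
    return first + timedelta(days=to_first_tuesday + 7)

def cycle(year, month):
    """Dates for one cycle: servers Thursday, clients Friday, deadline Tuesday 17:00."""
    release = patch_tuesday(year, month)
    return {
        "release": release,
        "servers": release + timedelta(days=2),
        "client_push": release + timedelta(days=3),
        # Assumption: the deadline is the Tuesday one week after release.
        "client_deadline": datetime.combine(release + timedelta(days=7), time(17, 0)),
    }

def overdue_clients(last_install, year, month, now):
    """Hosts with no successful install since the Friday push, once the deadline has passed."""
    c = cycle(year, month)
    if now <= c["client_deadline"]:
        return []  # still inside the grace window, nothing is overdue yet
    push = datetime.combine(c["client_push"], time.min)
    return sorted(h for h, t in last_install.items() if t is None or t < push)

# Constructed inventory: host -> last successful update install (None = never reported).
SAMPLE = {
    "ast-laptop-01": datetime(2010, 11, 12, 9, 40),
    "ast-laptop-02": datetime(2010, 10, 15, 8, 5),
    "office-pc-07": datetime(2010, 11, 15, 16, 20),
    "ast-laptop-03": None,
}

if __name__ == "__main__":
    print(cycle(2010, 11))
    print(overdue_clients(SAMPLE, 2010, 11, datetime(2010, 11, 17, 8, 0)))
```

Hosts that have never reported are treated as overdue, since a laptop that is absent from the update records is not known to be patched.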

  10. #6

    Domino
    All WSUS controlled here.

    Updates get sent to a group of machines whose users I know are fairly sensible, my own and a couple of servers.

    The following week if there's no issues they get released to the rest of the office and are installed automatically at the weekend.

    The vast majority of patches nowadays are vulnerability patching - and given how quickly vulnerabilities become exploits in the wild, do you really want those open?

    And the firewall argument, really? So when a user tells IE to download something (most likely ignoring a variety of warnings) which later takes advantage of an unpatched vulnerability - how does the firewall help?

  11. Thanks to Domino from:

    speckytecky (2nd November 2010)

  12. #7

    elsiegee40
    Quote (originally posted by 3s-gtech):
        Funny that, I left XP SP3 for over a year before deploying it, as I found it was bricking installs when applied to certain machines. Just installed it manually as and when images were updated. I tend to leave them a week then deploy, touch wood not had too many problems with it.

    Very true... I am selective as well. SP3 got left a LONG time here before deployment, as did IE8; I was thinking more of security patches, etc.

    Everything's done through WSUS here.

  13. #8
    speckytecky
    Thanks for all the very useful replies folks. Much as I thought nowadays - almost everyone sees it as the responsible way to go to apply the updates and try and build in a time delay in the hope that any broken updates are fixed before they hit school systems. Second line chap I spoke to might be right in his experience that sometimes updates create problems, but on-the-ground techy experience and common sense dictate that it's best to apply security and critical updates at the very least.
