Posted

Apologies if this is posted to the wrong thread, but I'm trying to figure out what the current thinking is on server updates.

Running a lone vanilla DC et al., currently on Windows Server 2003 R2.

In the past I had a 2000 server go up the creek on MS updates, so I have since been very cautious.

However, in recent years my confidence has been restored and I have been thinking that if the updates are released then they need applying - I usually leave a week or so before running them. Speaking to a first line tech at the server manufacturer a while ago, he told me it was healthy to restart servers fairly regularly, so running updates has usually tied in with a restart.

This week our server picked up a couple of updates (.NET Framework 3.5 and a general security update), but they failed to apply.

Seeking help, first line encountered the same problems I had and passed me to one of their software second line techs. This very helpful chap figured out the updates were not, after all, needed. (Of course he pointed out the wisdom of only applying updates after testing them on a non-critical machine - wish I could.) He then amazed me by telling me that many organisations that have a decent firewall never apply the regular updates, only applying them at SP stage. In his opinion the updates were only really useful for organisations that have public-facing servers, and often for them the updates are too late anyhow.

What's the general feeling here?

Posted
Tend to do it in the holidays; that way, if anything gets screwed, you have time to fix it. But obviously things that are needed straight away, for perhaps a certain server app like .NET, go on.
  • Thanks 1
Posted
Funny that, I left XP SP3 for over a year before deploying it, as I found it was bricking installs when applied to certain machines. Just installed it manually as and when images were updated. I tend to leave them a week, then deploy; touch wood, I've not had too many problems with it.
  • Thanks 1
Posted
In his opinion the updates were only really useful for organisations that have public-facing servers, and often for them the updates are too late anyhow.

What's the general feeling here?

My feeling is he's never had a network fubar'd because some idiot salesweasel managed to give his laptop an STD by plugging it into a filthy customer network despite being told not to. The "we've got a firewall, so we don't need to patch" attitude is irresponsible.

Most compromises are caused by internal users doing something (arbitrary removable storage, clicking on something) or not doing something (say sysadmins not patching when they should) - there are *still* machines out there infected by Code Red, Slammer and Nimda, so much so that SANS ran a cleanup initiative: Cyber Security Awareness Month Activity: SQL Slammer Clean-up

Critical / actively exploited vulns get patched on the Thursday evening following Patch Tuesday, after being tested on sacrificial VMs that run equivalent services and OSes, unless they break something in a way we can't fix. I haven't had a patch break anything on a server that I can't fix for a long time.

Clients get critical patches pushed out on the Friday morning, with a deadline of Tuesday 5pm. Since we have a bunch of ASTs who go into other schools with their laptops, they're a major infection threat if not patched.

  • Thanks 1
Posted

All WSUS controlled here.

Updates get sent to a group of machines whose users I know are fairly sensible, my own and a couple of servers.

The following week, if there are no issues, they get released to the rest of the office and are installed automatically at the weekend.

The vast majority of patches nowadays are vulnerability patching - and given how quickly vulnerabilities become exploits in the wild, do you really want those open?

And the firewall argument, really? So when a user tells IE to download something (most likely ignoring a variety of warnings) which later takes advantage of an unpatched vulnerability - how does the firewall help?

  • Thanks 1
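The Thursday-after-Patch-Tuesday schedule with a Tuesday 5pm client deadline, and the WSUS pilot-group-then-everyone rollout, as described in the two posts above, combined into one added PowerShell script that is not from the thread or any poster. It assumes the UpdateServices module on a WSUS server (2012 or later) and two WSUS computer groups named Pilot and Production; the module, the group names and the 7-day soak period are all assumptions.

```powershell
# Added example, not from the thread. Assumes the UpdateServices module (WSUS on
# Server 2012+) and WSUS computer groups named 'Pilot' and 'Production'.
Import-Module UpdateServices

function Get-PatchTuesday {
    param([datetime]$Month = (Get-Date))
    # Second Tuesday of the month: first day, advance to the first Tuesday, add a week
    $first  = (Get-Date -Year $Month.Year -Month $Month.Month -Day 1).Date
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    return $first.AddDays($offset + 7)
}

$patchTuesday   = Get-PatchTuesday
$clientDeadline = $patchTuesday.AddDays(7).AddHours(17)   # following Tuesday, 17:00
$soakDays       = 7                                       # assumed pilot soak period

$wsus       = Get-WsusServer                              # local WSUS server
$pilotGroup = $wsus.GetComputerTargetGroups() | Where-Object Name -eq 'Pilot'
$prodGroup  = $wsus.GetComputerTargetGroups() | Where-Object Name -eq 'Production'
$install    = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

# Step 1: unapproved Critical and Security updates go to the Pilot group only
foreach ($class in 'Critical', 'Security') {
    Get-WsusUpdate -UpdateServer $wsus -Classification $class -Approval Unapproved -Status Any |
        ForEach-Object {
            $_.Update.Approve($install, $pilotGroup) | Out-Null
            Write-Host "Pilot      : $($_.Update.Title)"
        }
}

# Step 2: updates that have been on Pilot for the soak period with no failed installs
#         are released to Production with a hard deadline; run this on Friday morning
foreach ($u in (Get-WsusUpdate -UpdateServer $wsus -Approval Approved -Status Any)) {
    $approvals = $u.Update.GetUpdateApprovals()
    $pilot = $approvals | Where-Object { $_.ComputerTargetGroupId -eq $pilotGroup.Id }
    $prod  = $approvals | Where-Object { $_.ComputerTargetGroupId -eq $prodGroup.Id }
    if (-not $pilot -or $prod) { continue }                # not piloted yet, or already out
    $soaked = $pilot.CreationDate -lt (Get-Date).AddDays(-$soakDays)
    $failed = $u.Update.GetSummary($pilotGroup).FailedCount -gt 0
    if ($soaked -and -not $failed) {
        $u.Update.Approve($install, $prodGroup, $clientDeadline) | Out-Null
        Write-Host "Production : $($u.Update.Title) (deadline $clientDeadline)"
    } elseif ($failed) {
        Write-Warning "Held back (pilot failures): $($u.Update.Title)"
    }
}
```

Updates that fail on a pilot machine are held back and reported rather than released, which is the "test on sensible users first" step made mechanical.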
Posted
Funny that, I left XP SP3 for over a year before deploying it, as I found it was bricking installs when applied to certain machines. Just installed it manually as and when images were updated. I tend to leave them a week, then deploy; touch wood, I've not had too many problems with it.

Very true... I am selective as well. SP3 got left a LONG time here before deployment, as did IE8; I was thinking more of security patches, etc.

Everything's done through WSUS here.

Posted
Thanks for all the very useful replies, folks. Much as I thought nowadays - almost everyone sees it as the responsible way to go to apply the updates and try to build in a time delay, in the hope that any broken updates are fixed before they hit school systems. The second line chap I spoke to might be right in his experience that sometimes updates create problems, but on-the-ground techy experience and common sense dictate that it's best to apply security and critical updates at the very least.
