VMware Cloud Community
admin
Immortal

Patching Strategy in Your Environment

Although not related specifically to ESX, I am interested to hear how others handle Windows security patching in their environments. In other environments I have worked in, patching used to be religiously performed shortly after security patches were made available; however, in the last few years I have found that I have been patching my Windows infrastructure maybe every three to five months depending on the systems. I find that although there are typically a handful of patches per month released for each server OS (Windows 2003, 2k3 R2 and 2k8), many are not applicable when you read the details. We handle our externally facing systems differently, but our internal environment is secure enough both from the outside as well as internally that normally we are not concerned about remote execution, etc. related vulnerabilities, as most servers are inaccessible at that level to staff outside of our operations group anyway. We have about 300 Windows servers, so patching regularly is a time-consuming nuisance as well. We have an obligation through a lot of our contracts to patch our Linux environment (about 60 out of 180) when there are critical vulnerabilities or once a month.

So I am curious how others handle this. Likewise it should be noted that we don't actually patch every one of our Windows servers, and I have some, somewhat more isolated Windows servers that have been up for more than 400 and 470 days (8 or 9, and a couple in the 300 range) - whoever said Windows couldn't see decently high uptime?! Oh, these servers are averaging more than 200 concurrent connections per day as well, so they're not sitting idle.

Curious how other companies with 100+ servers handle their environments, considering the downtime in 24/7 environments can be troublesome to accommodate and schedule.

0 Kudos
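The original post reasons about patch cadence from two numbers per server: how long since it was last patched and how long it has been up. Below is an added example (not code from either poster) that collects exactly those two numbers for a list of servers and flags anything past a chosen patch-age threshold, so the "are we really 3-5 months behind?" question can be answered from inventory rather than memory. The server names and the 30-day threshold are constructed placeholders; the script assumes WMI/DCOM access to each server with an account that can read `Win32_OperatingSystem` and `Win32_QuickFixEngineering`, which is what `Get-HotFix` reads.

```powershell
# Added example: report last-hotfix age and uptime per Windows server.
# Not from the forum thread; assumes remote WMI access to each host.
$servers         = @('SERVER01', 'SERVER02', 'SERVER03')  # constructed placeholder names
$maxPatchAgeDays = 30                                     # constructed policy threshold

$report = foreach ($s in $servers) {
    try {
        $os       = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $s -ErrorAction Stop
        $lastBoot = $os.ConvertToDateTime($os.LastBootUpTime)
        $uptime   = [math]::Floor(((Get-Date) - $lastBoot).TotalDays)

        # InstalledOn can be empty for some entries on older builds, so drop
        # undated entries before picking the most recent hotfix.
        $latest = Get-HotFix -ComputerName $s -ErrorAction Stop |
            Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1

        if ($latest) {
            $hotfixId = $latest.HotFixID
            $patchAge = [math]::Floor(((Get-Date) - $latest.InstalledOn).TotalDays)
            $over     = ($patchAge -gt $maxPatchAgeDays)
        } else {
            $hotfixId = 'none recorded'
            $patchAge = $null
            $over     = $true   # no dated hotfix at all is treated as out of policy
        }

        New-Object PSObject -Property @{
            Server        = $s
            OSCaption     = $os.Caption
            UptimeDays    = $uptime
            LastHotFix    = $hotfixId
            PatchAgeDays  = $patchAge
            OverThreshold = $over
        }
    }
    catch {
        # Unreachable hosts are reported rather than silently skipped, since a
        # server that cannot be inventoried cannot be shown to be patched either.
        New-Object PSObject -Property @{
            Server        = $s
            OSCaption     = "unreachable: $($_.Exception.Message)"
            UptimeDays    = $null
            LastHotFix    = $null
            PatchAgeDays  = $null
            OverThreshold = $true
        }
    }
}

$report |
    Sort-Object PatchAgeDays -Descending |
    Format-Table Server, OSCaption, UptimeDays, LastHotFix, PatchAgeDays, OverThreshold -AutoSize

# Keep a dated copy so the next maintenance window can be compared against this one.
$report | Export-Csv -Path ".\patch-status-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Two caveats when reading the output: `Get-HotFix` only lists updates recorded in `Win32_QuickFixEngineering`, so updates delivered as MSI packages or through some third-party tools will not appear and the reported patch age can be older than reality; and a long `UptimeDays` next to a recent `LastHotFix` usually means a hotfix was installed but the reboot it required has not happened, so the fix is not yet in effect.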
1 Reply
azn2kew
Champion

To be honest, each environment has its own security and change management policies, and throughout my consulting career it seems the biggest worry is MS Updates deployment, because Windows is known for vulnerabilities, and with strict financial corporation and banking security compliance, change management policies are very strict and we have to implement the most effective change management procedure and patch management. We're currently using SMS 2007 to patch all the Windows servers statewide, streaming from 9 different site servers. The MS Updates have been thoroughly tested in a test environment so they will not create an adverse effect before we create a change control ticket to management for approval. The approval process goes through 5 different managers, and it will be automatically deployed through the approval and filtering process. If critical servers need to be patched, we have dedicated staff to personally monitor it. The deployment takes place during maintenance hours as specified per application/server policies.

Again, I've seen people use WSUS 3.0 just fine with medium-size environments, and it's very easy to implement. I've also seen organizations that are not so active with their patch systems, and sometimes when you check on the servers, they're way behind on patches for days/months, so it's hard to tell. It definitely depends on the security and change management policies enforcing that the server owners take care of business as needed.

For both Windows/Linux guest OS, I would suggest looking at VMware Update Manager, which is capable of deploying patches to ESX hosts (Windows/Linux guests); pretty sweet and automated.

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

Regards,

Stefan Nguyen

VMware vExpert 2009

iGeek Systems Inc.

VMware, Citrix, Microsoft Consultant

0 Kudos