Security Basics mailing list archives
Re: Patching internet facing MS systems
From: <nobledark () hushmail com>
Date: Thu, 13 Mar 2008 08:06:01 -0400
I believe that WSUS supports server chaining (not sure if that is what it is called) so you could put a WSUS server in your DMZ that gets its (approved by you) updates from your LAN-based WSUS server. The DMZ-based WSUS then distributes patches to your DMZ-based servers.

Alternately, if you did not want your DMZ-based WSUS to talk w/ your LAN-based WSUS, the DMZ WSUS could operate independently, getting its updates directly from the Internet. You would need to manage two WSUS at that point but the end result would be the same.

Non MS patches, etc could be handled by other means (WPKG is a good open source tool for this).

My 2 cents....

On Mon, 10 Mar 2008 18:44:57 -0400 Dan Lynch <DLynch () placer ca gov> wrote:
Greetings group,

I'm looking for current best practice recommendations regarding the maintenance and patching of internet-facing Windows servers.

In my environment, these are hardened, stand-alone (i.e., non-domain member) servers, mainly running IIS, and in at least one case, MS SQL Server. They reside on a network segregated behind a firewall from the internet, and from our core network. At this time, no connections are allowed from them to the private network. All unnecessary services are disabled, including the Server Service.

Currently, Remote Desktop is used for many maintenance tasks, but patching remains a problem. Applicable patches are copied to a USB memory stick, and an administrator at the server console manually installs. This sneaker-net solution is the source of much wailing and gnashing of teeth among our sysadmins.

A number of options are available that run the gamut from turning on automatic updates and allowing them to make outbound HTTP connections to microsoft.com, to making them domain member servers and using SMS to push patches.

How do _you_ do it?

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA