Re: Patching internet facing MS systems

["Kurt Buff" <kurt.buff () gmail com>]

If I had Internet-facing machines, it would depend on the exact
configuration of the server WRT my enterprise.

If they were, as they are in your situation, in a DMZ on the same
physical site as my business, I'd open up port 3389 from my trusted
network into the DMZ, and RDP into the machines. That would allow me
to copy over the patches, or if I were more adventurous, allow me to
use IE to manually visit the MSFT update and download sites.

If RDP fails your conditions for security, you might also consider a
long-reach or IP KVM with a disjoint subnet.

On Mon, Mar 10, 2008 at 2:44 PM, Dan Lynch <DLynch () placer ca gov> wrote:
> Greetings group,
>
>  I'm looking for current best practice recommendations regarding the
>  maintenance and patching of internet-facing Windows servers. In my
>  environment, these are hardened, stand-alone (i.e., non-domain member)
>  servers, mainly running IIS, and in at least one case, MS SQL Server.
>  They reside on a network segregated behind a firewall from the internet,
>  and from our core network. At this time, no connections are allowed from
>  them to the private network. All unnecessary services are disabled,
>  including the Server Service.
>
>  Currently, Remote Desktop is used for many maintenance tasks, but
>  patching remains a problem. Applicable patches are copied to a USB
>  memory stick, and an administrator at the server console manually
>  installs. This sneaker-net solution is the source of much wailing and
>  gnashing of teeth among our sysadmins.
>
>  A number of options are available that run the gamut from turning on
>  automatic updates and allowing them to make outbound HTTP connections to
>  microsoft.com, to making them domain member servers and using SMS to
>  push patches.
>
>  How do _you_ do it?
>
>
>
>  Dan Lynch, CISSP
>  Information Technology Analyst
>  County of Placer
>  Auburn, CA