Re: Windows Patch Management

[Gary Flynn <flynngn () JMU EDU>]

Rose, Ryan wrote:

> Greetings,
>
> I'm curious how other institutions are conducting Windows Server Patch
> Management.  Currently we are testing the patches in our test
> environment for the week following the release date.  We then roll-out
> the updates to all productions servers over the following weekend within
> our maintenance windows.  This takes an amazing amount of time, we
> believe it is best to stick to a monthly schedule but our sys admins are
> going crazy.  Any suggestions or thoughts around this issue.


The IT Windows group purchased hfnetchk for IT systems
that we administer. We run a WSUS server but don't
recommend that critical severs subscribe to the service.

We do not do a lot of testing and depend quite a bit on
Microsoft's testing and field experience reports. WSUS
updates are delayed while we monitor things like MS
newsgroups for reports of problems. Those to which we
have high exposure or which have a high risk of exploits
are pushed first. Others may be significantly delayed
particularly if there is any indication of problems.

Hfnetchk updates to central servers are pushed pretty
quickly with little testing. Sometimes we roll to less
critical systems first. Sometimes we only roll updates
for which there is a high exposure and/or high risk
of exploitation and delay the others while field
experience is monitored.

While best practices would suggest stringent testing on
parallel environments for all changes, we have neither
the hardware/software resources nor manpower to do so
even in IT. A little care in analyzing updates and
monitoring field experience and, when possible, a
little delay in their installation would seem to
greatly decrease the risk of a wide-spread,
irreversible, catastrophic event caused by a bad
update. But that possibility still exists.



--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security