RE: Patch testing

From: Russell V. Toone (russ_at_eCallogy.com)
Date: 08/26/03

    To: focus-ms@securityfocus.com
    Date: Tue, 26 Aug 2003 09:21:54 -0600
    
    

    Just a thought: use mirrored disks, then before installing the patch(es)
    break the mirror and install to one of the disks. If all goes well, set the
    mirroring back up; if it doesn't go well, then fire up the machine from the
    "broken" mirror disk, and you'll be back where you were right before the
    patch installation.

    -----Original Message-----
    From: Kurt Seifried [mailto:bt@seifried.org]
    Sent: Monday, August 25, 2003 2:39 PM
    To: Matt Brei
    Cc: Todd Schubert; focus-ms@securityfocus.com
    Subject: Re: Patch testing

    > And we're supposed to do this for every patch MS releases? I would have
    > to hire 5 guys just to test patches. Not to mention that if one of the
    > patches does fail we have a production server(s) down. Backups are
    > great yes, but have you ever done a 100+ GB restore from an Ext. SCSI
    > LTO drive? It takes about 14 hours.

    Then this is one of the additional costs of running Windows that you will
    need to accept. Or else you can forego patch testing, cross your fingers and
    hope nothing breaks. People who complain about this strike me as a bit odd,
    you did know about these problems going into your MS purchase, didn't you?
    TCO, blah blah blah.

    As far as making this mess easier to deal with there are some potential
    lights:

    VMware Workstation - pro: it's cheap, it's easy, you can test many configs
    quickly. cons: hardware issues probably will not come up.
    VMware GSX/ESX/etc - pro: you can segment a server and test patches on
    "identical" setups, using only one hardware. cons: it's not cheap.

    Removable hard drives (if you can afford server downtime): simply swap the
    drives, go to a "test" drive, see if it blows up, if not go to production
    drive.

    Ultimately if you have a server so critical that it can't go down for more
    than a few minutes, and you have no backup/recovery plan that accounts for a
    hardware failure (they do happen) then you are screwed equally for testing
    and backup.

    And as another poster mentioned this is likely to only get worse, with part
    of IIS 6 running in kernel mode to increase speed (a la Tux web server on
    Linux, except IIS is a whole lot more complicated). VPNs are increasingly
    going to rely on hardware acceleration, especially on the servers; security
    updates may affect the drivers there.

    > Matt Brei
    > Network Administrator

    Kurt Seifried, kurt@seifried.org
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    http://seifried.org/security/

    ---------------------------------------------------------------------------
    KaVaDo provides the first and only integrated Web application scanner and
    firewall security suite that prevent Web applications attacks, the most
    common form of online exploitation. Download a FREE whitepaper on Security
    Policy Automation for Web Applications.
    http://www.securityfocus.com/sponsor/KaVaDo_focus-ms_030818
    ---------------------------------------------------------------------------

