RE: WSUS/Reboot
From: David LeBlanc (dleblanc_at_mindspring.com)
Date: 06/19/05
- Previous message: jordanpw: "Re: WSUS/Reboot"
- In reply to: Mike.Carney_at_bentley.com: "RE: WSUS/Reboot"
- Next in thread: Kim Lvheim Pedersen: "RE: WSUS/Reboot"
To: <Mike.Carney@bentley.com>, <r.balk@nl.intrum.com>, <focus-ms@securityfocus.com>
Date: Sat, 18 Jun 2005 19:55:21 -0700
One other thing to add in - if you check the audit logs and find the last
time the services booted, you can get a good idea of what the normal uptime
really is. This can be good information to have.
I once wanted to set a bunch of service passwords to expire every 70 days,
and the owner complained it would mess up his uptime figures. I scanned each
of their boxes, found the real uptimes, and made nice charts with circles
and arrows that showed that only 5% of their systems ever made it to > 70
days without a reboot, so changing the password ought not be that big a
deal. The service owner wasn't especially happy that security knew more
about his uptime stats than he did, but that's the breaks.
The other thing to do is break things up into as many OUs as you need, and
set policy for each one as you like. You really wouldn't want them all
rebooting at once, so use the setting for when the updates get applied to
have them cycle in stages. IMHO, if it is a sensitive server, you may want
to just push the patches out, and apply them once the admin logs on. This
way it isn't bouncing on people with no warning.
> -----Original Message-----
> From: Mike.Carney@bentley.com [mailto:Mike.Carney@bentley.com]
> Sent: Friday, June 17, 2005 7:35 AM
> To: r.balk@nl.intrum.com; focus-ms@securityfocus.com
> Subject: RE: WSUS/Reboot
>
> Hi Ronald,
>
> You're probably going to hate this answer but I'm going through
> the same process here myself.
>
> The best way to keep yourself and the company as a whole
> covered as far as down time is sit down with the business
> side of the company and determine what your maintenance
> windows are. From there you can develop a list of servers
> and their availability to be patched and rebooted.
>
> It really needs to become a policy rather than a technical question.
> For example,
>
> You will go to management and say when can this set of
> servers be rebooted (make sure they know this means downtime),
> you list the server names and in there they will see your
> e-mail and database servers. To which they will respond
> "these can't be down" and you will have to explain that this
> is possible but it will cost a ton of money to cluster the
> servers they have said "can't be down" and if they don't
> patch the servers they can become infected or hacked and the
> company will have an extended period of down time due to a
> virus taking out the server or the other (perhaps scarier
> scenario) is that the company would have to go to their
> customers and explain why their data was stolen.
>
> At this point the business side will either pony up the money
> to cluster the systems or they will work with you to find the
> different windows during the month/week that you are able to
> patch the servers and reboot them.
>
> You should also work in here the emergency patching that may
> need to occur if a large virus outbreak occurs.
>
> Anyway, good luck on this, it is a lengthy process that you
> have to go through, but in the end you will be able to have a
> good idea when things can be patched and rebooted and have
> ammo if anything bad were to happen.
>
> Thanks,
>
> Mike
>
> Msoft Doc:
> http://www.microsoft.com/downloads/details.aspx?FamilyID=227ad5a5-676f-4f00-bc7a-3c7058f1f327&DisplayLang=en
>
> -----Original Message-----
> From: Ronald Balk [mailto:r.balk@nl.intrum.com]
> Sent: Friday, June 17, 2005 5:31 AM
> To: focus-ms@securityfocus.com
> Subject: WSUS/Reboot
>
>
> Hiya all,
>
> We have been testing with this new WSUS from MS.
> All seems fine -;)
> My question is how to handle the server reboots after an installed
> security patch which requires a reboot.
> We hold about 150 servers, mixed Exchange, reverse proxy, SQL etc. etc.
> What's the best way to manage this?
>
> Thanks
> Ronald Balk
>
---------------------------------------------------------------------------
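The uptime check described in the reply above, as an added example that is not part of the original thread: it reads a constructed export of System-log boot events (Event ID 6005, which Windows logs when the Event Log service starts at boot) and reports which hosts ever ran longer than 70 days between reboots. The CSV layout, host names and function names are assumptions made for the illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: one row per System-log event, as exported from each server.
# Event ID 6005 is logged at boot; 6006 (clean shutdown) is present but ignored.
SAMPLE_CSV = """host,event_id,time_created
EXCH01,6005,2005-01-03T02:10:00
EXCH01,6005,2005-02-14T02:05:00
EXCH01,6005,2005-04-12T02:07:00
SQL01,6005,2005-01-10T23:30:00
SQL01,6005,2005-04-25T23:40:00
PROXY01,6005,2005-03-01T04:00:00
PROXY01,6006,2005-03-20T03:58:00
PROXY01,6005,2005-03-20T04:00:00
PROXY01,6005,2005-05-02T04:00:00
"""

BOOT_EVENT_ID = 6005
THRESHOLD_DAYS = 70  # the password-expiry interval from the message


def boot_times(csv_text):
    """Return {host: sorted list of boot timestamps} from the export."""
    boots = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if int(row["event_id"]) == BOOT_EVENT_ID:
            boots[row["host"]].append(datetime.fromisoformat(row["time_created"]))
    return {host: sorted(times) for host, times in boots.items()}


def longest_uptime_days(times, as_of):
    """Longest gap between consecutive boots, counting the run still open at as_of.
    Uptime before the first logged boot is unknown (the log may have wrapped)."""
    edges = times + [as_of]
    return max((b - a).total_seconds() / 86400 for a, b in zip(edges, edges[1:]))


def uptime_report(csv_text, as_of, threshold=THRESHOLD_DAYS):
    """Return (longest uptime per host, hosts over threshold, fraction over)."""
    longest = {h: longest_uptime_days(t, as_of) for h, t in boot_times(csv_text).items()}
    over = sorted(h for h, days in longest.items() if days > threshold)
    return longest, over, len(over) / len(longest)


if __name__ == "__main__":
    longest, over, frac = uptime_report(SAMPLE_CSV, datetime(2005, 6, 18))
    for host, days in sorted(longest.items()):
        print(f"{host:8s} longest uptime {days:6.1f} days")
    print(f"{frac:.0%} of hosts exceeded {THRESHOLD_DAYS} days: {over}")
```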