RE: patching servers...

> -----Original Message-----
> From: Murad Talukdar [mailto:talukdar_m@xxxxxxxxxx]
> Sent: Tuesday, January 10, 2006 12:06 AM
> To: focus-ms@xxxxxxxxxxxxxxxxx
> Subject: patching servers...
>
> Hi all,
> I wanted to get a few ideas of what people do to test their systems once
> they have applied a patch/hotfix.
>
> Currently I pull one of the hotswap drives that has the OS mirrored on it
> and then let it run with the patch applied for a few days/week before
> letting it rebuild. In that time I will check things like event
> logs/performance and do some general 'listening' for any issues.
> Does anyone have a more scientific method? What do you keep an eye on?
> Also, do you actually ever check whether the vulnerability (for example)
> that the patch was designed to thwart has actually been plugged?
> In the last two years I've only had one instance of a patch causing an OS
> to fail--and then just removing and then reapplying the patch seemed to
> work just fine. However, I don't want to get complacent.
>
> Kind Regards
> Murad Talukdar
>

I'm an advocate of standard configurations and fast patching. I've had a
server hosed by Windows Updates once, but the way it had been set up
probably didn't help things much.

I typically will patch my own workstation first (if it is a
cross-platform patch) and restart. Then I'll patch a couple
non-production servers as they aren't as important and typically have
messier configurations. If those work out then I move on to the rest of
the non-production servers, then production servers.

When it comes to domain controllers, I run dcdiag first and then
transfer any FSMO roles off the server I'm going to patch (and I never
patch more than one DC at once). After the transfer I run dcdiag again
just to be sure. Then I patch the server and if it comes back up I do
the rest of the DCs in a similar fashion.

The time I wait between servers depends on how important and complex the
patch is. For the WMF patch I wasted no time getting it on all the
servers: it's an (was? Whatever) 0-day exploit and frankly if I don't
see pretty thumbnails on my servers who cares. A service pack (important
but complicated) or Windows Malicious Software Removal Tool (not
important but simple) can wait a few days.

Also if you have a test environment you should load it up with
everything you can and make some configuration changes. A fresh install
of Windows 2003 isn't a real good patch test for a heavy-duty server.

Derick Anderson
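The domain-controller sequence Derick describes (dcdiag, move the FSMO roles off the box, dcdiag again, only then patch, one DC at a time), as an added PowerShell example that is not part of this thread. It assumes the ActiveDirectory PowerShell module from RSAT (which postdates this 2006 exchange; ntdsutil was the tool then), dcdiag.exe on the path, and hypothetical $TargetDc / $StandbyDc names supplied by the caller.

```powershell
# Added example, not from the thread: pre-patch checklist for one domain controller.
# Assumes the ActiveDirectory module (RSAT) and dcdiag.exe; $TargetDc/$StandbyDc are hypothetical.
param(
    [Parameter(Mandatory)] [string]$TargetDc,   # DC about to be patched
    [Parameter(Mandatory)] [string]$StandbyDc   # DC that takes any FSMO roles meanwhile
)
Import-Module ActiveDirectory

function Test-DcHealth {
    param([string]$Dc)
    # dcdiag /q prints only failures, each as "... failed test <Name>"; treat any as a stop.
    $out = & dcdiag.exe /s:$Dc /q 2>&1
    if ($out -match 'failed test') {
        throw "dcdiag reported problems on ${Dc}:`n$($out -join "`n")"
    }
}

function Get-FsmoRolesHeldBy {
    param([string]$Dc)
    # Role holders come back as FQDNs (e.g. dc1.example.local); match on the host name prefix.
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $held = @()
    if ($forest.SchemaMaster         -like "$Dc*") { $held += 'SchemaMaster' }
    if ($forest.DomainNamingMaster   -like "$Dc*") { $held += 'DomainNamingMaster' }
    if ($domain.PDCEmulator          -like "$Dc*") { $held += 'PDCEmulator' }
    if ($domain.RIDMaster            -like "$Dc*") { $held += 'RIDMaster' }
    if ($domain.InfrastructureMaster -like "$Dc*") { $held += 'InfrastructureMaster' }
    return $held
}

# 1. Health check before touching anything; a DC that is already unhealthy is not a patch candidate.
Test-DcHealth -Dc $TargetDc

# 2. Gracefully transfer (not seize) any operations-master roles to the standby DC.
$roles = Get-FsmoRolesHeldBy -Dc $TargetDc
if ($roles) {
    Move-ADDirectoryServerOperationMasterRole -Identity $StandbyDc -OperationMasterRole $roles -Confirm:$false
}

# 3. Health check again and confirm the target holds no roles before the patch goes on.
Test-DcHealth -Dc $TargetDc
if (Get-FsmoRolesHeldBy -Dc $TargetDc) { throw "FSMO transfer did not complete on $TargetDc" }
Write-Host "$TargetDc is clear to patch; after it reboots, run dcdiag again before starting the next DC."
```

Run it once per DC, never in parallel, so a bad patch can only take down one domain controller at a time.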
