RE: Patch Management on Critical Servers (Healthcare)



We've started using VMware which allows us to take a snapshot of a
running server, copy that snapshot to a testing server, and apply
patches to the test copy without taking our production machines down.
Using WSUS, we can then roll out the patches to the live machines once
we're sure they don't break anything.

This obviously only works when the hardware can be virtualized, though
you might be able to achieve a similar result by restoring your backups
to a test server and patching that. This would have the bonus of testing
your backup/restore procedures regularly.

Once the patch is approved, we install it manually during a weekly
downtime window. For some servers we can afford to be a bit
opportunistic, so if the patch is critical and server usage is low,
we'll inform the users and apply it early.

-seren


-----Original Message-----
From: beinm@xxxxxxxxx [mailto:beinm@xxxxxxxxx]
Sent: Monday, May 08, 2006 7:02 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Patch Management on Critical Servers (Healthcare)

Hello



I'm just curious to hear how people in the field have been handling
patch management with critical servers. Have you setup maintenance
windows? If, so how did you manage the down time? What have people been
doing if the device or server has an approved FDA configuration? Are you
using thing like WSUS?



Thanks,

Matthew
Security Engineer

------------------------------------------------------------------------
---
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
---------------------------------------------------------------------------



Relevant Pages

  • Re: Patch Management on Critical Servers (Healthcare)
    ... that "test" can be merely a "canary" of a user on your network before you roll that patch out to the rest of the network. ... The test system must be at the same level as production. ... They run the patchmanagement.org listserve that discusses patch management platforms and patching issues. ... After the hours it took to manually run around and patch 1000+ computers, our upper management finally approved a WSUS server. ...
    (Focus-Microsoft)
  • Re: Hosting 3 Public Websites on SBS2k3
    ... >> Responsiblity towards my clients and their data is more like it, root. ... >> If you want to not patch your server, root, be my guest. ... >> Even Chicken Little would have patch management in place these days. ... >>>>Have you considered sticking that web site on a separate box, ...
    (microsoft.public.windows.server.sbs)
  • Re: Patch Management
    ... Subject: Patch Management ... WSUS 3.0 has a "server cleanup" feature ... expired updates and superseded updates. ... I'm not sure how WSUS v3.0 handles the bloat of declined/expired ...
    (Security-Basics)
  • Re: [Full-disclosure] Getting Off the Patch
    ... Not a patch management one. ... Please feel free to ignore my future posts and future work then so as ... Why hasn't the server been better managed to prevent ... I asked you to give some examples of your controls where would have prevented this unknown threat. ...
    (Full-Disclosure)
  • Re: Hosting 3 Public Websites on SBS2k3
    ... Responsiblity towards my clients and their data is more like it, ... If you want to not patch your server, root, be my guest. ... Even Chicken Little would have patch management in place these days. ... >>Have you considered sticking that web site on a separate box, ...
    (microsoft.public.windows.server.sbs)