Re: Patch Management on Critical Servers (Healthcare)

Some key items to remember is that testing of the patch must be done in a separate environment from production.

The test system must be at the same level as production.

Production data must not be used in testing

There must be a proper segregation of duites between those who test and those who move into production.

Chris G. Dalton C.P.A.
Corporate Audit Services
Capital One Financial
1-504-533-6419 phone
1-504-533-2355 fax

"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx> 05/08/06 4:44 PM >>>
I'm a fan of Shavlik.... not only from the standpoint of their
product..but their 'community help' posture as well. They run the
patchmanagement.org listserve that discusses patch management platforms
and patching issues. (Check out www.patchmanagement.org)

Honestly.. it's the process of change management that is the hard part,
I think..the testing and the approval process. No matter what patch
tool you chose will have it's nuances that you get used to.

Why do I like Shavlik?

Because it just shows me the patches I need in a nice format unlike WSUS
which has a confusing UI.
Because it works.
Because it has additional features like 'reboot before patching', Office
local install source, and will patch things beyond MS in my network.

Jim Stagg wrote:

On this topic, I'd love to hear from some of the non-WSUS Microsoft server
folks are doing. I've heard a lot about BigFix, Patchlink, St. Bernard, SMS,
GFI et al. Has anyone found a product that works reliably?


--
Jim Stagg, Systems Administrator




-----Original Message-----
From: Renee Peters [mailto:reneep@xxxxxxxxxxxxxxxxxxxx]
Sent: Monday, May 08, 2006 10:41 AM
To: beinm@xxxxxxxxx; focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: Patch Management on Critical Servers (Healthcare)

Last year, our college campus was hit with an unclassified
virus. After the hours it took to manually run around and
patch 1000+ computers, our upper management finally approved
a WSUS server. Knock on wood, it has run beautifully, and
keeps our desktops and servers patched. As far as actually
getting the updates applied and rebooting, we have standard
times posted that the server may be unavailable due to
routine maintenance. After last year's scare, everybody
seems to be OK with this slight inconvience. We aren't
regulated as much as the healthcare field, but do still have
standards to meet for state and federal funding. As long as
the president of the college supports our practices, we don't
have much to worry about.

Renee
Network Manager


-----Original Message-----
From: beinm@xxxxxxxxx [mailto:beinm@xxxxxxxxx]
Sent: Monday, May 08, 2006 8:02 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Patch Management on Critical Servers (Healthcare)

Hello





I'm just curious to hear how people in the field have been
handling patch management with critical servers. Have you
setup maintenance windows? If, so how did you manage the down
time? What have people been doing if the device or server has
an approved FDA configuration? Are you using thing like WSUS?





Thanks,


Matthew

Security Engineer


--------------------------------------------------------------
----------
---
--------------------------------------------------------------
----------
---


--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------





*
Letting your vendors set your risk analysis these days?
http://www.threatcode.com


---------------------------------------------------------------------------
---------------------------------------------------------------------------





---------------------------------------------------------------------------
---------------------------------------------------------------------------

Relevant Pages

  • Re: Patch Management on Critical Servers (Healthcare)
    ... They run the patchmanagement.org listserve that discusses patch management platforms and patching issues. ... Knock on wood, it has run beautifully, and keeps our desktops and servers patched. ... We aren't regulated as much as the healthcare field, but do still have standards to meet for state and federal funding. ...
    (Focus-Microsoft)
  • Re: Patch Management - Policy/Practice
    ... We do not have an identical test environment as production environment, ... servers within 48 hours when they are released. ... > I personally consider the patch managament a critical issue on my ... > 3) NEVER apply a patch in production before test it in another ...
    (comp.security.misc)
  • Re: Specified method is not supported.
    ... I finally contacted Microsoft PSS and it turns out that it is a bug. ... The patch applies to kb article 835763, ... > I'm having the exact same problem on one of my servers. ... >> Last night our production servers were updated with the following ...
    (microsoft.public.dotnet.security)
  • Re: Whats the big deal with cross-platform?
    ... "Mission critical applications"- Never Apply Patches on Production ... if the same patch is not applied before on test machine and ... I don't recall if it was their Exchange servers or filer ...
    (borland.public.delphi.non-technical)
  • SUMMARY: patch policy
    ... My question was how to avoid serios accidents on a production system ... How should I apply recommended patches not to risk ... We do not apply the latest patch as it becomes available then do some ... Things such as clients, servers, software, configuration are ...
    (SunManagers)