Re: Patch Management on Critical Servers (Healthcare)



"If" you have the resources.. if you don't and are not bound by regulations, SOX, Hipaa and what not... that "test" can be merely a "canary" of a user on your network before you roll that patch out to the rest of the network.

As you well know... as the firm size gets smaller... "segregation of duties" sometimes has to have alternative options to get the same job done.

Even though I do the best I can testing on a test network... there are times that I don't find stuff out until it hits the real network, because unless I have cloned the server, the workstations, the applications, the data, and especially the users... I cannot duplicate exactly my network. Thus... even as good as you test... realize that there will be gotchas that you have to deal with.


BTW, three patches today... one on Exchange and iCal looks fun... affects BlackBerry devices as well in the permission settings that it changes... read those bulletins... read those "caveat" sections.

Chris Dalton wrote:

Some key items to remember are that testing of the patch must be done in a separate environment from production.

The test system must be at the same level as production.

Production data must not be used in testing.

There must be a proper segregation of duties between those who test and those who move into production.

Chris G. Dalton C.P.A.
Corporate Audit Services
Capital One Financial
1-504-533-6419 phone
1-504-533-2355 fax



"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx> 05/08/06 4:44 PM >>>


I'm a fan of Shavlik... not only from the standpoint of their product, but their 'community help' posture as well. They run the patchmanagement.org listserv that discusses patch management platforms and patching issues. (Check out www.patchmanagement.org)

Honestly... it's the process of change management that is the hard part, I think... the testing and the approval process. No matter what patch tool you choose, it will have its nuances that you get used to.

Why do I like Shavlik?

Because it just shows me the patches I need in a nice format unlike WSUS which has a confusing UI.
Because it works.
Because it has additional features like 'reboot before patching', Office local install source, and will patch things beyond MS in my network.

Jim Stagg wrote:

On this topic, I'd love to hear what some of the non-WSUS Microsoft server folks are doing. I've heard a lot about BigFix, Patchlink, St. Bernard, SMS, GFI et al. Has anyone found a product that works reliably?


--
Jim Stagg, Systems Administrator

-----Original Message-----
From: Renee Peters [mailto:reneep@xxxxxxxxxxxxxxxxxxxx]
Sent: Monday, May 08, 2006 10:41 AM
To: beinm@xxxxxxxxx; focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: Patch Management on Critical Servers (Healthcare)

Last year, our college campus was hit with an unclassified virus. After the hours it took to manually run around and patch 1000+ computers, our upper management finally approved a WSUS server. Knock on wood, it has run beautifully, and keeps our desktops and servers patched. As far as actually getting the updates applied and rebooting, we have standard times posted that the server may be unavailable due to routine maintenance. After last year's scare, everybody seems to be OK with this slight inconvenience. We aren't regulated as much as the healthcare field, but do still have standards to meet for state and federal funding. As long as the president of the college supports our practices, we don't have much to worry about.

Renee
Network Manager


-----Original Message-----
From: beinm@xxxxxxxxx [mailto:beinm@xxxxxxxxx]
Sent: Monday, May 08, 2006 8:02 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Patch Management on Critical Servers (Healthcare)

Hello,

I'm just curious to hear how people in the field have been handling patch management with critical servers. Have you set up maintenance windows? If so, how did you manage the downtime? What have people been doing if the device or server has an approved FDA configuration? Are you using things like WSUS?

Thanks,

Matthew
Security Engineer


* Letting your vendors set your risk analysis these days? http://www.threatcode.com

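The "canary first, then the rest of the network" rollout described at the top of this thread, and the WSUS-with-posted-maintenance-windows setup Renee describes, as an added PowerShell example that is not from any poster here. It assumes the UpdateServices module that ships with the WSUS role on Windows Server 2012 and later, a WSUS host named wsus01 on port 8530 (a placeholder), and two computer target groups, Canary and Production, that already exist. The 48-hour soak, the group names and the script name are assumptions; the .NET calls on the IUpdateServer object ($wsus) are the WSUS administration API, used here to read approval dates and per-host install states.

```powershell
# Added example, not from any post in this thread: a two-stage, canary-gated
# WSUS approval script. Stage 'Canary' approves pending security updates to a
# small pilot group only; stage 'Promote', run later (e.g. from a scheduled task
# ahead of the posted maintenance window), re-approves to Production only those
# updates whose canary hosts have all reported a clean install after a soak.
# Assumed: UpdateServices module (WSUS role, Windows Server 2012+), WSUS host
# 'wsus01' on 8530, existing target groups 'Canary' and 'Production'.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Canary', 'Promote')]
    [string]$Stage,
    [string]$Server     = 'wsus01',    # assumed hostname
    [int]   $Port       = 8530,
    [string]$CanaryName = 'Canary',    # assumed group name
    [string]$ProdName   = 'Production',# assumed group name
    [int]   $SoakHours  = 48           # assumed minimum time canaries run the patch
)

Import-Module UpdateServices
$wsus   = Get-WsusServer -Name $Server -PortNumber $Port     # IUpdateServer
$groups = $wsus.GetComputerTargetGroups()
$canary = $groups | Where-Object { $_.Name -eq $CanaryName }
$prod   = $groups | Where-Object { $_.Name -eq $ProdName }
if (-not $canary -or -not $prod) { throw "Target groups '$CanaryName' and '$ProdName' must exist" }

if ($Stage -eq 'Canary') {
    # Stage 1: approve only to the canary group; Production is not touched.
    $pending = Get-WsusUpdate -UpdateServer $wsus -Classification Security `
                              -Approval Unapproved -Status FailedOrNeeded
    foreach ($u in $pending) {
        Approve-WsusUpdate -Update $u -Action Install -TargetGroupName $CanaryName
        Write-Output "CANARY  $($u.Update.Title)"
    }
    return
}

# Stage 2: every approved security update that reached Canary but not Production
# is promoted only if the gate below passes; anything else is held and reported.
$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$scope   = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope
$scope.ComputerTargetGroups.Add($canary) | Out-Null   # restrict status queries to canaries

$approved = Get-WsusUpdate -UpdateServer $wsus -Classification Security -Approval Approved -Status Any
foreach ($u in $approved) {
    $canaryApproval = $u.Update.GetUpdateApprovals($canary) |
        Where-Object { $_.Action -eq $install } |
        Sort-Object CreationDate -Descending | Select-Object -First 1
    if (-not $canaryApproval) { continue }                              # never went to canary
    if ($u.Update.GetUpdateApprovals($prod).Count -gt 0) { continue }   # already promoted

    # Per-host install state for this one update across the canary group.
    $states  = @($u.Update.GetUpdateInstallationInfoPerComputerTarget($scope))
    $failed  = @($states | Where-Object { $_.UpdateInstallationState -eq 'Failed' })
    $notDone = @($states | Where-Object {
        $_.UpdateInstallationState -in 'Unknown', 'NotInstalled', 'Downloaded', 'InstalledPendingReboot' })
    # Assumption: CreationDate compares directly with Get-Date; adjust if your server reports UTC.
    $soak = (Get-Date) - $canaryApproval.CreationDate

    $hold = $null
    if     ($soak.TotalHours -lt $SoakHours) { $hold = "soaked $([int]$soak.TotalHours)h of $SoakHours" }
    elseif ($states.Count -eq 0)             { $hold = 'no canary host reports this update' }
    elseif ($failed.Count -gt 0)             { $hold = "$($failed.Count) canary install failure(s)" }
    elseif ($notDone.Count -gt 0)            { $hold = "$($notDone.Count) canary host(s) not finished" }

    if ($hold) { Write-Output "HOLD    $($u.Update.Title): $hold"; continue }
    Approve-WsusUpdate -Update $u -Action Install -TargetGroupName $ProdName
    Write-Output "PROMOTE $($u.Update.Title)"
}
```

Run it as `.\Stage-WsusPatch.ps1 -Stage Canary` on patch Tuesday and `.\Stage-WsusPatch.ps1 -Stage Promote` from a scheduled task the day before the posted maintenance window (the script name is a placeholder). The gate is deliberately conservative: a canary host that has not reported since the approval, or is still pending a reboot, holds the update just as a failed install does, so the "gotcha you only find on the real network" surfaces on the pilot group instead of on every server at once. The soak, reboot-pending and failure checks are separate so the HOLD line tells the operator which condition blocked promotion.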


