Re: Patching internet facing MS systems



Hi Dan,

Not sure how well my method fits with best practices, but I believe it
to be fairly secure and efficient.

My network is set up similarly to yours. I have three separate networks,
one for web servers, another for SQL servers, and then the LAN where
all users sit. We use Remote Desktop administration for most tasks on
servers in the web/SQL networks, but access is restricted to a few
admin desktops on the LAN. We use WSUS 3.0, which also sits on the
LAN, and a firewall rule is configured to allow the servers to contact
WSUS and vice versa. I manually approve applicable updates for each
group in WSUS and the server doles out the updates as necessary. The
servers are configured via registry settings at setup time to point to
WSUS, downloading and installing updates automatically. I usually
approve patches within one week of release, and typically come in late
one evening every two or three weeks to reboot the servers as
necessary.

Approving updates is manual, but it's via the WSUS 3.0 console from
one location, which makes it fairly painless. After the initial setup,
I don't usually need to visit each server (over 100) anymore.

As far as non-Windows patches and third-party software go, I typically
deploy using WPKG, which is also set up during the initial server
build. This further eliminates any requirement to make changes at
the console/RDC of 100+ servers.

Although access is granted between networks, it is extremely limited
by a Check Point firewall between each.

Hope this helps.
Josh
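The "registry settings at setup time" approach Josh describes works on stand-alone (non-domain) servers like Dan's because the Windows Update client honours the same policy keys a GPO would write, whether or not a domain writes them. The following is an added example, not code from the thread: a PowerShell script that sets those keys so the server pulls approved updates from an internal WSUS server instead of microsoft.com, drops the machine into a WSUS computer group for per-group approval, installs automatically but leaves the reboot to the admin's maintenance window, and then reads the policy back to flag anything that would let the box fall back to the internet. The WSUS URL (`https://wsus.corp.example:8531`) and the group name (`WebServers`) are assumptions for the example; substitute your own. Note that all of this traffic is initiated by the client (it polls WSUS for approvals and reports status back), so the firewall only needs to permit the server segment to reach the WSUS port.

```powershell
# Added example (not from the original post): configure a stand-alone Windows
# server to use an internal WSUS server via the Windows Update policy keys,
# then verify the result. Run elevated. Server URL and group are assumptions.

$WsusUrl     = 'https://wsus.corp.example:8531'  # assumed; 8531 is the WSUS SSL port when it uses its own IIS site
$TargetGroup = 'WebServers'                      # assumed WSUS computer group (client-side targeting)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Set-WsusClientPolicy {
    param([string]$Url, [string]$Group)

    foreach ($k in @($wuKey, $auKey)) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }

    # Where the client fetches approvals/content and where it reports status.
    Set-ItemProperty -Path $wuKey -Name 'WUServer'           -Value $Url   -Type String
    Set-ItemProperty -Path $wuKey -Name 'WUStatusServer'     -Value $Url   -Type String
    # Client-side targeting: the machine places itself in the named WSUS group,
    # so approvals can be made per group from the single WSUS console.
    Set-ItemProperty -Path $wuKey -Name 'TargetGroupEnabled' -Value 1      -Type DWord
    Set-ItemProperty -Path $wuKey -Name 'TargetGroup'        -Value $Group -Type String

    Set-ItemProperty -Path $auKey -Name 'UseWUServer'          -Value 1 -Type DWord  # use WSUS, never microsoft.com
    Set-ItemProperty -Path $auKey -Name 'NoAutoUpdate'         -Value 0 -Type DWord  # Automatic Updates enabled
    Set-ItemProperty -Path $auKey -Name 'AUOptions'            -Value 4 -Type DWord  # 4 = auto download and scheduled install
    Set-ItemProperty -Path $auKey -Name 'ScheduledInstallDay'  -Value 0 -Type DWord  # 0 = every day
    Set-ItemProperty -Path $auKey -Name 'ScheduledInstallTime' -Value 3 -Type DWord  # 03:00 local time
    # Install, but do not reboot on its own; the admin reboots in a maintenance window.
    Set-ItemProperty -Path $auKey -Name 'NoAutoRebootWithLoggedOnUsers' -Value 1 -Type DWord
}

function Test-WsusClientPolicy {
    # Read the effective policy back and return a list of problems (empty = OK).
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    $problems = @()
    if (-not $wu -or -not $wu.WUServer)        { $problems += 'WUServer not set' }
    elseif ($wu.WUServer -notlike 'https://*') { $problems += "WUServer is not HTTPS: $($wu.WUServer)" }
    if (-not $au -or $au.UseWUServer -ne 1)    { $problems += 'UseWUServer is not 1 (client would contact microsoft.com)' }
    if ($au.NoAutoUpdate -eq 1)                { $problems += 'NoAutoUpdate is 1 (Automatic Updates disabled)' }
    if ($au.AUOptions -lt 3)                   { $problems += "AUOptions=$($au.AUOptions) (updates not downloaded automatically)" }
    return $problems
}

Set-WsusClientPolicy -Url $WsusUrl -Group $TargetGroup

# Make the Automatic Updates client re-read policy and check in with WSUS now
# (wuauclt is the pre-Windows 10 client; newer builds ignore these switches).
& wuauclt.exe /resetauthorization /detectnow

$issues = @(Test-WsusClientPolicy)
if ($issues.Count -eq 0) { Write-Output "WSUS client policy OK ($WsusUrl, group '$TargetGroup')" }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

Two caveats worth keeping in mind for the internet-facing segment: with an HTTPS WSUS URL, a non-domain server will not trust the WSUS certificate unless the issuing CA is imported into its Trusted Root store during the build, and the client will silently fail to sync until it is; and `TargetGroup` only takes effect if client-side targeting is enabled in the WSUS console (Options, Computers), otherwise the machine lands in Unassigned Computers and nothing approved for the web-server group will reach it.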



On Mon, Mar 10, 2008 at 5:44 PM, Dan Lynch <DLynch@xxxxxxxxxxxxx> wrote:
Greetings group,

I'm looking for current best practice recommendations regarding the
maintenance and patching of internet-facing Windows servers. In my
environment, these are hardened, stand-alone (i.e., non-domain member)
servers, mainly running IIS, and in at least one case, MS SQL Server.
They reside on a network segregated behind a firewall from the internet,
and from our core network. At this time, no connections are allowed from
them to the private network. All unnecessary services are disabled,
including the Server Service.

Currently, Remote Desktop is used for many maintenance tasks, but
patching remains a problem. Applicable patches are copied to a USB
memory stick, and an administrator at the server console manually
installs. This sneaker-net solution is the source of much wailing and
gnashing of teeth among our sysadmins.

A number of options are available that run the gamut from turning on
automatic updates and allowing them to make outbound HTTP connections to
microsoft.com, to making them domain member servers and using SMS to
push patches.

How do _you_ do it?



Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
