Re: patch management policy/practice
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa@pacbell.net)
Date: 03/12/03
- Next message: Jay Zhang: "Creator owner block domain admin access"
- Previous message: life: "Windows Advanced Server 2000 PKI"
- In reply to: Activated: "Re: patch management policy/practice"
- Next in thread: Karl Levinson [x y] mvp: "Re: patch management policy/practice"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 11 Mar 2003 20:40:04 -0800 From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
The SANS emails indicate that their "big firms" have a quarterly patch schedule
unless the patch is of such critical nature that they cannot wait. They test in
a test environment before rolling out.
I'm a little firm. I'm a "canary". I patch using hfnetchkPro as my patch
management tool every Friday if a patch comes out. Why? I'm a wacko person
that takes the responsibility of breaking things around here. I have no test
server. I am my test server.
So ... I patch... I make sure that I archive the patches.... I figure out what
broke and fix it.
Thus far this year there has only been 6 [it's sort of like those horror
movies....it's too quiet you know]
Get on a NT platform....
St Bernards Update Expert
Shavliks hfnetchk pro
or be brave and 2K/XP with Auto updates
Activated wrote:
> I can't resist saying a little about this large question.
>
> The real issue regarding patches and service packs and Microsoft is that it
> is barely manageable. The frequency of updates that are said to be
> "critical", and the complexity of applying the updates have led most larger
> companies with a very large headache. Microsoft is not to blame for hackers
> and the ante that is raised by them, but it IS responsible for the
> architecture for applying changes, and the relative weakness the software
> has shown over time to have in regard to the "holes" discovered. Since the
> software is mission critical, and really, since Microsoft is a major game in
> regard to infrastructure, we customers are wholly dependent on, and need
> Microsoft to "fix" the mess. It may not be easy to fix, it may require a
> massive rearchitecting of the products, but at present, and in reality, the
> cycle of hole-hack-discovery-fix-patch creation/posting-updating is the
> single most taxing byproduct of buying and using Microsoft products.
> Microsoft makes it worse also by allowing marketing to make make name
> changes too often, and to bring even more confusion to the product trees
> which are dynamically in flux in regard to patches and updates.
>
> To be fair, all products are undergoing this kind of flux, but Microsoft
> with its breadth of product, and the problems noted regarding dates, and
> packages and application of them, brings a very difficult situation to
> corporations, and even worse for the casual home users, and small home
> offices. Really, the SoHo are on their own by and large. A cottage
> industry has sprouted around them, but most often they are running with old
> software, non-patched, and open to all levels of risk and destruction.
>
> If you want an answer to how often? It is not dictated by the size of your
> company, it is dictated by your willingness, ability, and internal resources
> to keep up with the updates. It is dicated, today, by your ability to take
> critical servers offline regularly, and to accept that most of your clients
> are going to go unpatched for long periods, and with risk. Most often,
> unless you have a ton of extra money for an IT org to have enough techs to
> chase the clients down, you will wait for new product releases, and hope
> Microsoft will include patches to the date of purchase that cover the
> "holes" discovered prior to the new product release itself. Then you will
> immediately begin to degrade in regard to clients and patches.
>
> "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
> news:OxXlzfB6CHA.2052@TK2MSFTNGP11.phx.gbl...
> >
> > "Doug Fox" <dfox168@hotmail.com> wrote in message
> > news:OoPMXOB6CHA.1808@TK2MSFTNGP12.phx.gbl...
> > > It may be OT questions, but they are relevant! I will compile a list of
> > all
> > > responses.
> > >
> > > How soon do you apply patches to your "critical" servers? Within a week?
> > > two weeks? a month? or upcoming mainteance window, which could be 3
> months
> > > down the road? (assuming testing has been done.)
> >
> > Depends on a lot of different things and varies from computer to computer
> or
> > from company to company. It's up to you and your need for security and
> the
> > risk of the exploit being used on that machine. For example, installing
> > non-critical patches might be delayed for internal machines where maximum
> > uptime and reliability is essential. It's also sometimes good in some
> cases
> > to wait and see if other people report problems with a patch, though with
> > some very public critical patches, you may not want to wait.
> >
> > Remember that the goal of security is generally not to make your server
> > impenetrable, but to try to save money and maximize availability of
> > resources where ever it is sensible to do so. It could be that certain
> > safeguards are more "costly" than the threats they are trying to reduce,
> in
> > which case you might choose to accept the risk of that threat instead of
> > trying to reduce it.
> >
> > > If you do not feel comfortable applying the patches for whatever
> reasons,
> > > but security insists. How would you handle the situation?
> >
> > I suppose do testing or document and provide the reasons for your concerns
> > to your security group and management. That patch is probably going to
> get
> > on your system sooner or later, when the next service pack or
> comprehensive
> > rollup whatever is released.
> >
> >
- Next message: Jay Zhang: "Creator owner block domain admin access"
- Previous message: life: "Windows Advanced Server 2000 PKI"
- In reply to: Activated: "Re: patch management policy/practice"
- Next in thread: Karl Levinson [x y] mvp: "Re: patch management policy/practice"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
