Solved

Windows security patches standard procedure?

Posted on 2007-11-30
4
145 Views
Last Modified: 2010-04-13
Hi Guys,
I would like to know best practice of installing windows updates on production SQL/Web servers. We have Windows 2000 Advanced servers installed on 10 servers. Should auto download from WSUS and auto install be set and reboot the machine in maintenance window or auto download and manual install in maint window? What is the best practice before installing these updates meaning are these updates supposed to be tested before applying to production?
Please provide some details. Thanks
0
Comment
Question by:Rainbow002
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 51

Accepted Solution

by:
Vitor Montalvão earned 250 total points
ID: 20382909
If you tested them before applying to production environment, then you should apply it at the best time you can find without interfering with normal work day. And check if no jobs are running too.
I usually use SMS to apply security patches during the night, but if you don't have SMS then you must install it manually.

Good luck
0
 
LVL 6

Assisted Solution

by:chuck-williams
chuck-williams earned 250 total points
ID: 20382951
If you tested the patches then you can set WSUS and group policy to install and reboot the servers. I currently use that in a production environment and use two policies to update and reboot two sets of servers (using different update groups)  at different times. I have not had any problems with that as of yet since I test my patches ahead too.
0
 

Author Comment

by:Rainbow002
ID: 20382983
Since, there won't be any service pack or major enhancement coming from MS, is it still a best practice to test?
0
 
LVL 6

Expert Comment

by:chuck-williams
ID: 20383076
I usually only test service packs and major upgrades (like IE7). I dont test every single patch and usually wait until about a week after they come out to approve them. Usually by that time if there is a bug in the patch microsoft has replaced it. When it comes to service packs becuase of our large environment it may take us up to 6 months before we deploy those due to many different departments with different applications.

I DO NOT recomment automatically approving patches through WSUS. I approve all of the manually. Takes 5 minutes out of your week. If you stay on top of them by approving at least once a week you should be able to stay up to date before any vulnerabilty is exploited.

Hope that helps.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Slowly Changing Dimension Transformation component in data task flow is very useful for us to manage and control how data changes in SSIS.
The Delta outage: 650 cancelled flights, more than 1200 delayed flights, thousands of frustrated customers, tens of millions of dollars in damages – plus untold reputational damage to one of the world’s most trusted airlines. All due to a catastroph…
Via a live example, show how to shrink a transaction log file down to a reasonable size.
Viewers will learn how to use the INSERT statement to insert data into their tables. It will also introduce the NULL statement, to show them what happens when no value is giving for any given column.

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question