Solved

Windows security patches standard procedure?

Posted on 2007-11-30
4
137 Views
Last Modified: 2010-04-13
Hi Guys,
I would like to know best practice of installing windows updates on production SQL/Web servers. We have Windows 2000 Advanced servers installed on 10 servers. Should auto download from WSUS and auto install be set and reboot the machine in maintenance window or auto download and manual install in maint window? What is the best practice before installing these updates meaning are these updates supposed to be tested before applying to production?
Please provide some details. Thanks
0
Comment
Question by:Rainbow002
  • 2
4 Comments
 
LVL 45

Accepted Solution

by:
Vitor Montalvão earned 250 total points
ID: 20382909
If you tested them before applying to production environment, then you should apply it at the best time you can find without interfering with normal work day. And check if no jobs are running too.
I usually use SMS to apply security patches during the night, but if you don't have SMS then you must install it manually.

Good luck
0
 
LVL 6

Assisted Solution

by:chuck-williams
chuck-williams earned 250 total points
ID: 20382951
If you tested the patches then you can set WSUS and group policy to install and reboot the servers. I currently use that in a production environment and use two policies to update and reboot two sets of servers (using different update groups)  at different times. I have not had any problems with that as of yet since I test my patches ahead too.
0
 

Author Comment

by:Rainbow002
ID: 20382983
Since, there won't be any service pack or major enhancement coming from MS, is it still a best practice to test?
0
 
LVL 6

Expert Comment

by:chuck-williams
ID: 20383076
I usually only test service packs and major upgrades (like IE7). I dont test every single patch and usually wait until about a week after they come out to approve them. Usually by that time if there is a bug in the patch microsoft has replaced it. When it comes to service packs becuase of our large environment it may take us up to 6 months before we deploy those due to many different departments with different applications.

I DO NOT recomment automatically approving patches through WSUS. I approve all of the manually. Takes 5 minutes out of your week. If you stay on top of them by approving at least once a week you should be able to stay up to date before any vulnerabilty is exploited.

Hope that helps.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Suggested Solutions

Everyone has problem when going to load data into Data warehouse (EDW). They all need to confirm that data quality is good but they don't no how to proceed. Microsoft has provided new task within SSIS 2008 called "Data Profiler Task". It solve th…
The Delta outage: 650 cancelled flights, more than 1200 delayed flights, thousands of frustrated customers, tens of millions of dollars in damages – plus untold reputational damage to one of the world’s most trusted airlines. All due to a catastroph…
Viewers will learn how the fundamental information of how to create a table.
Viewers will learn how to use the SELECT statement in SQL to return specific rows and columns, with various degrees of sorting and limits in place.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now