off / suspended guests and AV/Patch

Do you deploy any specific procedures around keeping off and suspended guests patched with OS security updates and AV definitions? If not - what is the risk? If yes - why so, why the need? I.e. if you power them on after 6 months they'll obviously be behind (I assume you can't patch an off or suspended guest?) but wouldn't your patch management and AV update tools just kick in and patch them the next time they are on?

I've been going through one of the DoD checklists and they say organisations must have some sort of process to keep off/suspended guests patched.

From vCenter - where could one see a list of currently off and suspended guests, could anyone provide a screenshot? And is there anywhere that you can see how long they have been "off" or "suspended" for?
pma111Asked:
IanThCommented:
I think you need to do that with powercli
0
IanThCommented:
see
http://read.virtualizeplanet.com/?p=157

you could see it in vCenter but as it logs everything at the bottom finding a specific VM off after 6 months
0
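To make the PowerCLI suggestion above concrete, here is an added example (not code from the thread) that lists powered-off and suspended VMs and works out how long each has been in that state from vCenter's event log; the vCenter hostname, the 180-day look-back and the CSV path are assumptions.

```powershell
# Added example: report off/suspended VMs and how long they have been that way.
# Assumes VMware PowerCLI is installed and the account can read vCenter events.
Connect-VIServer -Server vcenter.example.local   # placeholder hostname; prompts for credentials

$lookBackDays = 180                               # assumed look-back; vCenter may retain fewer days
$since        = (Get-Date).AddDays(-$lookBackDays)

$report = Get-VM |
    Where-Object { $_.PowerState -in 'PoweredOff', 'Suspended' } |
    ForEach-Object {
        $vm = $_
        # Most recent power-off or suspend event for this VM within the look-back window.
        $evt = Get-VIEvent -Entity $vm -Start $since -MaxSamples ([int]::MaxValue) |
            Where-Object { $_.GetType().Name -in 'VmPoweredOffEvent', 'VmSuspendedEvent' } |
            Sort-Object CreatedTime -Descending |
            Select-Object -First 1

        [pscustomobject]@{
            Name        = $vm.Name
            PowerState  = $vm.PowerState
            GuestOS     = $vm.Guest.OSFullName
            StateSince  = if ($evt) { $evt.CreatedTime } else { $null }
            # $null here means no event was found: either older than the look-back
            # window or already purged from the vCenter event database.
            DaysInState = if ($evt) { [math]::Round(((Get-Date) - $evt.CreatedTime).TotalDays, 1) } else { $null }
        }
    }

# Longest-dormant first: these are the guests that will boot with the biggest patch/AV gap,
# so they are the candidates for a power-on, patch, power-off maintenance window or for decommissioning.
$report | Sort-Object DaysInState -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\offline-vms.csv -NoTypeInformation   # assumed output path

Disconnect-VIServer -Confirm:$false
```

Rows with an empty DaysInState are the ones to treat as "off longer than the event retention" rather than as recently powered off.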
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
If we Suspend Machines (which we do not really) for any length of time, when a VM is Powered On it will be discovered by AV and Patching software automatically and updated to Company Standards.

All Physical and Virtual machines need to be patched and maintained, whether on or off.

In vCenter the Virtual Machine will have a "pause symbol" indicating Suspended in the Inventory.

[Screenshot: Suspended Machine]
The event logs in vCenter would state when the Machine was Suspended.
0
pma111Author Commented:
>All Physical and Virtual machines need to be patched and maintained, whether on or off.

Why so, because if you turn it back on, then surely the AV/PM solution will find it, find it's out of date and update it? Are you saying you schedule an "on window" where you patch it, then turn it off again, until the next window?

What's the symbol for an "off" machine as opposed to a suspended one? Why would you suspend over turning it off, or is it the same issue?
0
pma111Author Commented:
My concern is if you have an unpatched machine that's off, who can attack it?
0
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
In the screenshots above, a virtual machine which is OFF does not have a Green Arrow or Yellow Suspended Pause Button.

It's just Blue. As per vMaster VM.

You would maybe want to Suspend, if you wanted to turn the VM on quicker, but I do not think it's used much in a Production World.

Yes, you need to ensure ALL Computers are patched.

Yes, in our Config, if a computer is attached to our LAN, and discovered by AV and Patching software it's updated.

IF THE MACHINE IS OFF, IT IS NOT AT RISK! IT CANNOT BE ATTACKED!
0
pma111Author Commented:
So you say all machines must be patched, but then say if it's off there's no risk. So... why and how do you patch your "off" machines? Do you just turn them back on and let your AV/PM tool patch them, even if they'd been off say 6 months, or do you schedule maintenance windows to patch them in case they were ever back on? I.e. turn the offs on, patch, and turn them off again?

Can you explain why machines would be turned off for prolonged periods of time. And why they'd be off for minimal periods of time?
0
pma111Author Commented:
I'm basically getting at: do you need any special arrangements for machines you know will be off for some time? I.e. does the fact of turning them on with 6 months' worth of missing patches/AV cause a window of opportunity...
0
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
If our machines are OFF for an extended period they are for decommissioning.

Otherwise machines are not turned off.

In the real world, machines would not be off for extended periods if in Production.
0
pma111Author Commented:
Why would they be off at all?
0
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Because they are going to be retired, deleted and archived.
0