Solved

Microsoft patching schedules for Windows Servers

Posted on 2014-10-17
7
306 Views
Last Modified: 2016-03-23
can some one throw light of patching monthly vs quarterly pros and cons?  
what best suits for what kind of environment?
what are best practices with respective to timelines and phase wise deployments?
0
Comment
Question by:Good
7 Comments
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40387467
sometimes company policy or regulation will define this
i've been in places where patches will be installed the following month; october patches installed in november, november patches in december, etc.  another place will immediately install to dev systems right after patch tuesday and if no issues, will push to prod the following couple weeks.  both were regulated by either SEC or PCI compliance.

the only down side to patching so quickly is that once in a while something might break from a patch so you have to weigh that also
0
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40387820
If you have test environment then test patches in that environment first.  We patch quarterly and we ensure to do it in the middle of the month when month-end processing is not happening.  We also use Tenable Security Center (Nessus based) to scan for patches and performing a risk assessment.  If the risk is high then we do an out of schedule patching to resolve potential critical issues (i.e. if there is an IIS critical patch but our web servers are not accessible over the Internet then the risk is low and we patch quarterly).
0
 

Author Comment

by:Good
ID: 40416240
any other additional thots on this patching schedules? what is industry best practices, did gartner released what is the percentage of firms doing monthly/quarterly patching etc...need additional information
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 40417811
Every patch risks a problem and rollback procedure so the more often you do it, the more time you are spending. The hardest part for me is knowing if something broke right after a patch as sometimes it's not obvious. Knowing if something is broken and having a way to roll back are the two most important things IMO.
0
 
LVL 19

Assisted Solution

by:compdigit44
compdigit44 earned 250 total points
ID: 40418190
I work for a large company with 800+ servers and tight regulations. We patch are servers as follows.

1) All Test and Dev servers are patched the 2nd week of each month when patch come out.  All servers are then tested and validated.

2) On the 4th week of each month we patch ~100 of our most critical servers.

3) During the following weeks we patch the reaming servers in batch of 150 -200 .So there is always a constant flow of patch being deployed and in our environment a staff member has to be onsite in the server room while patches are deployed via SCCM incase a server has problems because our downtime windows is very small.
0
 
LVL 26

Accepted Solution

by:
Leon Fester earned 250 total points
ID: 40421314
As mentioned by the first poster...your patching schedule should be based on your regulatory requirements. If you are working in heavily regulated/audited environment then there are already guidelines that dictate the frequency of patching.

In PCI DSS(Payment Card Industry Data Security Standard), for example, they require you to apply critical patches within 30 days of the patch being released.
However, this does not overrule the requirement that you only apply patches that are needed. Even then, we had critical systems that we only patched every 3 months due to the amount of work required to failover to the backup systems.


Apply updates on a needs only basis.

One of the common misconceptions about Microsoft updates is that they are mandatory and/or urgent.

All updates, regardless of their type (whether they are service packs, hotfixes or security patches), are to be applied on an "as-needed" basis. They need to be evaluated individually and treated as important optional updates.

Especially with security patches, the expectation is that it must be an urgent issue and must be deployed quickly. Without trying to detract from the urgency, security patches are very much a relative update; for example, customers using solely Windows NT4 can ignore a patch for a security vulnerability in Windows 2000. However, if the issue is relevant and does plug a security hole, then it should be evaluated urgently.

Only when it addresses or fixes an issue being experienced by the customer should it be considered. Of course, it still needs to be evaluated before being installed.

http://msdn.microsoft.com/en-us/library/cc750077.aspx
http://technet.microsoft.com/en-us/library/cc708536(v=ws.10).aspx

These links are Microsoft best practices for how to manage updates, but Microsoft does not stipulate when to patch other than "As needed. After evaluation and testing of the patch. When system downtime will be least impacting on your organization"

Check out the document published by the  (United States) DHS National Cyber Security Division Control Systems Security Program entitled: Recommended Practice for Patch
Management of Control Systems
https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/PatchManagementRecommendedPractice_Final.pdf

It also only talks about the patching process and controls but not the frequency.

Regarding frequency; if it's not specified by any regulations then you can patch when you need or can manage it. You need to take a risk-based approach and decide how impacted your organization would be if you patched every month. Can your support team manage it? Is your systems critically affected by the patch release?
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SSL stands for “Secure Sockets Layer” and an SSL certificate is a critical component to keeping your website safe, secured, and compliant. Any ecommerce website must have an SSL certificate to ensure the safe handling of sensitive information like…
A customer recently asked me about anti-malware and the different deployment options available for his business. Daily news about cyberattacks, zero-day vulnerabilities, and companies that suffered a security breach made him wonder if the endpoint a…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question