Microsoft patching schedules for Windows Servers
Can someone throw light on the pros and cons of patching monthly vs. quarterly?
What best suits what kind of environment?
What are best practices with respect to timelines and phase-wise deployments?
If you have a test environment, then test patches in that environment first. We patch quarterly, and we make sure to do it in the middle of the month when month-end processing is not happening. We also use Tenable Security Center (Nessus-based) to scan for patches and perform a risk assessment. If the risk is high, then we do out-of-schedule patching to resolve potential critical issues (i.e. if there is an IIS critical patch but our web servers are not accessible over the Internet, then the risk is low and we patch quarterly).
ASKER
Any other additional thoughts on these patching schedules? What are industry best practices? Did Gartner release the percentage of firms doing monthly/quarterly patching, etc.? Need additional information.
Every patch risks a problem and rollback procedure so the more often you do it, the more time you are spending. The hardest part for me is knowing if something broke right after a patch as sometimes it's not obvious. Knowing if something is broken and having a way to roll back are the two most important things IMO.
I've been in places where patches will be installed the following month: October patches installed in November, November patches in December, etc. Another place will immediately install to dev systems right after Patch Tuesday and, if no issues, will push to prod in the following couple of weeks. Both were regulated by either SEC or PCI compliance.
The only downside to patching so quickly is that once in a while something might break from a patch, so you have to weigh that also.