Solved

Microsoft patching schedules for Windows Servers

Posted on 2014-10-17
7
285 Views
Last Modified: 2016-03-23
can some one throw light of patching monthly vs quarterly pros and cons?  
what best suits for what kind of environment?
what are best practices with respective to timelines and phase wise deployments?
0
Comment
Question by:Good
7 Comments
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40387467
sometimes company policy or regulation will define this
i've been in places where patches will be installed the following month; october patches installed in november, november patches in december, etc.  another place will immediately install to dev systems right after patch tuesday and if no issues, will push to prod the following couple weeks.  both were regulated by either SEC or PCI compliance.

the only down side to patching so quickly is that once in a while something might break from a patch so you have to weigh that also
0
 
LVL 24

Expert Comment

by:Mohammed Khawaja
ID: 40387820
If you have test environment then test patches in that environment first.  We patch quarterly and we ensure to do it in the middle of the month when month-end processing is not happening.  We also use Tenable Security Center (Nessus based) to scan for patches and performing a risk assessment.  If the risk is high then we do an out of schedule patching to resolve potential critical issues (i.e. if there is an IIS critical patch but our web servers are not accessible over the Internet then the risk is low and we patch quarterly).
0
 

Author Comment

by:Good
ID: 40416240
any other additional thots on this patching schedules? what is industry best practices, did gartner released what is the percentage of firms doing monthly/quarterly patching etc...need additional information
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 40417811
Every patch risks a problem and rollback procedure so the more often you do it, the more time you are spending. The hardest part for me is knowing if something broke right after a patch as sometimes it's not obvious. Knowing if something is broken and having a way to roll back are the two most important things IMO.
0
 
LVL 19

Assisted Solution

by:compdigit44
compdigit44 earned 250 total points
ID: 40418190
I work for a large company with 800+ servers and tight regulations. We patch are servers as follows.

1) All Test and Dev servers are patched the 2nd week of each month when patch come out.  All servers are then tested and validated.

2) On the 4th week of each month we patch ~100 of our most critical servers.

3) During the following weeks we patch the reaming servers in batch of 150 -200 .So there is always a constant flow of patch being deployed and in our environment a staff member has to be onsite in the server room while patches are deployed via SCCM incase a server has problems because our downtime windows is very small.
0
 
LVL 26

Accepted Solution

by:
Leon Fester earned 250 total points
ID: 40421314
As mentioned by the first poster...your patching schedule should be based on your regulatory requirements. If you are working in heavily regulated/audited environment then there are already guidelines that dictate the frequency of patching.

In PCI DSS(Payment Card Industry Data Security Standard), for example, they require you to apply critical patches within 30 days of the patch being released.
However, this does not overrule the requirement that you only apply patches that are needed. Even then, we had critical systems that we only patched every 3 months due to the amount of work required to failover to the backup systems.


Apply updates on a needs only basis.

One of the common misconceptions about Microsoft updates is that they are mandatory and/or urgent.

All updates, regardless of their type (whether they are service packs, hotfixes or security patches), are to be applied on an "as-needed" basis. They need to be evaluated individually and treated as important optional updates.

Especially with security patches, the expectation is that it must be an urgent issue and must be deployed quickly. Without trying to detract from the urgency, security patches are very much a relative update; for example, customers using solely Windows NT4 can ignore a patch for a security vulnerability in Windows 2000. However, if the issue is relevant and does plug a security hole, then it should be evaluated urgently.

Only when it addresses or fixes an issue being experienced by the customer should it be considered. Of course, it still needs to be evaluated before being installed.

http://msdn.microsoft.com/en-us/library/cc750077.aspx
http://technet.microsoft.com/en-us/library/cc708536(v=ws.10).aspx

These links are Microsoft best practices for how to manage updates, but Microsoft does not stipulate when to patch other than "As needed. After evaluation and testing of the patch. When system downtime will be least impacting on your organization"

Check out the document published by the  (United States) DHS National Cyber Security Division Control Systems Security Program entitled: Recommended Practice for Patch
Management of Control Systems
https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/PatchManagementRecommendedPractice_Final.pdf

It also only talks about the patching process and controls but not the frequency.

Regarding frequency; if it's not specified by any regulations then you can patch when you need or can manage it. You need to take a risk-based approach and decide how impacted your organization would be if you patched every month. Can your support team manage it? Is your systems critically affected by the patch release?
0

Featured Post

Why spend so long doing email signature updates?

Do you spend loads of your time carrying out email signature updates? Not very interesting are they? Don’t let signature updates get you down. Let Exclaimer Cloud - Signatures for Office 365 make managing email signatures a breeze.

Join & Write a Comment

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now