Best way to apply patches/updates to servers that have .net applications/business applications?

hi guys

The environment I'm working in has around 150+ servers. Our team has to apply patches and keep these servers updated on a regular basis, which they haven't done as yet. Now, the issue we have is that these servers are not just owned by the infrastructure and security teams, as that would be easy to manage. The business analysts, business intelligence and applications teams own a good percentage of these too.

I need to put strategies in place so that my team, infrastructure & security, ensures that when these updates are applied the impact is minimised and that we don't suddenly have updates which affect the applications sitting on those servers and end up firefighting errors.

One of my ideas was to ensure that there is a testing environment. But if I did, would I then liaise with the development teams to replicate everything that is on the production environment onto their testing too and regularly? So that when they make changes to development, they do the same onto testing?

What is the approach you have found works best?

Thanks for helping
Wait 7 days, then approve all updates and install them. This way I can see if there are any breaking updates.


Would you build a test environment for all of these servers?

Actually the machines are owned by the company, must meet the standards set by the security team and are then allocated to (not owned by) the other business units. If you just apply security updates (after the 1 week wait) then I'd not bother testing; just approve and get them installed.
In many cases, updates should be applied in steps by creating groups of machines to allow phased testing.

Group 1 - initial test
Approve updates and monitor to confirm nothing dodgy occurs.
Put a selection of test/dev/IT dept machines in here. Non-critical systems only.

Group 2 - Test machines spread around the business.
Assuming no issues occurred in group 1, release updates to this group.
Let each dept/functionary specify which of their server(s) can be used as a test, encouraging them to allow you one of each 'type' to ensure you have tested all eventualities.
e.g. one of their web servers, one of their app servers, one of their DB servers.

By using this group, they can quickly identify if any issue/outage occurs on the servers designated as test servers and whether recent updates may be the cause or not.

Group 3 - remaining servers
Assuming test group 2 is a valid set of servers for testing purposes and no issues were found, releasing updates to the remaining servers should be minimal risk as the updates have already been proved.
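
As an added worked example (not code from this thread), here is the 7-day hold and the three-group rollout above expressed as a WSUS approval script. It assumes updates are served by WSUS with the UpdateServices PowerShell module available on the server, and that three computer target groups, named Patch-Ring1, Patch-Ring2 and Patch-Ring3 here to stand for Groups 1 to 3, already exist.

```powershell
# Added example, not from the thread: phased WSUS approvals for the 7-day hold and
# the three groups above. Assumes the UpdateServices module on the WSUS server and
# three existing computer target groups (names chosen here): Patch-Ring1..3.
Import-Module UpdateServices
$wsus     = Get-WsusServer          # local WSUS server
$waitDays = 7                       # hold new updates this long before ring 1
$soakDays = 7                       # ring N must run an update this long before ring N+1
$rings    = 'Patch-Ring1', 'Patch-Ring2', 'Patch-Ring3'
$groups   = @{}
$wsus.GetComputerTargetGroups() | ForEach-Object { $groups[$_.Name] = $_ }

# Approval record of $Update for one ring, or $null if it is not approved there yet.
function Get-RingApproval($Update, [string]$Ring) {
    $Update.GetUpdateApprovals() |
        Where-Object { $_.ComputerTargetGroupId -eq $groups[$Ring].Id } |
        Select-Object -First 1
}

# $true when no machine in the ring has reported a failed install of $Update.
function Test-RingClean($Update, [string]$Ring) {
    $info = $Update.GetUpdateInstallationInfoPerComputerTarget($groups[$Ring])
    -not ($info | Where-Object { $_.UpdateInstallationState -eq 'Failed' })
}

# Group 1: security updates that arrived at least $waitDays ago and are still unapproved.
$cutoff = (Get-Date).AddDays(-$waitDays)
Get-WsusUpdate -UpdateServer $wsus -Classification Security -Approval Unapproved -Status All |
    Where-Object { $_.Update.ArrivalDate -lt $cutoff } |
    ForEach-Object {
        Approve-WsusUpdate -Update $_ -Action Install -TargetGroupName $rings[0]
        Write-Host "-> $($rings[0]): $($_.Update.Title)"
    }

# Groups 2 and 3: promote one ring at a time, only after the previous ring has had the
# update for $soakDays days with no failed installs reported.
Get-WsusUpdate -UpdateServer $wsus -Classification Security -Approval Approved -Status All |
    ForEach-Object {
        $u = $_.Update
        for ($i = 0; $i -lt $rings.Count - 1; $i++) {
            $prev = Get-RingApproval $u $rings[$i]
            if (-not $prev -or (Get-RingApproval $u $rings[$i + 1])) { continue }
            $soaked = $prev.CreationDate -lt (Get-Date).AddDays(-$soakDays)
            if ($soaked -and (Test-RingClean $u $rings[$i])) {
                Approve-WsusUpdate -Update $_ -Action Install -TargetGroupName $rings[$i + 1]
                Write-Host "-> $($rings[$i + 1]): $($u.Title)"
            } else {
                Write-Host "hold $($rings[$i + 1]): $($u.Title)"
            }
        }
    }
```

Run it from a scheduled task on the WSUS server; an update only ever moves one ring per run, so a failure reported by any machine in the current ring stops it from reaching the next one.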


Steve, thank you for that.

Anytime :-)
