Patching Hyper-V environment

carbonbase
carbonbase used Ask the Experts™
on
I have a number of Hyper-V servers running Windows 2012 Core which have not been patched in some time.  Can I just patch the Hyper-V hosts or do I need to patch the VM's as well.  

For background, this is a legacy environment and they people that built it have left the company some time ago without any handover.  Windows Update service has been disabled on all the vm's for some reason.  The vm's are a mix of Windows 7 and Windows 2008R2.

Is it just enough to patch the Hyper-V hosts?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
PeeterBIT Support Tech

Commented:
No, not enough just to patch the Hosts ... you need to patch VMs as well .... and, if that hasn't been done for a while expect GBs of patches to be downloaded and installed ...
bbaoIT Consultant

Commented:
if you are talking about a production environment, then both Hyper-V host and the VMs running on it should be updated, and always do so as a best practice.

FYI - the Hyper-V host here provides only hardware support for the VMs including physical memory, storage and processor power. every VM works individually like a real server, hence they need to be updated as normal servers.
Commented:
Patch management is a preventive control that corrects discovered weaknesses by applying a patch to the original program code that eliminates the weakness preventing exploitation.
• Make sure that a patch management system is in place to ensure that all relevant patches are installed. This is especially important for any patches released that apply to the virtualization software itself. Also, carefully determine when and if general operating system patches should also be installed on the host and guests.
• Pay special attention to how you configure virtual networking devices, enabling network connectivity between systems only when necessary.
• Consistently capture snapshots, or the state of the virtual environment at a certain point in time, to provide a quick and easy way to recover the entire environment should it be compromised.
• Carefully monitor the number of virtual machines to avoid VM sprawl.

https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final
https://www.sans.org/reading-room/whitepapers/threats/paper/34450
Philip ElderTechnical Architect - HA/Compute/Storage

Commented:
Both the hosts and the guests need to be patched.

Expect downtime for the guests that are running on the host to be patched. If the hosts are domain joined then Shared Nothing Live Migration could be used to move the VMs to another host (mindful of licensing) to avoid downtime.

There is a just released patch for the Remote Desktop Protocol that is patching a vulnerability that is WannaCry like in that the bad actors can worm across all operating systems with the vulnerability.

Long and short of it is to patch! I suggest subscribing to www.patchmanagement.org. It's an awesome resource.

Author

Commented:
Thanks all for your comments.  As I suspected, but thanks for confirming.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial