Network Security Focus-Microsoft

RE: WSUS/Reboot

Subject: RE: WSUS/Reboot
Date: Sat, 18 Jun 2005 19:55:21 -0700
One other thing to add in - if you check the audit logs and find the last
time the services booted, you can get a good idea of what the normal uptime
really is. This can be good information to have.

I once wanted to set a bunch of service passwords to expire every 70 days,
and the owner complained it would mess up his uptime figures. I scanned each
of their boxes, found the real uptimes, and made nice charts with circles
and arrows that showed that only 5% of their systems ever made it to > 70
days without a reboot, so changing the password ought not be that big a
deal. The service owner wasn't especially happy that security knew more
about his uptime stats than he did, but that's the breaks.

The other thing to do is break things up into as many OUs as you need, and
set policy for each one as you like. You really wouldn't want them all
rebooting at once, so use the setting for when the updates get applied to
have them cycle in stages. IMHO, if it is a sensitive server, you may want
to just push the patches out, and apply them once the admin logs on. This
way it isn't bouncing on people with no warning. 

-----Original Message-----
From: Mike.Carney@bentley.com [mailto:Mike.Carney@bentley.com] 
Sent: Friday, June 17, 2005 7:35 AM
To: r.balk@nl.intrum.com; focus-ms@securityfocus.com
Subject: RE: WSUS/Reboot

Hi Ronald,

You're probably going to hate this answer but I'm going through 
the same process here myself.

The best way to keep yourself and the company as a whole 
covered as far as down time is sit down with the business 
side of the company and determine what your maintenance 
windows are.  From there you can develop a list of servers 
and their availability to be patched and rebooted.

It really needs to become a policy rather than a technical question.
For example,

You will go to management and say when can this set of 
servers be rebooted (make sure they know this means downtime), 
you list the server names and in there they will see your 
e-mail and database servers.  To which they will respond 
"these can't be down" and you will have to explain that this 
is possible but it will cost a ton of money to cluster the 
servers they have said "can't be down" and if they don't 
patch the servers they can become infected or hacked and the 
company will have an extended period of down time due to a 
virus taking out the server or the other (perhaps scarier 
scenario) is that the company would have to go to their 
customers and explain why their data was stolen.

At this point the business side will either pony up the money 
to cluster the systems or they will work with you to find the 
different windows during the month/week that you are able to 
patch the servers and reboot them.  

You should also work in here the emergency patching that may 
need to occur if a large virus outbreak occurs.

Anyway, good luck on this, it is a lengthy process that you 
have to go through, but in the end you will be able to have a 
good idea when things can be patched and rebooted and have 
ammo if anything bad were to happen.

Thanks,

Mike

Msoft Doc:
http://www.microsoft.com/downloads/details.aspx?FamilyID=227ad5a5-676f-4f00-bc7a-3c7058f1f327&DisplayLang=en

-----Original Message-----
From: Ronald Balk [mailto:r.balk@nl.intrum.com]
Sent: Friday, June 17, 2005 5:31 AM
To: focus-ms@securityfocus.com
Subject: WSUS/Reboot


Hiya all,

We have been testing with this new WSUS from MS.
All seems fine -;)
My question is how to handle the server reboots after an installed
security patch which requires a reboot.
We hold about 150 servers, mixed Exchange, reverse proxy, SQL, etc.
What's the best way to manage this?

Thanks
Ronald Balk
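
The top reply in this thread describes pulling boot times from the logs to learn what uptime servers really achieve before setting a 70-day password expiry. The PowerShell below is an added example of that measurement, not code from any poster: it assumes boot time is taken from System log Event ID 6005 ("The Event log service was started"), and the function name, host names and timestamps are constructed for illustration.

```powershell
# Added example. Longest observed uptime run per host, from boot-event timestamps.
# Runs before the oldest retained event are invisible, so results are a lower bound.
function Get-LongestUptime {
    param(
        [Parameter(Mandatory)] [object[]] $BootEvent,  # objects with ComputerName, TimeCreated
        [Parameter(Mandatory)] [datetime] $AsOf,       # end of the observation window
        [int] $ThresholdDays = 70                      # the expiry interval from the thread
    )
    $BootEvent | Group-Object ComputerName | ForEach-Object {
        $boots = @($_.Group | ForEach-Object { [datetime]$_.TimeCreated } | Sort-Object)
        $longest = [timespan]::Zero
        for ($i = 0; $i -lt $boots.Count; $i++) {
            # A run ends at the next boot, or at $AsOf for the run still in progress.
            $end = if ($i + 1 -lt $boots.Count) { $boots[$i + 1] } else { $AsOf }
            $run = $end - $boots[$i]
            if ($run -gt $longest) { $longest = $run }
        }
        [pscustomobject]@{
            ComputerName      = $_.Name
            Boots             = $boots.Count
            LongestUptimeDays = [math]::Round($longest.TotalDays, 1)
            ExceedsThreshold  = $longest.TotalDays -gt $ThresholdDays
        }
    }
}

# Live collection for one server (hypothetical variable $name), left commented out:
# Get-WinEvent -ComputerName $name -FilterHashtable @{ LogName = 'System'; Id = 6005 } |
#     Select-Object @{ n = 'ComputerName'; e = { $name } }, TimeCreated

# Constructed sample data so the example runs offline.
$sample = @(
    [pscustomobject]@{ ComputerName = 'EXCH01';  TimeCreated = '2005-01-10 03:00' }
    [pscustomobject]@{ ComputerName = 'EXCH01';  TimeCreated = '2005-02-15 03:10' }
    [pscustomobject]@{ ComputerName = 'EXCH01';  TimeCreated = '2005-04-12 02:55' }
    [pscustomobject]@{ ComputerName = 'EXCH01';  TimeCreated = '2005-06-15 03:05' }
    [pscustomobject]@{ ComputerName = 'SQL01';   TimeCreated = '2005-01-05 01:00' }
    [pscustomobject]@{ ComputerName = 'SQL01';   TimeCreated = '2005-06-01 01:20' }
    [pscustomobject]@{ ComputerName = 'PROXY01'; TimeCreated = '2005-03-09 04:00' }
    [pscustomobject]@{ ComputerName = 'PROXY01'; TimeCreated = '2005-04-13 04:00' }
    [pscustomobject]@{ ComputerName = 'PROXY01'; TimeCreated = '2005-05-11 04:00' }
)

$report = @(Get-LongestUptime -BootEvent $sample -AsOf '2005-06-18')
$report | Sort-Object LongestUptimeDays -Descending | Format-Table -AutoSize
$over = @($report | Where-Object ExceedsThreshold).Count
'{0} of {1} hosts ever ran longer than 70 days between boots' -f $over, $report.Count
```

Hosts flagged `ExceedsThreshold` are the only ones where a password expiry at that interval would force a restart that patching had not already caused.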
