We are not a wsus shop, we use St. Bernard in a geographically extended
network covering most of NE and New Jersey. The best rating I can give
update expert is ho-hum. It works reliably in most cases.
What really works best for us is to have two patch rollout procedures:
one for workstations and one for servers.
In the workstation scenario we manually install the patches on a select
set of workstations in the user community to ensure they are going to
install and make sure they will work on a typical environment and it
also covers non-standard installations. The patches sit there for a
week and the workstations are closely monitored. The trade off to the
user for allowing this to happen to them is better response time from
the help desk. After a week if no issues are uncovered it goes out via
UpdateExpert to all of the systems that UE can manage.
For servers we do a similar tactic starting with Dev and Test for a
week, then 2 weeks in QA and Model (preproduction). If at the end of 3
weeks there are no problems we schedule change control and update the
servers on the next maintenance window in the DCs. Servers are updated
using a combination of Update Expert automatic and MBSA manual depending
on the server.
This process doesn't work 100%, but its pretty close. I don't think
there any silver bullets for patch management so we use a combination of
wooden stakes and garlic.
For any patch management solution to work reliably it would require that
the software have full access to all machines all the time. Ain't gonna
happen in a large Windows shop.
-B-
-----Original Message-----
From: Jim Stagg [mailto:jstagg@sprich.com]
Sent: Monday, May 08, 2006 4:09 PM
To: focus-ms@securityfocus.com
Subject: RE: Patch Management on Critical Servers (Healthcare)
On this topic, I'd love to hear from some of the non-WSUS Microsoft
server
folks are doing. I've heard a lot about BigFix, Patchlink, St. Bernard,
SMS,
GFI et al. Has anyone found a product that works reliably?
--
Jim Stagg, Systems Administrator
-----Original Message-----
From: Renee Peters [mailto:reneep@Northeastcollege.com]
Sent: Monday, May 08, 2006 10:41 AM
To: beinm@ummhc.org; focus-ms@securityfocus.com
Subject: RE: Patch Management on Critical Servers (Healthcare)
Last year, our college campus was hit with an unclassified
virus. After the hours it took to manually run around and
patch 1000+ computers, our upper management finally approved
a WSUS server. Knock on wood, it has run beautifully, and
keeps our desktops and servers patched. As far as actually
getting the updates applied and rebooting, we have standard
times posted that the server may be unavailable due to
routine maintenance. After last year's scare, everybody
seems to be OK with this slight inconvience. We aren't
regulated as much as the healthcare field, but do still have
standards to meet for state and federal funding. As long as
the president of the college supports our practices, we don't
have much to worry about.
Renee
Network Manager
-----Original Message-----
From: beinm@ummhc.org [mailto:beinm@ummhc.org]
Sent: Monday, May 08, 2006 8:02 AM
To: focus-ms@securityfocus.com
Subject: Patch Management on Critical Servers (Healthcare)
Hello
I'm just curious to hear how people in the field have been
handling patch management with critical servers. Have you
setup maintenance windows? If, so how did you manage the down
time? What have people been doing if the device or server has
an approved FDA configuration? Are you using thing like WSUS?
Thanks,
Matthew
Security Engineer
--------------------------------------------------------------
----------
---
--------------------------------------------------------------
----------
---
--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
