
| Subject: | Re: Patch Management on Critical Servers (Healthcare) |
|---|---|
| Date: | Tue, 09 May 2006 12:11:49 -0700 |
Chris Dalton wrote:
Some key items to remember are that testing of the patch must be done in a separate environment from production.
The test system must be at the same level as production.
Production data must not be used in testing.
There must be a proper segregation of duties between those who test and those who move into production.
Chris G. Dalton C.P.A. Corporate Audit Services Capital One Financial 1-504-533-6419 phone 1-504-533-2355 fax
I'm a fan of Shavlik.... not only from the standpoint of their product..but their 'community help' posture as well. They run the patchmanagement.org listserve that discusses patch management platforms and patching issues. (Check out www.patchmanagement.org)
"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net> 05/08/06 4:44 PM >>>
Honestly.. it's the process of change management that is the hard part, I think..the testing and the approval process. No matter what patch tool you choose, it will have its nuances that you get used to.
Why do I like Shavlik?
Because it just shows me the patches I need in a nice format unlike WSUS which has a confusing UI.
Because it works.
Because it has additional features like 'reboot before patching', Office local install source, and will patch things beyond MS in my network.
Jim Stagg wrote:
On this topic, I'd love to hear what some of the non-WSUS Microsoft server folks are doing. I've heard a lot about BigFix, Patchlink, St. Bernard, SMS, GFI et al. Has anyone found a product that works reliably?
-- Jim Stagg, Systems Administrator
-----Original Message-----
From: Renee Peters [mailto:reneep@Northeastcollege.com]
Sent: Monday, May 08, 2006 10:41 AM
To: beinm@ummhc.org; focus-ms@securityfocus.com
Subject: RE: Patch Management on Critical Servers (Healthcare)
Last year, our college campus was hit with an unclassified virus. After the hours it took to manually run around and patch 1000+ computers, our upper management finally approved a WSUS server. Knock on wood, it has run beautifully, and keeps our desktops and servers patched. As far as actually getting the updates applied and rebooting, we have standard times posted that the server may be unavailable due to routine maintenance. After last year's scare, everybody seems to be OK with this slight inconvenience. We aren't regulated as much as the healthcare field, but do still have standards to meet for state and federal funding. As long as the president of the college supports our practices, we don't have much to worry about.
Renee Network Manager
-----Original Message-----
From: beinm@ummhc.org [mailto:beinm@ummhc.org]
Sent: Monday, May 08, 2006 8:02 AM
To: focus-ms@securityfocus.com
Subject: Patch Management on Critical Servers (Healthcare)
Hello
I'm just curious to hear how people in the field have been handling patch management with critical servers. Have you set up maintenance windows? If so, how did you manage the down time? What have people been doing if the device or server has an approved FDA configuration? Are you using things like WSUS?
Thanks,
Matthew
Security Engineer