Good point, and one that I should mention. One strategy that many smaller shops do take is that they are not really in a position to do all of the levels of testing usually required to detect and mitigate any regression issues that might come up in specific systems.

Therefore, what I've done in the past is let the big guys take the lead - let them do some of your testing for you. Hang back just a couple, three days to let some of the bigger issues surface. The big issues are publicly noted, the smaller ones are discussed on BugTraq or some of the other security-related newsgroups. Also, the security-related newsgroups should be your first stop to find out what's really big (does this patch - the Important, not the Critical - really impact me?). (Criticals impact everyone - make NO mistake on that.)

There is nothing wrong with watching to see what issues are being detected by first responders. Most of these folks are at the top of the game when it comes to security, and they had to get there much the same way - watching what others did. Where do best practices come from? Someone learning that maybe this wasn't such a great idea, and I should have done THAT instead.... ;o)

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Taylor, Michael
Sent: Tuesday, July 05, 2005 2:28 PM
To: [email protected]
Subject: RE: [ActiveDir] Patching Strategy on DC's

I've been wondering about this same thing. I was just recently promoted to server administrator of about 30 servers. What would be the easiest way to make sure a patch doesn't interfere with Exchange, SQL, IIS, etc.?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan
Sent: Tuesday, July 05, 2005 12:52 PM
To: [email protected]
Subject: RE: [ActiveDir] Patching Strategy on DC's

How about: (and maybe not in this order)

1) Install a test environment - test patches before implementation.
2) Patch half after compatibility and performance testing, then patch the others within 48 hrs. (less, if you're feeling comfortable or the patch is of a very critical and high-risk category).
3) Get a complete system state backup of all DCs before applying any patches.
A couple of thoughts - and to expand upon my earlier comment. Security IS Risk Management - plain and simple. Don't patch quickly just for the sake of patching because Microsoft releases a fix. Look closely at the details of the patch - specifically the Technical sections. Determine what RISK this vulnerability poses to your environment. If it has to do with Alerter on your DCs, but you have the Alerter service off and Disabled, then it poses less of a risk than, say, RPC, which will allow remote execution if exploited.

However, at the same time you need to take into account that there is a real potential that the application of any un-tested patch WILL cause disruption of normal operations. Therefore, you need to approach any patching with the give and take of applying a patch because it is necessary and critical, against the possibility of disruption. Analyze the risk of either action, and act accordingly.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Murray Wall
Sent: Tuesday, July 05, 2005 12:31 PM
To: [email protected]
Subject: [ActiveDir] Patching Strategy on DC's

I have a question about a patching strategy for domain controllers. We have a single forest, single domain, 4 DCs. When patching for security patches, should we do all the DCs at once, or do half of them, or should we introduce a test lab, or lastly a latent replicated production site with a DC in it? Thoughts and approaches appreciated!
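The thread describes two things without showing them: Rick's three-step rollout (test first, patch half the DCs and the rest no sooner than 48 hours later, system state backup of every DC before any patch) and his risk triage (a fix for a service that is off and Disabled on every DC is lower risk than, say, an RPC remote-code-execution fix). The script below is an added example, not code from the list or from any of the posters, and it is a modern rendering: PowerShell did not exist in 2005, and it assumes Windows Server 2012 or later with the RSAT ActiveDirectory module, Windows Server Backup installed on the DCs, WinRM access as a domain admin, and an update package already downloaded. The parameter names, the `-KB`/`-MsuPath` values, the `E:` backup volume and the state file path are all hypothetical.

```powershell
<#
  Staged, risk-gated security patching of domain controllers.
  Added example, not code from the ActiveDir thread. Assumptions (hypothetical):
  - RSAT ActiveDirectory module on the admin host, Windows Server Backup on each DC
  - the operator is a domain admin with WinRM access to every DC
  - $MsuPath is the downloaded update package and $KB its article ID
  - $BackupTarget is a volume on each DC with room for a system state backup
#>
param(
    [Parameter(Mandatory)] [string] $KB,            # e.g. 'KB5034127' (hypothetical)
    [Parameter(Mandatory)] [string] $MsuPath,       # local path to the .msu
    [Parameter(Mandatory)] [ValidateSet(1, 2)] [int] $Wave,
    [string] $ServiceGate = 'Alerter',              # service the fix concerns; '' skips the gate
    [string] $BackupTarget = 'E:',
    [string] $StateFile = "$env:ProgramData\dcpatch-$KB.json"
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

$dcs = @((Get-ADDomainController -Filter *).HostName | Sort-Object)
if ($dcs.Count -lt 2) { throw 'Staging needs at least two DCs.' }
$half    = [math]::Ceiling($dcs.Count / 2)
$targets = if ($Wave -eq 1) { $dcs[0..($half - 1)] } else { $dcs[$half..($dcs.Count - 1)] }

function Test-ReplicationHealthy {
    # Refuse to proceed while any DC in the domain reports a replication failure.
    $fails = @(Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain)
    return ($fails.Count -eq 0)
}

# Risk triage (the Alerter-vs-RPC point): if the service the fix concerns is Disabled on
# every DC, the vulnerability is lower risk here and the patch can wait for others to
# surface regressions first.
if ($ServiceGate) {
    $exposed = foreach ($dc in $dcs) {
        $svc = Get-CimInstance Win32_Service -ComputerName $dc -Filter "Name='$ServiceGate'"
        if ($svc -and $svc.StartMode -ne 'Disabled') { $dc }
    }
    if (-not $exposed) {
        Write-Warning "$ServiceGate is Disabled on all DCs; $KB is lower risk here. Deferring."
        return
    }
}

if (-not (Test-ReplicationHealthy)) { throw 'Replication failures present; fix those before patching.' }

# Wave 2 runs only after wave 1 has had 48 h in production.
if ($Wave -eq 2) {
    if (-not (Test-Path $StateFile)) { throw 'Wave 1 has not completed.' }
    $done = [datetime](Get-Content $StateFile -Raw | ConvertFrom-Json).Wave1Completed
    $age  = (Get-Date) - $done
    if ($age.TotalHours -lt 48) { throw "Wave 1 finished $([int]$age.TotalHours) h ago; wait 48 h." }
}

foreach ($dc in $targets) {
    Write-Host "== $dc =="
    # System state backup before the patch: the restore path if the DC does not come back.
    Invoke-Command -ComputerName $dc -ArgumentList $BackupTarget -ScriptBlock {
        param($target)
        wbadmin start systemstatebackup -backupTarget:$target -quiet
        if ($LASTEXITCODE -ne 0) { throw "system state backup failed on $env:COMPUTERNAME" }
    }
    # Push the .msu over the admin share and install it without an automatic reboot.
    $leaf = Split-Path $MsuPath -Leaf
    Copy-Item $MsuPath "\\$dc\C$\Windows\Temp\$leaf"
    Invoke-Command -ComputerName $dc -ArgumentList $leaf -ScriptBlock {
        param($leaf)
        $p = Start-Process wusa.exe -ArgumentList "C:\Windows\Temp\$leaf /quiet /norestart" -Wait -PassThru
        if ($p.ExitCode -notin 0, 3010) { throw "wusa exit code $($p.ExitCode) on $env:COMPUTERNAME" }
    }
    Restart-Computer -ComputerName $dc -Force -Wait -For WinRM -Timeout 900
    # Verify the update actually landed and the DC still replicates before moving on.
    if (-not (Get-HotFix -Id $KB -ComputerName $dc -ErrorAction SilentlyContinue)) {
        throw "$KB not reported by $dc after reboot; stop the wave and investigate."
    }
    if (-not (Test-ReplicationHealthy)) { throw "Replication failure after patching $dc; stop." }
}

if ($Wave -eq 1) {
    @{ Wave1Completed = (Get-Date).ToString('o'); Hosts = $targets } |
        ConvertTo-Json | Set-Content $StateFile
}
```

Run it once with `-Wave 1` (after the patch has been through the test environment), and again with `-Wave 2` no earlier than 48 hours later; the second run refuses to start if wave 1 is too recent or if any DC reports a replication failure, which is the 'watch what surfaces first' part of the thread made mechanical. The backup step uses `wbadmin`, so it only applies to DCs with the Windows Server Backup feature installed, and `Get-HotFix` reports only updates that register a KB article ID, so a package that does not will need a different verification step.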
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
