We are not a WSUS shop; we use St. Bernard in a geographically extended network covering most of NE and New Jersey. The best rating I can give Update Expert is ho-hum. It works reliably in most cases.

What really works best for us is to have two patch rollout procedures: one for workstations and one for servers.

In the workstation scenario we manually install the patches on a select set of workstations in the user community to ensure they are going to install and to make sure they will work in a typical environment; it also covers non-standard installations. The patches sit there for a week and the workstations are closely monitored. The trade-off to the user for allowing this to happen to them is better response time from the help desk. After a week, if no issues are uncovered, it goes out via UpdateExpert to all of the systems that UE can manage.

For servers we do a similar tactic, starting with Dev and Test for a week, then 2 weeks in QA and Model (preproduction). If at the end of 3 weeks there are no problems, we schedule change control and update the servers on the next maintenance window in the DCs. Servers are updated using a combination of Update Expert automatic and MBSA manual, depending on the server.

This process doesn't work 100%, but it's pretty close. I don't think there are any silver bullets for patch management, so we use a combination of wooden stakes and garlic. For any patch management solution to work reliably it would require that the software have full access to all machines all the time. Ain't gonna happen in a large Windows shop.

-B-

-----Original Message-----
From: Jim Stagg [mailto:[EMAIL PROTECTED]
Sent: Monday, May 08, 2006 4:09 PM
To: [email protected]
Subject: RE: Patch Management on Critical Servers (Healthcare)

On this topic, I'd love to hear what some of the non-WSUS Microsoft server folks are doing. I've heard a lot about BigFix, Patchlink, St. Bernard, SMS, GFI et al. Has anyone found a product that works reliably?

--
Jim Stagg, Systems Administrator

> -----Original Message-----
> From: Renee Peters [mailto:[EMAIL PROTECTED]
> Sent: Monday, May 08, 2006 10:41 AM
> To: [EMAIL PROTECTED]; [email protected]
> Subject: RE: Patch Management on Critical Servers (Healthcare)
>
> Last year, our college campus was hit with an unclassified
> virus. After the hours it took to manually run around and
> patch 1000+ computers, our upper management finally approved
> a WSUS server. Knock on wood, it has run beautifully, and
> keeps our desktops and servers patched. As far as actually
> getting the updates applied and rebooting, we have standard
> times posted that the server may be unavailable due to
> routine maintenance. After last year's scare, everybody
> seems to be OK with this slight inconvenience. We aren't
> regulated as much as the healthcare field, but do still have
> standards to meet for state and federal funding. As long as
> the president of the college supports our practices, we don't
> have much to worry about.
>
> Renee
> Network Manager
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Monday, May 08, 2006 8:02 AM
> To: [email protected]
> Subject: Patch Management on Critical Servers (Healthcare)
>
> Hello
>
> I'm just curious to hear how people in the field have been
> handling patch management with critical servers. Have you
> set up maintenance windows? If so, how did you manage the down
> time? What have people been doing if the device or server has
> an approved FDA configuration? Are you using things like WSUS?
>
> Thanks,
>
> Matthew
> Security Engineer
