It's amazing when you read the workarounds for many of the updates MS pushes out.
9 times out of 10 the vulnerability is already addressed by another security measure I have put in place, or it affects a service on the server that I don't even have enabled. I read the updates carefully for each update released to a server. I wait about a week as well. (Mainly it's just a matter of when I get around to it and block off a maint. period). I don't even bother reading the updates to workstations. Test, wait a few hours, scour the web, and push out later that day.

Sam

-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Tuesday, September 29, 2009 4:20 PM
To: NT System Admin Issues
Subject: Re: WSUS question

On Tue, Sep 29, 2009 at 1:08 PM, Sam Cayze <[email protected]> wrote:
> Use GPO's to control it. I always use "Auto download and notify for
> install." for servers.

+1 / "Me too!" / etc.

Workstations get patches approved practically immediately and get install forced. Servers, I watch for any known issues or active exploitation, and deploy when it seems like a good idea, typically a week or so after release. Sooner if it's a "OMG we're all gonna die" security hole. Later if the web is buzzing about problems with an update.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
