Discussion:
WSUS advice.
ed
2010-03-24 17:56:01 UTC
Hi all,

We have a Windows 2003 SUS server and I want to ask your advice.
It seems that it's very difficult to apply security updates to some
application servers as some application developers are afraid that security
updates will break their applications. What is some advice on this? Do
you test the security update on each application server? When are you going
to patch the critical updates and security updates? (when MS just released
them)

Thank you!
Dave Mills
2010-03-24 18:28:19 UTC
I guess you have to test them. This is where a VM is so good.

What will the developers say to getting Conficker on the server because it is
not patched? They will have to work with the updates installed at some time.
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
Lawrence Garvin [MVP]
2010-03-24 19:31:22 UTC
Post by ed
Hi all,
We have a Windows 2003 SUS server and I want to ask your advice.
It seems that it's very difficult to apply security updates to some
application servers as some application developers are afraid that security
updates will break their applications. What is some advice on this?
T E S T I N G
Post by ed
Do you test the security update on each application server?
Actually, if they're in-house application developers, I'd delegate the
responsibility for testing to them, and put a deadline on delivering negative
results. Ergo, if they don't report any problems within xx days after the
update is released, you'll assume no such problems exist, and the update
will be deployed.
Post by ed
When are you going
to patch the critical updates and security updates? (when MS just released
them)
My personal take -- and granted, not 100% foolproof, so get out your salt
shaker -- is that if application developers are properly developing their
applications, *nothing* being done in the underlying operating system to
plug security holes should break anything they're doing. If it does, then
that implies that the application was making use of the functionality with
the security defect, and the application *does* need to be repaired as well.

[And now I'll read Dave's reply. <g>]
--
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2010)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
ed
2010-03-24 20:52:01 UTC
Thank you for ALL your help.
Did MS require that we have to apply critical updates within 24 hours?
Shenan Stanley
2010-03-24 20:57:24 UTC
Post by ed
Thank you for ALL your help.
Did MS require that we have to apply critical updates within 24 hours?
Eh?

Microsoft requires *nothing* of you other than properly licensing their
product and using it in accordance with the end-user licensing agreement.
Your systems and how they are maintained/updated are something left to you
within other limiting factors (product life cycles and your need for actual
Microsoft support, for example.)
--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
Lawrence Garvin [MVP]
2010-03-24 21:03:06 UTC
Post by ed
Did MS require that we have to apply critical updates within 24 hours?
Microsoft has no such requirement; however, if you were to call Product
Support Services some period after the updates were released and your
environment were not fully patched with all available Critical and Security
Updates, it would not be inconceivable that they would first ask you to
update your systems, then reproduce the issue and call them back. :-)
ed
2010-03-25 13:43:01 UTC
Thank you for ALL your help.

One security consultant found out that we have some application servers that did
not get security patches as developers refused to patch.

Then the consultant told my boss that some updates are required to be applied within
24 hours. That's why I just wonder whether there is such a thing?

Thank you.
Lawrence Garvin [MVP]
2010-03-25 18:37:27 UTC
Post by ed
Then the consultant told my boss that some updates are required to be applied within
24 hours. That's why I just wonder whether there is such a thing?
The consultant may have been miswording a *recommendation* to install an
update ASAP because of the high-risk vulnerability it patched, rather than
necessarily intending to imply there was a Microsoft-imposed requirement.
Dave Mills
2010-03-25 18:56:19 UTC
Post by ed
Thank you for ALL your help.
One security consultant found out that we have some application servers that did
not get security patches as developers refused to patch.
Then the consultant told my boss that some updates are required to be applied within
24 hours. That's why I just wonder whether there is such a thing?
A rather extreme statement. Reasonably quickly after testing would be more
reasonable. Ten years ago it was typically 400 days between a security hole
being discovered and an exploit appearing, now that time is 3 days or so.