Re: Auto-Updates for production servers
- From: "Anthony" <anthony.spam@xxxxxxxxxxxxxx>
- Date: Mon, 29 Oct 2007 22:42:46 -0000
Hi Brian,
I hope you won't mind advice that contradicts your presumed views.
When Microsoft or any software vendor discovers a flaw that can be
exploited, they need to fix it.
If you don't apply the fix, you are vulnerable from that time on because
everyone knows what the flaw is.
You can test the fix to see if it breaks anything, but you still need to
apply it even if it does.
So really it could be a responsibility of the developers to be aware of
fixes, maintain a testing environment and identify what to do if a fix
breaks their software. They would then need to deploy their own patch within
a week or two. If they object to having to test, it demonstrates that it is
really an argument about who should do the work rather than whether it
should be done.
The only way to avoid patching, or to postpone it till the developers are
ready, is to maintain a sealed environment. You can do this as follows:
- run the application on terminal services
- allow no other applications to run: no IE, no Word, no iTunes etc., just
the application.
- run a firewall between the LAN and the terminal servers and allow no other
connections to the terminal servers.
Apart from that, you just have to live with patching. What problems exactly
does it cause? Rebooting should be addressed either by patching
out-of-hours, or by a resilient service (e.g. more than one application
server). What are the miscellaneous problems? You should probably identify
what they are and try to resolve them rather than prevent patching.
Hope that helps,
Anthony, http://www.airdesk.co.uk
"Brian Kitt" <BrianKitt@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:FB252A39-79A5-4522-9113-71C1A1303DBB@xxxxxxxxxxxxxxxx
Hello.
I am a developer, and have been having an ongoing battle with our Network
Admins, and would like advice here.
They have Microsoft Windows Auto-Updates turned on for all production
servers. This has caused numerous problems, because patches get applied,
then cause servers to reboot, or other miscellaneous problems.
I keep trying to tell them it is not a 'best practice' to have auto-updates
on for production servers, but rather they should push them out with admin
tools on a regular scheduled basis. They assure me they 'know what they are
doing', and auto updates 'are required to prevent viruses and hackers'. They
have assured me that Microsoft strongly recommends auto updates for all
production servers.
The number of problems alone this has caused ought to be proof enough this
is a bad idea, but can anyone point me to 'official' statements from
Microsoft as to 'auto-updates' for production servers? I am having trouble
finding an official statement from Microsoft either way.
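The middle ground both posters circle around (keep Automatic Updates on, but install in a scheduled out-of-hours window, avoid surprise reboots, and let admins approve patches first) can be expressed as Windows Update policy. The script below is an added example, not code from either poster; it uses Microsoft's documented Automatic Updates policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, and the WSUS URL is a placeholder you would replace with your own server. It also includes an audit function so you can check what a production box is actually configured to do before arguing about it.

```powershell
# Added example (not part of the original thread): configure scheduled,
# out-of-hours Windows Update installs and audit the resulting policy.
# Registry paths and value names are Microsoft's documented AU policy values;
# the WSUS server address is a placeholder (assumption, replace with your own).
# Run in an elevated PowerShell session.

$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Meaning of the AUOptions values, per Microsoft's Automatic Updates policy docs.
$AuOptionNames = @{
    2 = 'Notify before download'
    3 = 'Auto download, notify before install'
    4 = 'Auto download, install on schedule'
    5 = 'Allow local admin to choose'
}

function Get-AuPolicy {
    # Reads the current policy and returns it as an object you can log or
    # compare against a baseline. Values that are not set come back as $null.
    $au = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        NoAutoUpdate                  = $au.NoAutoUpdate
        AUOptions                     = $au.AUOptions
        AUOptionsMeaning              = $AuOptionNames[[int]$au.AUOptions]
        ScheduledInstallDay           = $au.ScheduledInstallDay   # 0 = every day, 1 = Sunday .. 7 = Saturday
        ScheduledInstallTime          = $au.ScheduledInstallTime  # hour of day, 0-23
        NoAutoRebootWithLoggedOnUsers = $au.NoAutoRebootWithLoggedOnUsers
        UseWUServer                   = $au.UseWUServer
        WUServer                      = $wu.WUServer
    }
}

function Set-AuScheduledInstall {
    param(
        [ValidateRange(0, 7)]  [int] $InstallDay  = 1,   # 1 = Sunday
        [ValidateRange(0, 23)] [int] $InstallHour = 3,   # 03:00 local time
        [string] $WsusServer = $null                     # placeholder, e.g. 'http://wsus.example.internal:8530'
    )
    foreach ($k in $WuKey, $AuKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # Keep Automatic Updates enabled: the point is scheduling, not disabling.
    Set-ItemProperty -Path $AuKey -Name NoAutoUpdate -Value 0 -Type DWord
    # 4 = download automatically, but only install in the scheduled window.
    Set-ItemProperty -Path $AuKey -Name AUOptions -Value 4 -Type DWord
    Set-ItemProperty -Path $AuKey -Name ScheduledInstallDay  -Value $InstallDay  -Type DWord
    Set-ItemProperty -Path $AuKey -Name ScheduledInstallTime -Value $InstallHour -Type DWord
    # Do not reboot while someone is logged on; the installer waits instead.
    Set-ItemProperty -Path $AuKey -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord
    if ($WsusServer) {
        # Point at an internal WSUS server so admins approve patches before
        # they reach production, rather than taking them straight from Microsoft.
        Set-ItemProperty -Path $WuKey -Name WUServer       -Value $WsusServer -Type String
        Set-ItemProperty -Path $WuKey -Name WUStatusServer -Value $WsusServer -Type String
        Set-ItemProperty -Path $AuKey -Name UseWUServer    -Value 1 -Type DWord
    }
    # Return the resulting policy so the change is visible in the same run.
    Get-AuPolicy
}

# Constructed usage: Sunday 03:00 installs, pulling from a placeholder WSUS host.
# Set-AuScheduledInstall -InstallDay 1 -InstallHour 3 -WsusServer 'http://wsus.example.internal:8530'
# Get-AuPolicy | Format-List
```

In a domain these same values are normally set through Group Policy (Computer Configuration, Administrative Templates, Windows Components, Windows Update) rather than per-server scripts; the script is useful for auditing, for standalone servers, and for seeing exactly which value the "auto-updates" argument is really about. Note that ScheduledInstallDay/Time only controls installation; downloads still happen as soon as updates are available, which is what you want for a patch that has to go out quickly anyway.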