Re: Auto-Updates for production servers
- From: Brian Kitt <BrianKitt@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 29 Oct 2007 19:50:01 -0700
Sorry Anthony, you misunderstand the problem. I totally agree with keeping
the servers up to date. Every Friday night, or whatever, is perfect.
HOWEVER, that is not what I am asking about.
They have the actual Windows Auto-Update on, which applies all updates on an
'as released' basis from Microsoft. In other words, updates go on production
servers, and nobody, not even them, has any idea which updates went on or
when. Since auto-updates are on, the 'you need to reboot your server now'
function keeps trying to reboot servers. For example, every time we log on
to terminal services, we are prompted to reboot because of auto-updates.
However, we don't have authority to reboot, so the box is grayed out. We just
have to cancel the prompt. This prompt comes up every 10 or 15 minutes.
There are days when I will work for 10 hours through terminal services, for
every day of the week, so there are times that, for a 40 or 50 hour work week,
I am canceling that dang prompt every 10 minutes. It is not unusual that I
may have to tunnel through 2 or 3 levels of terminal services, so take the
every 10 or 15 minutes times 2 or 3.
To me, this is downright reckless to just apply updates to production
without any knowledge whatsoever of what is being applied.
"Anthony" wrote:
Hi Brian,
I hope you won't mind advice that contradicts your presumed views.
When Microsoft or any software vendor discovers a flaw that can be
exploited, they need to fix it.
If you don't apply the fix, you are vulnerable from that time on because
everyone knows what the flaw is.
You can test the fix to see if it breaks anything, but you still need to
apply it even if it does.
So really it could be a responsibility of the developers to be aware of
fixes, maintain a testing environment and identify what to do if a fix
breaks their software. They would then need to deploy their own patch within
a week or two. If they object to having to test, it demonstrates that it is
really an argument about who should do the work rather than whether it
should be done.
The only way to avoid patching, or to postpone it till the developers are
ready, is to maintain a sealed environment. You can do this as follows:
- run the application on terminal services
- allow no other applications to run: no IE, no Word, no iTunes etc, just
the application.
- run a firewall between the LAN and the terminal servers and allow no other
connections to the terminal servers.
Apart from that, you just have to live with patching. What problems exactly
does it cause? Rebooting should be addressed either by patching
out-of-hours, or by a resilient service (e.g. more than one application
server). What are the miscellaneous problems? You should probably identify
what they are and try to resolve them rather than prevent patching.
Hope that helps,
Anthony, http://www.airdesk.co.uk
"Brian Kitt" <BrianKitt@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:FB252A39-79A5-4522-9113-71C1A1303DBB@xxxxxxxxxxxxxxxx
Hello.
I am a developer, and have been having an ongoing battle with our Network
Admins, and would like advice here.
They have Microsoft Windows Auto-Updates turned on for all production
servers. This has caused numerous problems, because patches get applied,
then cause servers to reboot, or other miscellaneous problems.
I keep trying to tell them it is not a 'best practice' to have auto-updates
on for production servers, but rather they should push them out with admin
tools on a regular scheduled basis. They assure me they 'know what they are
doing', and auto updates 'are required to prevent viruses and hackers'. They
have assured me that Microsoft strongly recommends auto updates for all
production servers.
The number of problems alone this has caused ought to be proof enough this
is a bad idea, but can anyone point me to 'official' statements from
Microsoft as to 'auto-updates' for production servers? I am having trouble
finding an official statement from Microsoft either way.
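The core complaint in this thread is that updates land on production servers with no record of what was installed or when, and that the reboot prompt keeps firing. The following PowerShell script is an added example, not something posted in the thread; it reads the Automatic Updates policy keys and pulls the install history from the Windows Update Agent so an administrator can see both what the server is configured to do and what actually went on. It assumes Windows PowerShell on a host with the Windows Update Agent and makes no changes.

```powershell
# Added example (not from the thread). Read-only: reports the Automatic Updates
# policy and the agent's own install/uninstall history for the last N days.

function Get-AutoUpdatePolicy {
    # Group Policy location for the Automatic Updates client settings.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $au = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if (-not $au) { return 'No Automatic Updates policy set; local defaults apply.' }

    # Documented AUOptions values.
    $modes = @{ 1 = 'Disabled'; 2 = 'Notify before download'
                3 = 'Auto download, notify before install'
                4 = 'Auto download and schedule install'; 5 = 'Local admin chooses' }
    $days  = 'Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'
    $day   = $null
    if ($null -ne $au.ScheduledInstallDay) { $day = $days[[int]$au.ScheduledInstallDay] }

    [pscustomobject]@{
        Mode               = $modes[[int]$au.AUOptions]
        ScheduledDay       = $day
        ScheduledHour      = $au.ScheduledInstallTime
        # 1 = a logged-on user is prompted rather than rebooted automatically
        NoRebootIfLoggedOn = [bool]$au.NoAutoRebootWithLoggedOnUsers
    }
}

function Get-UpdateHistory {
    param([int]$Days = 30)
    # Windows Update Agent COM API: one entry per operation the agent performed.
    $ops     = @{ 1 = 'Install'; 2 = 'Uninstall' }
    $results = @{ 1 = 'InProgress'; 2 = 'Succeeded'; 3 = 'SucceededWithErrors'
                  4 = 'Failed'; 5 = 'Aborted' }
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return @() }
    $since = (Get-Date).AddDays(-$Days)
    $searcher.QueryHistory(0, $total) |
        Where-Object { $_.Date -ge $since } |
        ForEach-Object {
            [pscustomobject]@{
                Date      = $_.Date
                Operation = $ops[[int]$_.Operation]
                Result    = $results[[int]$_.ResultCode]
                Title     = $_.Title
            }
        }
}

Get-AutoUpdatePolicy
Get-UpdateHistory -Days 30 | Sort-Object Date | Format-Table -AutoSize
```

Mode 4 with a scheduled day and hour, plus NoRebootIfLoggedOn set, is the configuration that gives the "push them out on a schedule" behaviour the original post asks for while still keeping a timestamped record of every installed update.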