
The security and patching of a production server


mortsdeh

IS-IT--Management
Sep 28, 2006
28
SE
Hi,

The company I work for develops a product which we deliver together with two Windows 2003 Servers, one production server and one backup server. The servers and some equipment are on a separate domain behind two firewall routers. Both servers have SQL Server 2000 installed plus our application. From the delivery date we are responsible for letting our customer know which patches from Windows Update to install, so that they can install them at a time they choose, knowing that the updates will not affect their environment in a negative way.

The responsibility to investigate which updates to install has been laid upon me, so I have a few questions on strategies for updating these servers.

My plan is to install the Windows 2003 environment with the applications they use on a virtual machine using VMware Server. There I can test our applications and SQL Server to see if anything has happened after updates are installed.

Question 1: Are there any best strategies for managing updates?

Question 2: Is it enough to install patches and updates only from Windows Update?

Question 3: Is it possible to uninstall updates that have a negative impact on our environment?

Question 4: What information should I read to perform this? Newsletters? Web sites? etc.

I would be very grateful for all answers regarding this subject,

Best,
/M
 
1. I personally recommend using Windows Server Update Services (WSUS) for both clients and servers. You can configure the servers through Group Policy to only notify you (the Admin) of updates WSUS has ready for it, and "manually" install them when you can afford the downtime. WSUS can handle updates for both Windows and SQL Server 2005, and I'm almost 100% sure it can do SQL Server 2000 as well.

2. In my opinion, no. You would need to use Microsoft Update to get all the SQL Server patches as well. However, to use either site, you must install the Windows Genuine Advantage software, which many have termed "mandatory spyware". Using WSUS does not require you to install Genuine Advantage on your servers.

3. Short answer: It Depends. Some updates can be removed, some can't. My recommendation: have a good backup of your server before updating. If it's a virtual machine, you can shut down the virtual machine and copy the virtual disk file(s) to another location for a quick and easy full backup.

4. When dealing with Microsoft updates, I find AskWoody.com to be quite handy. He's a knowledgeable blogger who pays special attention to problems caused by new MS patches, and has a "Defcon" rating for each group of patches to come out (i.e. how safe or risky it is to install the new patches). Also, WSUS provides direct links to the TechNet articles for each patch it downloads. Those can be quite helpful in determining whether or not you need to install certain patches on your servers.

Does this help?

There's no "I" in "TEAM".
But there's no "U" either.
So if I'm not on the team, and you're not on the team, then nobody's on the team!
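The reply above recommends pointing the servers at WSUS with "notify only" behaviour and taking a file-level copy of the VMware disk before patching. As an added example that is not part of the original thread, the script below writes the same registry values that the "Configure Automatic Updates" Group Policy setting writes, which is convenient for a standalone test VM that is not a domain member, reads them back, and copies a powered-off VM's files to a dated folder. It assumes Windows PowerShell is installed on the box (a separate download on Windows Server 2003); the WSUS URL, VM path and backup root are placeholders, and the check for `*.lck` files as the sign of a running VMware Server guest is an assumption about that product.

```powershell
# Added example, not code from the thread. Assumed values:
$WsusUrl    = 'http://wsus01:8530'     # assumption: your WSUS server URL
$VmFolder   = 'D:\VMs\Win2003-Test'     # assumption: folder holding the test VM
$BackupRoot = 'E:\VMBackups'            # assumption: where full copies go

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

foreach ($key in $PolicyKey, $AuKey) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Where the client fetches updates and where it reports status (same host here).
Set-ItemProperty -Path $PolicyKey -Name 'WUServer'       -Value $WsusUrl
Set-ItemProperty -Path $PolicyKey -Name 'WUStatusServer' -Value $WsusUrl
Set-ItemProperty -Path $AuKey -Name 'UseWUServer' -Value 1 -Type DWord

# AUOptions 2 = notify before download and again before install: nothing is
# applied until an admin clicks through, so you pick the downtime window.
Set-ItemProperty -Path $AuKey -Name 'NoAutoUpdate' -Value 0 -Type DWord
Set-ItemProperty -Path $AuKey -Name 'AUOptions'    -Value 2 -Type DWord
# Never let the client reboot a production server behind a logged-on admin.
Set-ItemProperty -Path $AuKey -Name 'NoAutoRebootWithLoggedOnUsers' -Value 1 -Type DWord

# Read the settings back so the change is verifiable before you walk away.
function Get-WsusClientConfig {
    $p  = Get-ItemProperty -Path $PolicyKey
    $au = Get-ItemProperty -Path $AuKey
    "WUServer={0} UseWUServer={1} AUOptions={2} NoAutoReboot={3}" -f `
        $p.WUServer, $au.UseWUServer, $au.AUOptions, $au.NoAutoRebootWithLoggedOnUsers
}
Get-WsusClientConfig

# Make the Automatic Updates client check in with WSUS now instead of waiting
# for its next detection cycle (switches documented for the 2003-era client).
& "$env:windir\system32\wuauclt.exe" /resetauthorization /detectnow

# Full backup of the test VM before patching: copy .vmx/.vmdk/.nvram to a dated
# folder, refusing to run while the guest appears to be powered on.
function Backup-VmFolder([string]$Source, [string]$Root) {
    # Assumption: VMware Server leaves *.lck entries beside a running guest.
    if (Get-ChildItem -Path $Source -Filter '*.lck' -Recurse -ErrorAction SilentlyContinue) {
        throw "VM in $Source looks powered on; shut it down before copying."
    }
    $dest = Join-Path $Root ("{0}-{1}" -f (Split-Path $Source -Leaf), (Get-Date -Format 'yyyyMMdd-HHmm'))
    New-Item -Path $dest -ItemType Directory -Force | Out-Null
    Get-ChildItem -Path $Source -Include '*.vmx','*.vmdk','*.nvram' -Recurse |
        ForEach-Object { Copy-Item -Path $_.FullName -Destination $dest }
    return $dest
}
Backup-VmFolder -Source $VmFolder -Root $BackupRoot
```

Run the registry part as a local administrator; on a domain-joined server Group Policy will overwrite these values at the next refresh, which is the intended way to manage them there. Restoring the VM is the reverse copy of the saved files over the VM folder while the guest is off.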
 
Yes, thank you. Very good answer.

Is it normally a good idea to install all available updates? We have e.g. a web interface to our application and therefore IIS is installed. Should Internet Explorer 7 be installed? Hardware drivers? Or should I just install security related patches?

I have no experience in Group Policies and from the little I've read, they seem complicated. Does anyone know of any good guide/tutorial to get started on group policies and also WSUS if possible.

From your answer I draw the conclusion that it is enough to only consider Microsoft provided patches through Microsoft Update and that I don't need to consider third party updates/patches?

/M
 
My personal preference is to not install all available updates on any server, unless it's used for Web or e-mail access (Outlook Express) and/or is a Terminal Server used by standard users. The more patches you install, the greater chance that one of them will break something on the server. You're best off reading the TechNet article for each patch and determining the threat level to your server(s), based on the services installed and running, and its exposure to internal clients versus Internet. In the case you mentioned, if an IIS patch comes around but it only affects, say, the SMTP component of IIS (which, for this example, you don't use), you may want to think twice before installing it. Or, if an IE patch is released but the server is on a protected LAN and never used to browse the Web, and if the patch fixes a problem that is based around user action (such as downloading a malformed WMV file, for instance) you probably don't need to install it on the server.

Never ever install patches provided by third parties for Microsoft products, unless you trust them 100% (if, for instance, they're an IT consulting firm your company has been using for years and that always does good work). Third party patches are not supported by Microsoft, and may not even be supported by the party that released them, so if they cause worse problems than they fix, you're stuck.

I'd not install IE7 on a server unless, again, it's used directly for Web or e-mail access. Most servers should be locked down to the point where they are not open to most Internet-based vulnerabilities. The jury is still out on whether or not it should be installed on a DMZ server, but I'm always wary about installing such a deep-rooted update in any critical production server.

Also, I recommend never, ever, using Windows/Microsoft Update for driver updates. If you must update drivers (which I also don't recommend on a server except to solve specific problems), you're better off going straight to the hardware vendor. More often than not, I've had Windows Update thrash a system when I tried to have it update drivers for me.

Group Policy sounds intimidating, but once you get into it, you'll find it's pretty easy to manage. It helps if you have a good background with Active Directory. If you need, I'd suggest going with a Dummies book on Active Directory - they're very good for the basic info, and should help get you comfortable enough to experiment on your own. Also, I recommend you download the Group Policy Management Console from Microsoft, and run it on an XP SP2 computer - it makes Group Policy so much easier to manage.

I tried to answer your questions as thoroughly as I could, so sorry if this is a bit wordy. Are these the kind of answers you were looking for?

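The reply above argues for reading each patch's TechNet article and deciding per server from the services installed and running, the server's exposure, and whether the flaw needs a user to do something the server never does. As an added example that is not from the thread, the script below inventories a Windows 2003 / SQL Server 2000 server the same way and applies that rule to a list of candidate updates. The candidate list is constructed for illustration and carries no real bulletin or KB numbers; the service names (W3SVC, SMTPSVC, MSSQLSERVER) are the standard ones for IIS Web, IIS SMTP and a default SQL instance, and Windows PowerShell is assumed to be installed.

```powershell
# Added example, not code from the thread. Run on the server (or its VM clone).

# --- 1. What is actually on this box? ---
$services = Get-WmiObject Win32_Service | Select-Object Name, State, StartMode

# A component counts as "in use" only if its service exists and is not disabled;
# a present-but-disabled IIS SMTP service is the case the reply says to think twice about.
function Test-ComponentInUse([string]$serviceName) {
    $svc = $services | Where-Object { $_.Name -eq $serviceName }
    return [bool]($svc -and $svc.StartMode -ne 'Disabled')
}

$inventory = @{
    'IIS Web (W3SVC)'          = Test-ComponentInUse 'W3SVC'
    'IIS SMTP (SMTPSVC)'       = Test-ComponentInUse 'SMTPSVC'
    'SQL Server (MSSQLSERVER)' = Test-ComponentInUse 'MSSQLSERVER'
    'Internet Explorer'        = $true   # always present on Windows 2003
    'Windows core'             = $true   # always applies
}
$ieVersion = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer').Version
"Internet Explorer version on this host: $ieVersion"

# Is this host used interactively to browse or read mail? The servers in the
# question sit behind two firewall routers and are not; set $true for a terminal server.
$usedForBrowsing = $false

# Hotfixes already applied, so nothing is re-tested needlessly.
$installedIds = Get-WmiObject Win32_QuickFixEngineering | ForEach-Object { $_.HotFixID }

# --- 2. Candidate updates (constructed sample; Id values are placeholders) ---
$candidates = @(
    @{ Id='sample-1'; Component='IIS SMTP (SMTPSVC)';       Severity='Important'; UserActionOnly=$false },
    @{ Id='sample-2'; Component='Internet Explorer';        Severity='Critical';  UserActionOnly=$true  },
    @{ Id='sample-3'; Component='SQL Server (MSSQLSERVER)'; Severity='Critical';  UserActionOnly=$false },
    @{ Id='sample-4'; Component='Windows core';             Severity='Critical';  UserActionOnly=$false }
)

# --- 3. The triage rule from the reply ---
function Get-PatchDecision($update) {
    if ($installedIds -contains $update.Id) { return 'already installed' }
    if (-not $inventory[$update.Component]) { return 'skip: component not installed or disabled' }
    if ($update.UserActionOnly -and -not $usedForBrowsing) {
        return 'defer: needs user action this server never performs'
    }
    if ($update.Severity -eq 'Critical') { return 'test in VM, install at next window' }
    return 'test in VM, install when convenient'
}

foreach ($u in $candidates) {
    '{0,-10} {1,-26} {2}' -f $u.Id, $u.Component, (Get-PatchDecision $u)
}
```

The output is a starting point for the test-VM run, not a substitute for reading the article: the `Component`, `Severity` and `UserActionOnly` fields are what you fill in from each TechNet page, and the script only keeps that reading consistent across the production and backup servers.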
 
Great answer! Thank you, now I have the information to get me started on this

Best,
/M
 