WSUS advice

ed

 
      03-24-2010
Hi all,

We have a Windows 2003 SUS server and I want to ask your advice.
It seems that it's very difficult to apply security updates to some
application servers as some application developers are afraid that security
updates will break their applications. What is some advice on this? Do
you test the security update on each application server? When are you going
to patch the critical updates and security updates? (when MS just released
them)

Thank you!

 
 
 
 
 
Dave Mills

 
      03-24-2010
I guess you have to test them. This is where a VM is so good.

What will the developers say to getting Conficker on the server because it is
not patched? They will have to work with the updates installed at some time.



On Wed, 24 Mar 2010 10:56:01 -0700, ed <> wrote:

>Hi all,
>
>We have a Windows 2003 SUS server and I want to ask your advice.
>It seems that it's very difficult to apply security updates to some
>application servers as some application developers are afraid that security
>updates will break their applications. What is some advice on this? Do
>you test the security update on each application server? When are you going
>to patch the critical updates and security updates? (when MS just released
>them)
>
>Thank you!

--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
 
 
Lawrence Garvin [MVP]

 
      03-24-2010
"ed" <> wrote in message
news:A479C2BE-8176-4ACF-8126-...
> Hi all,
>
> We have a Windows 2003 SUS server and I want to ask your advice.
> It seems that it's very difficult to apply security updates to some
> application servers as some application developers are afraid that
> security updates will break their applications. What is some advice on this?


T E S T I N G

> Do you test the security update on each application server?


Actually, if they're in-house application developers, I'd delegate the
responsibility for testing to them, and put a deadline on delivering negative
results. Ergo, if they don't report any problems within xx days after the
update is released, you'll assume no such problems exist, and the update
will be deployed.

> When are you going
> to patch the critical updates and security updates? (when MS just released
> them)


My personal take -- and granted, not 100% foolproof, so get out your salt
shaker -- is that if application developers are properly developing their
applications, *nothing* being done in the underlying operating system to
plug security holes should break anything they're doing. If it does, then
that implies that the application was making use of the functionality with
the security defect, and the application *does* need to be repaired as well.

[And now I'll read Dave's reply. <g>]

--
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2010)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

 
 
ed

 
      03-24-2010

Thank you for ALL your help.
Did MS require that we have to apply critical updates within 24 hours?

 
 
Shenan Stanley

 
      03-24-2010
ed wrote:
> Thank you for ALL your help.
> Did MS require that we have to apply critical updates within 24
> hours?


Eh?

Microsoft requires *nothing* of you other than properly licensing their
product and using it in accordance with the end-user licensing agreement.
Your systems and how they are maintained/updated are something left to you
within other limiting factors (product life cycles and your need for actual
Microsoft support, for example.)

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


 
 
Lawrence Garvin [MVP]

 
      03-24-2010
"ed" <> wrote in message
news:146822A3-4ED1-4513-A25C-...

> Did MS require that we have to apply critical updates within 24 hours?


Microsoft has no such requirement; however, if you were to call Product
Support Services some period after the updates were released and your
environment were not fully patched with all available Critical and Security
Updates, it would not be inconceivable that they would first ask you to
update your systems, then reproduce the issue and call them back. :-)




--
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2010)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

 
 
ed

 
      03-25-2010
Thank you for ALL your help.

One security consultant found out that we have some application servers that
did not get security patches as developers refused to patch.

Then the consultant told my boss that some updates are required to apply within
24 hours. That's why I just wonder whether there is such a thing?

Thank you.

 
 
Lawrence Garvin [MVP]

 
      03-25-2010
"ed" <> wrote in message
news:2105AF5A-CAF4-4374-A9B9-...

> Then the consultant told my boss that some updates are required to apply
> within 24 hours. That's why I just wonder whether there is such a thing?


The consultant may have been miswording a *recommendation* to install an
update ASAP because of the high-risk vulnerability it patched, rather than
necessarily intending to imply there was a Microsoft-imposed requirement.


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2010)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

 
 
Dave Mills

 
      03-25-2010
On Thu, 25 Mar 2010 06:43:01 -0700, ed <> wrote:

>Thank you for ALL your help.
>
>One security consultant found out that we have some application servers that
>did not get security patches as developers refused to patch.
>
>Then the consultant told my boss that some updates are required to apply within
>24 hours. That's why I just wonder whether there is such a thing?


A rather extreme statement. Reasonably quickly after testing would be more
reasonable. Ten years ago it was typically 400 days between a security hole
being discovered and an exploit appearing; now that time is 3 days or so.


--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
 