Patch Management

Status
Not open for further replies.
Oct 21, 2004
I'm a new network administrator and I'm trying to figure out an effective patch management procedure. What does everyone else do when MS releases new patches?

In my environment we have about 30 computers in our network and 2 servers, one server being the main server. They are both Domain Controllers. I installed SUS on the main DC and it's working fine. So I have it set to Synch every night at 3am. So let's say I check and see MS sent out new updates.

At this point what does everyone do? I don't have a testing environment set up nor do I have any computers to set up a testing environment. We have a patch management form to fill out which has a place for me to say what the update is and approve it and then write down what happened when I tested it etc. I'm just lost....and was wondering if you guys might share the steps/procedures you take in this process.
 
We have 6,000+ systems and we use SUS (soon to upgrade to WUS asap). We set our schedules and server address in a GPO. Even if you don't have Active Directory, a simple batch file with registry settings is all it takes. Then we only have to approve updates after the server downloads them. We spent several days researching patch management solutions, and it's really the simplest process out there IMHO.
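
The batch-file approach mentioned in the post above, as an added example that is not part of the original thread and not the poster's own script. The server URL is a placeholder and the daily 03:00 install schedule is an assumed value. The registry value names are the standard Automatic Updates policy values, and `reg.exe` is assumed to be available on the client.

```batch
@echo off
rem Added example: point a non-domain Windows client at an internal SUS server.
rem SUS_URL is a placeholder; replace it with your own server address.
setlocal
set "SUS_URL=http://sus.example.internal"
set "WU=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
set "AU=%WU%\AU"

rem Where the client fetches approved updates and where it reports status.
reg add "%WU%" /v WUServer /t REG_SZ /d "%SUS_URL%" /f || goto :fail
reg add "%WU%" /v WUStatusServer /t REG_SZ /d "%SUS_URL%" /f || goto :fail

rem Use the server above instead of the public Windows Update site.
reg add "%AU%" /v UseWUServer /t REG_DWORD /d 1 /f || goto :fail
rem Keep Automatic Updates enabled.
reg add "%AU%" /v NoAutoUpdate /t REG_DWORD /d 0 /f || goto :fail
rem 4 = download automatically and install on the schedule below.
reg add "%AU%" /v AUOptions /t REG_DWORD /d 4 /f || goto :fail
rem Assumed schedule: 0 = every day, 3 = 03:00 local time.
reg add "%AU%" /v ScheduledInstallDay /t REG_DWORD /d 0 /f || goto :fail
reg add "%AU%" /v ScheduledInstallTime /t REG_DWORD /d 3 /f || goto :fail

rem Restart the Automatic Updates service so it rereads the policy keys.
net stop wuauserv >nul 2>&1
net start wuauserv || goto :fail

rem Read back what is now in effect, e.g. to paste into the change record.
reg query "%WU%" /v WUServer
reg query "%AU%"
echo Client now points at %SUS_URL%
exit /b 0

:fail
echo Failed to apply Automatic Updates settings; run as an administrator. 1>&2
exit /b 1
```

Leaving a pilot machine out of this script, or running it there last, keeps that machine free for installing new patches by hand before they are approved on the server.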
 
I have SUS working good so all I have to do is approve the updates and the systems download and install them overnight.

I was just wondering what you did as far as patch testing. When we don't have any test systems set up to send patches to it makes it hard. Do you just download the patches and approve them all.....or does some testing etc take place?

What's the word on WUS? That will be nice when it does come out. Looking forward to being able to patch office stuff as well!
 
Sysadmin123,

I'm in the same situation that you are. I put the patches on my machine first and then run through the apps that everyone uses to see if there are any obvious problems. I then run with them for about a week before I approve them for everyone else.

So far I haven't had an issue though.
 
So just manually go out to Windows Update and dl them then see what happens. Hmm, that's a good idea but then I would need to get licenses etc for myself as I have no need for the programs they use working in banking. But I think my boss would like an extra license fee vs setting up a true testing environment.
 
You can set SUS to automatically dl updates from MS so all you have to do is approve the ones you want to install.

I hate to admit it, but we don't test updates at all. We haven't rolled out SP2 yet, so the SP1 updates seem to be pretty few anymore. Most of our apps are MS apps anyway, so there's not much chance of problems.

You might think about purchasing a copy or two of Norton's Ghost. You can pull an image from your machine and store it on a server before you install the updates so you can restore your test machine to the way it was if something goes awry.
 
I've been thinking of doing that.

Thx for the advice. We haven't been testing updates but I think we should. We rolled out SP2 with no issues thank goodness but when I look back at what could have happened it gets pretty scary :)
 