Disappointed with Patching System

Need ideas for keeping my IIS server up to date


Brontojoris

5:05 am on Jun 10, 2003 (gmt 0)

10+ Year Member



I run an IIS webserver using Windows Advanced Server. We run multiple web properties using ASP, Perl, and Coldfusion. One of our sites has an e-commerce component, while another is used for delivering student tests.

Lately, whenever I log into our webserver, I am informed by the Windows Update tool that new patches are ready to install.

I am very concerned about the brief descriptions of the patches and what will happen if I install them. Often a patch description will say 'You may need to restart to complete installation'.

This is not good enough. Firstly, it would be preferable if the server did not have to restart at all. Secondly, what is the point of 'MAYBE'? I want to know for sure, and not have to install a patch and then find out I have to stay back at work to reboot the machine.

Lastly, with the latest round of patches, the installer actually stopped all my IIS services without even putting up a dialog box. The services were not restarted.

Had I logged out of the box, I would not have known until I tried hitting our websites, or received an angry phone call.

I am trying to be security conscious and keep my server updated, but the Windows Update tool is so poor that it hardly makes it worthwhile. I mean, there are new patches every week?!?

So my questions are:

1. Where can I find comprehensive information on all patches?
2. What procedures do listers follow in patching their servers?

DaveAtIFG

3:42 pm on Jun 12, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Firstly it would be preferable if the server did not have to restart at all

NT and subsequent derivatives maintain a protected cache of system level files. The restart triggers updating the cache and I don't think you can avoid it without some fancy scripting or until MS moves away from the protected cache structure.

Do any of you IIS admins have any suggestions or solutions for Brontojoris?
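A post-patch check written for this thread (it is an added example, not anything posted by DaveAtIFG or Brontojoris): it reports whether the box is still owed a reboot, which is the "protected cache" case described above, and whether the IIS services survived the install. It assumes PowerShell 5.1 or later; the service list is an assumption too.

```powershell
# Added example, not code from the thread: run it after a patch install to see
# whether the box is still owed a reboot and whether IIS came back up.
# Assumes PowerShell 5.1 or later; the service list is an assumption too, so add
# MSFTPSVC or SMTPSVC if IIS runs those roles on your server.
param([switch]$StartStopped)   # when set, start stopped automatic IIS services

$iisServices = @('IISADMIN', 'W3SVC')

function Test-PendingReboot {
    # Files the installer could not replace while they were in use are queued
    # here and swapped in during the next boot: a non-empty list means a reboot
    # is owed, the "you may need to restart" case from the patch description.
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $queued = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations `
               -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if ($queued) { return $true }

    # Windows Update's own marker, created when an installed update needs a restart.
    $wuFlag = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    return (Test-Path -Path $wuFlag)
}

function Get-IisServiceState {
    foreach ($name in $iisServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }   # role not installed on this box
        [pscustomobject]@{ Name = $name; Status = $svc.Status; StartType = $svc.StartType }
    }
}

if (Test-PendingReboot) {
    Write-Warning 'A reboot is pending; plan it for an off-peak window.'
} else {
    Write-Host 'No pending reboot detected.'
}

$states = Get-IisServiceState
$states | Format-Table -AutoSize

# The thread's complaint: the installer stopped IIS and never started it again.
$down = $states | Where-Object { $_.Status -ne 'Running' -and $_.StartType -eq 'Automatic' }
foreach ($s in $down) {
    if ($StartStopped) {
        Start-Service -Name $s.Name
        Write-Host "Started $($s.Name)"
    } else {
        Write-Warning "$($s.Name) is $($s.Status); re-run with -StartStopped to start it."
    }
}
```

Run it once before logging off after every patch round; the warning for a stopped W3SVC is exactly the condition that would otherwise only show up as the angry phone call.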

txbakers

4:14 pm on Jun 12, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I don't have a solution for you. I just know that 90% of the time the best solution to a Windows problem is to reboot.

It's doubly rough when it's a live server and people are depending on it being there, but that's the trade off for using Microsoft products.

I run a Windows server with IIS with ASP and JSP, and whenever the little popup with Updates appears I just "bear it" without the grin and deal with it.

DaveAtIFG

4:25 pm on Jun 12, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I run Win2K Pro on my main machine and on my test server, both at home. I disabled automatic notification of updates on both machines. I just go dig through the updates every week and install the ones I need when I do regular system maintenance. Doing your updates in a batch during off peak traffic hours may help a little.

Cleo_Tek

5:41 pm on Jun 17, 2003 (gmt 0)

10+ Year Member



If you are on W2K AD, you can use Windows Software Update Services 1.0 on a single PC inside your firewall. It is free from Microsoft (http://www.microsoft.com/downloads/details.aspx?FamilyID=a7aa96e4-6e41-4f54-972c-ae66a4e4bf6c&DisplayLang=en).

Disable Automatic Updates on everything but that server. Use the template that is free from Microsoft to point all W2K or WXP workstations\servers to your update server. You can have it synchronize with Microsoft late at night (like 3 am) so it doesn't interfere with bandwidth. Plus, you can approve which updates you wish to apply after you have had a chance to test them first. Great for big environments.

I hate patch management as well, but what can you do? Not too darn much, I guess. I like the control that I have to deploy my patches when I choose AFTER testing.
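The client side of the setup Cleo_Tek describes, as an added example rather than the Microsoft template itself: it points a Windows Update client at an internal update server and keeps the install step under the admin's control. The policy registry values are the documented ones the SUS/WSUS client reads; the server URL is a placeholder.

```powershell
# Added example, not from the thread: point one client at the internal update
# server and stop it fetching patches from Microsoft directly. Policy keys are
# the documented Windows Update client ones; the URL is a placeholder (assumption).
$susServer = 'http://susserver.example.local'   # placeholder: your SUS/WSUS box

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path -Path $wu -ChildPath 'AU'
New-Item -Path $au -Force | Out-Null   # creates the parent key as well

# Where to fetch approved updates from, and where to report status back to.
Set-ItemProperty -Path $wu -Name WUServer       -Value $susServer -Type String
Set-ItemProperty -Path $wu -Name WUStatusServer -Value $susServer -Type String
Set-ItemProperty -Path $au -Name UseWUServer    -Value 1          -Type DWord

# AUOptions 3 = download in the background, notify before install (the setting
# Brontojoris chose), so installs and any reboot happen only while an admin
# is watching. 4 would install on a schedule; day 0 = every day, time 3 = 03:00,
# the same off-peak window the server uses for its own sync with Microsoft.
Set-ItemProperty -Path $au -Name NoAutoUpdate -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions    -Value 3 -Type DWord

# Show what the client will now do; the SUS server itself must NOT get these
# values, or it would try to pull its updates from itself.
Get-ItemProperty -Path $wu | Select-Object WUServer, WUStatusServer
Get-ItemProperty -Path $au | Select-Object UseWUServer, NoAutoUpdate, AUOptions
```

Without AD the same values can be set by hand on each box, which is the only way to get the "approve after testing" gate Cleo_Tek likes onto a standalone server.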

Brontojoris

11:34 pm on Jun 17, 2003 (gmt 0)

10+ Year Member



Unfortunately we don't have AD, but I have setup Windows Update to download patches in the background, and notify me when they are ready.

What really annoyed me was how the IIS service was just stopped without warning me in the description or putting up a dialog asking me.

Even during our quiet times, we will have one or two customers on the checkout page. It seems foolish to just pull the plug on them and reboot the machine. If I were a customer at a website, I would not be coming back if that happened to me.

Maybe I should be looking at a clustering solution. Then when one server has to restart, traffic is diverted to the second machine?

Cleo_Tek

12:23 pm on Jun 18, 2003 (gmt 0)

10+ Year Member



Clustering can be expensive if implemented correctly. I implemented clustering for a large corporation. We used Compaq and Microsoft's specific requirements and they verified the configuration. You should theoretically use 2 identical servers and configure external storage like a SAN or NAS to hold certain applications and all of the data.

Another great patch management software application is Shavlik HFNetChk. These are the people that created the HFNetChk utility for Microsoft. It is utilized by many applications but is widely available in the Baseline Security Analyzer. HFNetChk LT (aka Lite) is free for up to 50 PCs. Want more and you pay for it. It will push patches to SQL, Exchange, Office, IE, NT, XP, 2000, and others. It tracks everything you have deployed. You get to choose whether to reboot or not. This feature is nice. I use it in combination with the BSA and SUS to cover as many bases as possible. All of these utilities are free.

HFNetChk LT requires activation, but it is still free: [shavlik.com...]

Hope this helps with the reboot issues.