Anthony Bartolo Twitter | LinkedIn
Pierre Roman Twitter | LinkedIn
A lot of IT pros don’t like to talk about patching due to the amount of work it can generate for them in their already PACKED jobs. It came up as a heated topic of discussion at a user group event I attended a while back – so much so, I decided to produce a monthly podcast (“Security Bulletins for the Regular IT Guy” – go check it out!) to help out with “Patch Tuesday” information overload. Its goal is to simplify the jargon and corporate speak contained in the security bulletins and give you what you need to know to get started with your patch plans. When I was editing the last episode, it got me thinking that as an IT community, we need to start a conversation around the processes we use to handle patching in our own environments.
Back when I was jiggling cables under desks and looking after my LAN (after I ripped and replaced the ARCnet) - I remember it used to be this random chaotic mess of patches that needed to be deployed, and they always seemed to pop up when you absolutely did NOT have the time to look at them. I remember the time before automatic “let me check for you” services or routine/scheduled updates on a regular basis. Luckily things have gotten better – but patching is something where we each have our own process and tolerance level for how long before deployment.
If you’re an old IT Hack – patching is probably second nature and ingrained in your DNA. If you are new to the game of IT – better get used to it and put in place a process to handle it. Your best bet is (to quote the Boy Scouts) - be prepared.
I thought I would share some things that I know have helped other IT Pros out there with their patching routines. Some of these recommendations will take time to implement, but trust me – once you do, you won’t approach patching with that feeling of nerves in your gut. You know what? Send me your ideas (email@example.com) or comment below and I will expand on it so everyone can benefit from your experiences:
The worst possible thing you can do is to NOT patch your systems. You are putting your organization (and your job security) at risk by not staying up to date. If you simply cannot patch something – you are going to want to at least research mitigation steps to keep the system safe until such time as you can apply a patch. This is going to require further digging into the patch itself and ultimately is only a Band-Aid fix for the short term.
As I mentioned at the beginning of this post – this is part of a larger conversation we need to have as a community in order to help each other out. What do you do and how has it helped you cope with patching? Comment below or email me (firstname.lastname@example.org) and I’ll make sure to include a follow-up post here and quite probably create a special “out of band” podcast episode with your learnings.
And don't forget, if you're trying to control what does and doesn't go in network-wide, just download and use the free WSUS (Windows Server Update Services). It also helps control bandwidth on the internet by having only ONE device do the updates, and I do believe you can still set up Windows Update / Microsoft Update as a fallback on the workstations.
I used WSUS for a couple of years. When updates came out on Tuesdays, I would get them out on my system and a few others while monitoring the Windows Update newsgroup and other sites to see if there were any issues. We had really just one critical application. If there was no common thread and the select few PCs had no issues with the patches, most of the time, the patches went out company-wide on the Thursday night. All but a handful of systems were considered critical.
Now unless there was something very critical, servers were done manually [not via WSUS] and rebooted during the off hours but not immediately.
Thanks for sharing, Ed. Glad to hear that you have a plan to tackle Patch Tuesday / Update Tuesday.
Keep 'em coming.