I have read a number of conflicting 'best practice' documents on the subject of patch management and none of them agree with one another. :)
Most of them assign a minimum patch time based on the severity of the patch and climate (is it wormable? do worms exist for it? are exploits in the wild? etc.). I believe it's FIPS that says a critical patch has to be tested and installed within 24 hours of its release, others vary or don't say.
My favorite document on the subject is the NIST guide found @ http://csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf
Hope that helps.
On Fri, 13 Apr 2007 13:33:46 -0400, Erik Selke <[log in to unmask]> wrote:
> My servers download the updates, but *never* auto-install. I have 3 of
> the same server, so I test on our least critical first. I manually
> install pretty much everything on our servers.
>
> Typically I wait for Shavlik to add it to their NetChk Pro scan setup as
> they do preliminary testing, and then I check out to see what problems
> early adopters have experienced. Our servers are pretty vanilla, so
> I've been lucky so far to not have any problems.
>
> Erik
>
> Laurence Bates wrote:
>> What is the general consensus about the best way of installing
>> Microsoft’s regular update Patches?
>>
>>
>>
>> 1) Automatically install when available
>>
>> 2) Automatically download and install ASAP
>>
>> 3) Automatic download and install after a reasonable comment period.
>>
>> 4) Do extensive testing before installing regular updates
>>
>> 5) Install first on a virtual LAN which mimics all of the major
>> servers ;-)
>>
>>
>> Laurence A. Bates
>>
>> College of Education
>>
>> Michigan State University
>>
>> 217E Erickson Hall
>>
>> East Lansing
>>
>> MI 48824
>>
>> 517-355-2178
>>
>> [log in to unmask]
>>
>>
>>
>
> --
> Erik Selke
> Information Technologist
> Department of Sociology
> 316 Berkey Hall
> Michigan State University
> [log in to unmask]
> (517) 353-1804
--
Bryan Murphy, CISSP, MCP