# Patch management process for critical servers



## mobi_khan (May 13, 2008)

Hi guyz,


Hope you are doing well. I need to discuss the process for patch management, especially for critical servers. I have read that typically such a process should be: analyze the patch's fix, i.e. what bug is fixed in the patch and whether it is related to security or to the system; then take approval; verify and test the patch in a testing environment; make a back-off plan in case any issue arises with the new patch installed; etc.

But for a small business company where no testing environment is present, what should be the best practice for deploying these patches? How can we safely deploy these patches when there is no actual testing environment, and what should be done in the case of a major security fix? Should that be deployed immediately, or should we take some time even when deploying such critical patches?


----------



## avisitor (Jul 13, 2008)

I'd say at least test the updates in a virtual machine. Then you have a pretty good idea of what they're going to do. I'd say deploy updates regularly, but cautiously. You should always have backups of your shares, AD, Exchange, etc. Update one server at a time. If you lose one machine, it's not as bad as losing all of your servers.


----------



## StumpedTechy (Jul 7, 2004)

IMHO with Windows Updates this really is the best method.

1) Look up WSUS and how to set it up.
2) Use WSUS to determine what you are going to deploy to all of the other machines.
3) Hold all "updates" for a good couple of weeks after they are deployed.
4) Deploy to a small test grouping within WSUS to deploy the test to a few machines before sending it out to everyone.

Note - there are client settings that have to be manipulated to make things point to WSUS, but it can all be done with some simple GPOs.

Some things I always live by:

A) On servers I pretty much NEVER install a new version of I.E. People should not be web browsing on servers, and the security should be locked down on them anyhow.
B) Make sure the servers have full backups before you deploy the patch, and the patch is verified after it's deployed onto the machines.
C) When deploying the patch, make sure you only deploy it if it is something that pertains to your operating environment. If they have a patch for something you don't use, don't install it.


Using WSUS really helps you with making sure that clients get the updates when YOU want them to not when the end user decides they want to click on the little update now button.
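
The client-side settings and the pilot-group approval described in the post above, as an added PowerShell example (not code from the original post or from Microsoft). It assumes a WSUS server at wsus.example.internal on port 8530, a WSUS computer group named "Servers-Pilot", and the UpdateServices module on the WSUS server; the registry values are the same policy values a GPO would set.

```powershell
# Added example, not from the original post. Assumed names: wsus.example.internal:8530
# and the WSUS computer target group "Servers-Pilot".

# --- Part 1: run on a server being patched: point it at WSUS and into the pilot group
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
New-Item -Path $au -Force | Out-Null

# Intranet update server plus client-side targeting (the "simple GPOs" the post mentions)
Set-ItemProperty -Path $wu -Name WUServer           -Value 'http://wsus.example.internal:8530'
Set-ItemProperty -Path $wu -Name WUStatusServer     -Value 'http://wsus.example.internal:8530'
Set-ItemProperty -Path $wu -Name TargetGroupEnabled -Type DWord -Value 1
Set-ItemProperty -Path $wu -Name TargetGroup        -Value 'Servers-Pilot'

# Use WSUS; auto-download but only notify before install (AUOptions = 3), so nothing
# installs or reboots on a server until an admin has a verified backup (post's point B)
Set-ItemProperty -Path $au -Name UseWUServer                   -Type DWord -Value 1
Set-ItemProperty -Path $au -Name AUOptions                     -Type DWord -Value 3
Set-ItemProperty -Path $au -Name NoAutoRebootWithLoggedOnUsers -Type DWord -Value 1

# Re-read policy and make the client check in with WSUS now
gpupdate /target:computer /force | Out-Null
wuauclt.exe /resetauthorization /detectnow

# --- Part 2: run on the WSUS server: approve security updates for the pilot group only
Import-Module UpdateServices
$wsus  = Get-WsusServer -Name 'wsus.example.internal' -PortNumber 8530
$pilot = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'Servers-Pilot' }

# Unapproved security-classified updates that are not superseded; review the list
# (post's point C: only approve what pertains to your environment) before approving
$updates = Get-WsusUpdate -UpdateServer $wsus -Approval Unapproved -Classification Security |
    Where-Object { -not $_.Update.IsSuperseded }

$updates | Format-Table -AutoSize `
    @{ n = 'Title';    e = { $_.Update.Title } },
    @{ n = 'KB';       e = { $_.Update.KnowledgebaseArticles -join ',' } },
    @{ n = 'Released'; e = { $_.Update.CreationDate } }

# Approve for Servers-Pilot only. "All Computers" stays unapproved until the pilot
# servers have run with the patch for the post's "good couple of weeks".
$updates | Approve-WsusUpdate -Action Install -TargetGroupName $pilot.Name
```

Both parts need an elevated prompt; Part 1 is the per-server equivalent of the GPO and is only useful for a machine not already covered by one.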


----------

