    Patch Fast

    IT Discussion
    Tags: article, scott alan miller, patching, smbitjournal, malware, security, ransomware
      dafyre @Carnival Boy

      @Carnival-Boy said in Patch Fast:

      @dafyre said in Patch Fast:

      There is no real reason for businesses of any size to not be able to back up (at bare minimum) and/or snapshot their systems before running patches.

      Who here snapshots their systems before patching their Microsoft servers? Scott says it's so easy to snapshot and roll back, so perhaps I'm missing a trick here? I can see that it's easy if you're manually installing patches, but who does that?

      The other problem is that you may not realise that a patch has broken something for a couple of days, and by then it's likely to be too late to satisfactorily restore from backup.

      We schedule our snapshots here (VMware) to run an hour before our patch time... and we do the patches manually.

        Carnival Boy

        Tell me more. How often do you patch? Does the same person do it? When do you do it, Sundays? How do you check that server applications aren't getting broken?

        I need to get more organised and am looking for best practice.

          dafyre @Carnival Boy

          @Carnival-Boy said in Patch Fast:

          Tell me more. How often do you patch? Does the same person do it? When do you do it, Sundays? How do you check that server applications aren't getting broken?

          I need to get more organised and am looking for best practice.

          I don't know about "best practices" but what we do here...

          Every SysAdmin has a list of systems they are responsible for. So the systems we are responsible for are also the ones we patch. We have a daily maintenance window from 6am to 7am for patches and software upgrades and such.

            Carnival Boy

            That's ok at a larger organisation, but trickier at a smaller one where there's only one or two IT staff, or they use an MSP. Having a maintenance window during the week is nice though.

              scottalanmiller @Carnival Boy

              @Carnival-Boy said in Patch Fast:

              Tell me more. How often do you patch? Does the same person do it? When do you do it, Sundays? How do you check that server applications aren't getting broken?

              I need to get more organised and am looking for best practice.

              We patch every six hours with a randomizer to keep patching from pounding our WAN. So each server has a few hours of randomization, but updates four times a day. We don't snap before patching, because we use primarily Linux and the risks are effectively zero because patches are better tested, patch footprint is smaller, the patching events are smaller (four times a day, not one time a week) and patch rollbacks are trivial.

                scottalanmiller @Carnival Boy

                @Carnival-Boy said in Patch Fast:

                That's ok at a larger organisation, but trickier at a smaller one where there's only one or two IT staff, or they use an MSP. Having a maintenance window during the week is nice though.

                If you use an MSP it would be simple. Just tell your MSP what patch process you want 🙂

                  travisdh1 @Carnival Boy

                  @Carnival-Boy Patches are applied with yum-cron or dnf-automatic. Snapshots are taken before any system changes, and after testing is completed, but not before or after patching.

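Added example, not posted by anyone in this thread: one way to get the six-hourly, randomized patch schedule described above with dnf-automatic, the tool named in the preceding post. It assumes dnf 4's stock dnf-automatic.timer on a systemd host; the 3h delay and the choice to put the jitter in the timer are illustrative, not the posters' actual settings.

```ini
# --- File 1: /etc/dnf/automatic.conf ---
[commands]
# "default" installs every available update; "security" restricts the
# run to updates that carry a security advisory.
upgrade_type = default
# Jitter is handled by the systemd timer in file 2, so no extra sleep here.
random_sleep = 0
download_updates = yes
# Without this the run only downloads and reports; nothing gets patched.
apply_updates = yes

[emitters]
# Print the result to stdout so it lands in the journal for the service
# unit, where a failed or skipped run can be alerted on.
emit_via = stdio

# --- File 2: /etc/systemd/system/dnf-automatic.timer.d/override.conf ---
[Timer]
# An empty assignment clears the packaged schedule before the new one is set.
OnCalendar=
# Four slots a day: 00:00, 06:00, 12:00, 18:00.
OnCalendar=*-*-* 00/6:00:00
# Each host starts at a random point up to 3h after the slot, so a fleet
# does not hit the mirror or the WAN link at once (constructed value).
RandomizedDelaySec=3h
# A slot missed while the host was down runs at the next boot.
Persistent=true
```

Apply with `systemctl daemon-reload` followed by `systemctl enable --now dnf-automatic.timer`. If a patch run breaks something, `dnf history` lists the transaction and `dnf history undo <id>` reverts it.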
                    scottalanmiller

                    SCCM has a tool for this...

                    https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwiL3qzD0PnTAhXrzVQKHb3bAwYQFggnMAA&url=http%3A%2F%2Fwww.sccmog.com%2Fsccm-powercli-auto-snapshot-before-patching-task-sequence-script%2F&usg=AFQjCNFR-gHL6wzY-7ySShHxGqQ8oux_Sw&sig2=5VAlrHaotcUezXY_YBrOQg

                      scottalanmiller

                      Can't edit the last link due to wifi issues. But here is the real link...

                      http://www.sccmog.com/sccm-powercli-auto-snapshot-before-patching-task-sequence-script/

                        scottalanmiller

                        Never used this but take a look...

                        http://www.smikar.com/
