Patch management strategy

versello

I just started a new job at a company and my first task is to revise their patch management strategy... I'm wondering what you guys out there do.

Since Microsoft comes out with Security Updates on the 2nd Tuesday of each month, do you apply them to staging servers, and then apply them to production the following week or what?
 
WSUS is a free and pretty good service if you have a 2000 or 2k3 server box to throw it on.
I think you have to have an Active Directory domain to use it though.
 
I don't think you have to have AD to use it, you can set the server and all the settings in the registry on each computer you are using, AD just makes it easy to do.


I am rolling out WSUS to the workstation side of things here shortly.
For each machine class, there will be a test group, and prod group.
Patches will be rolled out to the test environment and then, when assured they don't break things, rolled out to a limited userbase. They will test them for several days to double check safety, then the entire organization will get them.

I'm not using WSUS on the server side, at least for high visibility servers. Since they affect numerous people, I like a more manual approach to them.
On my lower end servers/utility servers, Jetadmin/Antivirus controller, I will probably use WSUS for them as they are less critical.
 
We use WSUS and it gets configured via AD. Patches come out on Tuesday, that Saturday they get applied to our Dev environment, the next Saturday they get applied to our staging environment, the next Monday they get approved for all of production. Clients install within 24 hours, servers install the following Saturday. I am working to combine the Dev and Stg steps to reduce our time that we are at risk.
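
The rollout schedule described in the post above, worked through as an added example (not part of the original thread or any poster's tooling): it computes each ring's date from Patch Tuesday and how many days each ring stays unpatched. The function names are hypothetical, and the `combine_dev_stg` option models the merged Dev/Stg step as a single test Saturday, which is an assumption.

```python
from datetime import date, timedelta

TUE, SAT, MON = 1, 5, 0  # date.weekday() values

def second_tuesday(year, month):
    """Patch Tuesday: the second Tuesday of the month."""
    first = date(year, month, 1)
    first_tue = first + timedelta(days=(TUE - first.weekday()) % 7)
    return first_tue + timedelta(days=7)

def next_weekday(d, weekday):
    """First date strictly after d that falls on the given weekday."""
    return d + timedelta(days=((weekday - d.weekday() - 1) % 7) + 1)

def rollout(year, month, combine_dev_stg=False):
    """Ring dates for the schedule in the post above.

    combine_dev_stg=True models the poster's goal as a single test
    Saturday (an assumption about how the two steps would be merged).
    """
    release = second_tuesday(year, month)
    plan = [("release", release)]
    test_done = next_weekday(release, SAT)
    if combine_dev_stg:
        plan.append(("dev+staging", test_done))
    else:
        plan.append(("dev", test_done))
        test_done = next_weekday(test_done, SAT)
        plan.append(("staging", test_done))
    approved = next_weekday(test_done, MON)
    plan.append(("prod approved", approved))
    plan.append(("clients patched by", approved + timedelta(days=1)))
    plan.append(("servers patched", next_weekday(approved, SAT)))
    return plan

def exposure_days(plan):
    """Days between release and each ring receiving the patch."""
    release = plan[0][1]
    return {name: (d - release).days for name, d in plan[1:]}

if __name__ == "__main__":
    # Constructed sample month: January 2024.
    for combined in (False, True):
        plan = rollout(2024, 1, combine_dev_stg=combined)
        print("combined dev/stg:", combined)
        for name, days in exposure_days(plan).items():
            print(f"  {name:20} +{days} days")
```
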
 