Guest Brian Kitt, Posted October 29, 2007

Hello. I am a developer, and have been having an ongoing battle with our Network Admins, and would like advice here.

They have Microsoft Windows Auto-Updates turned on for all production servers. This has caused numerous problems, because patches get applied, then cause servers to reboot, or other miscellaneous problems.

I keep trying to tell them it is not a 'best practice' to have auto-updates on for production servers, but rather they should push them out with admin tools on a regular scheduled basis. They assure me they 'know what they are doing', and auto updates 'are required to prevent viruses and hackers'. They have assured me that Microsoft strongly recommends auto updates for all production servers.

The amount of problems alone this has caused ought to be proof enough this is a bad idea, but can anyone point me to 'official' statements from Microsoft as to 'auto-updates' for production servers? I am having trouble finding an official statement from Microsoft either way.
Guest SBS Rocker, Posted October 29, 2007

Re: Auto-Updates for production servers

I'm with you for all the reasons you have stated. It is best practice to update your servers on a frequent basis, but it is not best practice to have them automatically updated. There are a lot of updates that may not even apply to your environment; then there are others that will reboot your server, thus causing great inconvenience as you have experienced. Personally, I prefer to push my updates on a weekly basis. I usually do this on a Friday evening in case a reboot is required, so I don't disrupt "production". You do not need an official document or statement from MS. The disruption and loss of work you have suffered should be the proof in the pudding. I would take this up with their supervisor or manager.

"Brian Kitt" <BrianKitt@discussions.microsoft.com> wrote in message news:FB252A39-79A5-4522-9113-71C1A1303DBB@microsoft.com...
> Hello.
> I am a developer, and have been having an ongoing battle with our Network Admins, and would like advice here.
>
> They have Microsoft Windows Auto-Updates turned on for all production servers. This has caused numerous problems, because patches get applied, then cause servers to reboot, or other miscellaneous problems.
>
> I keep trying to tell them it is not a 'best practice' to have auto-updates on for production servers, but rather they should push them out with admin tools on a regular scheduled basis. They assure me they 'know what they are doing', and auto updates 'are required to prevent viruses and hackers'. They have assured me that Microsoft strongly recommends auto updates for all production servers.
>
> The amount of problems alone this has caused ought to be proof enough this is a bad idea, but can anyone point me to 'official' statements from Microsoft as to 'auto-updates' for production servers? I am having trouble finding an official statement from Microsoft either way.
Guest Anthony, Posted October 29, 2007

Re: Auto-Updates for production servers

Hi Brian,

I hope you won't mind advice that contradicts your presumed views. When Microsoft or any software vendor discovers a flaw that can be exploited, they need to fix it. If you don't apply the fix, you are vulnerable from that time on because everyone knows what the flaw is. You can test the fix to see if it breaks anything, but you still need to apply it even if it does.

So really it could be a responsibility of the developers to be aware of fixes, maintain a testing environment and identify what to do if a fix breaks their software. They would then need to deploy their own patch within a week or two. If they object to having to test, it demonstrates that it is really an argument about who should do the work rather than whether it should be done.

The only way to avoid patching, or to postpone it till the developers are ready, is to maintain a sealed environment. You can do this as follows:
- run the application on terminal services
- allow no other applications to run: no IE, no Word, no iTunes etc., just the application.
- run a firewall between the LAN and the terminal servers and allow no other connections to the terminal servers.

Apart from that, you just have to live with patching. What problems exactly does it cause? Rebooting should be addressed either by patching out-of-hours, or by a resilient service (e.g. more than one application server). What are the miscellaneous problems? You should probably identify what they are and try to resolve them rather than prevent patching.

Hope that helps,
Anthony, http://www.airdesk.co.uk

"Brian Kitt" <BrianKitt@discussions.microsoft.com> wrote in message news:FB252A39-79A5-4522-9113-71C1A1303DBB@microsoft.com...
> Hello.
> I am a developer, and have been having an ongoing battle with our Network Admins, and would like advice here.
>
> They have Microsoft Windows Auto-Updates turned on for all production servers. This has caused numerous problems, because patches get applied, then cause servers to reboot, or other miscellaneous problems.
>
> I keep trying to tell them it is not a 'best practice' to have auto-updates on for production servers, but rather they should push them out with admin tools on a regular scheduled basis. They assure me they 'know what they are doing', and auto updates 'are required to prevent viruses and hackers'. They have assured me that Microsoft strongly recommends auto updates for all production servers.
>
> The amount of problems alone this has caused ought to be proof enough this is a bad idea, but can anyone point me to 'official' statements from Microsoft as to 'auto-updates' for production servers? I am having trouble finding an official statement from Microsoft either way.
Guest Anthony, Posted October 29, 2007

Re: Auto-Updates for production servers

When you say auto-update, I am assuming that they are using Group Policy to schedule the update:
- either download the updates and manually run them out-of-hours
- or schedule the update for an out-of-hours time

Anthony, http://www.airdesk.co.uk

"Anthony" <anthony.spam@spammedout.com> wrote in message news:uDMoW0nGIHA.4272@TK2MSFTNGP06.phx.gbl...
> Hi Brian,
> I hope you won't mind advice that contradicts your presumed views. When Microsoft or any software vendor discovers a flaw that can be exploited, they need to fix it. If you don't apply the fix, you are vulnerable from that time on because everyone knows what the flaw is. You can test the fix to see if it breaks anything, but you still need to apply it even if it does.
> So really it could be a responsibility of the developers to be aware of fixes, maintain a testing environment and identify what to do if a fix breaks their software. They would then need to deploy their own patch within a week or two. If they object to having to test, it demonstrates that it is really an argument about who should do the work rather than whether it should be done.
> The only way to avoid patching, or to postpone it till the developers are ready, is to maintain a sealed environment. You can do this as follows:
> - run the application on terminal services
> - allow no other applications to run: no IE, no Word, no iTunes etc., just the application.
> - run a firewall between the LAN and the terminal servers and allow no other connections to the terminal servers.
> Apart from that, you just have to live with patching. What problems exactly does it cause? Rebooting should be addressed either by patching out-of-hours, or by a resilient service (e.g. more than one application server). What are the miscellaneous problems? You should probably identify what they are and try to resolve them rather than prevent patching.
> Hope that helps,
> Anthony, http://www.airdesk.co.uk
>
> "Brian Kitt" <BrianKitt@discussions.microsoft.com> wrote in message news:FB252A39-79A5-4522-9113-71C1A1303DBB@microsoft.com...
>> Hello.
>> I am a developer, and have been having an ongoing battle with our Network Admins, and would like advice here.
>>
>> They have Microsoft Windows Auto-Updates turned on for all production servers. This has caused numerous problems, because patches get applied, then cause servers to reboot, or other miscellaneous problems.
>>
>> I keep trying to tell them it is not a 'best practice' to have auto-updates on for production servers, but rather they should push them out with admin tools on a regular scheduled basis. They assure me they 'know what they are doing', and auto updates 'are required to prevent viruses and hackers'. They have assured me that Microsoft strongly recommends auto updates for all production servers.
>>
>> The amount of problems alone this has caused ought to be proof enough this is a bad idea, but can anyone point me to 'official' statements from Microsoft as to 'auto-updates' for production servers? I am having trouble finding an official statement from Microsoft either way.
Guest Brian Kitt, Posted October 30, 2007

Re: Auto-Updates for production servers

I've tried to take this up with management, but it's the old 'buddy system', and I am new. We have entrenched management and network guys who are so stale in their knowledge that they are out of touch with reality. Unfortunately the 'new guy' carries no weight. That's why I'm hoping to find a statement that I can forward to them.

"SBS Rocker" wrote:
> I'm with you for all the reasons you have stated. It is best practice to update your servers on a frequent basis, but it is not best practice to have them automatically updated. There are a lot of updates that may not even apply to your environment; then there are others that will reboot your server, thus causing great inconvenience as you have experienced. Personally, I prefer to push my updates on a weekly basis. I usually do this on a Friday evening in case a reboot is required, so I don't disrupt "production". You do not need an official document or statement from MS. The disruption and loss of work you have suffered should be the proof in the pudding. I would take this up with their supervisor or manager.
>
> "Brian Kitt" <BrianKitt@discussions.microsoft.com> wrote in message news:FB252A39-79A5-4522-9113-71C1A1303DBB@microsoft.com...
> > Hello.
> > I am a developer, and have been having an ongoing battle with our Network Admins, and would like advice here.
> >
> > They have Microsoft Windows Auto-Updates turned on for all production servers. This has caused numerous problems, because patches get applied, then cause servers to reboot, or other miscellaneous problems.
> >
> > I keep trying to tell them it is not a 'best practice' to have auto-updates on for production servers, but rather they should push them out with admin tools on a regular scheduled basis. They assure me they 'know what they are doing', and auto updates 'are required to prevent viruses and hackers'. They have assured me that Microsoft strongly recommends auto updates for all production servers.
> >
> > The amount of problems alone this has caused ought to be proof enough this is a bad idea, but can anyone point me to 'official' statements from Microsoft as to 'auto-updates' for production servers? I am having trouble finding an official statement from Microsoft either way.
Guest Brian Kitt, Posted October 30, 2007

Re: Auto-Updates for production servers

Sorry Anthony, you misunderstand the problem. I totally agree with keeping the servers up to date. Every Friday night, or whatever, is perfect.

HOWEVER, that is not what I am asking about.

They have the actual Windows Auto-Update on, which applies all updates on an 'as released' basis from Microsoft. In other words, updates go on production servers, and nobody, not even them, has any idea which updates went on or when. Since auto-updates are on, the 'you need to reboot your server now' function keeps trying to reboot servers. For example, every time we log on to terminal services, we are prompted to reboot because of auto-updates. However, we don't have authority to reboot, so the box is grayed out. We just have to cancel the prompt. This prompt comes up every 10 or 15 minutes. There are days when I will work for 10 hours through terminal services, for every day of the week, so there are times that, for a 40 or 50 hour work week, I am canceling that dang prompt every 10 minutes. It is not unusual that I may have to tunnel through 2 or 3 levels of terminal services, so take the every 10 or 15 minutes times 2 or 3.

To me, this is downright reckless, to just apply updates to production without any knowledge whatsoever of what is being applied.

"Anthony" wrote:
> Hi Brian,
> I hope you won't mind advice that contradicts your presumed views. When Microsoft or any software vendor discovers a flaw that can be exploited, they need to fix it. If you don't apply the fix, you are vulnerable from that time on because everyone knows what the flaw is. You can test the fix to see if it breaks anything, but you still need to apply it even if it does.
> So really it could be a responsibility of the developers to be aware of fixes, maintain a testing environment and identify what to do if a fix breaks their software. They would then need to deploy their own patch within a week or two. If they object to having to test, it demonstrates that it is really an argument about who should do the work rather than whether it should be done.
> The only way to avoid patching, or to postpone it till the developers are ready, is to maintain a sealed environment. You can do this as follows:
> - run the application on terminal services
> - allow no other applications to run: no IE, no Word, no iTunes etc., just the application.
> - run a firewall between the LAN and the terminal servers and allow no other connections to the terminal servers.
> Apart from that, you just have to live with patching. What problems exactly does it cause? Rebooting should be addressed either by patching out-of-hours, or by a resilient service (e.g. more than one application server). What are the miscellaneous problems? You should probably identify what they are and try to resolve them rather than prevent patching.
> Hope that helps,
> Anthony, http://www.airdesk.co.uk
>
> "Brian Kitt" <BrianKitt@discussions.microsoft.com> wrote in message news:FB252A39-79A5-4522-9113-71C1A1303DBB@microsoft.com...
> > Hello.
> > I am a developer, and have been having an ongoing battle with our Network Admins, and would like advice here.
> >
> > They have Microsoft Windows Auto-Updates turned on for all production servers. This has caused numerous problems, because patches get applied, then cause servers to reboot, or other miscellaneous problems.
> >
> > I keep trying to tell them it is not a 'best practice' to have auto-updates on for production servers, but rather they should push them out with admin tools on a regular scheduled basis. They assure me they 'know what they are doing', and auto updates 'are required to prevent viruses and hackers'. They have assured me that Microsoft strongly recommends auto updates for all production servers.
> >
> > The amount of problems alone this has caused ought to be proof enough this is a bad idea, but can anyone point me to 'official' statements from Microsoft as to 'auto-updates' for production servers? I am having trouble finding an official statement from Microsoft either way.
Guest Leythos, Posted October 30, 2007

Re: Auto-Updates for production servers

In article <FB252A39-79A5-4522-9113-71C1A1303DBB@microsoft.com>, BrianKitt@discussions.microsoft.com says...
> They have Microsoft Windows Auto-Updates turned on for all production servers. This has caused numerous problems, because patches get applied, then cause servers to reboot, or other miscellaneous problems.

This is normally a bad move, and most patches are not necessary in all shops. If your server is protected then even many security updates are not needed.

Patches should be set to download and then allow you to manually install them once they have been tested on a QA server.

Only noob admins set production servers to update automatically, or ones where the production server is not important enough to maintain a running status 24/7.

--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Guest Leythos, Posted October 30, 2007

Re: Auto-Updates for production servers

In article <uDMoW0nGIHA.4272@TK2MSFTNGP06.phx.gbl>, anthony.spam@spammedout.com says...
> I hope you won't mind advice that contradicts your presumed views. When Microsoft or any software vendor discovers a flaw that can be exploited, they need to fix it. If you don't apply the fix, you are vulnerable from that time on because everyone knows what the flaw is. You can test the fix to see if it breaks anything, but you still need to apply it even if it does.

No, Anthony, you don't. You need to patch if the update provides a resolution to something that you might be exposed to, but if your server is not exposed to xyz then you don't need to patch for it.

Not all production servers are fully exposed to the Internet; most are behind a firewall and have little or no exposure to most of the threats you read about.

Yes, it's "good practice" to update with all critical updates and security patches, but the update should be based against the threat vs stability.

--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Guest Anthony, Posted October 30, 2007

Re: Auto-Updates for production servers

OK, so you have a specific problem with the update options. I would take a look at the Group Policies for Windows Updates and suggest to them which ones would make your life easier.
http://technet2.microsoft.com/windowsserver/en/library/51c8a814-6665-4d50-a0d8-2ae27e69ca7c1033.mspx?mfr=true

It sounds as though the one that is affecting you is "No auto-restart for scheduled Automatic Updates installation". That reboot prompt would only happen if:
- the production server was switched off at the scheduled time, and so the installation happens when it restarts, or
- a user is logged in at the scheduled time (but it's supposed to be out-of-hours).

So I would talk to them about the specific update options: when is the scheduled time, and what options are they using?

Hope that helps,
Anthony, http://www.airdesk.co.uk

"Brian Kitt" <BrianKitt@discussions.microsoft.com> wrote in message news:1548528A-3E6A-460E-AF22-5FD215FBC738@microsoft.com...
> Sorry Anthony, you misunderstand the problem. I totally agree with keeping the servers up to date. Every Friday night, or whatever, is perfect.
>
> HOWEVER, that is not what I am asking about.
>
> They have the actual Windows Auto-Update on, which applies all updates on an 'as released' basis from Microsoft. In other words, updates go on production servers, and nobody, not even them, has any idea which updates went on or when. Since auto-updates are on, the 'you need to reboot your server now' function keeps trying to reboot servers. For example, every time we log on to terminal services, we are prompted to reboot because of auto-updates. However, we don't have authority to reboot, so the box is grayed out. We just have to cancel the prompt. This prompt comes up every 10 or 15 minutes. There are days when I will work for 10 hours through terminal services, for every day of the week, so there are times that, for a 40 or 50 hour work week, I am canceling that dang prompt every 10 minutes. It is not unusual that I may have to tunnel through 2 or 3 levels of terminal services, so take the every 10 or 15 minutes times 2 or 3.
>
> To me, this is downright reckless, to just apply updates to production without any knowledge whatsoever of what is being applied.
>
> "Anthony" wrote:
>
>> Hi Brian,
>> I hope you won't mind advice that contradicts your presumed views. When Microsoft or any software vendor discovers a flaw that can be exploited, they need to fix it. If you don't apply the fix, you are vulnerable from that time on because everyone knows what the flaw is. You can test the fix to see if it breaks anything, but you still need to apply it even if it does.
>> So really it could be a responsibility of the developers to be aware of fixes, maintain a testing environment and identify what to do if a fix breaks their software. They would then need to deploy their own patch within a week or two. If they object to having to test, it demonstrates that it is really an argument about who should do the work rather than whether it should be done.
>> The only way to avoid patching, or to postpone it till the developers are ready, is to maintain a sealed environment. You can do this as follows:
>> - run the application on terminal services
>> - allow no other applications to run: no IE, no Word, no iTunes etc., just the application.
>> - run a firewall between the LAN and the terminal servers and allow no other connections to the terminal servers.
>> Apart from that, you just have to live with patching. What problems exactly does it cause? Rebooting should be addressed either by patching out-of-hours, or by a resilient service (e.g. more than one application server). What are the miscellaneous problems? You should probably identify what they are and try to resolve them rather than prevent patching.
>> Hope that helps,
>> Anthony, http://www.airdesk.co.uk
>>
>> "Brian Kitt" <BrianKitt@discussions.microsoft.com> wrote in message news:FB252A39-79A5-4522-9113-71C1A1303DBB@microsoft.com...
>> > Hello.
>> > I am a developer, and have been having an ongoing battle with our Network Admins, and would like advice here.
>> >
>> > They have Microsoft Windows Auto-Updates turned on for all production servers. This has caused numerous problems, because patches get applied, then cause servers to reboot, or other miscellaneous problems.
>> >
>> > I keep trying to tell them it is not a 'best practice' to have auto-updates on for production servers, but rather they should push them out with admin tools on a regular scheduled basis. They assure me they 'know what they are doing', and auto updates 'are required to prevent viruses and hackers'. They have assured me that Microsoft strongly recommends auto updates for all production servers.
>> >
>> > The amount of problems alone this has caused ought to be proof enough this is a bad idea, but can anyone point me to 'official' statements from Microsoft as to 'auto-updates' for production servers? I am having trouble finding an official statement from Microsoft either way.
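Anthony's advice to look at the Windows Update Group Policy settings, and Leythos's "download, then install manually after QA" model, can both be verified on the server rather than argued about. The PowerShell below is an added example written for this thread, not code from any of the posters. It assumes an elevated session on the server itself, the standard `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU` policy values that Group Policy writes, and the Windows Update Agent COM API (`Microsoft.Update.Session`) for the install history; none of these names appear in the thread.

```powershell
# Added example, not code from anyone in this thread: audit how Automatic
# Updates is configured on a Windows server and list what the agent installed.
# Assumes an elevated PowerShell session on the server; the registry path and
# value names are the standard WindowsUpdate\AU policy values set by Group Policy.

$AuPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Standard meanings of the AUOptions policy value.
$AuOptionsMeaning = @{
    2 = 'Notify before download: nothing is fetched or installed without an admin'
    3 = 'Auto download, notify before install: an admin installs after testing'
    4 = 'Auto download and schedule the install: unattended installation'
    5 = 'Allow the local administrator to choose the setting'
}

function Get-AutoUpdatePolicy {
    # Read the policy-controlled settings, if Group Policy has set any.
    $p = Get-ItemProperty -Path $AuPolicyPath -ErrorAction SilentlyContinue
    if (-not $p) {
        Write-Warning 'No WindowsUpdate\AU policy found; the agent is using its local defaults.'
        return $null
    }
    [pscustomobject]@{
        AUOptions                     = $p.AUOptions
        Meaning                       = $AuOptionsMeaning[[int]$p.AUOptions]
        ScheduledInstallDay           = $p.ScheduledInstallDay     # 0 = every day, 1 = Sunday ... 7 = Saturday
        ScheduledInstallTime          = $p.ScheduledInstallTime    # hour of day, 0-23
        NoAutoRebootWithLoggedOnUsers = $p.NoAutoRebootWithLoggedOnUsers
        RebootRelaunchTimeout         = $p.RebootRelaunchTimeout   # minutes between restart re-prompts
        UseWUServer                   = $p.UseWUServer             # 1 = updates come from an internal WSUS server
    }
}

function Test-AutoUpdatePolicy {
    # Translate the raw values into the operational consequences discussed in the thread.
    $policy   = Get-AutoUpdatePolicy
    $findings = @()
    if (-not $policy -or $policy.AUOptions -eq 4) {
        $findings += 'Updates install unattended (AUOptions 4 or no policy): nobody approves individual patches.'
        if ($policy -and $policy.ScheduledInstallDay -eq 0) {
            $findings += ('Scheduled install runs every day at {0:00}:00; it belongs in a maintenance window.' -f [int]$policy.ScheduledInstallTime)
        }
    }
    if ($policy -and $policy.AUOptions -eq 3) {
        $findings += 'Updates are downloaded but wait for an administrator to install them after QA testing.'
    }
    if (-not $policy -or $policy.NoAutoRebootWithLoggedOnUsers -ne 1) {
        $findings += 'No auto-restart protection for logged-on users: the server may restart after an install while sessions are active.'
    } else {
        $findings += 'Restart is deferred while users are logged on; they are re-prompted instead of the server restarting.'
    }
    $findings
}

function Get-InstalledUpdateHistory {
    # Answer "which updates went on, and when" from the Windows Update Agent's own history.
    param([int]$Count = 25)
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return }
    $searcher.QueryHistory(0, [Math]::Min($Count, $total)) |
        Where-Object { $_.Operation -eq 1 } |            # 1 = installation, 2 = uninstallation
        Select-Object Date, Title, @{ Name = 'Result'; Expression = {
            switch ($_.ResultCode) {                    # IUpdateHistoryEntry.ResultCode values
                2 { 'Succeeded' } 3 { 'Succeeded with errors' }
                4 { 'Failed' }    5 { 'Aborted' }
                default { "Code $($_.ResultCode)" }
            } } }
}

Get-AutoUpdatePolicy | Format-List
Test-AutoUpdatePolicy
Get-InstalledUpdateHistory | Format-Table -AutoSize
```

Run it on one of the affected servers and the output answers Anthony's two questions (what the scheduled time is, and which options are in force) and Brian's (which updates went on, and when) with evidence from the box rather than a forwarded opinion. The history query also shows whether installs are succeeding or failing, which matters when a patch is suspected of breaking an application.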
Guest SBS Rocker, Posted October 30, 2007

Re: Auto-Updates for production servers

I think you're misunderstanding Brian's problem here. Apparently he has no issues with servers being updated. His issues are with servers being updated during business hours, where it affects production time and work, if I understand correctly.

Brian, I find it hard to believe that management would not work with you on this, especially if it affects your and others' work. Why not propose they schedule their auto updates, say, every evening at midnight?

"Anthony" <anthony.spam@spammedout.com> wrote in message news:%23KQHyzsGIHA.3548@TK2MSFTNGP06.phx.gbl...
> OK, so you have a specific problem with the update options. I would take a look at the Group Policies for Windows Updates and suggest to them which ones would make your life easier.
> http://technet2.microsoft.com/windowsserver/en/library/51c8a814-6665-4d50-a0d8-2ae27e69ca7c1033.mspx?mfr=true
>
> It sounds as though the one that is affecting you is "No auto-restart for scheduled Automatic Updates installation". That reboot prompt would only happen if:
> - the production server was switched off at the scheduled time, and so the installation happens when it restarts, or
> - a user is logged in at the scheduled time (but it's supposed to be out-of-hours).
> So I would talk to them about the specific update options: when is the scheduled time, and what options are they using?
> Hope that helps,
> Anthony, http://www.airdesk.co.uk
>
> "Brian Kitt" <BrianKitt@discussions.microsoft.com> wrote in message news:1548528A-3E6A-460E-AF22-5FD215FBC738@microsoft.com...
>> Sorry Anthony, you misunderstand the problem. I totally agree with keeping the servers up to date. Every Friday night, or whatever, is perfect.
>>
>> HOWEVER, that is not what I am asking about.
>>
>> They have the actual Windows Auto-Update on, which applies all updates on an 'as released' basis from Microsoft. In other words, updates go on production servers, and nobody, not even them, has any idea which updates went on or when. Since auto-updates are on, the 'you need to reboot your server now' function keeps trying to reboot servers. For example, every time we log on to terminal services, we are prompted to reboot because of auto-updates. However, we don't have authority to reboot, so the box is grayed out. We just have to cancel the prompt. This prompt comes up every 10 or 15 minutes. There are days when I will work for 10 hours through terminal services, for every day of the week, so there are times that, for a 40 or 50 hour work week, I am canceling that dang prompt every 10 minutes. It is not unusual that I may have to tunnel through 2 or 3 levels of terminal services, so take the every 10 or 15 minutes times 2 or 3.
>>
>> To me, this is downright reckless, to just apply updates to production without any knowledge whatsoever of what is being applied.
>>
>> "Anthony" wrote:
>>
>>> Hi Brian,
>>> I hope you won't mind advice that contradicts your presumed views. When Microsoft or any software vendor discovers a flaw that can be exploited, they need to fix it. If you don't apply the fix, you are vulnerable from that time on because everyone knows what the flaw is. You can test the fix to see if it breaks anything, but you still need to apply it even if it does.
>>> So really it could be a responsibility of the developers to be aware of fixes, maintain a testing environment and identify what to do if a fix breaks their software. They would then need to deploy their own patch within a week or two. If they object to having to test, it demonstrates that it is really an argument about who should do the work rather than whether it should be done.
>>> The only way to avoid patching, or to postpone it till the developers are ready, is to maintain a sealed environment. You can do this as follows:
>>> - run the application on terminal services
>>> - allow no other applications to run: no IE, no Word, no iTunes etc., just the application.
>>> - run a firewall between the LAN and the terminal servers and allow no other connections to the terminal servers.
>>> Apart from that, you just have to live with patching. What problems exactly does it cause? Rebooting should be addressed either by patching out-of-hours, or by a resilient service (e.g. more than one application server). What are the miscellaneous problems? You should probably identify what they are and try to resolve them rather than prevent patching.
>>> Hope that helps,
>>> Anthony, http://www.airdesk.co.uk
>>>
>>> "Brian Kitt" <BrianKitt@discussions.microsoft.com> wrote in message news:FB252A39-79A5-4522-9113-71C1A1303DBB@microsoft.com...
>>> > Hello.
>>> > I am a developer, and have been having an ongoing battle with our Network Admins, and would like advice here.
>>> >
>>> > They have Microsoft Windows Auto-Updates turned on for all production servers. This has caused numerous problems, because patches get applied, then cause servers to reboot, or other miscellaneous problems.
>>> >
>>> > I keep trying to tell them it is not a 'best practice' to have auto-updates on for production servers, but rather they should push them out with admin tools on a regular scheduled basis. They assure me they 'know what they are doing', and auto updates 'are required to prevent viruses and hackers'. They have assured me that Microsoft strongly recommends auto updates for all production servers.
>>> >
>>> > The amount of problems alone this has caused ought to be proof enough this is a bad idea, but can anyone point me to 'official' statements from Microsoft as to 'auto-updates' for production servers? I am having trouble finding an official statement from Microsoft either way.