Security Patch Management Tip
Sep 12th 2008 | Desmond Lee | SystemCenter & Windows & Security
Although “Automatic (recommended)” is the suggested option for Automatic Updates, this little convenience also means that you lose complete control over what kind of Microsoft hotfixes or patches will be downloaded and automatically installed on your Windows-based server and desktop systems.
This is especially true in an unmanaged environment where patch management systems such as WSUS or SMS/SCCM are not deployed to centrally manage or administer the approval of tested patches before widespread rollout. As a result, you may be unnecessarily affected by incidents such as the Exchange 2007 SP1 Update Rollup 4 (KB952580) blunder, which is largely beyond your control.
Best practice would be to configure “Notify me but don’t automatically download or install them” for Automatic Updates. Better still, deploy the free WSUS 3.0 SP1 solution with Active Directory Group Policy to regain control of your patch management needs if budget is a constraint.
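To check which of these behaviours a machine is actually under, the following added example (not part of the original post) reads the registry values written by the "Configure Automatic Updates" and intranet update service Group Policy settings. It assumes the settings arrive through policy; with no policy set, the local Control Panel choice applies and is not read here.

```powershell
# Added example: audit the Automatic Updates policy on the local machine.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# Meaning of AUOptions as written by the "Configure Automatic Updates" policy
$auMeaning = @{
    2 = 'Notify before download and before install'
    3 = 'Download automatically, notify before install'
    4 = 'Download automatically and install on schedule'
    5 = 'Local administrators choose the setting'
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$auOptions    = Get-PolicyValue $auKey 'AUOptions'
$noAutoUpdate = Get-PolicyValue $auKey 'NoAutoUpdate'
$useWuServer  = Get-PolicyValue $auKey 'UseWUServer'
$wuServer     = Get-PolicyValue $wuKey 'WUServer'

if ($noAutoUpdate -eq 1) {
    $state = 'Automatic Updates disabled by policy'
} elseif ($null -eq $auOptions) {
    $state = 'No policy set: the local Automatic Updates setting applies'
} elseif ($auMeaning.ContainsKey([int]$auOptions)) {
    $state = $auMeaning[[int]$auOptions]
} else {
    $state = "Unrecognised AUOptions value: $auOptions"
}

# A WSUS-managed client only receives patches approved on the server
$wsusManaged = ($useWuServer -eq 1 -and [bool]$wuServer)
$autoInstall = ($auOptions -eq 4 -and $noAutoUpdate -ne 1)

[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    UpdateBehaviour      = $state
    WsusManaged          = $wsusManaged
    WsusServer           = $wuServer
    # The case the post warns about: patches install with no approval step
    UnmanagedAutoInstall = ($autoInstall -and -not $wsusManaged)
}
```

A machine that reports `UnmanagedAutoInstall = True` is the combination described above: scheduled installation with no WSUS approval step in front of it.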