Hi,
Not a native English speaker, so I apologize for grammar.
Do you guys have any recommendation on what should be the minimum acceptable patching level for Windows servers?
What I’m looking for is to set up a guideline internally at our company.
So this is something some have suggested internally at our company, but others point out that attaining this goal would be labor-costly and expensive to maintain (see note below):
- 100% of all servers should be patched 100% with critical and important OS patches
- These patches should be 100% deployed within 30 days from release
Have you or your company set any guidelines on the minimum patching level for servers?
Any ideas or recommendation on this issue?
(Note)
The main reason given why it’s not cost-effective is that even if our patching software patches automatically, there are often servers that fail to install some patches. To be able to patch 100% would then require an investigation by a sysadmin, and that is expensive labor.
In larger, distributed companies what I find usually makes sense is to have a goal of 100% patches, 30 days at most.
That’s the goal, but often not the reality. We use percentages to gauge which team is usually responsible for finding a resolution.
If one server fails one patch, we assign that server owner to figure out why and get it resolved. That often means insufficient disk space, a manual patch install to see error messages, or something along those lines. Checking whether that particular machine is failing multiple patches is important too.
If we get into something more like a 15% failure rate, maybe the troubleshooting gets escalated to a higher team to look for patterns, such as prerequisites, nonstandard configurations, corrupt source OS images, or security policies that might block something from installing.
In the 30-50% failure range, we might check the fixlet relevances in the BES Console to determine what makes the patch relevant, and start looking for things like an error in the content introducing a false-positive. At that point we want to check whether the fixlet itself is correct.
I don’t think there’s really a case for “how much unpatched stuff is acceptable”; it’s more a matter of finding the right amount of effort to throw at fixing it.
Thank you for the answer, this is the way we’ve been doing it.
Great to see your answers, it reaffirms our current path.