hotfixes vs. availability
Eli Allen
12-24-2000, 03:33 PM
So which is better? Install a hotfix which will definitely cause downtime
or just let the system run so there is no downtime?
My thinking is a hotfix install should only really cause at most 2 minutes
of downtime that the web server isn't available which if the security
vulnerability is exploited could cause much more downtime. But then there
is the chance that the hotfix causes problems on the system causing even
more downtime and/or loss of data. Plus there is the chance no one would
exploit the hole so there was no reason to patch it.
There is also the issue of installing hotfixes on 30 or so servers easily
and quickly. With a workstation it's easy since those are logged in and out
of all the time allowing a script to be run at one of those times to install
hotfixes but with a server you hardly ever log into them. One way around
that is to run the installer remotely by use of WMI, but then you have no
idea if the install was successful or not since you can't see the screen.
The other problem with scripting it like that is how do you know if you need
to reset after a hotfix is installed before you install the next one or if
you can install them all at once and reset once they are all done? Why not
allow remote installation like the way SQL server can be installed?
There also seem to be MS supported hotfixes and non-supported hotfixes.
Should MS be more clear about that in the bulletin e-mails? Supported
hotfixes should have a lower risk of causing problems, right?
--
Eli Allen
eallen@bcpl.net
Michael Howard
12-27-2000, 06:10 PM
it really depends on the risks of downtime vs the risks of a security breach.
my take is always to apply critical security fixes. by critical, i mean fixes
to protect against remote attacks which could lead to disclosure/integrity/elev.
of priv. next i apply 'script-kiddie' denial of service fixes. the last fixes
i would apply are those which require local access to the computer or use
a technology that you don't use.
does that sound reasonable to you?
"Eli Allen" <eallen@bcpl.net> wrote:
>So which is better? Install a hotfix which will definitely cause downtime
>or just let the system run so there is no downtime?
>
>My thinking is a hotfix install should only really cause at most 2 minutes
>of downtime that the web server isn't available which if the security
>vulnerability is exploited could cause much more downtime. But then there
>is the chance that the hotfix causes problems on the system causing even
>more downtime and/or loss of data. Plus there is the chance no one would
>exploit the hole so there was no reason to patch it.
>
>There is also the issue of installing hotfixes on 30 or so servers easily
>and quickly. With a workstation it's easy since those are logged in and out
>of all the time allowing a script to be run at one of those times to install
>hotfixes but with a server you hardly ever log into them. One way around
>that is to run the installer remotely by use of WMI, but then you have no
>idea if the install was successful or not since you can't see the screen.
>The other problem with scripting it like that is how do you know if you need
>to reset after a hotfix is installed before you install the next one or if
>you can install them all at once and reset once they are all done? Why not
>allow remote installation like the way SQL server can be installed?
>
>There also seem to be MS supported hotfixes and non-supported hotfixes.
>Should MS be more clear about that in the bulletin e-mails? Supported
>hotfixes should have a lower risk of causing problems, right?
>--
>Eli Allen
>eallen@bcpl.net
Eli Allen
12-30-2000, 03:19 AM
I guess so. I was never planning on installing patches for stuff that isn't
used/installed/enabled. So you basically are saying downtime to patch the
OS is more important than a higher system availability?
Now the problem is making the install of the hotfixes easier since doing it
by hand on each one is ****.
--
Eli Allen
eallen@bcpl.net
"Michael Howard" <mikehow@microsoft.com> wrote in message
news:3a4a68ed$1@news.devx.com...
>
> it really depends on the risks of downtime vs the risks of a security breach.
> my take is always to apply critical security fixes. by critical, i mean fixes
> to protect against remote attacks which could lead to disclosure/integrity/elev.
> of priv. next i apply 'script-kiddie' denial of service fixes. the last fixes
> i would apply are those which require local access to the computer or use
> a technology that you don't use.
>
> does that sound reasonable to you?
Michael Howard
01-02-2001, 06:39 PM
the problem is we have seen unpatched servers get whacked. imho, critical,
remotely exploitable issues should be patched asap. otherwise you WILL have
forced downtime when some kiddie takes out your servers :-)
"Eli Allen" <eallen@bcpl.net> wrote:
>I guess so. I was never planning on installing patches for stuff that isn't
>used/installed/enabled. So you basically are saying downtime to patch the
>OS is more important than a higher system availability?
>
>Now the problem is making the install of the hotfixes easier since doing it
>by hand on each one is ****.
>--
>Eli Allen
>eallen@bcpl.net
Eli Allen
01-02-2001, 11:23 PM
So why doesn't MS put them in Windows update? It seems like the only
updates there are for the local stuff like IE and the like. Shouldn't fixes
for IIS be there too?
It's kind of hard to install each hotfix individually on each computer and
then remember what servers were done when you have a large number of
servers.
I created a WSH program that should in theory make it easy by using WMI to
check what's already installed, install what is not already installed, and
then reset the machine, but there are some issues I'm not sure about.
Does the order hotfixes get installed in matter anymore?
What happens if the hotfix fails to install? Since hotfixes weren't
designed for remote deployment they would probably prompt at the local
screen, which won't help me any since I'm doing it remotely.
Related to that one is why would a hotfix fail? It shouldn't matter what
services are running, right? And since the machine is most likely sitting
at a login prompt no one has any open programs.
When do I reset? After each hotfix installer runs or can I wait till they
are all installed?
--
Eli Allen
eallen@bcpl.net
"Michael Howard" <mikehow@microsoft.com> wrote in message
news:3a5258a2$1@news.devx.com...
>
> the problem is we have seen unpatched servers get whacked. imho, critical,
> remotely exploitable issues should be patched asap. otherwise you WILL have
> forced downtime when some kiddie takes out your servers :-)
>
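The inventory-and-verify half of what Eli describes above, written here as an added PowerShell example for this thread: it is not the WSH/WMI program from the post and not anything from Microsoft. It reads the installed hotfix list from each server over WMI (Get-HotFix wraps the Win32_QuickFixEngineering class), reports which of a required set are missing, and checks the registry markers that show a restart is still outstanding, which is the "did it actually take" feedback a remote install does not give you on its own. The server names and KB numbers are placeholders, and it assumes admin rights on the targets with WMI and the Remote Registry service reachable.

```powershell
# Added example, not the WSH program from the thread. Read-only: installs nothing.
# Assumes admin rights on the targets and that WMI (DCOM/RPC) and the Remote
# Registry service are reachable. Hostnames and KB ids are placeholders.

$servers  = @('WEB01', 'WEB02', 'WEB03')      # placeholder server names
$required = @('KB0000001', 'KB0000002')        # placeholder KB ids from the bulletins you track

function Get-InstalledHotFixIds {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Get-HotFix queries Win32_QuickFixEngineering over WMI. It lists OS and
    # component hotfixes, not patches applied to applications through MSI.
    @(Get-HotFix -ComputerName $ComputerName | Select-Object -ExpandProperty HotFixID)
}

function Test-PendingReboot {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Three well-known markers that an install is still waiting on a restart.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $cbs = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')
        $wua = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')
        $sm  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Session Manager')
        $pfro = if ($sm) { $sm.GetValue('PendingFileRenameOperations') } else { $null }
        return ($null -ne $cbs) -or ($null -ne $wua) -or ($null -ne $pfro)
    }
    finally {
        $hklm.Close()
    }
}

function Get-PatchStatus {
    param([string[]]$Servers, [string[]]$RequiredIds)
    foreach ($s in $Servers) {
        try {
            $installed = Get-InstalledHotFixIds -ComputerName $s
            $missing   = @($RequiredIds | Where-Object { $installed -notcontains $_ })
            [pscustomobject]@{
                Server         = $s
                InstalledCount = $installed.Count
                Missing        = ($missing -join ', ')
                RebootPending  = Test-PendingReboot -ComputerName $s
                Error          = ''
            }
        }
        catch {
            # An unreachable or failing host is reported, never silently skipped.
            [pscustomobject]@{
                Server = $s; InstalledCount = 0; Missing = 'unknown'
                RebootPending = 'unknown'; Error = $_.Exception.Message
            }
        }
    }
}

Get-PatchStatus -Servers $servers -RequiredIds $required | Format-Table -AutoSize
```

Run it from an administrative workstation before and after a deployment pass: a KB that is still listed under Missing afterwards is an install that did not take, whatever the installer's exit status said, and a RebootPending of True tells you the fix is not yet live. The Component Based Servicing key only exists on Vista/2008 and later; the Windows Update and PendingFileRenameOperations markers go back further.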
Michael Howard
01-10-2001, 06:33 PM
i think (note, i said, think!) that WinUpdate is targeted primarily at the
desktop user, rather than servers. that doesn't mean there are no server-like
updates in WinUpdate. That said, there ARE plans to roll all updates into
a single, simple app. You'll see this soon :-)
Kenji Yamamoto
01-20-2001, 02:24 AM
Hello.
|Subject: Re: hotfixes vs. avalibility
|From: Michael Howard <mikehow@microsoft.com>
|Date: 10 Jan 2001 14:33:29 -0800
|Message-Id: <3a5ce339$1@news.devx.com>
|i think (note, i said, think!) that WinUpdate is targeted primarily at the
|desktop user, rather than servers. that doesn't mean there are no server-like
|updates in WinUpdate. That said, there ARE plans to roll all updates into
|a single, simple app. You'll see this soon :-)
Are you referring to this site?
http://corporate.windowsupdate.microsoft.com/
As your Japanese Server team might have mentioned, the site
cannot be utilized so often, as the update of the contents there
occurs only once a month, and even if we choose Japanese modules,
the documents are written in English, nevertheless. I think it would
be better if contents and documents were fully localized. In
that way many administrators whose mother tongue is not
English.
So I am curious about what you mentioned. I hope every
administrator can make it easy for the patches to be applied to
the production servers.
Regards,
Kenji Yamamoto
Sub chief-editor, Japan Windows NT Users Group Newsletter
Workshop
http://www.jwntug.or.jp/services/newsletter/
--
Can't you hear our heartbeat? Why don't you join us?
GOTO: SQL PASS-J (ALL THE CONTENTS ARE AVAILABLE IN JAPANESE)
http://www.sqlpassj.org/
Eli Allen
01-22-2001, 08:24 PM
I hope not, that site sucks. If I'm running a web server why should it
matter which version of IE is installed? I know that the IE version matters
for some patches but not things like IIS.
What hotfix you can install usually depends on what service pack is
installed. So they need to make it easy for you to select what service pack
you are using and then what hotfixes are valid.
They also need to update the site at the same time the security bulletin
comes out about the patch. Or at least within a few days to make sure the
patch doesn't cause major problems. I mean they have a patch called
"Security Update, November 9, 2000" but it was just posted on Monday,
January 22, 2001.
They also need to make the installer work remotely like the way you can with
SQL server's installer.
--
Eli Allen
eallen@bcpl.net
"Kenji Yamamoto" <ethernet@par.allnet.ne.jp> wrote in message
news:3a692e91@news.devx.com...
> Are you mentioning about this site?
> http://corporate.windowsupdate.microsoft.com/
>
> As your Japanese Server team might have mentioned, the site
> cannot be utilized so often, as the update of the contents there
> occurs only once a month, and even if we choose Japanese modules,
> the documents are written in English, nevertheless. I think it would
> be better if contents and documents are fully localized. In
> that way many of administrators whose mother tongue is not
> English.
>
> So I am curious on what you mentioned. I hope every
> administrator can make it easy for the patches to be applied for
> the production servers.
>
> Regards,
>
> Kenji Yamamoto
>
> Sub chief-editor, Japan Windows NT Users Group Newsletter
> Workshop
> http://www.jwntug.or.jp/services/newsletter/
> --
> Can't you hear our heartbeat? Why don't you join us?
> GOTO: SQL PASS-J (ALL THE CONTENTS ARE AVAILABLE IN JAPANESE)
> http://www.sqlpassj.org/
>
Kenji Yamamoto
01-22-2001, 09:23 PM
Hello.
|Subject: Re: hotfixes vs. avalibility
|From: Eli Allen <eallen@bcpl.net>
|Date: Mon, 22 Jan 2001 19:24:28 -0500
|Message-Id: <3a6cce6f@news.devx.com>
|X-NewsReader: Microsoft Outlook Express 5.50.4133.2400
|I hope not, that site sucks. If I'm running a web server why should it
|matter which version of IE is installed? I know that the IE version matters
|for some patches but not things like IIS.
|
|What hotfix you can install usually depends on what service park is
|installed. So they need to make it easy for you to select what service pack
|you are using and then what hotfixes are valid.
Yeah, that holds true.
Modules like SPQuery should be made available from Microsoft.
cf.SPQuery
http://www.stbernard.com/
I raised the wish with their Japanese Information Centre several
times since last April. But unfortunately they do not seem
to be doing anything about it, perhaps because the US
Headquarters does not or cannot recognize our needs.
So we have to post the wish several times, via several channels
including Premium Support, FeedBack, Incident Support, or
whatever we can use.
They should understand what it is like now for an average
administrator to handle this stuff.
|They also need to update the site at the same time the security bulletin
|comes out about the patch. Or at least within a few days to make sure the
|patch doesn't cause major problems. I mean they have a patch called
|"Security Update, November 9, 2000" but it was just posted on Monday,
|January 22, 2001.
So, for the English version of the operating system, I use
SPQuery to gather the modules. But I do not think it is a normal
situation to buy such a thing to administer the network/server.
This kind of product should be made available free from
Microsoft, I think.
For update frequency, I am of the same opinion as you. Also,
they should fully localize the stuff and contents of the site as
not every administrator understands English. They have localized
modules, so the explanation and the interface should be
localized as well.
Regards,
Kenji Yamamoto
--
Can't you hear our heartbeat? Why don't you join us?
GOTO: SQL PASS-J
http://www.sqlpassj.org/
Arvind S
04-29-2002, 03:12 PM
Hi,
I know this response is a little late... but just a word of caution regarding
hotfixes, rollups etc...
You should **ALWAYS** try out the patches on a pre-production machine which
mirrors your production config, else you risk the BSoDs which are sooo dreaded...
also look at how the patch interacts with the application at hand in terms
of permissions etc.
As far as the ease of application goes, I think MS is doing a decent job
out of fixing up these Security rollups.
Regards,
Arvind S
BrainBench MVP - Internet Security.
"Michael Howard" <mikehow@microsoft.com> wrote:
>
>the problem is we have seen unpatched servers get whacked. imho, critical,
>remotely exploitable issues should be patched asap. otherwise you WILL have
>forced downtime when some kiddie takes out your servers :-)
>
devx.com
Copyright WebMediaBrands Inc. All Rights Reserved