2 Replies Latest reply on Jan 31, 2008 5:59 PM by Bill Robinson

    Windows Security Patching

      All,

      Our environment contains about 600 Windows-based servers. Most of them are 2003 with some 2000. We also have a lot of VM machines. I have been tasked with coordinating our security patching and have a few questions:


      1. Just an overview: How does each of you design your patching? Do you separate your 2000 and 2003 machines into Smart Groups and then run a Patch Analysis on each platform? Or do you subdivide your servers further by use?


      2. I hope I am wrong on this one, but in my testing it appears that BladeLogic does not have any way of preventing the deployment of an incorrect patch. Is this true, or will the software prevent this? For example, if I were to package a patch that was intended only for Windows 2003 but accidentally sent it to a 2000 server, would BL install it?


      3. If you have a similar or larger environment, how long does it take you to patch all of your Windows servers?


      Any advice would be appreciated.


      Thanks,

      Tim Hayes

      Eon-us.

        • 1. Re: Windows Security Patching

          #1 - You must separate the groups you analyze by OS version. If you don't, when you select the "deploy all missing hotfixes" option an error is thrown. Re: Design - without being too long-winded, we have at least 6 server smart groups for patch targeting. Variables are: OS version; VM host, VM guest, or non-VM; x86 versus x64; and the time slot the owner allows the server to be patched.


          #2 - If the package is built via analyze then you won't have that problem. If you build the package manually, BL will not prevent the execution of a 2000 hotfix against a 2003 target. But when it's invoked the OS will know and not apply it.


          #3 - We patched 565 servers (about half our environment) last Saturday evening in about 4 hours.


          Also be wary that with the packages created by patch analysis, each item within the package is set to "ignore on failure". So the deploys will ALWAYS finish with a success status even if it failed. There is supposed to be an option in 7.4.2 to change this behavior.
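The grouping, preflight and reporting concerns in this reply, as an added example that is not part of the thread and not BladeLogic code: the server inventory, the hotfix applicability record and the job-result shape are all constructed assumptions used to illustrate the three points.

```python
# Added example, not BladeLogic code: models the target grouping (#1),
# the wrong-OS preflight (#2) and the "ignore on failure" caveat.
from collections import defaultdict

# Constructed inventory; fields mirror the grouping variables in the reply.
SERVERS = [
    {"name": "srv01", "os": "2003", "arch": "x86", "vm": "guest", "window": "sat-pm"},
    {"name": "srv02", "os": "2003", "arch": "x64", "vm": "host",  "window": "sat-pm"},
    {"name": "srv03", "os": "2000", "arch": "x86", "vm": "none",  "window": "sun-am"},
    {"name": "srv04", "os": "2000", "arch": "x86", "vm": "guest", "window": "sat-pm"},
]

def smart_groups(servers):
    """Partition targets by OS, VM role, arch and patch window so that one
    deploy never mixes OS versions (the failure mode described in #1)."""
    groups = defaultdict(list)
    for s in servers:
        groups[(s["os"], s["vm"], s["arch"], s["window"])].append(s["name"])
    return dict(groups)

def preflight(hotfix, servers):
    """Reject targets whose OS/arch do not match the hotfix before the deploy
    is built (#2). The OS would refuse a mismatched hotfix anyway, but an
    explicit check yields a clear error instead of a silent no-op."""
    ok, rejected = [], []
    for s in servers:
        if s["os"] == hotfix["os"] and s["arch"] in hotfix["arch"]:
            ok.append(s["name"])
        else:
            rejected.append((s["name"], f"hotfix for {hotfix['os']}, "
                                        f"target is {s['os']}/{s['arch']}"))
    return ok, rejected

def real_status(job_result):
    """Look past the job-level status that 'ignore on failure' reports and
    surface per-item failures (the caveat in the reply's last paragraph)."""
    failed = [(target, item)
              for target, items in job_result["items"].items()
              for item, state in items.items() if state != "success"]
    return ("failed" if failed else job_result["status"]), failed
```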

          • 2. Re: Windows Security Patching
            Bill Robinson

            This also depends on the version of BladeLogic - in 7.4+ the analysis engine is different than in 7.2-7.3, so #1 will be different if you are using 7.4.


            #2 should be the same regardless of the version of BladeLogic.