11 Replies Latest reply on Oct 8, 2008 10:07 AM by Craig Williams

    Windows Security Patching

      All,

      Our environment contains about 600 Windows based servers. Most of them are 2003 with some 2000. We also have a lot of VM machines. I have been tasked with coordinating our security patching and have a few questions:


      1. Just an overview: How does each of you design your patching? Do you separate your 2000 and 2003 machines into Smart Groups and then run a Patch Analysis on each platform? Or do you subdivide your servers further by use?


      2. I hope I am wrong on this one, but in my testing it appears that BladeLogic does not have any way of preventing the deployment of an incorrect patch. Is this true, or will the software prevent this? For example if I were to package a patch that was intended for only Windows 2003 but accidentally sent it to a 2000 server. Would BL install it?


      3. If you have a similar or larger environment, how long does it take you to patch all of your windows servers?


      Any advice would be appreciated.


      Thanks,

      Tim Hayes

      Eon-us.

        • 1. Re: Windows Security Patching

          #1 - You must separate the groups you analyze by OS version. If you don't, when you select the "deploy all missing hotfixes" option an error is thrown. Re: Design - without being too long winded we have at least 6 server smart groups for patch targeting. Variables are: OS Version; VM Host, VM Guest, or Non-VM; x86 versus x64; and the time slot the owner allows the server to be patched.


          #2 - If the package is built via analyze then you won't have that problem. If you build the package manually, BL will not prevent the execution of a 2000 hotfix against a 2003 target. But when it's invoked the OS will know and not apply it.


          #3 - We patched 565 servers (about half our environment) last Saturday evening in about 4 hours.


          Also be wary that with the packages created by patch analysis, each item within the package is set to "ignore on failure". So the deploys will ALWAYS finish with a success status even if it failed. There is supposed to be an option in 7.4.2 to change this behavior.

          • 2. Re: Windows Security Patching
            Bill Robinson

            This also depends on the version of BladeLogic - in 7.4+ the analysis engine is different than in 7.2-7.3, so #1 will be different if you are using 7.4.


            #2 should be the same regardless of the version of bladelogic.

            • 3. Re: Windows Security Patching

              Apologies for resurrecting an old thread, but regarding this issue:

              > Also be wary that with the packages created by patch analysis, each item within the package is set to "ignore on failure". So the deploys will ALWAYS finish with a success status even if it failed.

              Is there any way to change this default to "Continue"? We are running into frustration where a job is ended as "Successful" even though every patch may have failed to apply. Checked the docs and see how to change the setting on a hotfix-by-hotfix basis... but we want the default to be Continue so we have a visual indicator. In the midst of patching several hundred servers, the less stuff we have to tweak by hand, the better. :)
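One way to catch the problem raised in post #1 and here, a deploy job that reports "Successful" while hotfixes never applied, is to verify the targets independently of the job status. The following is an added example, not code from BladeLogic or from this thread: it reconciles the KB list of the deployed package against `wmic qfe` CSV output collected from each target. The hostnames, KB numbers and the CSV samples are constructed for illustration.

```python
import csv

# Constructed sample of `wmic qfe get HotFixID /format:csv` output from two
# targets of one deploy job (hostnames and KB numbers are made up).
# wmic's CSV output begins with a blank line before the header row.
SAMPLE_QFE = {
    "SRV2003-01": "\r\nNode,HotFixID\r\nSRV2003-01,KB123456\r\n"
                  "SRV2003-01,KB234567\r\nSRV2003-01,KB345678\r\n",
    "SRV2003-02": "\r\nNode,HotFixID\r\nSRV2003-02,KB123456\r\n",
}

# Hypothetical KB list of the patch package the job reported "Successful" on.
DEPLOYED_KBS = {"KB123456", "KB234567", "KB345678"}


def parse_qfe_csv(text):
    """Return the set of HotFixIDs present in wmic's CSV output."""
    # Drop the leading blank line (and any other empty lines) before parsing.
    lines = [ln for ln in text.splitlines() if ln.strip()]
    reader = csv.DictReader(lines)
    return {row["HotFixID"].strip().upper()
            for row in reader if row.get("HotFixID")}


def missing_patches(expected_kbs, qfe_by_host):
    """Map each host to the KBs the job claimed to deploy but that are not installed."""
    result = {}
    for host, text in qfe_by_host.items():
        installed = parse_qfe_csv(text)
        gap = sorted(set(expected_kbs) - installed)
        if gap:  # only hosts where the "Successful" status was misleading
            result[host] = gap
    return result


def report(expected_kbs, qfe_by_host):
    """Human-readable summary suitable for a post-deploy check."""
    gaps = missing_patches(expected_kbs, qfe_by_host)
    if not gaps:
        return "all targets verified"
    return "\n".join(f"{h}: missing {', '.join(k)}"
                     for h, k in sorted(gaps.items()))


if __name__ == "__main__":
    print(report(DEPLOYED_KBS, SAMPLE_QFE))
```

Run it against the real `wmic qfe` output gathered from each target after the deploy job, instead of trusting the job's own status.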

              • 4. Re: Windows Security Patching
                Bill Robinson

                w/ Unix patching I believe you can set this in the jython.conf or blvpc.conf file.


                for windows, I'm not sure if you can do this. There are some defaults you can set for DeployJobs in the Property dictionary (DeployOptions), but I don't believe that will get you the 'continue' option.

                • 5. Re: Windows Security Patching

                  > for windows, I'm not sure if you can do this. There are some defaults you can set for DeployJobs in the Property dictionary (DeployOptions), but I don't believe that will get you the 'continue' option.

                  I hate that answer. :)


                  I did some poking around; as you suspected, there was nothing there for the DeployJobs/Packages/Patches in the Property Dictionary. However, what I found is that the patch items in the Depot have ACTION_ON_FAILURE as a property. (And, naturally, it is set to Ignore and I cannot change it.)


                  If we were able to change this setting, do you think it would propagate through to the BLPackages auto-generated by the Patch Deployment? This is really kind of an annoyance for us, to see "Successful" job completion when patches failed, would like to see a solution without having to adjust every one by hand. (We do +/- 600 servers a week, so that's a lot of clicking in the middle of the night!)

                  • 6. Re: Windows Security Patching

                    A screen capture of the patch properties.

                    • 7. Re: Windows Security Patching

                      > Is there any way to change this default to "Continue"? We are running into

                      I've asked for this repeatedly to no avail.

                      Maybe with another customer asking for it the powers that be may consider making it available.

                      • 8. Re: Windows Security Patching
                        Bill Robinson

                        File 'enhancement requests' w/ our support people, and if you really need to get this in, give the BMC/BladeLogic rep who is responsible for your account a call.

                        • 9. Re: Windows Security Patching
                          Bill Robinson

                          oh, good find.


                          so you might be able to make this 'ignore' in the 'Tools | Patch Analysis Configuration' menu. though i set it and it didn't change anything in the property dictionary.


                          open up a ticket w/ support on this - maybe there is a way to change it. not sure about setting it to 'continue' - there might be something in the db you can do..or w/ the blcli...

                          • 10. Re: Windows Security Patching

                            The patch analysis configuration is already set to "Ignore", which makes sense. The only other option available is "Abort".


                            Naturally, the one we want doesn't seem to be there. :)

                            • 11. Re: Windows Security Patching

                              I've been there and done that, Bill.