We've started using VMware which allows us to take a snapshot of a running server, copy that snapshot to a testing server, and apply patches to the test copy without taking our production machines down. Using WSUS, we can then roll out the patches to the live machines once we're sure they don't break anything.
This obviously only works when the hardware can be virtualized, though you might be able to achieve a similar result by restoring your backups to a test server and patching that. This would have the bonus of testing your backup/restore procedures regularly.

Once the patch is approved, we install it manually during a weekly downtime window. For some servers we can afford to be a bit opportunistic, so if the patch is critical and server usage is low, we'll inform the users and apply it early.

-seren

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, May 08, 2006 7:02 AM
To: [email protected]
Subject: Patch Management on Critical Servers (Healthcare)

Hello

I'm just curious to hear how people in the field have been handling patch management with critical servers. Have you set up maintenance windows? If so, how did you manage the down time? What have people been doing if the device or server has an approved FDA configuration? Are you using things like WSUS?

Thanks,
Matthew
Security Engineer
