Posted by Marlon Brown on August 6, 2005, 10:25 am
130 servers organization, 3,500 PCs.
3 sysadmins.
So far each sysadmin has been responsible for patching the respective servers
they maintain.
Do you agree that a more effective approach is to elect one sysadmin to be
responsible to patch all servers and workstations?
Posted by Shenan Stanley on August 6, 2005, 10:59 am
Marlon Brown wrote:
> 130 servers organization, 3,500 PC's.
> 3 sysadmins.
> So far each sysadmin has been responsible for patching respective
> servers they maintain.
>
> Do you agree that a more effective approach is elect one sysadmin to
> be responsible to patch all servers and workstations ?
No. I do not agree.
The point would be to not only get the patching done as quickly as possible,
but to make sure each server comes back as it should.
With 130 servers, having ONE administrator do them all would be leaving not
only some servers vulnerable for extended periods of time (possibly) - but
relying on a single point of failure (that ONE admin) to get all of the
patches for all of the servers done and make sure all of the functions of
each of those servers come back up correctly. Those who maintain the
servers daily are more likely to know if something is not right and do
something about it quickly than the admin who before only touched 1/3 of the
servers.
As for workstation patch management - WSUS. If the 3500+ PCs are homogeneous
enough - a set of them for the whole group - one main one perhaps - updating
all the others internally that the (assuming sites here) workstations
connect to. If heterogeneous to a point that one patch could break this
third, but would do nothing to the other 2/3s (in way of destructiveness) -
then multiple WSUS servers each managed by the administrator who knows their
subsection of users and applications best and can better test if a certain
patch may damage their customers' work...
--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
Posted by Robert Moir on August 6, 2005, 6:59 pm
Marlon Brown wrote:
> 130 servers organization, 3,500 PC's.
> 3 sysadmins.
> So far each sysadmin has been responsible for patching respective
> servers they maintain.
>
> Do you agree that a more effective approach is elect one sysadmin to
> be responsible to patch all servers and workstations ?
I would suggest that one person has overall charge of the change /
deployment management, setting overall targets and frameworks, but that the
people responsible for the services running off the various servers should
be responsible for the operational aspects of getting the stuff deployed
within that framework.
It makes sense to have one centralised patch manager / patch management
system in order to simplify testing, deployment planning, reduce duplicated
work, etc.
From a business perspective, the people who "own" services need to be
involved in their availability and this arrangement allows that to happen,
so a sysadmin responsible for the email service, for example, might be told
"We need to put this Exchange server patch on the Exchange servers by
Thursday". They can then schedule that to be part of a planned outage
already set for Wednesday, minimising disruption to end users vs. the
planned outage going ahead on Wednesday and the security/patch manager also
disrupting the service on Monday to install patches.
--
Rob Moir
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
Kazaa - Software update services for your Viruses and Spyware.
Posted by Roger Abell on August 7, 2005, 7:01 pm
My take is pretty much just an echo of the others.
The lead admin(s) of specific servers are best positioned to
assess impacts (of patch and of outage schedule), and so should
be the end-responsible party(s).
Like Robert, I also believe there needs to be a point-man that
sets the "urgency level" for released server service.
As to the client systems, set up a redundant WSUS environment
and charge someone in desktop support for ticketing clients that
indicate they are having trouble. With a representative set of
test clients receiving patches before the bulk when there is space
of time to inject the testing delay, all this can be pretty much
automated and delegated to not too highly experienced support
technician(s) under the oversight of the point-man or sysadmins.
--
Roger Abell
Microsoft MVP (Windows Security)
> 130 servers organization, 3,500 PC's.
> 3 sysadmins.
> So far each sysadmin has been responsible for patching respective servers
> they maintain.
>
> Do you agree that a more effective approach is elect one sysadmin to be
> responsible to patch all servers and workstations ?
>
>