[tradu81]

Hi,

I was hoping I could get some recommendations on whether automatic updates should be enabled or disabled on Servers in a large enterprise environment? I personally would have it disabled on servers but would like to get other opinions and the risks and benefits of having it disabled and enabled on servers. (I'm not worried about workstations).

There is no software distribution server in the environment and automatic updates is anebled in the whole domain.

Thanks

[hazey]

IMO it would be best to implement a WSUS solution, very easy to setup and maintain. It doesn't even need to be on its own server just some space for updates is necessary. The benefits being you can choose what to download (critical updates, optional etc, etc) and test them before unleashing on your production environment. Windows update as far as i am concerned is more for a SOHO environment not enterprise. You don't really want you production servers wandering off to Microsoft on their own accord and downloading updates.

just my opinion.

[tehcamel]

Quote:

Originally Posted by hazey

IMO it would be best to implement a WSUS solution, very easy to setup and maintain. It doesnt even need to be on its own server just some space for updates is necessary. The benefits being you can choose what to download (critical updates, optional etc, etc) and test them before unleashing on your production environment. Windows update as far as i am concerned is more for a SOHO environment not enterprise. You don't particiuly want you production servers wandering off to Microsoft on their own accord and downloading updates.

just my opinion.

I concur with your response - I also suggest the use of WSUS. This gives you control over when patches are installed, which patches are installed (for instance, you may not want to install dotnet3.5 framework patches in a server that runs a dotnet1.1 application only..)
It also allows you to setup test groups and deploy patches in a staged manner.
It also means that you only download the patches and updates once.. and at an offpeak time, rather than having X number of srvers all downloading the same thing.

[joeqwerty]

I would also recommend WSUS as a way to control the updates for your servers. If you're unable to implement WSUS then I recommend setting the Automatic Updates service to disabled on your servers and implementing a regular maintenance schedule for you to assess and install updates on your servers.

Just an off topic side note: The .NET frameworks are independent of each other. 1, 2, and 3 (and their accompanying service packs) can be installed on the same machine without affecting applications that require a particular framework.

[Ossian]

Even with WSUS, I always set servers to "download and notify to install" rather than automatic install. This is in an environment with approaching 50 servers. As it gets bigger, I will have to set up a test area.

[tradu81]

Hi,

I appreciate all your reponses. I'm aware of WSUS or even 3rd Party distribution servers but I'm not looking for a solution but a recommendation as there is no distribution server in an environment. My client does not have a distribution server and are not willing to spend on additional hardware\software.
Basically, they have automatic updates enabled on the Default domain policy. From experience, having automatic updates on servers is not the way to go because the way I look at it is if it ain't broken there is no need for updates on servers unless it's a critical update. In saying that, having automatic updates on does not provide me with a platform in which I can test the patches\updates as with a product like WSUS for example.
Correct me if I'm wrong but I don't think there is any harm with having it on considering the option is set to 'Notify me but don't automatically download them or install them'? I would like to put forward a recommendation to have this GPO disabled purely so that servers do not get the prompt that there are updates available. Can you think of any good reason to disable this on the servers? Are there security risks if this is enabled or is there a best practice\ recommendation by a higher party such as Microsoft to disable this on servers?
Again thank you all for your efforts.

[tehcamel]

they shouldn't have to spend money on additional hardware or software.. if you've got some spare disk space, you can just install WSUS. It's free.

I'd recommend they go this direction. WSUS load is relatively low, depending on your environment of course..

[Nonapeptide]

This reminds of a thread I started some time back. I think the consensus is to not have your servers update automatically. I don't even link to download them automatically. Every few months I review the list of updates that are waiting and then I download and install them if any are particularly necessary. If none are necessary, I don't even have the server download them. I try to reboot servers as little as possible and prefer to see uptime measured in months and not days. Of course, certain servers and circumstances do not permit this, but that's a general rule.

[tradu81]

Thank you.