Sounds like you're running quite a large scale environment there with your "web portal".

How do you justify the risks associated with deploying these patches? What kind of testing, lab environment, staffing, etc do you use to mitigate the risks? How many SYSTEMS do you use with unique applications? How do you suggest a company with, say, 10,000 web servers running different applications test these patches?

Tim's article holds water for only the smallest companies that have simplistic configurations. Microsoft's patches DO break servers, and unless we're dealing with a Nimda or Code Red, the cure is worse than the disease most of the time. The best thing is to isolate these systems on a DMZ, monitor the hell out of them, and wait until FORMAL testing can be done for all crucial systems before deploying them.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/74/11893#11893