
PATCHING WINDOWS SERVER 2012 DOMAIN CONTROLLERS

Prepared By: Sainath K.E.V, MVP – Directory Services


TABLE OF CONTENTS

1 Introduction

2 Patch management process

3 Patching Active Directory domain controllers

1 INTRODUCTION

Patch management is one of the critical, risk-bearing day-to-day activities of System Engineers and System Administrators who manage hundreds to thousands of servers. It is a challenge that involves risk, complexity, outages and escalations. Over the years, proven methodologies for patching Windows Servers have emerged, and every organization follows its own testing strategy before applying patches to its servers.

Microsoft groups Windows updates into different categories, each of which affects Windows components when installed, so organizations must carefully test their applications against the updates. Microsoft releases the following types of Windows updates:

Security Update: These are important updates and must be installed on Windows Servers.

Recommended Updates: These are sometimes optional updates but require a careful understanding of the update before it is applied.

Service Packs: Combinations of hotfixes bundled together, which help Administrators and Developers test and build their applications against a given Service Pack level.

Language Pack: Low-impact optional updates, which may be required by application developers who build multi-language applications to run on the operating system.

This article describes the patch management process, highlighting the different phases involved before a patch is installed, and lists the recommended permissions required to install Windows Updates on Domain Controllers.

2 PATCH MANAGEMENT PROCESS

I have written this framework based on the proven methodology that enterprise organizations implement to install patches on Windows Servers.

The following are the critical phases of the Patch Management Process:

Phase 1: Receive Patch Notifications

Phase 2: Patch Management Plan

Phase 3: Release the Patch

Phase 4: Evaluate the Patch

Phase 5: Systems to be Patched

Phase 6: Acquire the Patch

Phase 7: User Acceptance Test

Phase 8: Schedule Patch Deployment

Phase 9: Deploy the Patch

Phase 10: Confirm Patch Deployment

Phase 11: Document Changes

[Figure: Patch Management Framework flowchart. Main flow: Receive Patch Notifications -> Release The Patch -> Evaluate The Patch -> Systems To Be Patched -> Acquire The Patch -> User Acceptance Test -> Schedule Patch Deployment -> Deploy The Patch -> Confirm Deployment (How to verify? Same site / different site) -> Document The Changes. Side branches: patch classification (Critical/Important/Low; Software/Driver; Hardware/Network); target types (Desktops/Servers/Applications; Network Appliances/Hardware); deployment tools (WSUS/BigFix, Altiris, PatchLink/CA/Foxit); risk handling (Risk Assessment, Risk Treatment, Risk Acceptance, Risk Monitoring); Patch Mitigation Plan (patch unavailable; deploying patches on slow links; patch available but device is out of the network; patch requires application code change).]

3 PATCHING ACTIVE DIRECTORY DOMAIN CONTROLLERS

Following the patch management process implemented in the organization, certain requirements and checks need to be in place before patching Domain Controllers. When a Windows Server is promoted to an Active Directory Domain Controller, its local groups are migrated to Active Directory-owned groups, and the conventional way of adding users or groups to the local Administrators group is no longer valid.

This scenario applies where organizations employ vendors to perform patch management and therefore have to accommodate vendor accounts as members of the Builtin\Administrators group on the Domain Controllers.

Before listing the permissions required, I would like to compare the privileges of the Domain Admins group and the Builtin Administrators group, which gives a good understanding of these groups on Domain Controllers.

Groups and their User Rights

Administrators: Access this computer from the network; Adjust memory quotas for a process; Allow log on locally; Allow log on through Terminal Services; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Force shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Manage auditing and security log; Modify firmware environment variables; Perform volume maintenance tasks; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects

Domain Admins: Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects
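The table above lists the rights each group is expected to hold; the script below, an added example that is not part of the original article, exports the effective User Rights Assignment of the Domain Controller with secedit and shows which principals actually hold the rights named in the table, so the documented policy can be checked against the live DC before a patch window. It assumes an elevated session on the DC; the file name and the Get-DcUserRights function are my own.

```powershell
# Added example (not from the article): confirm who holds the user rights listed above on this DC.
# Assumes an elevated PowerShell session on the Domain Controller.
$inf = Join-Path $env:TEMP 'dc-rights.inf'            # constructed temp path
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Privilege constant -> display name, for the rights the article's table compares
$RightNames = @{
    SeNetworkLogonRight           = 'Access this computer from the network'
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeRemoteInteractiveLogonRight = 'Allow log on through Terminal Services'
    SeBackupPrivilege             = 'Back up files and directories'
    SeRestorePrivilege            = 'Restore files and directories'
    SeDebugPrivilege              = 'Debug programs'
    SeLoadDriverPrivilege         = 'Load and unload device drivers'
    SeSecurityPrivilege           = 'Manage auditing and security log'
    SeShutdownPrivilege           = 'Shut down the system'
    SeTakeOwnershipPrivilege      = 'Take ownership of files or other objects'
}

function Get-DcUserRights {
    # Lines in the [Privilege Rights] section look like: SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
    Get-Content -Path $inf | ForEach-Object {
        if ($_ -notmatch '^(Se\w+)\s*=\s*(.+)$') { return }
        $constant = $Matches[1]
        if (-not $RightNames.ContainsKey($constant)) { return }
        $holders = $Matches[2].Split(',') | ForEach-Object {
            $sid = $_.Trim().TrimStart('*')
            try {
                # Resolve the SID to DOMAIN\Name (S-1-5-32-544 resolves to BUILTIN\Administrators)
                (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $sid   # unresolvable SID (orphaned account): keep it visible rather than dropping it
            }
        }
        [pscustomobject]@{ Right = $RightNames[$constant]; Holders = ($holders -join '; ') }
    }
}

Get-DcUserRights | Sort-Object Right | Format-Table -AutoSize
Remove-Item -Path $inf -ErrorAction SilentlyContinue
```

Any right in the table that is missing from the output, or that lists a holder other than the expected groups, is worth reviewing before vendor accounts are granted access.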

3.1 PERMISSION REQUIREMENT

The Builtin Administrators group has full access to AD objects, which is close to or equivalent to the Domain Admins group, along with full system-level permissions on the Domain Controllers. Active Directory administrators and architects should evaluate this before adding vendors to the Builtin Administrators group.

The one notable difference between Domain Admins and the Builtin (domain local) Administrators group is that Domain Admins is a member of the local Administrators group on non-domain-controller computers (both domain-joined client and server operating systems), whereas the Builtin\Administrators domain local group has no permissions on non-Domain Controllers.

One of the requirements for installing patches is Administrator access on the Windows Server or client operating system, so on a Domain Controller the vendor accounts must be added to the Builtin\Administrators group.

Is it safe to allow vendors to patch?

It is not always safe to allow vendors to perform patch management on production Domain Controllers, because they gain complete access to Active Directory objects. With strict monitoring in place, however, a vendor account can be permitted to patch Domain Controllers for the scheduled update window and then disabled.

The other, safer alternative is to have Domain Admins patch the Domain Controllers.

Note: The above procedure is for environments where there is no automated patch management
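The time-boxed vendor access described above (grant Builtin\Administrators membership for the update window under monitoring, then disable the account) can be scripted so that the grant and the revoke are symmetric and the group membership is verified afterwards. The following is an added example, not code from the article; it assumes the ActiveDirectory module from RSAT, a Domain Admins session, and a placeholder vendor account named vendor-patch.

```powershell
# Added example (not from the article): time-boxed vendor membership in Builtin\Administrators.
# Assumes the ActiveDirectory module and a Domain Admins session; 'vendor-patch' is a placeholder.
Import-Module ActiveDirectory

# Builtin\Administrators has the well-known SID S-1-5-32-544 in every domain
$Admins   = Get-ADGroup -Identity 'S-1-5-32-544'
$Baseline = Join-Path $env:TEMP 'admins-baseline.txt'   # constructed path for the pre-window snapshot

function Grant-PatchWindowAccess {
    param([string]$VendorAccount = 'vendor-patch', [int]$Hours = 4)
    # Snapshot membership so any change made during the window can be detected afterwards
    Get-ADGroupMember -Identity $Admins | Select-Object -ExpandProperty SamAccountName |
        Set-Content -Path $Baseline
    $expires = (Get-Date).AddHours($Hours)
    Enable-ADAccount -Identity $VendorAccount
    # Account expiry is the safety net if nobody runs the revoke step after the window
    Set-ADAccountExpiration -Identity $VendorAccount -DateTime $expires
    Add-ADGroupMember -Identity $Admins -Members $VendorAccount
    Write-Host "$VendorAccount added to Builtin\Administrators; account expires $expires"
}

function Revoke-PatchWindowAccess {
    param([string]$VendorAccount = 'vendor-patch')
    Remove-ADGroupMember -Identity $Admins -Members $VendorAccount -Confirm:$false
    Disable-ADAccount -Identity $VendorAccount
    # Compare current membership with the snapshot; anything new needs review
    $before = Get-Content -Path $Baseline
    $after  = Get-ADGroupMember -Identity $Admins | Select-Object -ExpandProperty SamAccountName
    $added  = Compare-Object -ReferenceObject $before -DifferenceObject $after |
        Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject
    if ($added) {
        Write-Warning "Builtin\Administrators gained members during the window: $($added -join ', ')"
    } else {
        Write-Host 'Builtin\Administrators membership matches the pre-window snapshot'
    }
}
```

Run Grant-PatchWindowAccess at the start of the scheduled window and Revoke-PatchWindowAccess when the vendor confirms the patches are installed; the membership comparison is the minimal check behind the "strict monitoring" the article calls for.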
