8.11.2004

Microsoft Security Patches

I am often asked for my recommendations regarding which Microsoft patches to deploy to a given server or network of computers. Having been involved with supporting and troubleshooting Microsoft operating systems for over 10 years, I have developed a conservative approach to applying security updates.

I can remember many times when applying a security patch has actually caused more problems than it solved. Therefore, I only apply security updates if they address a direct threat to a system in the role in which it is operating. For instance, if there is an update released for IIS (Microsoft's web server software), I don't recommend automatically applying it to a file server. Furthermore, if there is a server security update to patch a vulnerability that can only be exploited by opening a malicious e-mail attachment or by visiting a malicious web site, I do not recommend applying it to servers. The reason: servers aren't surf boards! The only web surfing that should occur on a server is an occasional driver download, etc. However, the same update is probably appropriate for desktop PCs, since end-users are likely to run into these situations.
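The two rules above (patch only what the host's role actually runs, and on servers skip fixes that need someone to open an attachment or browse a site) can be written down as a small triage routine so the decision is repeatable and the reason for each skip is recorded. The following is an added example, not code from this post or its spreadsheet; the patch records, component names, attack-vector labels and host roles are all constructed for illustration and the patch ids are placeholders, not real bulletin numbers.

```python
"""Role-based patch triage (constructed example; no real bulletin data)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set, Tuple

# Vectors that only work when a logged-on user opens a file or visits a site.
USER_INTERACTION_VECTORS = {"email-attachment", "malicious-website"}


@dataclass(frozen=True)
class Patch:
    patch_id: str   # placeholder identifier, not a real Microsoft bulletin number
    component: str  # affected component: "os", "iis", "ie", "outlook", ...
    vector: str     # "network", "local", "email-attachment", "malicious-website", "unknown"


@dataclass
class Host:
    name: str
    kind: str                                  # "server" or "desktop"
    roles: Set[str] = field(default_factory=set)  # components/roles installed


def triage(patch: Patch, host: Host) -> Tuple[str, str]:
    """Decide ("apply" | "skip", reason) for one patch on one host."""
    installed = host.roles | {"os"}  # the base OS is always present
    # Rule 1: the component must actually be installed on this host.
    if patch.component not in installed:
        return ("skip", f"{patch.component} is not installed on {host.name}")
    # Rule 2: on servers, skip fixes reachable only through mail or web browsing.
    if host.kind == "server" and patch.vector in USER_INTERACTION_VECTORS:
        return ("skip", f"{patch.vector} vector; {host.name} is a server, not a surf board")
    # Conservative default: network, local and unknown vectors are applied.
    return ("apply", f"{patch.vector} vector hits installed component {patch.component}")


def build_baseline(patches: Iterable[Patch], host: Host) -> Dict[str, Tuple[str, str]]:
    """Map every patch id to its triage decision for a given host."""
    return {p.patch_id: triage(p, host) for p in patches}


# Constructed sample data for the demonstration.
PATCHES = [
    Patch("P-001", "iis", "network"),
    Patch("P-002", "ie", "malicious-website"),
    Patch("P-003", "outlook", "email-attachment"),
    Patch("P-004", "os", "network"),
    Patch("P-005", "os", "unknown"),
]
FILE_SERVER = Host("fs01", "server", {"smb", "ie"})
WEB_SERVER = Host("web01", "server", {"iis", "ie"})
DESKTOP = Host("pc01", "desktop", {"ie", "outlook"})

if __name__ == "__main__":
    for host in (FILE_SERVER, WEB_SERVER, DESKTOP):
        print(f"== {host.name} ({host.kind}) ==")
        for pid, (decision, reason) in build_baseline(PATCHES, host).items():
            print(f"  {pid}: {decision:5} - {reason}")
```

Unknown vectors deliberately fall through to "apply": when the advisory does not say how a flaw is reached, the safe reading is that the installed component is exposed, and a skip should only ever be the result of a rule that names its reason.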

So, as you can see, my patching philosophy is a little different from what you may be used to. If you agree with my approach, feel free to download my Microsoft Patch Baseline spreadsheet. This spreadsheet lists my recommended patches for all currently supported Microsoft operating systems. I update this spreadsheet at least once per month, or more often if patches are released out-of-cycle or if a new threat is discovered in the wild.