I caught the end of Steve Riley talking about the urgency of patching and a solution for VMs. He recommended patching as soon as possible. His thoughts were the risks of not patching while waiting for testing were greater than the risks of something going wrong with a patch. Rather simplistic point of view. If an admin follows the process of testing then he won’t get fired for an attack. If he deploys an update without testing then …. ouch.
Steve’s suggested process was:
- Snapshot your VMs.
- Patch
- If something goes wrong, rollback the VM.
- If it goes well, remove the snapshot.
There are two problems here:
- In my fun’n’games with PSS, I’ve learned that PSS do not support snapshots in a production environment in Hyper-V. You must use bare metal backups using a Hyper-V VSS writer certified backup solution, e.g. DPM 2007.
- You need to be careful about rollbacks to snapshots/bare metal backups. Active Directory domain controllers should never be recovered in this manner in a network with more than one domain controller. There is a risk of a USN rollback.
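Steve's four steps as a script, added here as an example and not from the post itself: it assumes the Hyper-V PowerShell module (Checkpoint-VM, Restore-VMSnapshot, Remove-VMSnapshot) and a constructed list of domain-controller VM names, so the USN rollback caveat is enforced by the script rather than remembered by the admin. Given the PSS position on snapshots in production, this belongs in the virtual lab phase.

```powershell
# Added example (not from the original post): Steve's snapshot-patch-rollback loop
# scripted against the Hyper-V PowerShell module, with a guard for the USN rollback
# caveat. VM names and the domain-controller list are constructed placeholders.
Import-Module Hyper-V

# Assumption: you maintain a list of VMs that run AD DS. Restoring a checkpoint of a
# DC in a network with more than one DC risks a USN rollback, so they are refused here.
$DomainControllers = @('LAB-DC01', 'LAB-DC02')   # constructed placeholder names

function New-PatchCheckpoint {
    param([Parameter(Mandatory)][string]$VMName)
    if ($DomainControllers -contains $VMName) {
        throw "$VMName is a domain controller; use an AD-aware backup, not a checkpoint."
    }
    # Step 1: snapshot the VM under a label we can find again later.
    $label = "pre-patch-$(Get-Date -Format 'yyyyMMdd-HHmm')"
    Checkpoint-VM -Name $VMName -SnapshotName $label
    return $label
}

function Complete-PatchCheckpoint {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$Label,
        [switch]$Rollback
    )
    $snap = Get-VMSnapshot -VMName $VMName -Name $Label
    if ($Rollback) {
        # Step 3: the patch broke something, so return the VM to its pre-patch state.
        Restore-VMSnapshot -VMSnapshot $snap -Confirm:$false
    } else {
        # Step 4: the patch is fine, so merge the checkpoint away and keep the new state.
        Remove-VMSnapshot -VMSnapshot $snap
    }
}

# Usage: checkpoint, apply the update in the guest (step 2), test, then decide.
$label = New-PatchCheckpoint -VMName 'LAB-APP01'
# ... apply the update inside LAB-APP01 and run the smoke tests here ...
$patchOk = $true   # set this from the test results
Complete-PatchCheckpoint -VMName 'LAB-APP01' -Label $label -Rollback:(-not $patchOk)
```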
Personally, I won’t be giving up my three-phase process: virtual lab test, pilot deployment and live deployment.