I'm curious about how everyone updates their servers before going live. It's clear that servers shouldn't be exposed to the internet right after installation. For those not using tools like Config Manager, what's your approach to securing these servers? How do you make sure they are patched and ready without direct internet access?
4 Answers
If you're talking about an isolated system, downloading updates from the Microsoft Update Catalog on another computer works great. You can then transfer them via USB or a network share to install them.
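As an added illustration of the workflow in this answer (example code, not part of the original post), here is a PowerShell script that installs `.msu` packages copied from a connected machine onto the isolated server, checks each package's Authenticode signature before running it, and records which KBs were added. The `D:\Updates` and log folder paths are assumptions; the wusa exit codes are the documented ones (0 success, 3010 reboot required, 2359302 already installed).

```powershell
# Added example (not from the original answer): install update packages that were
# downloaded from the Microsoft Update Catalog on a connected machine and copied
# to a share or USB stick. Paths are assumptions; adjust to your environment.
param(
    # Folder containing the .msu files copied from the online machine (assumed path)
    [string]$PackageDir = 'D:\Updates',
    # Where wusa's per-package event logs are written (assumed path)
    [string]$LogDir     = 'C:\Windows\Temp\OfflinePatch'
)

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Record what is installed before starting, so the change can be audited afterwards.
$before = Get-HotFix | Select-Object -ExpandProperty HotFixID

foreach ($pkg in Get-ChildItem -Path $PackageDir -Filter '*.msu') {
    # Only install packages carrying a valid Authenticode signature; anything that
    # arrived over removable media should be checked before it runs as SYSTEM.
    $sig = Get-AuthenticodeSignature -FilePath $pkg.FullName
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Skipping $($pkg.Name): signature status $($sig.Status)"
        continue
    }

    # wusa.exe installs .msu packages; /quiet /norestart keeps the reboot under our control.
    $log  = Join-Path $LogDir ($pkg.BaseName + '.evtx')
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList "`"$($pkg.FullName)`" /quiet /norestart /log:`"$log`"" `
        -Wait -PassThru

    # 0 = success, 3010 = success but reboot required, 2359302 = already installed
    switch ($proc.ExitCode) {
        0       { Write-Host "$($pkg.Name): installed" }
        3010    { Write-Host "$($pkg.Name): installed, reboot required" }
        2359302 { Write-Host "$($pkg.Name): already present" }
        default { Write-Warning "$($pkg.Name): wusa exit code $($proc.ExitCode)" }
    }
}

# Show the delta so the patch run can be documented before the server leaves staging.
$after = Get-HotFix | Select-Object -ExpandProperty HotFixID
Compare-Object -ReferenceObject $before -DifferenceObject $after |
    Where-Object SideIndicator -eq '=>' |
    ForEach-Object { "Newly installed: $($_.InputObject)" }
```

Run it from an elevated prompt; install packages in the order the Catalog lists their prerequisites (servicing stack update first), reboot once at the end, and keep the `Compare-Object` output with the build record.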
Our deployment strategy includes a thorough workflow: requests, data flow diagrams, and compliance scans. By the time we onboard systems and install apps, they are already checked for compliance. Keeping our server templates updated is key too.
Exposing servers to the internet isn't the same as keeping them updated. You can receive updates without opening up for direct access. I usually keep servers online during deployment, unless there's a good reason not to. For offline updates, tools like WSUS can help, allowing you to patch without direct internet access.
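To show the WSUS route this answer mentions (added example, not from the original post), the script below points a server at an internal WSUS instance through the policy registry values the Windows Update agent reads, then queries the agent for the updates that server has been approved for. The WSUS URL and port are assumptions; only the server's own egress to WSUS is needed, not internet access.

```powershell
# Added example (not from the original answer): make a server pull approved
# updates from an internal WSUS instance instead of Microsoft Update.
# The WSUS URL is an assumption; use your own server and port.
$WsusUrl = 'http://wsus.corp.example:8530'

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'
New-Item -Path $wuKey -Force | Out-Null
New-Item -Path $auKey -Force | Out-Null

# Intranet update and reporting server (the Group Policy-backed values).
Set-ItemProperty -Path $wuKey -Name 'WUServer'       -Value $WsusUrl -Type String
Set-ItemProperty -Path $wuKey -Name 'WUStatusServer' -Value $WsusUrl -Type String
# Use the intranet server rather than Microsoft Update.
Set-ItemProperty -Path $auKey -Name 'UseWUServer' -Value 1 -Type DWord
# AUOptions 3: detect and download automatically, let the admin choose when to install.
Set-ItemProperty -Path $auKey -Name 'AUOptions'   -Value 3 -Type DWord

# The agent reads the policy on start, so restart it and kick off a detection cycle.
Restart-Service -Name wuauserv
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

# Ask the agent what WSUS has approved for this machine and is not yet installed.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 1   # ssManagedServer: query WSUS, not Microsoft Update
$result = $searcher.Search('IsInstalled=0 and IsHidden=0')
$result.Updates | ForEach-Object {
    '{0,-12} {1}' -f ('KB' + ($_.KBArticleIDs -join ',KB')), $_.Title
}
```

The `ServerSelection = 1` line is what makes the query go to WSUS rather than the public service, so the listing is a quick check that the policy took effect before the server is moved out of the staging VLAN.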
When I mention servers shouldn't be exposed, I mean they shouldn't have direct access to the internet. Many of our internal servers connect to the web while being protected by firewalls. I set up a DMZ for updates, then move servers to a restricted VLAN after they’re patched. If offline, I switch to manual downloads for updates.
