-3

A Windows Server 2012 R2. It only serves the local net: file server and a SQL database. It is isolated from the Internet, except for the update server; no ports are forwarded.

Question: Is it a good idea to have it download and install updates automatically, or should it rather be done manually?

(The reason why I'm asking this is that someone claims that no assistance is needed, since the server can download and install the updates automatically, whereas I claim that since it is an isolated machine, updates are not that critical, and they should be performed every now and then, in bulk, and manually, in case they break something. The server also runs some legacy software - things that could break. I do realise that no approach is perfect.)

Can you advise? Can you elaborate?

Konrad Gajewski

2 Answers

1

Generally the only reason I would say disabling auto updates is appropriate is when the application you're running won't persist after a reboot for some odd reason.

Too many security architectures depend upon securing the perimeter, but once this perimeter is breached the internal network is easy to compromise. This would include individual computers getting "beachhead" malware installed, allowing further compromise of the network; compromised VPN credentials; etc.

I would enable auto updates unless there is a compelling reason not to do so -- e.g. the application running on the server does not reliably restart after reboots, which it doesn't sound like is the case here.

  • Does, in your experience, a Win Server reboot automatically after an update? – Konrad Gajewski Jun 11 '15 at 19:57
  • Yes. Most "patch Tuesday" update rollups have a patch that requires a reboot. My Windows servers tend to reboot either every week or two weeks after auto installing updates. In WSUS or "Windows Update" Group Policy settings, you may specify whether to allow a reboot or not. However, if you do not reboot, many updates will not apply thus cancelling out the benefit of auto updates. – Herringbone Cat Jun 11 '15 at 20:04
  • Splendid. You just confirmed my earlier worst fears. :) – Konrad Gajewski Jun 11 '15 at 20:14
  • I humbly suggest that finding a way to make it persist is the better option. Disabling updates because of some nebulous "odd reason" sounds like a cop-out to me. – diz Jun 12 '15 at 00:16
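The comment above points out that the Group Policy settings decide whether Automatic Updates runs and whether the machine may reboot, and that a suppressed reboot leaves installed patches ineffective. The following is an added audit script, not part of the original answer, that reads those policy values and the pending-reboot markers on the server itself; the registry locations are the documented Windows Update policy keys, and the `$MaxDaysSinceLastHotfix` threshold is an assumed value.

```powershell
# Added example (not from the original answer). Audits the Windows Update
# policy state described in the comments: is Automatic Updates enabled, are
# automatic reboots suppressed, and is a reboot already pending (meaning
# installed patches are not yet effective). Run in an elevated PowerShell
# on the server. The day threshold is an assumption; adjust to your cadence.
param([int]$MaxDaysSinceLastHotfix = 45)

$auPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$au = if (Test-Path $auPolicy) { Get-ItemProperty -Path $auPolicy } else { $null }

# AUOptions: 2 = notify before download, 3 = auto download / notify to install,
# 4 = auto download and schedule install, 5 = allow local admin to choose.
$auOptionNames = @{ 2 = 'NotifyBeforeDownload'; 3 = 'AutoDownloadNotifyInstall';
                    4 = 'AutoDownloadScheduleInstall'; 5 = 'LocalAdminChooses' }

$findings = [ordered]@{}
$findings.PolicyKeyPresent   = [bool]$au
$findings.AutoUpdateDisabled = ($au -and $au.NoAutoUpdate -eq 1)
$findings.AUOptions          = if ($au -and $au.AUOptions) { $auOptionNames[[int]$au.AUOptions] } else { 'NotConfigured' }
$findings.RebootSuppressed   = ($au -and $au.NoAutoRebootWithLoggedOnUsers -eq 1)

# Pending-reboot markers written by Windows Update and component servicing.
$rebootKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)
$findings.RebootPending = ($rebootKeys | Where-Object { Test-Path $_ }).Count -gt 0

# Most recently applied hotfix: a long gap means updates are not actually landing.
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$findings.LastHotfix   = if ($lastFix) { "$($lastFix.HotFixID) on $($lastFix.InstalledOn.ToShortDateString())" } else { 'none found' }
$findings.PatchGapDays = if ($lastFix) { [int]((Get-Date) - $lastFix.InstalledOn).TotalDays } else { $null }

[pscustomobject]$findings | Format-List

# Plain-language verdicts a reviewer can act on.
if ($findings.AutoUpdateDisabled) {
  Write-Warning 'Automatic Updates are disabled by policy; patching depends on a manual process.'
}
if ($findings.RebootSuppressed -and $findings.RebootPending) {
  Write-Warning 'A reboot is pending but auto-reboot is suppressed: installed patches are not yet effective.'
}
if ($findings.PatchGapDays -gt $MaxDaysSinceLastHotfix) {
  Write-Warning "No hotfix applied in $($findings.PatchGapDays) days (threshold $MaxDaysSinceLastHotfix)."
}
```

Running it on a schedule and collecting the warnings gives the "reboot never happened" case the comment warns about its own alert instead of leaving it to chance.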
-6

Unless the machine is disconnected from the network, it is never truly isolated. If there is a way to use any of its services from other machines, it is a potential target.

If it's connected to the network, enable automatic security updates on it. No exceptions.

EDIT: No exceptions except as a last resort when all other possible solutions have been evaluated, tested, and found to be unmanageable.

diz

  • -1. See, sometimes there are exceptions - machines that are only allowed to reset at specific times for example. – TomTom Jun 11 '15 at 16:55
  • `If it's connected to the network, enable automatic security updates on it. No exceptions.` This is terrible advice. Every vendor, including MS, has a history of botched updates that create more problems than they solve. In some/many cases, you want to carefully check every update you install on the machine. – Sven Jun 11 '15 at 16:55
  • Well, the whole thing is just not that trivial, so that's why I asked. In my experience, I came across many situations in which an automatic update actually broke something. I think TomTom and Sven are right here. – Konrad Gajewski Jun 11 '15 at 18:55
  • It's not that trivial, but your question seeks to make it that trivial. Of course there may be extenuating circumstances, but I am adamant that security is priority #1. The handwaving over "isolated" is what I was attempting to draw attention to, but everyone seems to be drawn to my "No exceptions" statement, which I'll humbly admit can be excepted in rare circumstances. Fine by me if you wish to focus on that. I'll continue with my "no exceptions except as a last resort" policy because it's better to be safe than sorry. Don't call a machine isolated unless it's airgapped. – diz Jun 12 '15 at 00:25