Security Basics mailing list archives

Patching internet facing MS systems


From: "Dan Lynch" <DLynch () placer ca gov>
Date: Mon, 10 Mar 2008 15:44:57 -0700

Greetings group,

I'm looking for current best practice recommendations regarding the
maintenance and patching of internet-facing Windows servers. In my
environment, these are hardened, stand-alone (i.e., non-domain member)
servers, mainly running IIS, and in at least one case, MS SQL Server.
They reside on a network segregated behind a firewall from the internet,
and from our core network. At this time, no connections are allowed from
them to the private network. All unnecessary services are disabled,
including the Server Service.

Currently, Remote Desktop is used for many maintenance tasks, but
patching remains a problem. Applicable patches are copied to a USB
memory stick, and an administrator at the server console manually
installs. This sneaker-net solution is the source of much wailing and
gnashing of teeth among our sysadmins.

A number of options are available that run the gamut from turning on
automatic updates and allowing them to make outbound HTTP connections to
microsoft.com, to making them domain member servers and using SMS to
push patches.

How do _you_ do it?
Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
