Is delayed restarting a security issue after updating a Windows Production Webserver?

The server needs to reboot to finish patching files that were in use during the patching process. Leaving your machine in an inconsistent state (i.e. installing updates and then letting it run) leaves your machine at greater risk, as you are between two states.

The first is before you patched, at a known good level of Microsoft updates.

The second state is your machine running the latest set of Microsoft patches.

What you are creating is a third state where some files are updated whilst others aren't. The question isn't really whether you are more at risk (because the answer seems an obvious yes); it's what steps would you take if your machine was compromised during this inconsistent state? I would imagine Microsoft would say to you what they said to me in the past: 'Oh dear, I'm very sorry, rebuild your machine, it wasn't in a configuration we support.'

If you're patching your machine, do it in one hit: apply the patches and immediately reboot it, even if it means staying around out of hours to do it. If your application is so critical that you cannot manage a 5 minute reboot outage, then you ought to be looking at extending your infrastructure to cope with it (i.e. multiple load-balanced servers).


Delaying the server restart after patches have been applied is something you really, really should avoid.

This would leave the server in an inconsistent state, where some parts of a patch have been applied and some not, and the problem here is not as much about security as about stability: after a patch installation and prior to rebooting you can have all sorts of incompatible DLLs around your system.

I had a really bad experience with a Windows Server 2003 domain controller which was patched (by someone other than me) and not restarted for a whole week. During that week, every authentication request processed by that DC failed because it was not working properly, and this created quite a big mess on the network. The problem has been somewhat mitigated since Windows Server 2008 (which does the "real" patching during the shutdown and boot phases), but I'd personally never leave a server online when a patch restart is pending.
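Both answers describe the same condition: patches installed, reboot still outstanding. The following PowerShell check is an added example (not code from either answer) that reports whether a server is sitting in that state, so it can be caught by monitoring rather than discovered a week later. It assumes an elevated session on Windows Server 2008 or later, where the Component Based Servicing key exists; the hotfix cross-check is coarse because `Get-HotFix` records only the install date.

```powershell
# Test-PendingReboot: report whether this server has patches applied but not yet
# rebooted (added example; assumes Windows Server 2008+ and an elevated session).
function Test-PendingReboot {
    $reasons = @()

    # Servicing stack: this key exists only while a reboot is outstanding.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    if (Test-Path $cbs) { $reasons += 'ComponentBasedServicing' }

    # Windows Update agent flags the same condition under its own key.
    $wu = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    if (Test-Path $wu) { $reasons += 'WindowsUpdate' }

    # Files that were in use during patching are queued here and swapped in at
    # boot; this queue is the half-applied DLL mix the answers warn about.
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                           -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) { $reasons += 'PendingFileRenameOperations' }

    # Cross-check: hotfixes installed on or after the day of the last boot.
    # Coarse (InstalledOn carries only a date), so it may over-report; that is
    # acceptable for a check whose purpose is to prompt a look.
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $newer = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $lastBoot.Date }
    if ($newer) { $reasons += "HotFixesSinceBoot:$($newer.HotFixID -join ',')" }

    [PSCustomObject]@{
        ComputerName  = $env:COMPUTERNAME
        LastBootUp    = $lastBoot
        RebootPending = ($reasons.Count -gt 0)
        Reasons       = $reasons
    }
}

# Run it; the non-zero exit code lets a scheduled job or monitoring agent alert
# on servers stuck between the "before" and "after" patch states.
$result = Test-PendingReboot
$result | Format-List
if ($result.RebootPending) { exit 1 } else { exit 0 }
```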