Patch testing on a budget

The idea was that no upgrade (hardware or software) was ever done to the production network unless it was first done to the test network and monitored for adverse effects. And that was actually pretty smart for the company to set things up that way, because doing so ensured that there were never any surprises on the production network after an upgrade. The thing that really made an impression on me, though, wasn't so much the testing procedure. Rather, it was the amount of money that the company spent on the lab.

The infinite resources method
Every time the company needed a new server, it would buy three of them. One would go into the production network, one would go into the lab and one would be kept in the box and saved in case of a catastrophic hardware failure on the production or test network. In addition to buying duplicate hardware, the company also purchased duplicate software licenses for the test network, although the test network didn't require nearly as many client access licenses.

More Information Learn how to test a patch Learn how to deploy a successful patch. Have a patching question? Submit a question here.

The point is that the company had a great system for testing patches and upgrades prior to deploying them, but between the cost of duplicate components, duplicate licenses and having to pay the IT staff for the extra hours spent maintaining the lab, the company spent an absolute fortune on testing.

A lot of years have passed since then, and today I work for myself. I have to admit that I would love to have a duplicate network set up for testing purposes, but doing so is, to say the least, a little beyond my budget. That doesn't mean I don't test patches prior to deploying them though. I don't have nearly as elaborate of a setup as my former employer, but I have found a few tricks for testing patches on a much more modest budget.

Reducing hardware costs
The biggest costs related to creating a test lab are hardware and software. Although both are necessities, there are some ways that you can really hold down the costs. Let's talk about the hardware first. One way you can economize on hardware is to purchase PCs instead of servers. If all you do is test the impact of occasional patches, then you don't need things like multiple processors and RAID arrays. You can save an absolute fortune just by using a basic PC with plenty of disk space and memory for testing purposes.

Another cost-saving technique is to use virtual machines. Products such as Microsoft's Virtual Server 2005 and VMware from VMware Inc. allow you to simultaneously run multiple virtual computers on a single physical computer. As you can imagine, running multiple virtual computers simultaneously requires a lot of computing power. Therefore, if you are thinking about using virtual machines, make sure that the physical computer on which you are hosting the virtual machines is as powerful as possible. Specifically, the physical computer will need lots of processing power and as much memory as possible.

Reducing software costs
So what about saving money on software? As I said, you can save money because you won't have to buy as many client access licenses for your test network as you would for the production network. Even so, the software can still be expensive.

There are some ways to cut cost though. If you are only doing a quick test, try using evaluation software in your lab. Microsoft offers 120-day evaluation copies of most of their products for free. Therefore, if you are testing a configuration, patch, upgrade or whatever for less than 120 days, you could just download some evaluation software and not have to worry about the cost.

If you are going to be testing for an extended amount of time, one option is to get an MSDN subscription. A subscription to MSDN Universal costs about $2,000. That sounds like a lot of money but, along with the subscription, you receive multiple licenses for almost all of Microsoft's products. I don't know what Microsoft's official policy is regarding using MSDN software in testing labs, but because MSDN is intended for developers, I'm pretty sure that using MSDN software in a test lab would be allowed by the license agreement.

As you can see, you don't have to have a huge budget to create a test lab. All you really need is a PC or two -- and some imagination.

About the author:
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.

This tip originally appeared on SearchWindowsSecurity.com

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics Writing Wireshark network traffic filters Screencast: Collecting metadata with Metagoofil Video: Setting up a secure wireless network How to implement and enforce a social networking security policy New blacklists: Highly predictive or hardly worth it? Smartphone security: The growing threat of mobile malware Screencast: How Tor improves Web surfing privacy and security audits Workstation hard drive encryption: Overdue or overkill? Wireshark tutorial: How to sniff network traffic IE 8 beta 2 security features may mark improvements for browser security Patch Management Microsoft learns of successful RPC worm infections Web app attacks grow, but developers may fight back How to ensure the validity of Microsoft Windows updates Critical SAP flaw leaves systems vulnerable to attack Microsoft patches critical XML Core Services flaw Inside MSRC: Microsoft addresses XML Core Services flaw, RPC flaw Attackers target critical Adobe PDF flaw Microsoft emergency bulletin Microsoft to patch critical Windows flaw Adobe issues warning for Reader, Acrobat flaws Budgeting for Information Security Security survey finds increase in security standards adoption Security spending driven by mergers, Web 2.0 and compliance Managed security services to climb as IT costs rise ISD 2007 Best in Show award winners announced Consolidation's impact on best-of-breed security Podcast: Security360 -- Industry Consolidation Microsoft users sticking with third-party security vendors Information Security announces finalists for 2007 Readers' Choice awards Survey: Data breach costs surge What is the average cost of an MSSP? RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.