Patch Management

Server Patch Management

Got servers? Then you need to perform server patch management. Not annually, not once a quarter, not when you feel like getting around to it. Microsoft releases patches on a monthly cycle (the second Tuesday of each month) to make it easier for IT professionals to plan their server patch management activities on a predictable cadence, but out-of-band patches mean you also have to be prepared to patch on very short notice. Remaining completely reactive is not the way to go; it leads to errors, failures, and missed patches, and missed patches lead to compromised servers. Here are six fundamental tips for server patch management that will help you do things the right way:

  • Stay Informed
  • Stick to a Schedule
  • Test
  • Automate, Automate, Automate
  • Verify, Verify, Verify
  • Redundancy Is Your Friend

Stay informed. Microsoft releases patches on a predictable schedule (the second Tuesday of each month) to facilitate server patch management, but it also releases out-of-band patches when a flaw is severe enough, or already being exploited, that waiting for the next cycle is not acceptable. Your application vendors (and other OS vendors, if you are not a pure Microsoft shop) release patches on their own timetables. Subscribe to all of your vendors' notification lists, and point those subscriptions at a distribution list rather than an individual mailbox so nothing is missed because someone is on vacation. Also subscribe to one or more of the leading independent security bulletins so you learn about needed patches even when a vendor's own notice is slow or easy to overlook.
Stick to a schedule. Remember that vendor schedule? Use it to build your own server patch management schedule with predictable, published, and inviolate maintenance windows. Patching is not an optional activity, and when the rest of the business knows you patch on, say, the third Thursday of the month, they will not schedule conflicting tasks. Well, some of them will try, but patching trumps all, and a published window gives you something to point to when they do.
Test. Patching goes badly most often when patches are deployed to production without testing. Whether you maintain a DR facility that can double as a test bed, a scaled-down physical environment, or simply take snapshots of your production VMs and test patches in an isolated sandbox, make sure your server patch management strategy includes a testing step before production sees a patch. Vendors test against their vanilla deployments and against as many supported combinations and best-practice configurations as they can. Unless you know with absolute certainty that your systems are 'pure', testing is the only way to be sure you will not run into production issues, and a snapshot taken immediately before patching is also your fastest rollback when you do.
Automate, automate, automate. Even the smallest shop on a shoestring budget can use the free WSUS (Windows Server Update Services) for server patch management, and there are affordable third-party patch management products that also cover third-party applications, which you can leverage for your workstations as well. Even the most expensive, top-of-the-line server patch management application will cost less than the recovery effort for the one server that was exploited because it was missing a critical patch.
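The testing and automation tips above are usually combined into a ring-based approval flow in WSUS: new security and critical updates are approved for a small pilot group as soon as they arrive, and promoted to production only after a soak period with no install failures. The following PowerShell script is an added example written for this page, not code from the original article or from Microsoft; it assumes it runs on the WSUS server itself with the UpdateServices module available, and that computer groups named "Pilot" and "Production" already exist (both names are assumptions; change them to match your own groups).

```powershell
# Added example, not part of the original article.
# Ring-based WSUS approval: Pilot immediately, Production after a soak period.
# Assumes: run on the WSUS server; groups 'Pilot' and 'Production' exist (assumed names).
Import-Module UpdateServices

$wsus       = Get-WsusServer          # local WSUS server, default port
$pilotGroup = 'Pilot'                 # assumed group name
$prodGroup  = 'Production'            # assumed group name
$soakDays   = 7                       # how long a patch must sit in Pilot before promotion

# 1. New, unapproved Critical/Security updates that at least one client reports as
#    needed go to the Pilot group right away so testing can start on this cycle.
$new = @(Get-WsusUpdate -UpdateServer $wsus -Classification Security -Approval Unapproved -Status Needed) +
       @(Get-WsusUpdate -UpdateServer $wsus -Classification Critical -Approval Unapproved -Status Needed)
foreach ($u in $new) {
    Write-Host ("Pilot <- {0}" -f $u.Update.Title)
    Approve-WsusUpdate -Update $u -Action Install -TargetGroupName $pilotGroup
}

# 2. Updates already approved for Pilot, older than the soak period, with no failed
#    installs in Pilot, get promoted to Production. Anything with failures is held
#    and reported so a human looks at it instead of it silently reaching production.
$groups = $wsus.GetComputerTargetGroups()
$pilot  = $groups | Where-Object Name -eq $pilotGroup
$prod   = $groups | Where-Object Name -eq $prodGroup
$cutoff = (Get-Date).AddDays(-$soakDays)

$approved = @(Get-WsusUpdate -UpdateServer $wsus -Classification All -Approval Approved -Status Needed)
foreach ($u in $approved) {
    $pilotApproval = $u.Update.GetUpdateApprovals($pilot) | Where-Object Action -eq 'Install' | Select-Object -First 1
    $prodApproval  = $u.Update.GetUpdateApprovals($prod)  | Where-Object Action -eq 'Install' | Select-Object -First 1

    if (-not $pilotApproval -or $prodApproval) { continue }   # never piloted, or already promoted
    if ($pilotApproval.CreationDate -gt $cutoff) { continue } # still soaking in Pilot

    $summary = $u.Update.GetSummary($pilot)                   # install state across Pilot machines
    if ($summary.FailedCount -gt 0) {
        Write-Warning ("HOLD {0}: {1} Pilot machine(s) failed to install it" -f $u.Update.Title, $summary.FailedCount)
        continue
    }

    Write-Host ("Prod  <- {0} (in Pilot since {1:d})" -f $u.Update.Title, $pilotApproval.CreationDate)
    Approve-WsusUpdate -Update $u -Action Install -TargetGroupName $prodGroup
}
```

Run it from a scheduled task once a day and the "test" step stops depending on someone remembering to click Approve: a patch reaches production only after it has been in the pilot ring for a week without failures, and a patch that broke a pilot machine is flagged rather than promoted.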
Verify, verify, verify. A green deployment report is not the same thing as a patched server. Review your patch management application's logs, spot-check individual machines, and then run periodic scans with a vulnerability assessment tool (MBSA, the Microsoft Baseline Security Analyzer, used to fill this role but has since been retired by Microsoft) to confirm that every server actually received the patch, that any pending reboot was completed so the patch is in effect, and that new systems added to the network are fully up to date.
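Spot-checking does not have to mean logging on to each box. The PowerShell script below is an added example written for this page, not code from the original article; it asks each server's own Windows Update Agent what it still needs, checks the two registry markers Windows uses to flag a pending reboot, and confirms a specific KB is installed. The server names and the KB number are placeholders (assumptions), and it assumes you run it from a host with WinRM access to the targets.

```powershell
# Added example, not part of the original article.
# Post-patch verification across a set of servers over PowerShell remoting.
# Assumes: WinRM access to the targets; server names and KB number are placeholders.
$servers    = 'SRV-DC01', 'SRV-FILE01', 'SRV-APP01'   # assumed names
$requiredKb = 'KB5000000'                              # placeholder KB to spot-check

$report = Invoke-Command -ComputerName $servers -ArgumentList $requiredKb -ScriptBlock {
    param($kb)

    # Missing updates as seen by the local Windows Update Agent. The search honours
    # whatever update source the machine is configured for (WSUS or Microsoft Update).
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    $missing  = @($result.Updates | ForEach-Object { $_.Title })

    # Reboot-pending markers written by component servicing and by the update agent.
    # A patch that is installed but waiting on a reboot is not protecting anything yet.
    $rebootPending =
        (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
        (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')

    # Spot-check one specific KB the way an auditor would.
    $hasKb = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Server        = $env:COMPUTERNAME
        MissingCount  = $missing.Count
        Missing       = ($missing -join '; ')
        RebootPending = $rebootPending
        HasRequiredKb = $hasKb
        LastBoot      = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    }
}

$report |
    Sort-Object MissingCount -Descending |
    Format-Table Server, MissingCount, RebootPending, HasRequiredKb, LastBoot -AutoSize

# Anything that is not clean is a follow-up item, not a pass.
$notClean = @($report | Where-Object { $_.MissingCount -gt 0 -or $_.RebootPending -or -not $_.HasRequiredKb })
if ($notClean.Count -gt 0) {
    Write-Warning ("{0} server(s) are not fully patched:" -f $notClean.Count)
    $notClean | Format-List Server, Missing, RebootPending, HasRequiredKb
}
```

Feed the same script your inventory list rather than a hand-typed array and the "new system nobody told us about" case is covered too: a server that appears in the directory but not in WSUS will show up here with a long Missing column. Note that the Windows Update Agent only allows searching over remoting; installing through it remotely is refused, which is one more reason to leave installation to WSUS or your patching product.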
Redundancy is your friend. Nobody wants to spend an entire evening patching. Redundancy for all critical services lets you patch during the day, one node at a time, while the service stays up. That improves work-life balance, sure, but it also means that if a patch does go awry, all hands are already on deck, wide awake, and able to help, rather than leaving whoever drew the short straw to figure it out alone in the middle of the night or waking everyone else up to assist. Look for redundant domain controllers, DHCP scopes split across two servers (or DHCP failover) rather than a single DHCP server, DFS Namespaces with DFS Replication (the successor to FRS) instead of a single file server, NLB or clustered applications, and so on, to keep single-instance services to a minimum.

Desktop Patch Management

24HRS Network helps customers and their IT teams with one of the most challenging problems facing businesses today: keeping remote workstations current. Without this maintenance the entire company is put at risk, and simply relying on built-in updates is not sufficient when you are dealing with a large number of workstations. We implement solutions tailored to your needs in accordance with standards such as the SANS® Institute's InfoSec methodology, which has been the standard since 2003. This takes monitoring and enforcement off your IT staff's plate, allowing them to focus on the revenue-generating part of your business.