Prioritizing critical Windows patches


Serdar Yegulalp
10.20.2004




Every Patch Tuesday, Windows administrators are faced with a daunting task -- in what order should they patch all those vulnerabilities? SearchWindowsSecurity.com contributor Serdar Yegulalp offers the following steps to help you prioritize your patch order.


One of the most bewildering responsibilities that can fall on the shoulders of any administrator is deciding how to prioritize the application of service packs, post-service-pack hotfixes and critical updates. Service packs are Microsoft's distribution of product updates; post-service-pack hotfixes are files designed to fix specific problems in software that has already been installed; and critical updates help resolve known issues and protect your computer from security vulnerabilities. The trouble comes when you have to prioritize and apply one patch over another.

Each service pack and post-service-pack hotfix is tracked with a Knowledge Base document number describing what problems it repairs and whether or not it has been superseded by another. To a high degree, Microsoft has lessened confusion by ensuring that any patch eclipsed by another patch is removed, both from Microsoft's own site and from the systems it's been installed on.

That said, a certain order should be followed when patching a system.

1. Add the most recent service pack for your operating system
Use the full-download version of the service pack whenever possible. It replaces every single component "touched" by the previous service pack, and enables the option to uninstall the service pack if needed. Make sure the computer has enough free space to allow for a rollback of the service pack in case something goes wrong. The amount of free space will vary, but for Windows XP Service Pack 2 it's a good idea to have at least 1 GB of free space on the system partition.

2. Update hardware drivers as needed
Some service pack revisions break driver compatibility, and some drivers are compatible only with higher-revision service packs in some versions of Windows. Some of these drivers are upgraded by a service pack, but not all -- so it's best not to chance it. Network controllers, video cards and disk controllers are three of the most common types of hardware affected by this sort of thing. This may require some research, since devices that require updated drivers may not be sniffed out by Windows Update.

3. Update DirectX if needed
It's easy to forget about DirectX, Windows' multimedia subsystem, especially since many programs use it in an indirect way. The latest revision of DirectX is 9.0c; use the dxdiag utility to find out if a given system needs to be updated.

4. Use Windows Update to obtain any remaining security patches
Microsoft recommends setting a computer to automatically obtain and install upgrades silently, although you can just as easily run Windows Update by hand to get the latest updates. It's probably good to do this the first time with a system that's being managed closely (i.e., a server), and then set it to be updated automatically. Scheduled automatic updates should be done at a time when they're not likely to interfere with work, since they will almost always require a restart.

5. Run a program like Qfecheck or the Microsoft Baseline Security Analyzer to poll the system(s) in question
Qfecheck is a Microsoft-provided command-line tool that enumerates all of the installed fixes in a given system by Knowledge Base article number. The Microsoft Baseline Security Analyzer is even more detailed, allowing you to scan one or more systems for needed updates among a broad range of Microsoft products -- not just Windows itself, but SQL Server, Internet Information Services, etc.

6. Run updates for third-party programs, if any
LiveUpdate for the Symantec line of products downloads upgrades specifically for its software; don't forget to make sure that's up to date as well.

If you're setting up a new installation of Windows Small Business Server 2003, the patch order and the installation are pretty tightly coupled. Click here for an overview of the patch order for SBS2K3.
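
As an added illustration of the audit in step 5 (not part of the original tip and not Microsoft tooling), the following Python sketch takes the Knowledge Base numbers found in an audit report, compares them with a required baseline, and treats a fix as covered when a patch that supersedes it is installed. All KB numbers, the host name and the report lines are constructed placeholders; the report text is not actual Qfecheck or MBSA output.

```python
import re

# Matches Knowledge Base identifiers in either the KBnnnnnn or older Qnnnnnn form.
KB_RE = re.compile(r"\b(?:KB|Q)(\d{6,7})\b", re.IGNORECASE)

def extract_kbs(report_text):
    """Return the set of KB numbers found in the text, normalized to 'KBnnnnnn'."""
    return {"KB" + m.group(1) for m in KB_RE.finditer(report_text)}

def covered_by(kb, installed, superseded_by, _seen=None):
    """True if kb is installed, or a patch superseding it is (followed transitively)."""
    seen = _seen if _seen is not None else set()
    if kb in installed:
        return True
    if kb in seen:  # guard against a cyclic (bad) supersedence map
        return False
    seen.add(kb)
    return any(covered_by(newer, installed, superseded_by, seen)
               for newer in superseded_by.get(kb, ()))

def missing_fixes(required, installed, superseded_by):
    """Required fixes that are neither installed nor covered by a newer patch."""
    return sorted(kb for kb in required
                  if not covered_by(kb, installed, superseded_by))

# --- Constructed sample data (hypothetical host and KB numbers) ---
SAMPLE_REPORT = """\
host: WS-EXAMPLE-01
KB900002 installed
Q900004 installed
kb900005 installed
"""
REQUIRED = ["KB900001", "KB900002", "KB900003", "KB900006"]
SUPERSEDED_BY = {
    "KB900001": ["KB900010"],  # 1 -> 10 -> 4, and 4 is installed: covered
    "KB900010": ["KB900004"],
    "KB900003": ["KB900007"],  # 3 -> 7 -> 8, none installed: missing
    "KB900007": ["KB900008"],
    "KB900006": ["KB900009"],  # deliberately cyclic entries: missing, no infinite loop
    "KB900009": ["KB900006"],
}

if __name__ == "__main__":
    installed = extract_kbs(SAMPLE_REPORT)
    print("Installed:", sorted(installed))
    print("Missing:  ", missing_fixes(REQUIRED, installed, SUPERSEDED_BY))
```

The supersedence map has to come from the Knowledge Base articles themselves, since each one states whether its fix has been replaced by another.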


