As many patch management tool vendors tout new product features and the wonders of automation, it's important to step away from the hype and understand the good and the bad points of automating patch management in Windows. Overall, the pros outweigh the cons.
The benefits are pretty obvious. Automation will always keep your systems up to date with the latest patches. An automated system means that the administrative burden is reduced significantly. And systems that are up to date tend to work better. This means that your overworked support staff might have an easier time keeping the users' machines up and running.
Although I just breezed through the benefits of automated patch management, the pluses shouldn't be taken lightly. Each of these benefits can have a significantly positive impact on an organization.
But there are some cons to keep in mind.
One of the most overlooked negative aspects of automated patch management? It tends to make an administrator's job a little too easy.
Suppose that an admin sets up an automated patch management system for a medium-sized organization. For the first few weeks, the admin likely will check the patch management system's logs diligently. After all, it's a new system, and the admin needs to ensure that it's working properly.
As time goes by, however, those logs become easier to ignore. Why? Because admins get busy -- there are always more important tasks than checking logs on a system that has always worked perfectly.
Eventually, patch management logs become as neglected as audit logs. I've seen countless administrators enable auditing but never check the logs unless something happens.
Sometimes, a patch can be a disease in prevention's clothing.
If the system is truly automated, then patches are deployed without your approval. If a patch happens to be buggy, then it could be distributed automatically across the entire organization, potentially crashing and crippling all the computers it touches by breaking applications or creating new vulnerabilities. Yes, many systems offer a rollback feature, but actually performing such a task on a large number of PCs can be very time consuming.
One final downside to automated patch management is that a malicious insider or hacker could use the system as a mechanism for distributing malicious code. I'll admit that Microsoft uses code signing and other safeguards to prevent anything other than authentic code from being distributed. But Microsoft is a big and tempting target, and I think it's only a matter of time before someone figures out how to spoof the company's code signature.
Even if you disagree with me, you must admit that almost all software companies occasionally release patches for their products, and there are many companies in addition to Microsoft that offer automated patch management solutions. From a security standpoint, some of these products are written better than others. It could conceivably be easy to use a low-end patch management solution as a distribution point for malicious code.
Despite the caveats, I personally believe automated patch management is a good idea as long as you use the solution responsibly. This means checking the logs on a daily basis and picking a product that has a reputation for security.
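The two responsibilities the article ends on, reviewing the patch logs daily and not trusting an unverified package, can be put into a routine that runs on a schedule instead of relying on an administrator's memory. The script below is an added example and is not from the original article or any vendor's product; the staging folder path, the approved signer name, the look-back window and the use of the Windows Update client's System-log events (IDs 19 and 20) are assumptions you would adapt to your own environment.

```powershell
# Added example (not from the original article): a daily check for an
# automated Windows patching pipeline. It (1) refuses to stage any update
# package whose Authenticode signature is not valid and from the expected
# publisher, and (2) summarises the Windows Update client events from the
# System log so a failed installation is noticed the same day instead of
# sitting in a log nobody reads.

# Hypothetical staging folder and approved publisher subject (assumptions).
$StagingDir     = 'C:\PatchStaging'
$ApprovedSigner = 'CN=Microsoft Corporation'   # matched as a subject prefix
$LookbackDays   = 1

function Test-PatchSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        File     = Split-Path $Path -Leaf
        Status   = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer   = $subject
        Approved = ($sig.Status -eq 'Valid') -and $subject.StartsWith($ApprovedSigner)
    }
}

# 1. Signature gate: anything that is not Valid *and* from the approved signer
#    is reported and withheld from the distribution system.
$results = @(Get-ChildItem -Path $StagingDir -Include *.msu, *.cab, *.exe -Recurse -File |
    ForEach-Object { Test-PatchSignature -Path $_.FullName })

$results | Format-Table -AutoSize
$rejected = @($results | Where-Object { -not $_.Approved })
if ($rejected.Count -gt 0) {
    Write-Warning ("{0} package(s) failed the signature gate and will not be staged." -f $rejected.Count)
}

# 2. Log review: the Windows Update client records event 19 (installation
#    succeeded) and 20 (installation failed) in the System log; the first
#    event property carries the update title.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
    Id           = 19, 20
    StartTime    = (Get-Date).AddDays(-$LookbackDays)
} -ErrorAction SilentlyContinue)

$summary = $events | Group-Object Id | ForEach-Object {
    [pscustomobject]@{
        Outcome = if ($_.Name -eq '19') { 'Installed' } else { 'Failed' }
        Count   = $_.Count
        Updates = ($_.Group | ForEach-Object { $_.Properties[0].Value } | Sort-Object -Unique) -join '; '
    }
}
$summary | Format-Table -AutoSize -Wrap

# Exit non-zero on any rejected package or failed installation so the
# scheduled task or monitoring job raises the day as needing attention.
$failed = @($events | Where-Object { $_.Id -eq 20 })
if ($rejected.Count -gt 0 -or $failed.Count -gt 0) { exit 1 }
```

Run it from a scheduled task on the machine that feeds the distribution system and on a sample of managed clients; the non-zero exit code is what turns "someone should read the logs" into an alert that is hard to ignore, which is the failure mode the article describes. A hash mismatch or an unsigned package in the staging folder is exactly the case where a buggy or tampered update would otherwise ride the automation out to every machine.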
About the author: Brien M. Posey is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.
This was first published in June 2005