In this two-part series, SearchWindowsSecurity.com contributor Serdar Yegulalp identifies tools and techniques for easing the pains of patch management. Part one discusses three different tools for automating processes and updating your systems. Part two below offers three techniques to simplify patch processes.
Many consider it a job in itself to keep dozens or hundreds of computers patched with the latest and greatest Microsoft updates -- and it's not a fun job at that. You can alleviate some of your patching pains with the three techniques below, from keeping a pre-patched machine image on hand to selecting the best service pack version. Use these techniques in conjunction with the tools discussed in my previous tip.
Have one authoritative source in your organization for patches
This should be obvious. Don't let systems in your organization get their updates from a mix of Microsoft Update, your central server and patches distributed by hand or on CD. Pick a source and a corresponding delivery mechanism and stick with it, whether it's a locally-administered patch server or Microsoft Update itself. Not only does this grant tighter control over what goes into your systems, but it also cuts down on bandwidth usage, especially if you're performing controlled patch management from inside your organization.
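One way to check that a machine really draws from the single source you picked, as an added example that is not part of the original article: this PowerShell script reads the Windows Update policy registry values and compares them with the expected server. The server URL is a hypothetical placeholder, and the script assumes a local patch server is assigned through the standard Windows Update policy keys.

```powershell
# Added example: audit which update source this machine is configured to use.
param(
    # Hypothetical placeholder; set to '' if Microsoft Update is your chosen source.
    [string]$ExpectedServer = 'http://patch.example.internal:8530'
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (no policy configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$wuServer     = Get-PolicyValue -Path $wuKey -Name 'WUServer'
$statusServer = Get-PolicyValue -Path $wuKey -Name 'WUStatusServer'
$useWUServer  = Get-PolicyValue -Path $auKey -Name 'UseWUServer'

# The local server is only honoured when UseWUServer is 1 and WUServer is set.
$usesLocal = ($useWUServer -eq 1) -and [bool]$wuServer
$findings  = @()

if ($wuServer -and $useWUServer -ne 1) {
    $findings += 'WUServer is set but UseWUServer is not 1, so the client ignores it'
}
if ($useWUServer -eq 1 -and -not $wuServer) {
    $findings += 'UseWUServer is 1 but no WUServer is configured'
}
if ($usesLocal -and $statusServer -and $statusServer -ne $wuServer) {
    $findings += "WUStatusServer ($statusServer) differs from WUServer ($wuServer)"
}
if ($ExpectedServer) {
    if (-not $usesLocal) {
        $findings += 'Expected the local patch server, but the machine falls back to Microsoft Update'
    } elseif ($wuServer.TrimEnd('/') -ne $ExpectedServer.TrimEnd('/')) {
        $findings += "Points at $wuServer instead of $ExpectedServer"
    }
} elseif ($usesLocal) {
    $findings += "Expected Microsoft Update, but a local server is enforced: $wuServer"
}

[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    Source    = if ($usesLocal) { $wuServer } else { 'Microsoft Update' }
    Compliant = ($findings.Count -eq 0)
    Findings  = $findings -join '; '
}
```

The script emits one object per machine, so the results from many systems can be collected and sorted on the Compliant column to find the stragglers.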
Keep a pre-patched machine image on hand
This works best when you have a great deal of consistency among computers in your organization. It helps to have a machine set aside dedicated to being nothing but the "Ur-Computer" -- the system from which all operating system images will be built. Keep this machine patched and updated, and build a new image from it once a month or so. When it comes time to re-image a machine, you'll have something relatively recent to work from and won't be fumbling to get things up to date.
Use the network installation versions of service packs
The network installation version of a service pack is a complete download in one file. (One is available for XP SP2, for example.) As big as it is, it's one less thing to download over and over again, and even if you think you're only patching one system, it may come in handy later. Also, the full distribution of a service pack tends to do a slightly more complete job of patching a system than the incremental version (where individual files are downloaded as needed).
Return to part one for three tools to ease patching pains.
This was first published in November 2004