Problem solve Get help with specific problems with your technologies, process and projects.

Expert how-tos: Preparing for enterprise-wide patch deployment

This tip features two Windows-security experts' responses to the question, "What are your top patch management tips?" and a list of top patching resources.

A strong patch management plan is a must for Windows security professionals whose chore it is to keep up with the latest updates and fixes. To get you on track, this tip offers best practices from two patch management experts. While their advice isn't designed to make patching any more fun, it will make the patching process smoother. Learn about one expert's approach to an enterprise-wide patching strategy and another's insights on how to best take advantage of Microsoft's new early notice on patches. Then check out the latest patch management news and tips in our Learning Center.

Know your environment

Submitted by Jason Chan, Consulting Services Technical Lead, Symantec Professional Services Co-Moderator, mailing list

As with most IT problems, there is no silver bullet to solve the issue of patch management. Responsible administrators often want to rush to implement an automated solution for enterprise-wide patch deployment, but I recommend stepping back and surveying the situation first.

When implementing any patch management tool or process, you are looking for quick, successful deployments across your entire environment. Key to reaching this goal is understanding your entire network and all the systems that are under your responsibility. While I often find that the majority of an organization's computers are managed to some degree (or at least are in inventory management systems), there are many other systems touching your network that you likely have little control over, if you even know they exist. These systems are often found in labs, QA environments or as an employee's secondary machine.

Even if you are unable to manage these systems administratively, you must know where they are and whether or not they are increasing your environment's level of risk because they are behind on patches. Network management and discovery tools can often provide a primary means of identifying these unknown systems. Also, many security and vulnerability scanners can assist in this discovery. And, as they advance, some patch management solutions have the ability to locate unmanaged or undocumented systems on your network. However, before using these types of tools for discovery, first understand whether there are any holes in your existing asset management system or processes -- filling these gaps should be your first step in identifying the hosts that populate your environment.

Early notice is where it's at

Submitted by Mark Burnett, Windows security consultant and author of Hacking the Code: ASP.NET Application Security

Be sure to plan around Patch Tuesday, the second Tuesday of every month, when Microsoft releases their monthly updates. Although they will occasionally release updates on other days to address high priority issues, you can usually expect something to come out that second Tuesday. Be sure to schedule free time that day to research and deploy the new fixes. Microsoft now provides advanced notice of patches, available the Thursday before Patch Tuesday. The advance notifications will include the number of bulletins that might be released, the anticipated severity ratings and the products that might be affected. This will help you better plan for the updates.

Once you have advance notification and know what products will be updated, you can prepare test systems and develop a test plan. You can also determine which of your critical systems will be affected by the updates.

Whenever Microsoft releases new updates, I carefully review the security bulletin and any third party advisories. I check to see what specific files the update will replace and determine what applications or services depend on these files. Next, if the issue is severe enough, I update any firewall or IDS rules. Finally, I try to find any alternative fixes that I can integrate with my hardening process.

More patch management resources

Check out's Learning Center: Simplified patch management for more best practices, news, tips, book excerpts and resources.

How do you patch your systems? Submit a tip and we'll post it on the site.

Dig Deeper on Windows legacy operating systems

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.