Know your environment
Submitted by Jason Chan, Consulting Services Technical Lead, Symantec Professional Services; Co-Moderator, patchmanagement.org mailing list
As with most IT problems, there is no silver bullet to solve the issue of patch management. Responsible administrators often want to rush to implement an automated solution for enterprise-wide patch deployment, but I recommend stepping back and surveying the situation first.
When implementing any patch management tool or process, you are looking for quick, successful deployments across your entire environment. Key to reaching this goal is understanding your entire network and all the systems that are under your responsibility. While I often find that the majority of an organization's computers are managed to some degree (or at least are in inventory management systems), there are many other systems touching your network that you likely have little control over, if you even know they exist. These systems are often found in labs, QA environments or as an employee's secondary machine.
Even if you are unable to manage these systems administratively, you must know where they are and whether or not they are increasing your environment's level of risk because they are behind on patches. Network management and discovery tools can often provide a primary means of identifying these unknown systems. Also, many security and vulnerability scanners can assist in this discovery. And, as they advance, some patch management solutions have the ability to locate unmanaged or undocumented systems on your network. However, before using these types of tools for discovery, first understand whether there are any holes in your existing asset management system or processes -- filling these gaps should be your first step in identifying the hosts that populate your environment.
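As an added example (not part of either contributor's tip), the reconciliation step described above in code: a discovery sweep is compared against the asset inventory to surface hosts the inventory has never heard of, inventoried hosts that are outside patch management, and inventory records that no longer answer on the network. The inventory columns, host names and addresses are constructed sample data, not from any real environment.

```python
"""Reconcile a network-discovery sweep against the asset inventory."""
import csv
import io
import ipaddress

# Constructed asset inventory export; column names are assumptions.
INVENTORY_CSV = """hostname,ip,owner,patch_managed
FILESRV01,10.0.1.10,IT Ops,yes
WEB01,10.0.1.20,IT Ops,yes
LAB-BUILD3,10.0.5.30,QA,no
OLDPRINT,10.0.1.99,Facilities,yes
"""

# Constructed discovery-tool output: one "ip hostname" pair per line.
DISCOVERY_TXT = """10.0.1.10 filesrv01
10.0.1.20 web01
10.0.5.30 lab-build3
10.0.5.31 lab-build4
10.0.9.200 jsmith-laptop2
"""

def load_inventory(text):
    """Index inventory rows by normalized IP; lower-case hostnames for comparison."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        ip = str(ipaddress.ip_address(row["ip"].strip()))
        rows[ip] = {"hostname": row["hostname"].strip().lower(),
                    "owner": row["owner"].strip(),
                    "patch_managed": row["patch_managed"].strip().lower() == "yes"}
    return rows

def load_discovery(text):
    """Parse discovery output into {ip: hostname}, skipping blank lines."""
    seen = {}
    for line in text.splitlines():
        if line.strip():
            ip, host = line.split(None, 1)
            seen[str(ipaddress.ip_address(ip))] = host.strip().lower()
    return seen

def reconcile(inventory, discovered):
    """Classify every host: unknown to inventory, inventoried but unmanaged, or stale."""
    report = {"unknown": [], "unmanaged": [], "stale": []}
    for ip, host in discovered.items():
        rec = inventory.get(ip)
        if rec is None:
            report["unknown"].append((ip, host))      # on the wire, not in inventory
        elif not rec["patch_managed"]:
            report["unmanaged"].append((ip, host, rec["owner"]))
    for ip, rec in inventory.items():
        if ip not in discovered:
            report["stale"].append((ip, rec["hostname"]))  # inventory says it exists; sweep did not see it
    return report

if __name__ == "__main__":
    for category, hosts in reconcile(load_inventory(INVENTORY_CSV), load_discovery(DISCOVERY_TXT)).items():
        print(category, hosts)
```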
Early notice is where it's at
Submitted by Mark Burnett, Windows security consultant and author of Hacking the Code: ASP.NET Application Security
Be sure to plan around Patch Tuesday, the second Tuesday of every month, when Microsoft releases its monthly updates. Although it will occasionally release updates on other days to address high-priority issues, you can usually expect something to come out that second Tuesday. Be sure to schedule free time that day to research and deploy the new fixes. Microsoft now provides advance notice of patches, available the Thursday before Patch Tuesday. The advance notifications will include the number of bulletins that might be released, the anticipated severity ratings and the products that might be affected. This will help you better plan for the updates.
Once you have advance notification and know what products will be updated, you can prepare test systems and develop a test plan. You can also determine which of your critical systems will be affected by the updates.
Whenever Microsoft releases new updates, I carefully review the security bulletin and any third-party advisories. I check to see what specific files the update will replace and determine what applications or services depend on these files. Next, if the issue is severe enough, I update any firewall or IDS rules. Finally, I try to find any alternative fixes that I can integrate with my hardening process.
More patch management resources
Check out SearchWindowsSecurity.com's Learning Center: Simplified patch management for more best practices, news, tips, book excerpts and resources.