
Expert how-tos: What you need in a patch management solution

This tip features two Windows-security experts' responses to the question, "How do you choose a patch management solution?" and provides additional resources on patching.

Look at any Windows administrator's calendar, and you'll see a big circle around the second Tuesday of every month. Now take out a pen and put a bigger circle around the Thursday before Patch Tuesday. That's the day Microsoft releases its advance notification of the coming patches. The early notice does offer relief to the many IT departments that were routinely overwhelmed on Patch Tuesday -- but only for those with the right patch management tools and policies in place. Otherwise, they may simply spend even more time getting the same patches working. Let these two patch management experts help you begin the process of choosing a patching product and maintaining a strong policy. Find out which questions you should ask and what factors to consider when assessing your organization's needs.

Choosing a patch management solution

Submitted by Jason Chan, Consulting Services Technical Lead, Symantec Professional Services, and Co-Moderator, mailing list

Choosing and implementing a patch management solution, whether developed in-house or purchased from a third-party vendor, is much like any significant IT implementation project. Requirements must be identified, timelines must be created, resources (financial and human) must be allocated and solutions must be examined for benefits and drawbacks. But, because the patch management market (including products, practitioners and best practices) is relatively new, I find that many IT and security professionals struggle with how to get started when choosing a solution for patch management.

There are certainly many factors to be considered in this decision, including:

  • Support for the operating systems and applications in use
  • Service level agreements tied to patch release
  • Cost of acquisition and maintenance
  • Solution complexity (and the skill needed to operate)

I argue, however, that while these issues are important, the most critical factor for selecting a patch management solution is the solution's ability to implement your organization's patch management policy. Much has been written on the key elements of patch management policy, and for good reason. A solid and comprehensive patch policy provides the foundation for successful patch management in your organization and spells out the criteria that your patch solution will be judged against.

Just as a firewall is simply a tool to enforce your organization's security policy, your patch management solution must be seen as a tool for the direct implementation of your patch management policy. Here are some important questions to ask:

  • Can the product roll out patches on the schedule that your policy dictates?

  • Can it support the rollback requirements that your policy requires?

  • Can it facilitate the pre-rollout testing that you need?

The closer the solution's capabilities match up to the requirements specified in your patch management policy, the greater the chance of your expectations being met.

Buy or build patching tools

Submitted by Mark Joseph Edwards, Senior Contributing Editor for Windows IT Pro and News Editor of the weekly e-mail-based Security UPDATE Newsletter. He has been involved in the computing industry since 1982.

When considering patch management solutions, administrators should determine whether a particular solution covers all of their needs or at least their most important needs. Here are some important questions to ask:

  • Does the solution handle your most prevalent and most important operating systems, applications and service platforms?

  • Can the solution handle patch management from various major vendors?

  • Can the solution audit which patches are installed against a database of patches that are available to install?

  • Is the solution prone to false detection of installed or missing patches?

  • Does the vendor provide reasonable support in the event of problems?

Even with a good patch management solution in place there still may be situations where you need to develop your own scripts or programs to make sure patches are installed adequately across all applications and platforms. The somewhat recent problem with the JPEG GDI+ vulnerability is a good case in point. Microsoft issued a patch and a tool that can scan systems to see if the patch is required. However, the particular DLL that contained the vulnerability is also distributed by many third-party vendors as part of their applications. Since Microsoft isn't in a position to know which of those third-party applications include the DLL, administrators found themselves scrambling to come up with ways to find all copies of the vulnerable DLL on their systems. Many resorted to writing their own scripts or programs to help with the discovery and DLL replacement process.

I recommend that all administrators charged with patch management consider joining's mailing list, or at least consider reading the Web-based archives from time to time. The mailing list is a fantastic resource where administrators share tips and know-how regarding their ongoing experiences with various patch management solutions, patch installation and troubleshooting, various related tools such as custom scripts and programs, and much more.
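The discovery problem Edwards describes, as an added example rather than anything from the original article: a Python inventory script that walks a directory tree, finds every copy of a named DLL regardless of which installer dropped it, reads the file version from the binary's VS_FIXEDFILEINFO block and flags copies older than the patched build. The patched build number and the sample tree are constructed placeholders; PATCHED_VERSION must be replaced with the value from the vendor's bulletin.

```python
import os
import struct
import tempfile

# VS_FIXEDFILEINFO opens with this signature; dwFileVersionMS/LS follow it.
FIXEDFILEINFO_SIG = struct.pack("<I", 0xFEEF04BD)
# Placeholder build number: the real one comes from the vendor's bulletin.
PATCHED_VERSION = (5, 1, 3102, 1360)

def file_version(data):
    """(major, minor, build, private) from the VS_FIXEDFILEINFO block, or None.
    Finds the block by signature, so no full PE resource walk is needed."""
    idx = data.find(FIXEDFILEINFO_SIG)
    if idx < 0 or idx + 16 > len(data):
        return None
    _sig, _struc, ms, ls = struct.unpack_from("<4I", data, idx)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)

def audit_dll(root, dll_name, patched=PATCHED_VERSION):
    """Find every copy of dll_name under root and classify it by file version."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != dll_name.lower():
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                ver = file_version(fh.read())
            # unknown: no version resource, inspect by hand; VULNERABLE: replace it
            status = ("unknown" if ver is None else
                      "patched" if ver >= patched else "VULNERABLE")
            report[os.path.relpath(path, root).replace(os.sep, "/")] = (ver, status)
    return report

def make_fake_dll(v):
    """Constructed stand-in for a DLL: an MZ header plus a VS_FIXEDFILEINFO block."""
    return (b"MZ" + b"\0" * 62 + "VS_VERSION_INFO\0".encode("utf-16-le")
            + struct.pack("<4I", 0xFEEF04BD, 0x10000, v[0] << 16 | v[1], v[2] << 16 | v[3]))

def demo():
    """Constructed tree: patched vendor copy, old third-party copy, stripped build."""
    root = tempfile.mkdtemp()
    samples = {"Windows/system32/gdiplus.dll": make_fake_dll(PATCHED_VERSION),
               "Program Files/PhotoApp/gdiplus.dll": make_fake_dll((5, 1, 3097, 0)),
               "Tools/GdiPlus.DLL": b"MZ" + b"\0" * 100}
    for rel, blob in samples.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(blob)
    return audit_dll(root, "gdiplus.dll")
```

Run `demo()` to see the report on the constructed tree; against a real system, call `audit_dll` on a drive root and feed the VULNERABLE entries to your replacement process.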

More patch management resources

  • Essentials of patch management policy and practice (Jason Chan)
  • Whitepaper on patch management process (Microsoft)
  • Procedures for handling security patches (NIST)

Check out's Learning Center: Simplified patch management for more best practices, news, tips, book excerpts and resources.

Do you build or buy your patching tools? Submit your patching tricks, and we'll post them on the site.
