Server and Workstation Patch Management

The following article is being reposted from our friends at GFI software. We currently use GFI software to scan and report on systems for our clients. For most small organizations, manual patch management, with regular quarterly maintenance and installation of critical must install patches will prevent most malware problems. As an organization grows, you should look into a centralized patching and monitoring setup. Don’t limit it to just your Antivirus and Windows update patching, all applications have patches available to address security flaws.

Here are the highlights of Ed Fisher’s article:

Intro The care and feeding of your network includes the regular patching of all your servers and workstations. Whether Microsoft, Unix, Linux, or Mac, all computers need patches. Patches address bugs, fix compatibility or usability issues, and help defend against attacks and malware. Patch management is an ongoing responsibility for all systems administrators, and is easy to do with just a few guidelines.

Keeping up with patches The biggest challenge of patching is keeping up with the patches themselves. Vendor mailing lists including Microsoft Security bulletins, the SANS Institute mailings, and security bulletins from your vendors are all designed to keep you informed of security issues and new patch releases. Subscribe your IT Team’s distribution list to these, and review them each week during the team meeting to keep everyone informed and ensure that nothing is missed. See the end of this article for links to other security mailing lists.

Don’t forget applications Everyone thinks about operating systems, but just as important are patches for applications. Many applications interact with websites directly or through downloaded content, and are frequently exploited. Media players, antivirus software, document readers, and all others must be kept up to date. Maintaining and enforcing a list of approved software in your network, and subscribing to the vendors’ mailing lists will help you keep track of what patches need to be deployed and to which systems.

Testing patches While patches are intended to fix issues, occasionally they may introduce new ones through incompatibilities or other problems. Before deploying patches to production, it is critical that you test them on a representative group of workstations and servers in the environment. Enlist members of the helpdesk and personnel from other business units to help test with early deployments. Should a problem exist with a patch, you will detect it before it can affect the entire business.

Deploying patches The goals for patching should include 100% compliance, timely patching of all systems, and verification. Ensure management understands the importance of patching and supports it fully. Establish maintenance windows to deploy patches and reboot systems when necessary. Many patches are released to address publicly disclosed vulnerabilities; others may point to the existence of vulnerable code. Delays in applying patches increase your risks from malware and attacks, and also the chance that bugs in the unpatched code could lead to system instabilities and downtime. When choosing a patch management system, choose one that can push to systems on a timed basis, verify that the patch installed correctly, and generate reports across all systems. This provides great metrics for management, and helps ensure that no system was missed.

Reverting patches Even with testing, it may be necessary to uninstall a patch. Reporting on all patches deployed to a system, and all systems that received a particular patch are both critical, and having a system that can uninstall patches as well install them is a good safeguard against problems.

Wrap up Patching both operating systems and applications is a regular part of network maintenance. Having the right tools and procedures in place, and support from management, contribute towards making patch management a success.


About SCB Enterprises
System Solutions and Integration

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: