In Ed's own words, "I’m that guy. You know the one. When things are broken, I fix them. When they don't make sense, I explain them. When nothing is getting done, I do it. When a void occurs, I fill it. When there is silence on the call, I state the necessary. An InfoTech professional, aficionado of capsaicin, and Coffea canephora (but not together,) I've been getting my geek on full-time since 1993, and have worked with information technology in some capacity since 1986. I've worked on global scale environments for Doosan, Ingersoll Rand, Microsoft(blue,) EDS/Bank of America, an international financial services firm, and as a consultant for numerous companies and various city, state, and federal government agencies."
Intro
The care and feeding of your network includes the regular patching of all your servers and workstations. Whether Microsoft, Unix, Linux, or Mac, all computers need patches. Patches address bugs, fix compatibility or usability issues, and help defend against attacks and malware. Patch management is an ongoing responsibility for all systems administrators, and is easy to do with just a few guidelines.
Keeping up with patches
The biggest challenge of patching is keeping up with the patches themselves. Vendor mailing lists including Microsoft Security bulletins, the SANS Institute mailings, and security bulletins from your vendors are all designed to keep you informed of security issues and new patch releases. Subscribe your IT Team’s distribution list to these, and review them each week during the team meeting to keep everyone informed and ensure that nothing is missed. See the end of this article for links to other security mailing lists.
Don’t forget applications
Everyone thinks about operating systems, but just as important are patches for applications. Many applications interact with websites directly or through downloaded content, and are frequently exploited. Media players, antivirus software, document readers, and all others must be kept up to date. Maintaining and enforcing a list of approved software in your network, and subscribing to the vendors’ mailing lists will help you keep track of what patches need to be deployed and to which systems.
Testing patches
While patches are intended to fix issues, occasionally they may introduce new ones through incompatibilities or other problems. Before deploying patches to production, it is critical that you test them on a representative group of workstations and servers in the environment. Enlist members of the helpdesk and personnel from other business units to help test with early deployments. Should a problem exist with a patch, you will detect it before it can affect the entire business.
Deploying patches
The goals for patching should include 100% compliance, timely patching of all systems, and verification. Ensure management understands the importance of patching and supports it fully. Establish maintenance windows to deploy patches and reboot systems when necessary. Many patches are released to address publicly disclosed vulnerabilities; others may point to the existence of vulnerable code. Delays in applying patches increase your risks from malware and attacks, and also the chance that bugs in the unpatched code could lead to system instabilities and downtime. When choosing a patch management system, choose one that can push to systems on a timed basis, verify that the patch installed correctly, and generate reports across all systems. This provides great metrics for management, and helps ensure that no system was missed.
Reverting patches
Even with testing, it may be necessary to uninstall a patch. Reporting on all patches deployed to a system and on all systems that received a particular patch are both critical, and having a system that can uninstall patches as well as install them is a good safeguard against problems.
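An added example, not from the original article or from any particular patch management product: the two report views named under Deploying patches and Reverting patches (patches per system, systems per patch), plus the hosts that were missed and the compliance figure. The host names, patch labels, and status values are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (hypothetical host names and patch labels).
HOSTS = ["ws-01", "ws-02", "srv-01", "srv-02"]
REQUIRED = ["PATCH-A", "PATCH-B"]
# (host, patch, status) rows, oldest first, as a deployment tool might export them.
RESULTS = [
    ("ws-01", "PATCH-A", "installed"),
    ("ws-01", "PATCH-B", "installed"),
    ("ws-02", "PATCH-A", "installed"),
    ("ws-02", "PATCH-B", "failed"),
    ("srv-01", "PATCH-A", "installed"),
    ("srv-01", "PATCH-B", "installed"),
    ("srv-01", "PATCH-B", "uninstalled"),  # PATCH-B was later rolled back here
    # srv-02 never reported: it must show up as missed, not as compliant
]

def build_report(hosts, required, results):
    """Return per-host and per-patch views, gaps, and overall compliance."""
    state = {}  # (host, patch) -> most recent reported status
    for host, patch, status in results:
        state[(host, patch)] = status
    by_host = defaultdict(list)   # host -> patches verified as installed
    by_patch = defaultdict(list)  # patch -> hosts where it is verified installed
    missing = defaultdict(list)   # host -> required patches not verified
    for host in hosts:
        for patch in required:
            if state.get((host, patch)) == "installed":
                by_host[host].append(patch)
                by_patch[patch].append(host)
            else:
                missing[host].append(patch)
    reported = {h for h, _, _ in results}
    silent = [h for h in hosts if h not in reported]   # in inventory, no data
    compliant = [h for h in hosts if h not in missing]
    pct = 100.0 * len(compliant) / len(hosts) if hosts else 0.0
    return {"by_host": dict(by_host), "by_patch": dict(by_patch),
            "missing": dict(missing), "silent": silent, "compliance_pct": pct}

if __name__ == "__main__":
    report = build_report(HOSTS, REQUIRED, RESULTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Driving the loop from the inventory list rather than from the deployment results is what makes a host that never reported appear as a gap.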
Wrap up
Patching both operating systems and applications is a regular part of network maintenance. Having the right tools and procedures in place, and support from management, contribute towards making patch management a success.
Additional resources for keeping informed on patches
- Subscribe to the SANS Institute newsletters
- Register to receive Microsoft’s security newsletter
- Register to receive Microsoft Technical Security Notifications
- CERT Mailing Lists and Feeds
- Bugtraq Mailing List
- SecLists.Org Security Mailing List Archive
- Mailing lists for specific Linux/Unix distros
- Apple Security Mailing List