Patch management is one of the most important maintenance activities any sys admin can undertake. The number of vulnerabilities that an unpatched system has presents a huge risk to the network, while a fully patched and up-to-date system is very robust and secure, barring any configuration issues. Patch management can either be a constant pain point for sys admins, or it can be one of the easier and more enjoyable tasks. It all depends upon how you approach it, and what sort of management support you have.
In this post, we are going to provide you with a very simple and effective way to make patch management easy. And it all starts with…
The single most important thing you require to make patch management easy is support from your leadership. With it, and the formal acknowledgement that patching is a critical and ongoing part of systems maintenance, you will be able to patch when necessary, obtain the resources needed to do this well, and make compliance mandatory. Without it, you are in big trouble.
Regular maintenance windows
One of the best ways to make patch management easy is to make it routine. Microsoft chose to release patches on a monthly schedule to help customers plan for patching, and this is something for you to embrace. When the business knows that, for example, the third weekend of each month is when regular patching occurs, they will schedule any activities that might conflict with patching around it, and everyone can become accustomed to this routine.
Provisions for emergency patching
That’s not to say that patching will only ever be done during a maintenance window. Emergency patches to remediate exploits that are already in the wild will be necessary from time to time, and the business will have to understand that in these situations, security trumps all. That is when you need the management support most of all!
A patch management application
If you cannot count all of your systems without having to take off your shoes, then you have too many systems to patch by hand. Trying to maintain servers by staying up all night to patch them, and counting on users to patch their individual machines, guarantees failure. A good patch management application can automate most of the patching processes for you, so that you only need to decide what patches to deploy and when. A patch management application also enables you to do the next three things on our list.
Coverage for your third-party apps
There is much more to patch management than just updating Windows. Your office applications, PDF readers, antivirus software and all the dozens or hundreds of other applications must be patched. A good patch management application is one that can handle more than just the operating system.
Testing, deployment and roll-backs
And a patch management application also simplifies the entire patching lifecycle, from testing, to deployment, to the occasional roll-back.
Auditing and reporting
You want to be able to do two separate but related things with your patch management application. You first want to be able to assess, or audit, all of the systems on your network to verify that they are fully patched, or to identify any that need remediation.
You also want to be able to run logs and generate reports to show the state of your network, what versions of operating systems and applications are out there, and how compliant they are with your patching requirements. A good patch management app makes this a task you can automate, or run with a few mouse clicks, rather than requiring you to “touch” every single system one by one to see whether it is up to date.
Patch management is easy when you have the support, the right tools, and you make it a regularly scheduled part of your sys admin duties. With the list above, you have what you need to make it so.
This guest post was written by Casper Manes on behalf of GFI Software Ltd. Find out more about GFI’s award-winning network scanner and patch management solution: GFI LanGuard.