The Sys Admin’s Guide to Patch Management Made Easy

GFI Languard

Patch management is one of the most important maintenance activities any sys admin can undertake. The number of vulnerabilities that an unpatched system has presents a huge risk to the network, while a fully patched and up-to-date system is very robust and secure, barring any configuration issues. Patch management can either be a constant pain point for sys admins, or it can be one of the easier and more enjoyable tasks. It all depends upon how you approach it, and what sort of management support you have.

In this post, we are going to provide you with a very simple and effective way to make patch management easy. And it all starts with….

Management support

The single most important thing you require to make patch management easy is the support from your leadership. With it, and the formal acknowledgement that patching is a critical and ongoing part of systems maintenance, you will be able to patch when necessary, obtain the resources needed to do this well, and make compliance mandatory. Without it, you are in big trouble.

Regular maintenance windows

One of the best ways to make patch management easy is to make it routine. Microsoft chose to release patches on a monthly schedule to help customers plan for patching, and this is something for you to embrace. When the business knows that, for example, the third weekend of each month is when regular patching occurs, they will plan around that any activities that might conflict with patching, and everyone can become accustomed to this routine.

Provisions for emergency patching

That’s not to say that patching will only ever be done during a maintenance window. Emergency patches to remediate exploits that are already in the wild will be necessary from time to time, and the business will have to understand that in these situations, security trumps all. That is when you need the management support most of all!

A patch management application

If you cannot count all of your systems without having to take off your shoes, then you have too many systems to patch by hand. Trying to maintain servers by staying up all night to patch them, and counting on users to patch their individual machines, guarantees failure. A good patch management application can automate most of the patching processes for you, so that you only need to decide what patches to deploy and when. A patch management application also enables you to do the next three things on our list.

Coverage for your third-party apps

There is much more to patch management than just updating Windows. Your office applications, PDF readers, antivirus software and all the dozens or hundreds of other applications must be patched. A good patch management application is one that can handle more than just the operating system.

Testing, deployment and roll-backs

And a patch management application also simplifies the entire patching lifecycle, from testing, to deployment, to the occasional roll-back.

Auditing and reporting

You want to be able to do two separate but related things with your patch management application. You first want to be able to assess, or audit all of the systems on your network to verify that they are fully patched, or to identify any that need remediation.

You also want to be able to run logs and generate reports to show the state of your network, what versions of operating system and application are out there, and how compliant they are with your patching requirements. A good patch management app makes this a task you can automate, or run with a few mouse clicks; rather than requiring you to “touch” every single system one by one to see if they are up to date or not.

Patch management is easy when you have the support, the right tools, and you make it a regularly scheduled part of your sys admin duties. With the list above, you have what you need to make it so.

This guest post was written by Casper Manes on behalf of GFI Software Ltd. Find out more about GFI’s award winning network scanner and patch management solution: GFI LanGuard.

All product and company names herein may be trademarks of their respective owners.

Advertisements

Why Patch Management Is Vital to Your Business Network Security

If your business has any IT resources at all and is connected to the Internet, it’s not a question of if you will suffer a security incident; it’s just a matter of when. Just how bad such an incident will be comes down to your patch management strategy. Patch management is critical in any size company, from the sole proprietorship to the international enterprise, and keeping up with the patching on every single server and workstation on your network is the most effective thing you can do to minimize your exposure to the threats facing your network.

There are several different ways that malicious attackers can compromise your network. Malware infected email attachments and downloads, worms that propagate from system to system, and compromised websites that deliver harmful scripts to browsers, all tend to take advantage of unpatched vulnerabilities in your operating systems, web browsers and other applications to do their damage. Guessing passwords and finding unsecured ways into networks are still out there, but it is much easier to probe for an unpatched webserver, and that same activity is usually much more difficult to detect. Once an attacker finds a flaw, they can easily exploit it with any number of canned attacks. There are even frameworks where people can create “hack in a box” type plug-ins that anyone can use, with no programming experience required.

These sorts of attacks rely on the victims to have unpatched systems running on their network. Patch management is the most effective, and the easiest way to defend against such threats. Operating system and software application vendors regularly release patches for their products, and notify their customers who have registered whenever an update is available. Some, but unfortunately not all, even provide ways for users to set their computers up to automatically download those updates to make it as easy as possible to receive and install the patches. Using patch management enables admins to deploy patches in a controlled fashion, testing them before wide scale deployment, and also to ensure that all systems are up-to-date on their patches. Patch management gives you the control you should have, to ensure that your systems are secured. Patch management also provides you a way to patch those applications that the vendors don’t provide an automated way to handle.

Patch management systems enable you to maintain full control of your systems’ patching activities. You can deploy security patches to test machines, and then push them out to all the rest of your machines, and also run reports to ensure that you have 100% compliance across all servers and workstations. You can use your patch management system to provide reports up to management and to auditors as well, so you can make sure management knows what is going on, and that auditors’ requests are easy to meet.

With patch management, you can also quickly and easily push emergency patches out to all your systems. While testing patches and deploying them in a planned manner is preferable, every so often a zero day exploit is discovered that necessitates pushing a patch out to all systems as quickly as possible. Without a patch management system, you may have to run from machine to machine, or worse still, rely upon your users to patch their own systems. With patch management, you can deploy an update from the comfort of your desk, and know that you have all your machines covered.

For the security of your network, and to ensure quick and efficient deployment of security patches to all workstations and servers, deploy a patch management application on your network today. The ease with which you can patch your systems, the reporting that it provides, and the peace of mind that comes with knowing that you are not subject to exploits of unpatched systems makes a patch management system a vital component of your network management suite.

About the author: Casper Manes writes for GFI Software Ltd, a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs.

All product and company names herein may be trademarks of their respective owners.

7 Tips to Improve Patch Management

As a security consultant, one complaint I hear frequently from my customers is that patching is a pain. The amount of time many companies spend on patching, the problems they have deploying patches, the perception that patching causes problems, and a general lack of understanding about what it takes to patch, all combine to make patching such a major issue. This generally means patching is not carried out for months and security is put at risk. However with proper planning and a patch management strategy, patch management is not such an issue after all. I have helped numerous customers implement patch management and there are seven tips that I adopt:

  1. Have senior management make patching a priority

If admins are allowed to patch (or not) as they see fit, and if you are expected to “do the best you can” with patching, you’re doomed to fail. Senior management must set the expectation that patching is critically important, mandatory, and they will need to support that.

  1. Implement a patch management solution

Part of that support from senior management will include implementing a patch management solution. The free ones are worth every penny you pay for them, which is not to say that they are not useful, but they typically focus on the operating system, and leave the applications out in the cold. A patch management solution is the best way to automate the testing, patching, auditing, and reporting steps that manual patching makes so painful.

  1. Include third party applications

Your patch management system must be able to deploy patches for your third party applications. Media players and readers, line of business applications, and the various utilities that are found on practically every workstation, and many servers, must also be patched.

  1. Testing is not optional

It’s better to deploy an untested patch than to not patch at all, but you roll the dice every time you do. Designate a sampling of key users and servers, and deploy patches to them early so that you can be sure that the patches play nicely in your environment before you patch all the systems.

  1. Create a patching window that is inviolate

Set a regular patching window that takes priority. Publish it so that other business units can plan around your patching activities, and make sure that the senior management support includes supporting the patching window so that you can get workstations and servers updated quickly.

  1. Ensure 100% compliance

Never assume a patch is deployed successfully to every system. Your patch management solution should be able to report on the status of all systems, that patches are deployed successfully, and you should spot audit systems to be absolutely certain you’ve covered everything.

  1. Ensure you can roll back

Even with testing, there’s a chance you will deploy a patch only to later find out that it causes a problem. Choose a patch management application that can roll back or uninstall patches that it pushes out, just in case a problem is discovered late in the game.

If you take these seven tips to heart and implement them in your environment, you will find patching to be an easy, straightforward, and enjoyable part of systems management.

This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about the right patch management solution.

All product and company names herein may be trademarks of their respective owners.

7 Reasons to Use a Patch Management Solution

Do you use a patch management solution? If your network is like many others out there, you probably have half a dozen or more different Windows operating system versions, two to four different Office suites, and dozens more software applications scattered throughout the various workstations and servers on your network. You say to yourself every Patch Tuesday that this is the month you will finally get a handle on patching, but then find yourself overwhelmed and not even sure where to begin. Take heart; you are not alone. Like so many of your peers, you simply need a patch management solution.

A patch management solution can make short work of what can be a Herculean task, simplifying and automating patch management. With the ability to go beyond just the operating system and your Office suite, a good patch management solution can also take care of all those vulnerabilities that things like Windows Updates and WSUS cannot. Here are seven reasons why you need a patch management solution today:

  1. Deploy patches quickly and easily

Patching should be a regular process, not a time consuming one. A day to review, a day to test, and a day to deploy sounds about right for most situations, and a good patch management solution will let you accomplish that. Anyone that needs a week or more to do patching should find a patch management solution provides positive ROI as soon as it is installed.

  1. Patch third party applications

One of the best reasons to invest in a patch management solution instead of using free Microsoft tools is that patch management software can patch third party applications. PDF readers, media players, FTP clients, compression utilities; the nearly endless list of apps on your users’ desktops can present huge risks to your network, but are easily kept up-to-date with a patch management solution. No more all-nighters every time there’s an Adobe zero-day.

  1. Deploy third party applications

Speaking of third party applications, did you know that the better ones are multitaskers? They don’t just patch, they can deploy, and that means that when you have to roll out a new piece of software, your patch management solution can do it for you. No more sneaker net or trying to write logon scripts for every type of machine on your network.

  1. Can manage non-domain members

We all have machines that are not joined to a domain. They can be in the DMZ, special purpose, or just for testing, but all are beyond the reach of the GPOs that WSUS uses to get domain members patching. Patch management solutions can use agents or simply a local administrative account to patch and maintain all those DMZ machines as easily as it does the internal systems.

  1. Auditing and reporting

It’s not enough to take patching on faith; you have to be able to confirm all systems are up-to-date. You also need to be able to budget for upgrades for both hardware and software. Auditing and reporting can confirm patch levels; ensure that your license counts are accurate, and also let you know how many machines need a RAM upgrade before you can deploy the next version of your Line Of Business application.

  1. Remove unauthorized applications

Patch management solutions can also remove unauthorized software, making it easy to keep machines in a supported state, to remove software that a user installed without a valid license, to uninstall software from every machine before you push the upgrade, or when you decide not to renew.

  1. Vulnerability reporting

Patch management isn’t just about pushing or pulling software, it’s also about managing your risk. Good patch management software can perform vulnerability assessments as well, generating reports of all your systems so you know which patches are needed, and which are not, and so you have a full understanding of just what’s out there.

So make the next Patch Tuesday the one where this time you really do get a handle on your patching needs, take care of all those third party applications and start reporting up to management on all the great work you do. Your new patch management solution is just the thing to let you look at both patching and compliance as easy.

This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about the right patch management solution.

All product and company names herein may be trademarks of their respective owners.