Whether your servers run Windows or Linux, whether your workstations are Windows 7 or Macs, and no matter what vendor your network gear comes from, one of the most critical administrative tasks for admins of any system is patching. With new vulnerabilities announced every week, and with dozens, if not hundreds of different applications running on your network, having an effective patch management process in place is critical to maintaining the health and security of your systems.
1. Stay informed
When it comes to patching, one of the most important things for you to do is to be aware of what is out there. All the major vendors include mailing lists that you can subscribe to so that you receive notifications of patches. It won’t hurt to subscribe to some of the other mailing lists like those from SANS or Bugtraq that let you know when there are vulnerabilities, even when patches aren’t released yet. Subscribe your IT or security team’s distribution list to make sure nothing is missed while someone is on vacation. See the end of this post for links to some of the major mailing lists.
2. Include applications
A growing number of exploits take advantage of applications that open or execute file types. Windows Update can take care of your operating system and Microsoft applications, but almost every computer on your network will have third-party applications, including PDF readers, media players, and other line of business applications. Make sure you stay informed of patches for all the applications that are a part of your image.
3. Test before you deploy
All vendors test their patches before releasing them, but it is virtually impossible for a vendor to test every possible combination of hardware, application, and driver, and they cannot test your proprietary applications developed internally. Have a set of machines that you deploy patches to first, and test to make sure you don’t introduce any problems to your systems. Take advantage of virtualization technologies when you can, or use your IT department’s machines and secondary servers if you have to, but make sure you test all patches before you roll them out to the entire organization or to key servers.
4. Schedule maintenance windows
Patching requires time, bandwidth, and reboots, and all of these can interrupt normal processes. Even companies that run their business 24×7 need to have some established maintenance windows for normal patching, and a process in place to push emergency patches in the event of a zero-day exploit. By having a scheduled maintenance window, business operations can plan around, or at least be prepared for, potential disruptions when key systems reboot after patching.
5. Use a patch management system
Manual patching is time- and labor-intensive, error prone, and impossible to report on. There are several excellent low-cost patching systems on the market that can push patches, audit systems, and generate reports for management and security assessments.
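The audit-and-report side of items 3 and 5 can be expressed in a few dozen lines. The following is an added example, not code from the original post or from any patch management product: it runs a compliance check over an exported inventory, treating the pilot machines from item 3 as a separate deployment ring with a shorter deadline than production. The ring names, SLA windows, host names and KB-style patch identifiers are all constructed sample values, not real Microsoft KB numbers.

```python
"""Patch-compliance audit over an exported inventory (constructed sample data)."""
from dataclasses import dataclass, field
from datetime import date

# Days after a patch's release by which each deployment ring must have it installed.
# "pilot" is the test group from item 3; "production" gets the patch after the pilot soak.
# These ring names and windows are assumptions for the example, not a vendor default.
RING_SLA_DAYS = {"pilot": 2, "production": 14}


@dataclass(frozen=True)
class Patch:
    patch_id: str   # vendor identifier (a KB number, package version, etc.)
    severity: str   # "critical" / "important" / "moderate"
    released: date


@dataclass
class Host:
    name: str
    ring: str
    installed: set = field(default_factory=set)  # patch_ids reported by the host


def audit(hosts, required, today):
    """Return {host name: [(patch_id, severity, days_overdue), ...]} for every
    required patch missing on each host.

    days_overdue is negative while the ring's SLA window is still open, so a
    production host missing yesterday's patch shows as pending, not overdue.
    The list is ordered most-overdue first, then by severity name.
    """
    findings = {}
    for host in hosts:
        sla = RING_SLA_DAYS[host.ring]
        missing = []
        for patch in required:
            if patch.patch_id in host.installed:
                continue
            age = (today - patch.released).days
            missing.append((patch.patch_id, patch.severity, age - sla))
        findings[host.name] = sorted(missing, key=lambda m: (-m[2], m[1]))
    return findings


def hosts_out_of_sla(findings):
    """Number of hosts with at least one overdue patch: the headline figure for
    the management report item 5 asks for."""
    return sum(1 for missing in findings.values()
               if any(overdue > 0 for _, _, overdue in missing))


def report(findings):
    """One human-readable line per missing patch."""
    lines = []
    for host, missing in findings.items():
        for pid, sev, overdue in missing:
            state = (f"OVERDUE by {overdue}d" if overdue > 0
                     else f"pending ({-overdue}d left in window)")
            lines.append(f"{host}: {pid} [{sev}] {state}")
    return lines


# Constructed sample inventory; in practice this comes from the patching system's export.
TODAY = date(2011, 3, 18)
REQUIRED = [
    Patch("KB-SAMPLE-001", "critical", date(2011, 3, 1)),
    Patch("KB-SAMPLE-002", "important", date(2011, 3, 13)),
]
HOSTS = [
    Host("pilot-ws01", "pilot", {"KB-SAMPLE-001", "KB-SAMPLE-002"}),
    Host("pilot-ws02", "pilot", {"KB-SAMPLE-001"}),
    Host("prod-srv01", "production", {"KB-SAMPLE-001"}),
    Host("prod-srv02", "production", set()),
]

if __name__ == "__main__":
    findings = audit(HOSTS, REQUIRED, TODAY)
    print("\n".join(report(findings)))
    print(f"hosts out of SLA: {hosts_out_of_sla(findings)} of {len(HOSTS)}")
```

With the sample data, the pilot workstation that skipped the second patch is already overdue, while the production servers missing the same patch are still inside their window; only the production server that also lacks the two-week-old critical patch is flagged. That distinction is what makes the report useful after a staged rollout: it separates "testing not finished yet" from "patch never landed".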
6. Include a roll-back plan
No matter how much vendors test their patches, and how thoroughly you test your systems, there may come a time when a patch causes an issue, and you will need to roll it back. Make sure that when you push patches, everyone is aware, and if problems crop up after deployment, be prepared to first check those patches to see if they are a possible cause, and to uninstall them if necessary.

With these six concepts at the foundation of your patching plan, you are well on your way to making patching a routine part of your administration, instead of a painful process that causes disruptions to the network.

Here’s a list of mailing lists that you may want to subscribe to so as to always be up-to-date:
- http://www.sans.org/newsletters/ – Subscribe to the SANS Institute newsletters
- http://technet.microsoft.com/en-us/security/cc307424.aspx – Register to receive Microsoft’s security newsletter
- http://technet.microsoft.com/en-us/security/dd252948.aspx – Register to receive Microsoft Technical Security Notifications
- http://www.us-cert.gov/cas/signup.html – CERT Mailing Lists and Feeds
- http://seclists.org/bugtraq/ – Bugtraq Mailing List
- http://seclists.org/ – SecLists.Org Security Mailing List Archive
- http://www.linux-sec.net/ML_FAQS/ – Mailing lists for specific Linux/Unix distros
- http://lists.apple.com/mailman/listinfo/security-announce – Apple Security Mailing List