Deploying a patch management process

Patching systems is often seen as a simple task, but there is more to the patch management process than meets the eye. You don’t just get the patches and deploy them; you need to start planning and testing before even going near a live environment. This is what can be defined as the ‘patch management process’.

The first step is to establish an effective change management system within the organization. This is essential because the administrator needs to keep a test mirror of the different systems within the organization. The administrator will then be able to use this test network to test patches before deploying them to the live network. This step is essential as it can help the administrator determine whether the patch will work properly in the live environment or whether it will conflict with the existing setup and cause stability issues.

A patch is essentially a change to an existing application, and it can alter the behavior of that application and of any other applications that use its interface. When this happens, previously stable applications can stop working or, in some rare cases, prevent the operating system from running. This is why it is so important for an administrator to identify possible issues before the patch is deployed to the live environment.

Even if a patch is thoroughly tested, unexpected problems may surface. Therefore, the administrator must have a fallback plan and procedures to follow should a system start behaving erratically after the patch is deployed. The patch can either be rolled back or, in the extreme case that the system remains unresponsive, a full system restore can be performed. For this reason, it is important that working backups are available for all systems that are about to be patched.

When the system administrator is ready to deploy the patches, she/he will need to decide when to do so. A patch process can be disruptive and require a system reboot; the method of deployment is also a key consideration.

If the administrator does not have any tools to deploy patches, she/he will have to do it manually. If Windows Update is set to deploy patches automatically, then the administrator must keep in mind that the patches will deploy without allowing the administrator to test them beforehand. Other tools can give the administrator better control of the process by enabling him/her to deploy patches network-wide from a central location and to keep track of the patch status on all machines. It is also important to note that all applications generally require security patching; when choosing a patch management solution, remember that not all solutions offer patching for a wide range of third-party applications.

Once patches have been deployed, there should be sensors in place that indicate whether or not the patches were deployed successfully. A scan of the target machine or a good reporting mechanism is usually required. If a patch deployment has failed, this should be investigated, fixed and the patch redeployed. Verification is an important step in the patch management process.

A proper patch management process takes time; however, it is time well spent, because a botched patch update can bring systems down for hours if not days.