Reminder: The Principles of Patch Management

Most IT departments realize that operating system patching can be the difference between continued operation and total systems failure. Patching provides two major advantages to the IT department. First, it helps reduce end-user dissatisfaction as bugs get fixed and the fixes are delivered via patches. Second, it secures the operating system against hackers and malware. Holes in the security infrastructure get plugged and the system maintains its integrity.

Now that both Faronics Core and Deep Freeze provide Windows Updates functionality to IT, it seems fitting to provide some CliffsNotes of a very good TechNet article written by Microsoft Security Program Manager Christopher Budd, entitled “Ten Principles of Microsoft Patch Management”. Here is the upshot:

  1. Service packs should form the foundation of your patch management strategy.  Service packs undergo a much broader scope of testing and include more than just security concerns.  Focus first on service packs and then on security updates.
  2. Make product support lifecycle a key element in your strategy.  When a product is no longer supported, Microsoft no longer publicly provides security updates for that product.
  3. Perform risk assessment using the Severity Rating System. This helps you to prioritize deployment of security updates.
  4. Use mitigating factors to determine applicability and priority.  These are part of the Severity Rating System and help you to determine applicability of an issue for your specific environment.
  5. Only use workarounds in conjunction with deployment.  This gives you an option to protect your environment right away while you put the security update through the appropriate testing.
  6. Issues with Security Updates are documented in the Security Bulletin Master Knowledge Base Article.  Check the caveats section of the bulletin to make sure that the update does not contain a compromise you are not willing to live with.
  7. Test updates before deployment.  Sometimes there is only one way to find incompatibilities!
  8. Contact Microsoft Product Support Services if you encounter problems in testing or deployment.  It is the most efficient way to identify genuine issues.
  9. Use only methods and information recommended for detection and deployment.   All of these are clearly written in the Security Bulletin.
  10. The Security Bulletin is always authoritative.  Microsoft’s procedure is to place official documentation only in the bulletins.  To get the official MS stance on an issue, you need not look any further.

So install the latest versions of Faronics Core and Deep Freeze to deploy security patches, and use the above 10 principles as guidelines to ensure a user-friendly and secure operating environment.

Scott Cornell

When he’s not knee-deep in blogging and all things tech, Scott spends his free time playing ultimate Frisbee and watching foreign films. An expert in emerging tech trends, Scott always has his ear to the ground for breaking news related to IT security.