Patch Management

How to prevent downtime while updating your company systems.

Introduction:

Gather and consolidate inventory data on every system

Understand the consequences of making changes

Scan for vulnerabilities

Create a full backup of all data and server configuration information

Deploy patches to the test group

Document test results and present for review by internal system owners

Notify internal system owners of any downtime or alerts they will experience

Roll out patch enterprise-wide

Sources:

Related checklists:

Introduction:

Patch management is a careful process. It'd be reckless to deploy untested patches across your whole organization, so it's often done with a test group beforehand.

A vulnerability scanner will highlight the need for patching automatically, but the reporting and deploying needs human intervention.

In this process, you'll be able to structure your patch testing and deployment in a way that reduces the risk of error. It can also link into our scheduled maintenance process, so you can issue notifications of any expected disruptions.

Gather and consolidate inventory data on every system

Although this information can be collected manually, ideally an automated tool linked to a database should be used.

1

Hostname
2

Location
3

IP address
4

MAC address
5

Operating system
6

Current revision level

Understand the consequences of making changes

Make sure that the consequences of making changes to a system are fully understood and in any event, only implement changes one or two at a time and only on test systems first.

Scan for vulnerabilities

You can use a vulnerability scanning tool like Nessus to manage this step.

Depending on the importance of the systems and the priority of the vulnerabilities, scanning helps you decide which patches to apply where.

Store your scan report in the widget below to keep track of it.

Create a full backup of all data and server configuration information

Exactly how you create a backup of server config data varies based on the kind of server you're running. Below you'll find documentation for common options:

Deploy patches to the test group

A test group is a limited number of users who receive patches before anybody else. This way, if anything goes wrong the damage is limited to just the test users. Test users should be technicians, or at least staff familiar with reporting bugs and finding errors.

Document test results and present for review by internal system owners

Using the logs from your test group, create a summary of the patch results.

Check here (part one, part two) for a guide on generating a report for SCCM systems. Alternatively, here is a guide for managing configuring with Symantec.

Attach the summary below.

Notify internal system owners of any downtime or alerts they will experience

Use the scheduled maintenance notification process to make this easier by generating a report.

Roll out patch enterprise-wide

The best time to schedule patching is the early hours of the morning. Microsoft schedules updates for Tuesdays and even though there's an (unscheduled) "Recall Thursday", it's best to make patching a predictable and regular event.

Make sure to monitor the systems closely after roll-out.