Patch management
Don't do today what you can put off until tomorrow - unless that thing is patching your systems. You can't defer it, you can't ignore it - you've got to patch it.
29 June 2004
Gone are the days when an operating system or application, once deployed, can be left alone until a major update comes along. As software has got more sophisticated, so have hackers - and just as developers close one vulnerability, another one is discovered.
It's easy to blame the software companies - and Microsoft, in particular, comes in for a lot of flak in this area.
The fact is, creating defect-free software is an unattainable goal - but at least when defects are spotted they tend to be quickly patched.
The process itself has become one dreaded by IT teams everywhere. The sheer logistics of rolling out a patch to hundreds of machines one day are matched only by the annoyance of having to roll out another patch the next day.
But this is an area of support that is ignored at your peril. It's tempting to just patch 'mission-critical' servers, but the fact is that most malicious software (or malware, as it is often called) doesn't care what type of machine it's infecting.
At a technical level, most newer versions of Windows share much of the same code. You can have most of your servers patched and your network can still be brought to its knees. Until fairly recently, many people dismissed patch management, claiming that the issues outweighed the benefits.
One of these issues was that many patches introduced new issues in themselves - something that really has (mostly) ceased to be true. The general trend with patches is that they are usually solid when released and cause few problems. The other issue was that it was time-consuming to deploy patches - true enough when there was no automated means of doing this.
There are few things more soul-destroying than spending all day, walking from workstation to workstation, pressing the same buttons. Again, this has ceased to be the issue it was.
Smaller organisations can rely on Windows Update, running in automatic or semi-automatic mode, with the odd manual check and confirmation.
Bigger organisations can choose from some sophisticated tools to manage the process on an enterprise-wide basis.
Many organisations concentrate their efforts on their servers - but as we said, most malware doesn't care where it lives. Workstations dramatically outnumber servers, so the network traffic alone from infected workstations can cripple a network. Also, many workstations, once logged in, have pretty unrestricted access to data sitting on so-called secure servers, giving malware a nice easy route in.
The fact is, all of your machines need to be kept patched, up to date, end of story. And, although patches have got better, they still need testing. Ideally you can use a quarantined machine for this, or at least one that is under close control - it certainly needs to see some real use, or issues with the patches won't be discovered.
A good way to do this is to patch the machines of a controlled group of 'super users' first and have a process for them to report bugs. Because the time between a patch being made available and malware going mainstream is shrinking, you can only test for a day or so. In terms of deployment, there are a few choices - three from Microsoft. Windows Update comes with Windows 2000/XP/2003 and is, for the most part, pretty good.
However, it's only really suitable for small numbers of machines, and you can hardly call it a managed service. Software Update Services (SUS; soon to be renamed Windows Update Services, or, rather unfortunately, WUS, which will also boast an extended feature set) is available free from Microsoft and provides far better control.
SUS is server based: it checks the Windows Update server for patches and downloads them as needed. The administrator can see available patches by logging into the server and, assuming these have been verified and tested, can set a patch to be installed. Network PCs and servers then download the patch from the SUS server using a technology called Background Intelligent Transfer Service (BITS), which ensures that the network is not swamped by this extra traffic.
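As an added illustration (not part of the original article) of the pilot-group test and the 'all machines count' rule described above, here is a small Python model of the approval gate an administrator applies before releasing a patch to the whole fleet; hostnames, patch ids and timings are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Pilot machines ('super users') must have run a patch this long, with no bug
# reports, before it is approved for everyone. The article suggests a day or so.
PILOT_SOAK = timedelta(days=1)

@dataclass
class Host:
    name: str
    role: str                 # "server" or "workstation"
    pilot: bool               # member of the controlled test group?
    installed: dict = field(default_factory=dict)  # patch id -> install time

def pilot_verdict(patch, hosts, bug_reports, now):
    """Gate general deployment of `patch` on the pilot group's experience.

    'hold'    - a pilot user reported a problem with this patch
    'wait'    - some pilot host has not run it for the full soak period yet
    'approve' - every pilot host has had it for PILOT_SOAK with no reports
    """
    if any(r["patch"] == patch for r in bug_reports):
        return "hold"
    for h in (h for h in hosts if h.pilot):
        when = h.installed.get(patch)
        if when is None or now - when < PILOT_SOAK:
            return "wait"
    return "approve"

def unpatched(patch, hosts):
    """Hosts still missing `patch`, by role; workstations count as much as servers."""
    missing = {"server": [], "workstation": []}
    for h in hosts:
        if patch not in h.installed:
            missing[h.role].append(h.name)
    return missing

# Constructed sample inventory: hostnames, patch ids and times are invented.
NOW = datetime(2004, 6, 29, 9, 0)
HOSTS = [
    Host("fs01", "server", False, {"P-1001": NOW - timedelta(days=3)}),
    Host("ws-alice", "workstation", True,
         {"P-1001": NOW - timedelta(days=2), "P-1002": NOW - timedelta(hours=30)}),
    Host("ws-bob", "workstation", True,
         {"P-1001": NOW - timedelta(days=2), "P-1002": NOW - timedelta(hours=6)}),
    Host("ws-carol", "workstation", False, {}),
]
BUG_REPORTS = [{"patch": "P-1003", "host": "ws-alice", "note": "printer driver broke"}]

if __name__ == "__main__":
    for p in ("P-1001", "P-1002", "P-1003"):
        print(p, pilot_verdict(p, HOSTS, BUG_REPORTS, NOW), unpatched(p, HOSTS))
```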
Companies wanting even more control can turn to Microsoft's Systems Management Server, which provides a higher degree of automation, control and reporting. And, of course, there is now a growing range of such tools, which provide excellent control over the patching process. So the malware might exist, but so do the patches and tools to defend against it.
Don't get caught out - get patching!