As information security awareness has grown over the past few years, the number of patches and updates being released by software vendors has increased considerably. Although this is a positive step in plugging security holes, all of the patches and updates can overwhelm administrators. To help you keep your network up to date, I’m going to outline a simple strategy for managing and deploying these security patches.

Stay updated
The first step in managing security patches is to be aware of what issues have been identified and what patches have been released. The best way to do this is to sign up for Microsoft’s Security Notification Service or to regularly visit the Windows Update site or the Security section of the TechNet site. I find the Notification Service the best alternative, since it automatically sends an e-mail when a new bulletin is released. Another advantage of the service is that it covers all Microsoft products, not just the operating systems. The Windows Update service covers only the Windows operating systems.

Let’s take a look at a typical security bulletin e-mail (Figure A) and examine its contents. The first section of the e-mail provides a quick summary of the issue. It identifies the title of the issue, the product affected, the impact, the maximum risk, and a bulletin number. Links are provided to the detailed bulletin posted on the Security section of Microsoft’s TechNet site. The TechNet page provides a FAQ section and additional details, including a link for downloading the patch.

Figure A
A security bulletin e-mail from Microsoft

Evaluate the risk
Read the issue section of the e-mail carefully to find out exactly what the issue is, which systems, applications and versions are affected, and whether the flaw can be exploited remotely or only by a user who is already logged on. After reading the bulletin, you can evaluate the risk to your organization. The mitigating factors section (Figure B) should help with this.

Figure B
Mitigating factors of a security risk

You should answer these questions about the issue:

  • Does it affect software (and versions) you are actually running?
  • Do the circumstances needed to exploit the vulnerability exist in your environment? For example, is the vulnerable service running and reachable from untrusted networks, or does exploitation require an attacker to already be logged on locally?
  • If it affects a particular service, can the service be disabled, or can the software be removed, without affecting your organization? A disabled service is a stopgap that buys time to test the patch properly.

After answering these questions, you should be able to decide whether the patch needs to be deployed and to determine the urgency of deployment.
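The three questions above can be turned into a repeatable local check. The following PowerShell is an added example, not code from the original article: it looks up the affected product in Add/Remove Programs, checks whether the named service is running and whether the port an attacker would need is listening, and reports an urgency. The product pattern, service name and port in the final call are hypothetical placeholders; take the real values from the bulletin.

```powershell
# Added example: script the risk-evaluation questions against the local machine.
# Requires PowerShell 3 or later (Get-CimInstance). Values passed at the bottom are hypothetical.

function Get-InstalledProductNames {
    # Walk the Add/Remove Programs (Uninstall) keys; the WOW6432Node key exists only on 64-bit Windows.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($k in $keys) {
        if (Test-Path $k) {
            Get-ChildItem $k | ForEach-Object {
                $p = Get-ItemProperty $_.PSPath
                if ($p.DisplayName) { $p.DisplayName }
            }
        }
    }
}

function Test-PortListening {
    param([int]$Port)
    # netstat -an exists on every Windows version; the second column is the local address (IPv4 or [IPv6]).
    $lines = netstat -an | Select-String -Pattern 'LISTENING'
    foreach ($l in $lines) {
        $fields = ($l.Line -split '\s+') | Where-Object { $_ }
        if ($fields[1] -match (':' + $Port + '$')) { return $true }
    }
    return $false
}

function Get-BulletinTriage {
    param(
        [Parameter(Mandatory)][string]$ProductPattern,  # regex matched against DisplayName in Add/Remove Programs
        [string]$ServiceName,                            # service the bulletin says is affected (optional)
        [int]$Port                                       # port an attacker must reach to exploit it (optional)
    )
    $installed = @(Get-InstalledProductNames | Where-Object { $_ -match $ProductPattern })
    $svc = if ($ServiceName) { Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" }
    $exposed = if ($Port) { Test-PortListening -Port $Port } else { $null }

    # Question 1: does it affect software we are using?
    $affected = $installed.Count -gt 0
    # Question 2: do the circumstances for exploitation exist (service running, port reachable)?
    $exploitable = $affected -and
                   (-not $ServiceName -or ($svc -and $svc.State -eq 'Running')) -and
                   (-not $Port -or $exposed)
    # Question 3: can the service be disabled as a stopgap?
    $canDisable = [bool]($svc -and $svc.StartMode -ne 'Disabled')

    $urgency = if (-not $affected) { 'none: product not installed' }
               elseif ($exploitable) { 'high: patch now or disable the service' }
               else { 'normal: patch in the next maintenance window' }

    [pscustomobject]@{
        MatchedProducts = $installed
        ServiceState    = if ($svc) { $svc.State } else { 'n/a' }
        PortListening   = $exposed
        Affected        = $affected
        Exploitable     = $exploitable
        CanDisable      = $canDisable
        Urgency         = $urgency
    }
}

# Hypothetical values: substitute the product, service and port named in the bulletin.
Get-BulletinTriage -ProductPattern 'Internet Information Services' -ServiceName 'W3SVC' -Port 80 | Format-List
```

Run it on a representative machine of each build you maintain rather than on one box: the answer to the second question often differs between a server exposed to the Internet and the same software on an internal workstation.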

Test the patch
Once you have decided that the patch should be deployed, download and test it on a nonproduction machine, ideally one built from the same image and running the same applications as the production systems it will go on. Microsoft has a history of releasing patches that end up causing other problems. Of course, a week or so later, a revised edition of the patch is released, but that doesn’t help you if the original patch has locked up a critical server.

At the bottom of the bulletin’s Web page is a list of revisions to each patch; check it, since a revised patch may supersede the one you downloaded. If the patch will be installed on a critical workstation or server, read the bulletin carefully to ensure that no known incompatibilities exist with your hardware, drivers or applications, confirm that the patch can be uninstalled, and make sure you have a current backup before you begin. Few things can ruin an admin’s day like a Blue Screen of Death (BSOD) on a critical server.

Deploy the patch
By far the most challenging aspect of security patch management is getting the patches installed. In a small organization with a few PCs, manual deployment may be the easiest method of installing patches. For a larger organization, the manual method can be extremely tedious and time consuming. Consider using patch deployment software. This software can remotely scan systems to identify currently installed and missing patches, remotely install patches, and perform reporting and tracking functions. In future articles, I’ll cover several patch management software packages.

Another headache with manual patch deployment is that each hotfix normally requests a reboot after it is installed. Microsoft’s QChain eliminates this problem. You run each hotfix with the switch that suppresses its reboot, then run the QChain command-line utility, which resolves conflicts between files that more than one hotfix replaces so that the newest version is the one that survives, and finally reboot once.

Author’s note

QChain is not needed on post-SP3 Windows 2000 or Windows XP machines, since the hotfix installer on these machines contains functionality to install multiple patches. Most patch deployment software also includes this feature.

Verify installation
After the patch is deployed, you can verify that it’s installed correctly by viewing the entry in the Add/Remove Programs applet (Figure C) or by rescanning the system using patch management software. Each installed patch should contain its own entry, as shown in Figure C.

Figure C
Deployed patches listed individually in the Add/Remove Programs applet
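The deployment and verification steps above can be combined into one script: install every downloaded hotfix with the reboot suppressed, reboot once, and then confirm that each hotfix appears in the system’s installed list. The following PowerShell is an added example, not code from the original article. It assumes PowerShell 3 or later (so it applies to the post-SP3 Windows 2000/XP case in the author’s note and to later Windows, not to a bare Windows 2000 box, where the same sequence would be a batch file), that the hotfix file names carry their Q or KB number, that the installers accept -q (quiet) and -z (no restart), and that a return code of 3010 means “installed, reboot required”; check each bulletin for the exact switches. The folder name is hypothetical.

```powershell
# Added example: install a batch of hotfixes with one reboot, then verify each one is listed as installed.
# Assumptions: hotfix .exe names contain Q123456 or KB123456; installers accept -q and -z;
# exit code 3010 = ERROR_SUCCESS_REBOOT_REQUIRED. Run from an elevated PowerShell prompt.

function Get-InstalledHotfixIds {
    # Two places an installed hotfix shows up: the QFE list that Get-HotFix reads, and the
    # Add/Remove Programs (Uninstall) entries that hotfix installers write. Collect both.
    $ids = @()
    $ids += Get-CimInstance Win32_QuickFixEngineering | ForEach-Object { $_.HotFixID }
    $uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    $ids += Get-ChildItem $uninst | ForEach-Object { $_.PSChildName }
    # Normalise "Q123456", "KB123456" and "Windows XP Hotfix - KB123456" to the bare number.
    $ids | ForEach-Object { if ($_ -match '(?:Q|KB)(\d{5,7})') { $Matches[1] } } | Sort-Object -Unique
}

function Install-HotfixBatch {
    param(
        [Parameter(Mandatory)][string]$Folder,   # folder containing the downloaded hotfix executables
        [switch]$Reboot                          # actually restart at the end; default only reports
    )
    $before = Get-InstalledHotfixIds
    $needReboot = $false
    $results = @()

    # Skip qchain.exe itself if it has been copied into the same folder.
    foreach ($exe in Get-ChildItem -Path $Folder -Filter '*.exe' | Where-Object { $_.Name -notmatch '^qchain' }) {
        $id = if ($exe.Name -match '(?:Q|KB)(\d{5,7})') { $Matches[1] } else { $null }
        if ($id -and $before -contains $id) {
            $results += [pscustomobject]@{ File = $exe.Name; Id = $id; Result = 'already installed' }
            continue
        }
        # -z suppresses the per-hotfix reboot so the whole batch reboots once at the end.
        $p = Start-Process -FilePath $exe.FullName -ArgumentList '-q', '-z' -Wait -PassThru
        $status = switch ($p.ExitCode) {
            0       { 'installed' }
            3010    { $needReboot = $true; 'installed, reboot pending' }
            default { "failed (exit code $($p.ExitCode))" }
        }
        $results += [pscustomobject]@{ File = $exe.Name; Id = $id; Result = $status }
    }

    # On pre-SP3 Windows 2000 the QChain step from the article belongs here, before the reboot:
    # & (Join-Path $Folder 'qchain.exe')

    # Verification: every hotfix we attempted should now be visible to the system.
    $after = Get-InstalledHotfixIds
    foreach ($r in $results) {
        if ($r.Id -and $r.Result -notlike 'failed*' -and ($after -notcontains $r.Id)) {
            $r.Result += ' (NOT FOUND in installed list; verify manually)'
        }
    }
    $results | Format-Table -AutoSize

    if ($needReboot -and $Reboot) { Restart-Computer -Force }
    elseif ($needReboot) { Write-Host 'Reboot required to complete installation.' }
}

Install-HotfixBatch -Folder 'C:\Patches'   # hypothetical folder; add -Reboot to restart automatically
```

Keep the printed table: it is the per-machine record that the patch management products discussed next time would otherwise produce for you, and a hotfix that installed cleanly but is missing from the installed list is exactly the case worth a second look.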

The task of managing security patches is not the most glamorous part of IT, but it is an important responsibility that administrators must confront. With a good strategy and the right tools, it can be managed effectively. Next time, we’ll look at some of the specific patch management products that can help streamline the deployment process.