This requires a lot of management. The first thing for anyone looking to manage their systems is to baseline what they have on their network. Too often people only focus on their Windows systems. But it is not just Microsoft that suffer from vulnerabilities – think how many patches (including security patches) other vendors like Cisco release over the course of the year, and Apache is still the most popular web server on the Internet (nearly 70% according to Netcraft’s December 2003 Survey). This baseline needs to include all pertinent information – what hardware and what software is loaded. It is important to know that you will not try and patch a Windows NT system with a Windows 2003 patch. You need to establish a minimum patch level for all the systems on your network. This minimum will be based upon the O/S being run – and software running on top of it. Not all patches released by a vendor will be relevant to everyone. Therefore the baseline will be different for different people.
Before rushing out and patching every system, when a new patch is released, a Network Manager must understand the patch and what it is doing (it may not be relevant to you). It also needs to be tested on a test network running the business applications prior to be rolled out. The roll out of a patch could compromise your business if it breaks the business software and stops everyone from working. It would not be the first time…
All patch management needs a full audit trail, which must include whether an installation has been successful. How many times have people been caught out when they thought they had updated software only to find the install did not complete.
The timescale issues will become more pressing. Network managers will need to be aware of what patches are being released, and will need to be on several mailing lists researching information pertinent to their environment. This research needs what commodity that is in short supply – time.
Once you have identified the need for a patch, deploying them can be very difficult – the first question is; do you have the manpower? If so, when do you deploy? If you are going to automate this process – and the industry is going this way – can you cope with cross platform patch management form a single tool? Can you delegate responsibility to other people within the team, or to other office locations?
The need for tools to deal with this issue has been highlighted. There are a number of vendors now appearing in this space. Before purchasing any tool it is important for the user to test it. Test it in a real environment, test across all the systems that you run. Think a little further than just patching Microsoft software – there will be worms for other systems and hackers exploit known holes in other O/S and applications. Make sure you receive full audit trails and reports.