Friday, January 20, 2012

Patch Management

Windows patching


Whenever we talk about system patching from the security point of view, leaving systems unpatched becomes a serious security liability, because it leaves the network vulnerable to attack. But when the auditor or the security administrator has a lot of findings and says you have a lot of systems that have not been patched, are you not then facing a serious due diligence issue? I guess the answer depends on how you want to interpret it. If you have good perimeter security, the risk is lower even though some systems have not yet been patched. If we just patch everything, it may mean that we lack an understanding of what security really means and what we are trying to protect.

Periodically applying patches is the only way to keep our vulnerable systems from being attacked. I know this sounds dramatic, but it's true. What I would like to share with you are some best practices for business security. I think all the readers of my blog have a lot of servers to maintain. Patching 5 to 10 servers might not be a big deal. But let's say you have 100 or more: how do you maintain them?

1. Automated patching - This is important because it ensures that all systems get their patches on time. On top of that, it gives you an overview of where your environment stands in terms of patching. The tools also have great reporting. You can find more info on the automated patching on

2. Testing - Each time we want to deploy a patch, there is always the question of how to do it. From what I have seen in some environments, it is better to have a development server that is identical to the production server. This is important because when we apply the patches there, we know whether there is any impact on the application. Even if you have a development server, you must make sure you back up the server before applying patches. Above all, take note of this when you are applying a service pack for the operating system or an application.

3. Maintenance windows - Of all the comments from system administrators on why they can't patch Windows, the most common is that they don't have a maintenance window, because the system can't be shut down and is critical for the business. There are a few ways to deal with this. The first is to justify why we patch and what happens if we don't: if a system gets compromised, someone needs to be responsible for it. The second is to have a cluster-aware system so that the interruption can be minimized. This is a good way to maintain all the systems too. You can have more information on the cluster at

4. Vulnerability scanner - This might not sound like patch management, but it can help you a lot in finding loopholes that need to be closed. For now I will share the open source way, which I have blogged about since last year at the following URL.
Part 2 : Openvas
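
The patching overview mentioned in point 1, as an added PowerShell example that is not from the original post: it asks each server for its most recently installed hotfix and flags servers that are past a patch-cycle threshold. The server names and the 30-day threshold are assumptions; replace them with your own inventory and policy.

```powershell
# Added example: patch-age overview for a list of Windows servers.
$Servers    = 'SRV-APP01', 'SRV-DB01', 'SRV-WEB01'   # hypothetical host names
$MaxAgeDays = 30                                     # assumed patch-cycle length

function Get-PatchStatus {
    param(
        [string[]]$ComputerName,
        [int]$MaxAgeDays = 30
    )
    foreach ($computer in $ComputerName) {
        # One result row per server, filled in below
        $row = [ordered]@{
            Computer = $computer; LastHotFix = $null; InstalledOn = $null
            AgeDays  = $null;     Status     = 'NoData'; Detail   = $null
        }
        try {
            # InstalledOn is empty for some entries, so those are filtered out
            $latest = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Where-Object { $_.InstalledOn } |
                Sort-Object InstalledOn -Descending |
                Select-Object -First 1

            if ($latest) {
                $row.LastHotFix  = $latest.HotFixID
                $row.InstalledOn = $latest.InstalledOn
                $row.AgeDays     = [int]((Get-Date) - $latest.InstalledOn).TotalDays
                $row.Status      = if ($row.AgeDays -gt $MaxAgeDays) { 'Overdue' } else { 'Current' }
            }
        }
        catch {
            # A server that cannot be queried stays in the report,
            # so an unreachable host is never mistaken for a patched one
            $row.Status = 'QueryFailed'
            $row.Detail = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

Get-PatchStatus -ComputerName $Servers -MaxAgeDays $MaxAgeDays |
    Sort-Object AgeDays -Descending |
    Format-Table Computer, LastHotFix, InstalledOn, AgeDays, Status, Detail -AutoSize
```

Get-HotFix only lists updates recorded in Win32_QuickFixEngineering, so use the result as a quick overview alongside the reports from your patching tool and vulnerability scanner.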

I am interested in hearing your feedback, so that I can improve my articles and learning resources for you.
