Microsoft patch management policy. The Windows Patch Management Tutorial is designed to give you a one- stop comprehensive resource for all of your.. By submitting your email address, you agree to receive emails regarding relevant topic offers from Tech. Target and its partners. You can withdraw your consent at any time. Contact Tech. Target at 2. Grove Street, Newton, MA. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy. Microsoft patching needs. In the first section of our tutorial, learn about setting patch management policy, prioritizing your patching process, managing a testing budget and the pros and cons of using third- party patch management tools. Windows patch management policy. 2 Stamford International University (“STIU”) Patch Management Policy Rationale Stamford International University (“STIU”) is responsible for ensuring the confidentiality, integrity, and availability its data and that. PATCH MANAGEMENT POLICY. The goal of vulnerability and patch Management is to keep the components that form part of. 4.2.6 Any system updates/patches for Linux operating systems must be done by the relevant. By not applying a patch you might be leaving the door open for. Software Patches & OS. By not applying a patch you might be leaving the door open for malware to come in. Malware exploits flaws in a system in order. Patch management: Fixing vulnerabilities before they are exploited. Patch management plays a critical role in ensuring that companies can keep their PC real estate. Purpose and Scope This Practice Directive defines requirements for patch management on all San Francisco State. Unless a security patch or update introduces. Are there any Patch Management Solution Best Practices? Windows patch maintenance and post- patch security. Windows patch management tools Windows patch management policy Prioritizing Windows desktop patches. This list covers the major categories of things that can be patched or updated in a typical desktop configuration and the order in which you should apply them whenever possible. Patch your systems in this order and your patch management policy will be stronger than ever. Patch Management Policy. Current patch status for all SOIC or. Bios: As with servers, start here. Managing BIOS updates across multiple systems is all the easier when they're of the same make and manufacturer, but it requires . Fortunately, many PC manufacturers now allow centralized updates to BIOSes through a management application - - Altiris, for instance, has a management solution for Dell desktops and notebooks that allows remote BIOS updates. Device BIOSes: These include things like BIOS updates for disk controllers, video cards or other devices. Device BIOS updates go into a separate category from regular BIOS updates for two reasons: One, they are easy to overlook and not often considered for desktops; two, you usually cannot update them en masse. For example: If you're administering a group of graphical workstations that need updates to their video card's BIOSes - - and the only way to do that is via a 1. DOS- based updater - - you'll probably have to do that by hand for each computer. However, if you could perform the update through a 3. Windows application, you could probably push out your Windows patches as you would any other update. Device drivers: As with servers, one of the more common hardware device- driver updates published for a desktop computer is for the network controller. Make sure you test the update ahead of time. If you automate patching on a whole slew of machines with such a driver and the end result is that they're all knocked off the network, your only choice might be to either re- image them from scratch or fix each one manually. The OS: Patching Windows OSes is the part almost everyone is directly familiar with and it needs relatively little elaboration here. One thing I'll add is something I also wrote about in the server version of this article: If there are device driver updates, they should be examined separately from other updates in case an OEM- provided version of the driver is more urgently needed. Middleware: This normally includes elements such as ODBC drivers but should also include things like the Microsoft . NET Framework. Note that with the . NET Framework, the 1. Application patches: As with the OS and its attendant patches, you can roll out application patches through the usual automated mechanisms, and it should be done only after everything else has already been applied. Managing your patch testing budget. The biggest Windows patch management costs related to creating a test lab are hardware and software. Although both are necessities, there are some ways that you can really hold down the costs. Let's talk about the hardware first. One way you can economize on hardware is to purchase PCs instead of servers. If all you do is test the impact of occasional patches, then you don't need things like multiple processors and RAID arrays. You can save an absolute fortune just by using a basic PC with plenty of disk space and memory for testing purposes. Another cost- saving technique is to use virtual machines. Products such as Microsoft's Virtual Server 2. VMware from VMware Inc. Microsoft offers 1. Therefore, if you are testing an entire patch management configuration, a single patch, an upgrade or whatever for less than 1. If you are going to be testing for an extended amount of time, one option is to get an MSDN subscription. A subscription to MSDN Universal costs about $2,0. That sounds like a lot of money but, along with the subscription, you receive multiple licenses for almost all of Microsoft's products. I don't know what Microsoft's official policy is regarding using MSDN software in testing labs, but because MSDN is intended for developers, I'm pretty sure that using MSDN software in a test lab would be allowed by the license agreement. Using third- party patches. Most of us have been there before. It's the beginning of the month, Patch Tuesday is about ten days away and we hear about a new exploit that we know we are susceptible to. At such a time, it's frustrating to know we have to wait for the second Tuesday of the month before a software fix arrives. You might think that deploying a third party patch is a good idea. Well, sometimes it is. And sometimes it isn't. The cons of third- party patches. IT administrators deploying off- cycle patches from third parties, in many instances, will have no idea what the patch contains. So before you consider deploying an off- cycle patch, you should ask yourself how much you trust the company that produced it. Even patches from a company without any malicious intent can inadvertently be infected by malicious code. In the worst case, if a company producing third- party patches has less than honorable intentions, it potentially could distribute a patch containing spyware or code that makes it easier to exploit the vulnerability that the patch supposedly addresses. Another potential problem with deploying third- party patches is that these patches might break parts of your system that are currently running just fine. After all, in the case of a Windows patch at least, many of these fixes are actually replacing operating system code. Even the slightest change to code could have catastrophic effects. The pros of third- party patches. In the opinion of some Windows security experts, the risk of accidentally introducing bugs or malicious code into a system, along with the risk of Microsoft not supporting the system, far outweighs the risk of having to wait for a legitimate Microsoft patch. After all, Microsoft does have a history of expediting patches for more serious security issues. At times, Microsoft even provides detailed instructions on how to protect a system against a newly discovered vulnerability until a patch can be produced. Essentially then, the debate between using third- party patches and waiting for Microsoft patches comes down to an issue of timing. If you feel you are facing a serious Windows security vulnerability and Patch Tuesday is weeks away, you might want to run the risk that the third- party patch could produce bugs just to protect yourself from greater danger. If the risk is not so great, you might want to just wait for Microsoft to release their own patches. The four myths of Windows patch management. Myth #1: You should always wait a month before applying a new patch. Perhaps the most common myth of patch management policy is that an organization is better off waiting for a few weeks after vendors release a patch before deploying it internally. The idea is that if you wait a month and don't hear any screaming on security mailing lists, it will be safe to apply the patch. The problem with this thinking is that you should be using the results of your own testing to decide whether or not a patch is safe. You shouldn't be using anecdotal evidence off the Internet. Sure, the anecdotal evidence might point to some problems, but these are problems that your own testing regimen would have found anyway. So why wait a month to hear what other people say when your own tests, which you should be running regardless of what you hear, would find any faults earlier? Myth #2: If a patch doesn't break most of your configurations, it will not break all of your configurations. You need to apply a newly released patch to all of the desktop computers in your organization. You test the patch on the Windows XP boxes in the IT department without encountering any problems. You test it on the workstation used by the CEO's administrative assistant without encountering any problems. You test it on five computers used by people in the HR department and everything works perfectly. You use your patch management software to deploy the new patch to all of the computers in your company. That's when you find out that the patch causes a problem with an application that is only installed on the accounting department computers. Myth #3: You only have to deploy a patch once. You automatically deploy patches to all the computers on your network. A week later, you do a scan to check that all computers have had the update applied. Unfortunately, you still can't assume that every computer in the organization has been patched. In my experience, there is always some computer in some remote branch office that has been switched off for a couple of weeks because it is broken or the person that regularly uses it has gone on leave. Eventually the computer is switched on, but remains unpatched because you've moved on to patching newer vulnerabilities. When checking that the current patch has been successfully applied, spend a little extra time verifying that other patches are also present. Myth #4: There is a one true method for patch management. Although there are some basic principles that should be kept in mind when developing a patch management plan, there is no one true method. Each organization is unique.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
January 2017
Categories |