Improve security by systematically addressing vulnerabilities in your Microsoft software and operating systems
Patch management consists of scanning computers, mobile devices or other machines on a network for missing software updates, known as “patches” and fixing the problem by deploying those patches as soon as they become available.
Windows patch management is the process of managing patches for Microsoft Windows. Patches are a type of code that is inserted (or patched) into the code of an existing software program. It is typically a stop-gap measure until a new full release of the software becomes available.
Windows Update is a Microsoft service for MS Windows operating systems that automates downloads of Windows software updates. The service not only delivers software updates, but also many Microsoft antivirus products. While Microsoft attempts to quickly release security patches, frequently applying patches to production-level servers can have a negative effect on productivity and stability.
Since 2003, Microsoft has released large numbers of patches for their operating systems and other software products on “Patch Tuesday” – the second Tuesday of every month. However, with the release of MS Windows 10, Microsoft has also started issuing cumulative updates for the new operating system.
Each of these patches contains fixes for one or more vulnerabilities that have been identified by numbers assigned via the Common Vulnerabilities and Exposures (CVE) system, maintained by the National Cybersecurity Federally Funded Research and Development Center (FFRDC).
Patch Tuesday lets systems administrators prepare for possible impacts patch applications might have and warn their users. When a serious problem with a patch is reported, it can affect the computers where the update will be installed. IT personnel can defer installing that patch, while still installing the rest of the them, so they don’t lose the protections from all those other vulnerabilities.
Updates that roll up all the current fixes into a single patch offer the convenience of an all-in-one solution, but also take away the admin’s ability to pick and choose which vulnerabilities to patch. This may increase the chances that an incompatibility with some particular system configuration or other software might cause the update to either fail or cause undesired behavior. Microsoft uses the cumulative rollup concept for their security updates for Internet Explorer and Edge web browsers.
Server patching acquires, tests and installs multiple code changes to administered computer systems to keep them updated. The process also determines the appropriate software patches for each program and schedules the installation of the patches across different systems.
Patching a server is more complex than patching a workstation. Workstation downtime isn’t as critical because workstations can be re-built if there’s a serious issue with a patch. In contrast, server patching includes not only the server, but also the applications running on it and the middleware between applications. Because the critical role servers play for an organization, downtime must be kept to an absolute minimum. Most administrators find it important to prioritize server patches.
As discussed earlier, Microsoft Windows Updates automates downloads of software updates. Businesses with only has a handful of Windows servers can use the Microsoft Windows Server Update tool to deploy Windows updates. But most organizations have a more multifaceted computer environment and end up using multiple tools for other work, such as Microsoft application software patches or Mac OS patches.
Using multiple tools is problematic because it obscures the operation team’s ability to understand the IT deployment’s level of risk. Many companies offer a single “do it all” tool for server patching – one that can process everything from Microsoft products and third-party software to PC-based hardware, Mac computers, client systems and servers.
Proper patch management can greatly improve an enterprise’s security by addressing the vulnerabilities in its software and operating systems. Here are a few reasons why patch management is a critical expenditure in almost any IT budget:
Security is the most critical benefit of patch management. Network security breaches are most commonly caused by missing patches in operating systems and other applications. For example, security breaches are regularly discovered in MS Windows ActiveX, IIS, Internet Explorer and .Net Framework. By installing security updates, you avoid damage to software, data loss and identity theft. It’s important to install updates quickly because malware can spread within hours after of introduction.
Computer crashes due to defective software can still happen and this eventually leads to lower productivity levels. A patch, on the other hand, reduces the possibility of crashes and downtime, thereby allowing workers to do their tasks without interruptions.
Patches are not always about fixing bugs. They can also include new features and functionality that can tap into the latest innovations of the software. Microsoft is constantly working on new features and sending new functionality in the form of software patches, so downloading and installing them can help you work better and smarter.
Cyberthreats have become commonplace and this is why regulatory bodies are mandating that businesses apply the latest patches to avoid these threats. Noncompliance can lead to stiff penalties, so a good patch management strategy is necessary to comply with these standards.
The emergence of “bring your own device,” or BYOD, has opened up a whole new avenue of opportunities for cyberattackers. Employees increasingly use their personal and office devices interchangeably to do their work – requiring personal devices to be protected as well. A good patch management software installs patches across all devices, regardless of their physical location. In the process, it addresses many of the challenges that come with using personal devices.
Installing the latest updates is not the most effective process of patch management. In fact, every tool should follow a detailed set of steps to ensure that the end result is economical, efficient and effective.
Here are some keys steps to developing an up-to-date inventory of the existing devices:
Create a patch management policy
Scan the network and devices on a regular basis to identify vulnerabilities and missing patches.
Validate the successful deployment of the downloaded patches in a testing environment and check for any incompatibilities or performance issues.
Apply the patch across the entire organization, if no issues were uncovered during the testing phase.
Create detailed documentation and reports about patch download, testing and installation for auditing and compliance.
Though these steps may vary, the larger point is the updates should not be installed as they become available. Instead, they should go through a process laid down by the organization. Such a process-oriented approach will also make it easy to follow some of the best practices of patch management.
For a slightly different take on patch management processes, review the blog: The best patch management strategy for 2019.
Windows patching is typically high on an administrator’s to-do list. If done incorrectly patch management can be a risk for the organization instead of a risk mitigator. A few simple best practices however easily eliminate all of these risks as well as ensure that the process is finished quickly and efficiently.
Here are some best practices specifically for MS Windows patching:
Here are a few general best practices for patch management to help an organization enhance its security and to stay updated on all the latest additions made to any software:
As stated previously, When deploying patches without properly testing them out, you risk that one of the patches might conflict and cause issues on the organization’s infrastructure. So, the overarching patch management strategy is to pinpoint what type of vulnerability a patch is supposed to fix. Then determine how much risk is involved in applying the patch, how you should apply the patch and when you should apply it.
Once you’ve done your risk evaluation there are different strategies to actually deal with the vulnerability.
Hold on until Microsoft releases a fix.
Microsoft may provide a way around the problem until a patch is available. Or you may have a stop-gap measure until you can evaluate a patch.
Insurance may be expensive, but risk can, in essence, be transferred to an insurance company and you can let them deal with any problems.
Go ahead with the patch, and hope that nothing goes sideways. Or completely remove the software or Windows component from the exposed systems.
Some administrators may assume that the Microsoft recommended patches provide security from most vulnerabilities. But most experts agree that you cannot solely rely on patches, updates and service packs supplied by Microsoft. Because of these unchecked vulnerabilities, many organizations have turned to automated patch management tools. Windows patch management software can take pressure off administrators and improve the overall efficiency of downloading and installing patches across different devices. As a result, every organization can update all its endpoints with the latest patches – and with little human interference, regardless of its hardware specifications and geographical locations.
But how do you choose the right patch management software, given the large number of patch management tools available today? Here are some capabilities that should be present in any good automated patch management software:
Microsoft Patch Tuesday has changed and now all patches are delivered at once
Discover why with the release of Windows 10, Microsoft now issues cumulative updates for the new operating system.
How we patch: by the numbers
Learn how a good patch management system goes a long way to address security problems.
The best patch management strategy for 2019
Learn six steps that can help you deploy an effective patch management strategy.
Exploring automated patch management solutions
Find out how automated patch management solutions go hand in hand with your vulnerability management program.
GFI LanGuard for patch management
Discover why thousands of IT admins worldwide use GFI LanGuard to scan networks for vulnerabilities, automate patching and achieve compliance.
GFI LanGuard Step by Step Guide
This step by step guide helps you understand how you can maintain a secure and compliant network with minimal IT effort.
GFI LanGuard free trial
Download a 30-day trial of GFI LanGuard that includes Patch Management for Windows®, Mac OS® and Linux®.
Patch management tool comparison: What are the best products?
Read this product comparison to see which tool is best for your company from TechTarget.
GFI LanGuard product features
Get an in-depth product understanding from this extensive library of videos and information.
How to deploy missing patches with GFI LanGuard
Watch this video and see how to quickly and easily deploy missing patches using GFI LanGuard.
6-step guide to effective patch management
Discover how an optimal patch management system helps to manage security and risk.