Patch Madness

Skyline Blog | Jan 13, 2015
With the New Year upon us and quickly gaining momentum, let’s pause and take a look back to November 2014.  The snow was flying and temps were dropping.  It was the time of year when it is dark for both morning and evening workday commutes, Sundays are filled with football, and the holidays are just around the corner. It’s the season for turkey and family and…security updates??  Yes, it is. In fact, it’s always security patching season for IT Administrators, and November brought a bunch.

On November 12th, Microsoft released a total of 15 updates, which is not out of the ordinary for a monthly patch cycle. However, what sets this month apart from most others is that 5 of these updates were rated ‘critical’, 8 rated ‘important’, and 2 rated ‘moderate’. Again, no earth-shattering news here, but let’s take a moment to look beyond the ratings and see what’s really going on. Of the 5 critical releases, at least 2 (MS14-066 and MS14-068) affect key components within all supported versions of Windows. Yep, ALL supported versions of Windows. Another 2 updates address multiple vulnerabilities affecting Internet Explorer (MS14-064, which is a follow-up to the previously released MS14-060, and MS14-065). This release cycle is also atypical for Microsoft, as 1 of the critical updates was released out-of-band: MS14-068 was actually released after the normal “2nd Tuesday of the month” release date!

Why was this significant? Because these updates really needed to be applied to every system in your environment running a supported Windows operating system. Having worked in IT environments both large and small, I can say with certainty that this is no small undertaking.  

In my travels over the past 15 years as both a corporate IT employee and IT consultant, I have had the opportunity to work with many skilled and knowledgeable people. That second week in November, I sent out a notice to some of these IT colleagues about the critical update releases as a reminder, and this led to some ongoing banter back and forth. The conversations got me thinking about the patching processes and compliance requirements we all deal with, the prep work involved, and the scheduling sleight-of-hand we have all gone through to pull off a smooth update deployment.

Consider for a moment how many servers you have in your environment and how many are internet exposed. Then add the number of workstations and laptops your organization supports, and how the users of those computers work. Then factor in how many second- and third-party applications may need addressing in addition to the Windows components. Wow. The number gets large in a hurry, doesn’t it? Fortunately, we have apps for this.

Leveraging Windows Server Update Services (WSUS) and/or Microsoft System Center 2012 Configuration Manager (SCCM) can greatly reduce the work and cost of deploying updates, and both come with unique strengths and weaknesses. Like any other platform solution, they ship with a slight learning curve and associated costs to configure, operate, and maintain. However, when measured against the liability of not properly managing the installation of patches and security updates, these costs are a mere pittance. Deploying SCCM and/or WSUS, alone or in conjunction with comparable technologies from other providers (Symantec, Gravity Storm, and Ecora, to name a few), is a no-brainer for well-connected corporate network environments. Whether your user count is in the tens, hundreds, or thousands, successful management of patch deployment and regulatory compliance comes down to 3 basic things:

  • Strategic planning.
  • Timely execution.
  • The right tools.

That being said, here are some DOs and DON’Ts to consider when deciding whether or not your 3 basics are being addressed. These are things to think about as you create or refresh your patch deployment model. This should get the conversation going!

  • DON’T assume.
    • Don’t assume that systems behind your firewall will be okay.  
    • Don’t assume you will hear about issues before they become problems.
    • Don’t assume that just patching the operating system will ever be enough.
    • Don’t assume that your patch management solution can do it all.
  • DON’T forget the testing.
    • Always make sure you have a test plan.  Identify business application owners and subject matter experts and get them on-board to test their platforms as part of your deployment plan.
  • DON’T operate in a vacuum.
    • IT is not the only department participating in patching.  These deployments can have wide-spread impact and conversely, wide-spread benefit.  Communicate with and encourage others to take part.
  • DON’T ignore or neglect alerts.
    • Even if the main topic is not a technology within your area of responsibility, a missed application patch may still represent a liability for your organization.
  • DON’T wing it.
    • Having a well thought out strategy is the most important step towards a sustainable process.
  • DON’T rush, but don’t delay.
    • A hasty deployment can leave room for error or oversight.  Taking steps to ensure your deployment is accurate and effective may cost a few days’ time, and that’s okay.
  • DO have a plan.
    • Establish regular outage windows, manage user expectations proactively, identify updates, identify test activity ownership, deploy. Plan plan plan.
  • DO change management.
    • Identifying and reviewing any significant changes to an environment is a responsible and measured approach. Documenting, challenging, and approving changes allows for better peer review and effective identification of issues.
  • DO test the updates.
    • Deploy the updates in a test environment before going to production. Have a back-out plan prepared.
  • DO evaluate dependencies.
    • Does this patch break web services? Does this update replace a previous update? Poll the IT community for issues ahead of time, read about important or critical updates before deploying. Perform basic research to help mitigate the domino effect.
  • DO communicate.
    • Take steps to ensure that affected users and IT staff are in the loop, top-down.
  • DO test.
    • Did I mention testing?
  • DO deploy a patch management system.
    • Perhaps the single most important mechanism in a successful patching strategy is the suite of tools you use.  Custom scripting or home-grown solutions are fine for small shops, but can get quickly out of hand as your organization grows and the threats increase across multiple platforms.  The need for a powerful and flexible solution is one of the most significant pain points among IT professionals throughout the industry.
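The first DON’T above is “don’t assume”, and the last DO is to put tooling in place. A concrete way to stop assuming is to verify: after a deployment window, ask each host which of the required updates it actually reports as installed, and flag the ones that do not. The following PowerShell script is an added example written for this post; it is not code from the original article or from Skyline Technologies. It assumes two hypothetical host names (SERVER01, SERVER02) and uses obviously fake placeholder KB numbers in $RequiredKBs; substitute the KB article numbers for the bulletins you are tracking (for November 2014 that would be the KBs listed in MS14-066 and MS14-068).

```powershell
# Added example (not from the original post): audit a list of hosts for a set of
# required Microsoft update KBs and report which hosts are missing which ones.
# Host names and KB numbers below are placeholders; replace them with your own.
param(
    [string[]]$ComputerName = @('SERVER01', 'SERVER02'),   # hypothetical host names
    [string[]]$RequiredKBs  = @('KB0000001', 'KB0000002')  # placeholders, not real KB ids
)

function Get-MissingUpdates {
    param(
        [Parameter(Mandatory)][string]$Computer,
        [Parameter(Mandatory)][string[]]$Required
    )
    try {
        # Get-HotFix reads the installed-update records (Win32_QuickFixEngineering)
        # from the remote host. -ErrorAction Stop makes an unreachable host throw.
        $installed = Get-HotFix -ComputerName $Computer -ErrorAction Stop |
                     Select-Object -ExpandProperty HotFixID
    }
    catch {
        # An unreachable host is reported explicitly instead of being silently
        # treated as patched; "no data" is not the same as "compliant".
        return [pscustomobject]@{
            Computer   = $Computer
            Reachable  = $false
            MissingKBs = $Required
            Error      = $_.Exception.Message
        }
    }

    # Anything in the required list that the host does not report is missing.
    $missing = @($Required | Where-Object { $_ -notin $installed })
    [pscustomobject]@{
        Computer   = $Computer
        Reachable  = $true
        MissingKBs = $missing
        Error      = $null
    }
}

# Build one report row per host.
$report = foreach ($c in $ComputerName) {
    Get-MissingUpdates -Computer $c -Required $RequiredKBs
}

# Print a readable table; a host with any entry in MissingKBs is out of compliance.
$report |
    Select-Object Computer, Reachable,
                  @{ n = 'MissingKBs'; e = { $_.MissingKBs -join ', ' } },
                  Error |
    Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or monitoring job flag non-compliance.
if ($report | Where-Object { $_.MissingKBs.Count -gt 0 }) { exit 1 } else { exit 0 }
```

Two caveats worth keeping in mind when reading the output. Get-HotFix only lists updates recorded in Win32_QuickFixEngineering, so application updates (Office, browsers, third-party products) will not appear there; that is the “just patching the operating system will never be enough” point above in practice, and a WSUS or SCCM compliance report remains the authoritative view. And the script treats an unreachable host as non-compliant on purpose: a host you could not check is exactly the one you should not assume is fine.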

Today, we all live in a cloud-centric world, and Skyline Technologies works with a wide variety of on-premises and cloud environments every day. Utilizing cloud-based solutions eases the burden of managing updates to an extent, which is a key point for many organizations. However, I still see a considerable amount of technology deployed in on-premises environments, and the need to make sure these “on-prem” environments are kept up to date on applicable security patches, service packs, and hotfixes remains a critical task. So whichever path you choose in 2015 for a deployment management strategy, keep the 3 key components in mind: planning, execution, and the toolkit. Please seek assistance if you have questions about your solution or if you need help developing a roadmap with System Center 2012 Configuration Manager, Microsoft Intune, and/or Windows Server Update Services.

Happy New Year, and happy patching!