
Security Basics mailing list archives
Re: Windows patch mgmt.
From: Keith Cirelli <kcirelli1 () yahoo com>
Date: Tue, 22 Jun 2004 19:58:00 -0700 (PDT)
Microsoft has white papers and documents on patch management that may be helpful for you. Information at the following should be helpful:
http://www.microsoft.com/security/guidance/topics/PatchManagement.mspx

I believe the problem and solution may be your approach to patch management.

[snip][paste]
"the question has come up how do we test all desktops/servers --->after<--- a windows patch has been installed."
and
"The concern is if the server isn't being used for testing, then we may push a patch to a production server without it being "tested.""

Applying patches to any production server without testing it is an "Apply and Pray/Apply at your own risk" approach to patch management. The first thing Microsoft would probably ask you if you called them for support (if something did break) would be, "Did you test it first?"

Never push a patch without testing. Period. The one time you get burned for NOT testing and things go south and cost the company money will be all the advice you need to adjust your approach to patch management, if my advice doesn't. Reacting to potential issues because something wasn't tested can be much more costly to your time and your company's pocket.

Any OS build worth putting into production (especially servers) is worth having a duplicate in a lab for testing against things... such as patches. Not knowing how a patch will affect your builds is dangerous for an admin these days. One can err to the side of "limited resources" as to why testing may not be performed PRIOR to installing a patch, but try to imagine what happens when that one patch... that conflicts with something, wasn't tested prior to installation, gets installed and blows up a standard service on a critical machine/server and production is affected. That is not a fun scenario. Someone has to be responsible if production is affected... correct? Who made the decision to apply the patch? Why? Who tested it? See where I'm going?
CYA is a reason to test, your own sanity is another, operational uptime might be another? Dedicating the time up front to apply a patch in a lab environment that, as exactly as possible, simulates ALL workstation and server builds is an essential part of the Patch Management process. Good workstations can be built as servers just fine for testing purposes in a lab. Merely getting the patch installed on 350 machines is only a part of the process. Determining the validity of a patch in your environment and thoroughly testing that patch BEFORE you deploy it is just as important. It's essential to simulate all of the production builds you have in a lab (you do have standards for builds, riiiiiight?)... make these lab builds as close as possible to production builds. That way you will know if a patch that you have validated as necessary for your environment works or blows things up BEFORE you blindly apply it. OS services can break, applications can break, network functions can break... when patches go bad. If a patch does cause adverse effects in your testing, Microsoft is pretty good about providing workarounds that can be very helpful to closing the security hole a poorly written patch is designed to fix until they fix it themselves.

Here's what is suggested for time-frames before applying patches...

Severity rating: Critical
  Recommended patching time frame: Within 24 hours
  Recommended maximum patching time frame: Within two weeks

Severity rating: Important
  Recommended patching time frame: Within one month
  Recommended maximum patching time frame: Within two months

Severity rating: Moderate
  Recommended patching time frame: Depending on expected availability, wait for the next service pack or patch rollup that includes the patch, or deploy the patch within 4 months
  Recommended maximum patching time frame: Deploy the patch within six months

Severity rating: Low
  Recommended patching time frame: Depending on expected availability, wait for the next service pack or patch rollup that includes the patch, or deploy the patch within 1 year
  Recommended maximum patching time frame: Deploy the patch within one year, or choose not to deploy at all

Hope that helps,
Keith

--- bob martin <bobmartin_613 () hotmail com> wrote:
Hello all. Basic patching question for you. We have a small environment (approx. 300 desktops and 50 servers) and the question has come up how do we test all desktops/servers after a Windows patch has been installed. Given that the networking/desktop team consists of 6 people, I'm a bit stumped on how we can do this efficiently. We use St. Bernard's Update Expert to push out the patches and to verify they've been installed. Currently we push to a QA environment and let it soak for a week or two while it's being used for its normal functions. The concern is if the server isn't being used for testing, then we may push a patch to a production server without it being "tested." Any suggestions would be very welcomed. Anymore, there are so many Windows patches that it's almost a full time job for one person to manage them.

Thanks.
Bob

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
Current thread:
- Windows patch mgmt. bob martin (Jun 21)
- Re: Windows patch mgmt. steve (Jun 22)
- Re: Windows patch mgmt. Joe Polk (Jun 23)
- Test Lab Help sEc nErD (Jun 24)
- Re: Windows patch mgmt. Joe Polk (Jun 23)
- Re: Windows patch mgmt. Keith Cirelli (Jun 23)
- <Possible follow-ups>
- RE: Windows patch mgmt. Britton, Jeff B. (Jun 21)
- RE: Windows patch mgmt. Depp, Dennis M. (Jun 22)
- Re: Windows patch mgmt. Murad Talukdar (Jun 23)
- Re: Windows patch mgmt. pingywon MCSE (Jun 23)
- RE: Windows patch mgmt. Paul Ryan (Jun 24)
- RE: Windows patch mgmt. Kymer, Daniel (Jun 23)
- RE: Windows patch mgmt. Depp, Dennis M. (Jun 23)
- Re: RE: Windows patch mgmt. Warren V Camp (Jun 23)
- RE: Windows patch mgmt. Depp, Dennis M. (Jun 23)
- Re: Windows patch mgmt. Ansgar -59cobalt- Wiechers (Jun 25)
(Thread continues...)
- Re: Windows patch mgmt. steve (Jun 22)