Patch Management Process Overview
One of the most tedious tasks an Administrator can be given is managing Patch Deployment and keeping a suitable Patch Management Process in place. From monitoring various blogs, emails, RSS feeds and forums to keep abreast of newly discovered vulnerabilities and the patches that remediate them, to gaining approval to deploy patches to your hundreds of servers and thousands of desktops, it can be one of the most mundane tasks an administrator ever performs. It is also one of the most important. Making sure that your environment is secure from vulnerabilities and potential security holes that a hacker can exploit is critical. Most large enterprises are required to be ISO 27001, ISO 270012 or even SOX (Sarbanes-Oxley) compliant, and having applications, hardware and systems that are not up to date won't look favourable to the auditor.
Defining a Patch Management Process can be quite complex, but having the required resources and systems in place helps the Administrator make informed decisions and patch systems successfully without too much stress.
Patch Management Software
First and foremost, a Patch Management System that can automate the download and deployment of updates is the most valuable asset in your Patch Management Strategy. The best Patch Management software around for managing your server and desktop fleet is System Center Configuration Manager (SCCM) from Microsoft. Not only is it a great tool for deploying updates, it can also deploy applications and operating systems, inventory all your systems and software, and make life much easier for an Administrator looking after a large environment. Make sure that SCCM has an up-to-date inventory of your environment, including Operating System types, as this makes it easier to specify which patches to deploy and to which machines.
If you are using Microsoft’s SCCM to deploy updates, and you are also monitoring blogs, feeds and so on for vulnerabilities and their fixes, you should look at automating the deployment of updates to your machines with an Automatic Deployment Rule within SCCM. Setting this rule to coincide with Microsoft's monthly update release (Patch Tuesday, as it is known, which falls on the second Tuesday of each month) is good practice. Now that your update schedule is set and the updates are downloading ready for deployment, what is the process for deploying them? Naturally you will need to test, test and test again that a newly released update doesn’t break something in your environment, and more often than not gaining approval to deploy will require some sort of rollback functionality.
Often we see the Patch Management Process for deploying updates follow these steps:
- SCCM downloads the latest updates from Microsoft (Patch Tuesday).
- Updates are now available and ready for deployment. Administrator socialises the latest patch releases with relevant parties.
- CAB (Change Approval Board) approval is now required for deployment of the latest patches to the Pilot Group.
- Administrator sets a maintenance window and schedules when the patches should be installed. (Be careful, as most patches will require a reboot of the system. Often with deployment of updates to servers, this will be performed outside of business hours.)
- Patches are deployed to the Pilot group.
- UAT (User Acceptance Testing) is performed to ensure there are no issues caused by the patch deployment.
- Once UAT approval has been gained, the Administrator then presents a new Change Request to CAB for approval of the deployment of patches to Production systems.
- Approval has been accepted and the Administrator then sets up a new deployment package for deployment to Production systems.
Now, what happens if, like most corporations, you don't have the luxury of Pilot or Development and Test systems that mirror Production to help you gain the almighty CAB approval? A rollback position is often required before CAB will approve any update deployment, as they otherwise see it as too risky. That may mean ensuring there are adequate, successful backups in place, or it may mean the Administrator has to create a manual snapshot of the virtual servers prior to patch deployment. Either way, the Administrator normally ends up spending lots of late nights checking that the backups succeeded or creating snapshots before allowing the updates to deploy.
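The manual snapshot step described above, written as a pre-patch gate for Hyper-V guests. This is an added example, not part of the original article and not SnaPatch code; the host name, VM names and checkpoint prefix are constructed placeholders, and it assumes the Hyper-V PowerShell module is installed where it runs.

```powershell
#Requires -Modules Hyper-V
# Added example: create and verify a checkpoint for each server before patching.
# Fails closed: a server without a verified checkpoint blocks the deployment.

function New-PrePatchCheckpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $HyperVHost,
        [Parameter(Mandatory)] [string[]] $VMName,
        [string] $Prefix = 'PrePatch'
    )

    $checkpoint = '{0}-{1}' -f $Prefix, (Get-Date -Format 'yyyyMMdd-HHmm')
    foreach ($name in $VMName) {
        $result = [pscustomobject]@{
            VM = $name; Checkpoint = $checkpoint; Ready = $false; Detail = ''
        }
        try {
            $vm = Get-VM -ComputerName $HyperVHost -Name $name -ErrorAction Stop
            Checkpoint-VM -VM $vm -SnapshotName $checkpoint -ErrorAction Stop
            # Do not trust the create call alone: read the checkpoint back.
            $snap = Get-VMSnapshot -VM $vm -Name $checkpoint -ErrorAction Stop
            if (-not $snap) { throw "Checkpoint '$checkpoint' not found after creation." }
            $result.Ready  = $true
            $result.Detail = "Created $($snap.CreationTime)"
        }
        catch {
            # Record why this server has no rollback point.
            $result.Detail = $_.Exception.Message
        }
        $result
    }
}

# Constructed sample inputs; replace with your own host and servers.
$report = New-PrePatchCheckpoint -HyperVHost 'hv01.example.local' `
                                 -VMName 'app01', 'sql01'
$report | Format-Table -AutoSize

$blocked = $report | Where-Object { -not $_.Ready }
if ($blocked) {
    Write-Warning "No rollback point for: $($blocked.VM -join ', '). Do not deploy."
    exit 1
}
Write-Output 'Checkpoints verified; every server has a rollback point.'
```

Remove the checkpoints once the patched servers have been accepted, because a checkpoint left in place keeps growing its differencing disk.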
SCCM Patch Management Add-on Software – Reduce your effort and the risk
We developed SnaPatch exactly for this reason. SnaPatch is add-on software for Microsoft’s System Center Configuration Manager. SnaPatch interfaces with your existing SCCM and virtual environment (whether this is VMware, with vCenter servers managing ESX hosts, or Microsoft’s System Center Virtual Machine Manager (SCVMM) managing your Hyper-V hosts). SnaPatch will automate a snapshot of your virtual servers before allowing SCCM to deploy the monthly updates. This will help you gain the auditor's approval for your ISO 27001, ISO 270012 or even SOX (Sarbanes-Oxley) patching compliance.