Updated: December 20, 2004

Streamlining Patch Management: The Checklist


1. Assess your current environment.

Complete an inventory of all your computing assets and software.

Baseline and standardize software to minimize risk.

Identify threats and vulnerabilities to your infrastructure.

Use a tool like Microsoft Baseline Security Analyzer or the Microsoft Office Update Inventory Tool to identify missing security updates on your systems.

Make sure you have a solution such as SUS or SMS in place to distribute patches and updates to all the computers in your environment.

Identify the people responsible for performing patch management and establish operational processes for deploying updates.

For more information on the assessment process, take a look at Chapter 1 of the Patch Management Process Guide - http://www.microsoft.com/security/guidance/topics/PatchManagement.mspx.


2. Identify new updates.

Visit the support Web sites for your applications and operating system, and sign up to be notified whenever new Microsoft Security Bulletins are released and patches, updates, or service packs are available for download.

When you learn about a new update, make sure it is relevant to your computing systems.

Verify the source of an update. This is a critical step, but it does not need to be overly complex. For example, you can identify the source alias of Microsoft updates and then create an Inbox rule for that source to make sure you are not being spoofed.

Download and isolate valid updates so you can examine them for viruses or other malicious code.


3. Evaluate and plan the deployment.

Prioritize your systems. Identify which systems are vulnerable, and which of those systems are most critical to day-to-day operations.

Build and test your release on those critical systems.

While you’re testing, make a plan for accommodating system downtime during the rollout.

Chapter 3 of the Patch Management Process Guide provides excellent guidelines for how to maintain IT operational processes while deploying critical updates. Again, you can access the Patch Management Process Guide from the Security360 Web site at http://www.microsoft.com/security/guidance/topics/PatchManagement.mspx.


4. Deploy the security release.

Get the important patches on your critical machines first, then roll out to other computers.

Limit the deployment to computers affected by the security issue.

Verify that the security update is working after deployment.

Systems Management Server 2003 can help you implement all four stages of the patch management process. You can also evaluate the beta release of Windows Update Services. This service recently won the bronze medal in the patch management category of this year’s Information Security Magazine Product of the Year awards. WUS can play a vital role in your organization’s patch management processes. In fact, Microsoft Baseline Security Analyzer and SMS will soon use the WUS infrastructure to streamline patch management technologies from Microsoft.
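As an added example (not part of the original checklist and not code from any Microsoft tool), the PowerShell script below covers two of the steps above: verifying the source of a downloaded update by checking its Authenticode signature (step 2), and checking after deployment which required updates each machine is still missing (steps 1 and 4). The KB numbers, computer names and file path are placeholders; Get-HotFix and Get-AuthenticodeSignature are standard cmdlets.

```powershell
# Added example, not from the original checklist. KB numbers, computer
# names and the file path are placeholders to replace with your own.

function Test-UpdateSource {
    param([Parameter(Mandatory)][string]$Path)
    # A valid signature chained to a Microsoft signer is the check that a
    # spoofed notification mail or a tampered download cannot satisfy.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status
        Signer  = $signer
        Trusted = ($sig.Status -eq 'Valid' -and $signer -like '*O=Microsoft Corporation*')
    }
}

function Get-MissingUpdates {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string[]]$RequiredKB
    )
    foreach ($computer in $ComputerName) {
        try {
            $installed = (Get-HotFix -ComputerName $computer -ErrorAction Stop).HotFixID
        } catch {
            # Report unreachable machines instead of skipping them: an offline
            # machine is often the one that never received the update.
            [pscustomobject]@{ Computer = $computer; MissingKB = '(unreachable)'; Error = $_.Exception.Message }
            continue
        }
        $missing = $RequiredKB | Where-Object { $_ -notin $installed }
        [pscustomobject]@{
            Computer  = $computer
            MissingKB = if ($missing) { $missing -join ',' } else { '' }
            Error     = ''
        }
    }
}

# Usage with placeholder values: inspect the downloaded package, then list
# only the machines that still lack one of the required updates.
Test-UpdateSource -Path 'C:\Updates\KB000000-x86.exe' | Format-List
Get-MissingUpdates -ComputerName 'SERVER01','SERVER02' -RequiredKB 'KB000000','KB000001' |
    Where-Object { $_.MissingKB } | Format-Table -AutoSize
```

Run Get-MissingUpdates before the rollout to scope it to affected machines, and again afterwards to confirm the update actually landed everywhere it was targeted.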


Related Resources

Guide To Patch Management
Learn about the patch management process.

Windows Update Services
Download and evaluate the beta.

Avanade Security Solutions
Review security and patch management solutions