Microsoft Windows patching strategy


















Microsoft is constantly working on new features and shipping new functionality in the form of software patches, so downloading and installing them can help you work better and smarter. Cyberthreats have become commonplace, which is why regulatory bodies are mandating that businesses apply the latest patches to avoid these threats.

Noncompliance can lead to stiff penalties, so a good patch management strategy is necessary to comply with these standards. Employees increasingly use their personal and office devices interchangeably to do their work — requiring personal devices to be protected as well.

Good patch management software installs patches across all devices, regardless of their physical location. In the process, it addresses many of the challenges that come with using personal devices.

Installing the latest updates is not the most effective process of patch management. In fact, every tool should follow a detailed set of steps to ensure that the end result is economical, efficient and effective. Here are some key steps to developing an up-to-date inventory of the existing devices: Validate the successful deployment of the downloaded patches in a testing environment and check for any incompatibilities or performance issues. Apply the patch across the entire organization if no issues were uncovered during the testing phase.

Create detailed documentation and reports about patch download, testing and installation for auditing and compliance. Though these steps may vary, the larger point is that updates should not be installed the moment they become available. Instead, they should go through a process laid down by the organization. Such a process-oriented approach will also make it easy to follow some of the best practices of patch management.

For a slightly different take on patch management processes, review the blog: The best patch management strategy for If done incorrectly, patch management can be a risk for the organization instead of a risk mitigator. A few simple best practices, however, easily eliminate all of these risks and ensure that the process is finished quickly and efficiently.

Here are some best practices specifically for MS Windows patching: Here are a few general best practices for patch management to help an organization enhance its security and to stay updated on all the latest additions made to any software:

So, the overarching patch management strategy is to pinpoint what type of vulnerability a patch is supposed to fix. Then determine how much risk is involved in applying the patch, how you should apply the patch and when you should apply it. Microsoft may provide a way around the problem until a patch is available. Or you may have a stop-gap measure until you can evaluate a patch. Insurance may be expensive, but risk can, in essence, be transferred to an insurance company and you can let them deal with any problems.

Go ahead with the patch, and hope that nothing goes sideways. Or completely remove the software or Windows component from the exposed systems. Change management is also one of the important factors in patching. It gives awareness of upcoming changes in the environment and also helps from an audit point of view. Every organization will have a defined process based on business needs. Using a Standard Change Template is recommended, since patching is one of the mandatory activities performed on a monthly basis.

Measuring the implemented work is always beneficial to the organization from the security audit point of view. For example, if you have four hours of downtime, perform the patching compliance scan in the second or third hour so that you can re-patch the servers within the same downtime under the approved change. If you miss checking compliance within the same downtime window, you may need to request a new downtime window from the business and raise a separate change ticket.

Do not keep a backlog for long. It impacts overall compliance by the end of the monthly cycle. Microsoft recommends deploying out-of-band (OOB) patches as soon as possible to avoid external attacks. For example, if a vulnerability is identified in Internet Explorer 9, you have to identify how many servers in the environment are running IE9. This data can be fetched by the compliance tool you are using in your environment. If you are using Microsoft SCCM, you can create a custom report with a custom query to fetch this data.

Assume after assessment, you have servers running with IE9 out of servers. In this case, you have to plan to patch these servers on priority. Completing that transformation with Azure Update Management required the Manageability Team to achieve three main goals: Microsoft Digital enhanced reporting capabilities by creating a Power BI report that married compliance scan results with the necessary configuration management database details.

This provided a view on both current and past patch cycle compliance, setting a point-in-time measure within the broader context of historic trends. Engineers were now able to quickly and accurately remediate without wasting time and resources.

The report also included day trend tracking and knowledge base (KB)-level reporting. The Manageability Team also gathered feedback from engineering groups to make dashboard enhancements like adding pending KB numbers on noncompliant servers and information about how long a patch was pending on a server.

With Configuration Manager consistently landing patches each cycle, engineering teams began to consistently meet the 95 percent goal. Finally, as a native Azure solution available directly through the Azure portal, Azure Update Management provided the flexibility and features needed for engineering teams to remediate vulnerabilities while satisfying these conditions at scale.

I would like to know Microsoft's patching strategy to confirm we have the right compliance on patching.

Hi SanjSub,

For KB and K, first, these two patches are inclusive, includes , so we just need to install one of the patches and do not need to install two. Second, so for a system that has not been patched, just install Third, the patch system has been installed, please confirm, as long as the installation of any one of the patches, solved the worm problem.

Each operating system can be installed as long as one of the four updates. If you have installed one of the other updates, you may have an error indicating that it cannot be installed. Hope it will be helpful to you. Please remember to mark the replies as answers if they help.


