If you spend more than a few hours a month doing patching; if you stay up until the middle of the night one Saturday each month doing patching; if you just flip on automatic updates and hope for the best; or if you email your users instructions on how to update their machines – then you're doing it wrong.
Patching shouldn't be something that takes multiple days, nor is it something that should ruin one weekend a month. But it is critical and needs to be done right. If you think you're spending way too much time on patching, and have actually considered skipping a month because things didn't sound "that bad," then here's a post just for you. In it, we'll look at seven tips to save you time (and money) taking care of patch management.
1. Have a plan: First of all, you have to have a plan. Management has to support it, and you need to make sure it covers all the systems on your network. You don't want to patch at random, or try to remember every system that you have. Create a plan that includes getting the updates, testing the updates, deploying the updates, and confirming that everything is covered.
2. Set aside a maintenance window: Whether you patch at 2am on Saturday, or Friday at 9am, you need a maintenance window that others cannot supersede. I prefer to patch during the day. Everyone is already awake and onsite, vendor support's top-tier personnel are available should the worst happen, redundancy in your systems should allow you to take down a node at a time, and there's no reason why IT has to work a zombie shift every month. Nobody else does!
3. Test "in production": No, I don't mean that you should just patch every system without testing and hope for the best, but I do mean that you should have a subset of servers and workstations that people actually use, and patch them before the rest of the network. That way, patches are actually being used for more than a few minutes. If there is something that causes issues, you are either going to find it in the first 30 seconds, or not for hours. Running a handful of production machines with a new patch helps make sure you're good to go.
4. But be able to roll back: When you do patch, you want to make sure you can roll back. Testing a handful of machines should help you avoid a case where you have to touch everything twice, but you do want to be able to roll back a patch even after you've done all your testing, because sometimes things take a while to show up.
If there's one thing you can do to save more time than anything else regarding patching, it's getting patch management software for your network. Seriously, the time it will save you every month will pay for the cost of the patch management software in less than a year. How's that for ROI? Patch management software can help you develop and execute your plan, test your patches, roll them back when needed, and two more things on top of that to save you time.
5. Cover third-party software too: Patch management software has something that Windows Updates will never have… the ability to patch non-Microsoft software. Everybody has software from third parties like Adobe, Mozilla, Sun, and Apple, and all of those need patching as often as, or more often than, operating systems and office suites. Patch management software has you covered, patching popular third-party applications so you don't have to invent login scripts and hope for the best.
6. Use reporting: "Trust, but verify" is the mantra of patch management. Trust that the patch deployed to all your systems, but then go verify it. You can log on to each machine one at a time, spend hours coming up with a WMI query to check, or use the reporting built right into your patch management software to see the status of every system. Better still, you can provide those reports to your boss to show her what a great job you're doing patching.
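For a sense of what the hand-rolled WMI check mentioned in tip 6 involves, here is an added example (not from the original post or from any vendor's product) that asks each machine which updates it has installed and reports the ones still missing a required patch. The host names and the `KB0000000` identifier are placeholders, and the script assumes WinRM/CIM remoting is enabled on the targets.

```powershell
# Added example: verify that required updates are present on each machine.
# Host names and KB identifiers passed in below are placeholders.
function Get-PatchCompliance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string[]] $RequiredKB
    )

    foreach ($computer in $ComputerName) {
        try {
            # Win32_QuickFixEngineering is the WMI class behind Get-HotFix.
            # It only lists updates delivered through Windows servicing, so
            # third-party applications (tip 5) need a separate inventory check.
            $installed = Get-CimInstance -ClassName Win32_QuickFixEngineering `
                -ComputerName $computer -ErrorAction Stop |
                Select-Object -ExpandProperty HotFixID

            $missing = @($RequiredKB | Where-Object { $_ -notin $installed })
            $status  = if ($missing.Count -eq 0) { 'Compliant' } else { 'Missing' }
        }
        catch {
            # A machine that cannot be queried is unverified, not compliant.
            $missing = @($RequiredKB)
            $status  = 'Unreachable'
        }

        [pscustomobject]@{
            ComputerName = $computer
            Status       = $status
            MissingKB    = $missing -join ','
            CheckedAt    = (Get-Date).ToString('s')
        }
    }
}

# Check the pilot group first (tip 3), then the rest of the network.
$report = Get-PatchCompliance -ComputerName 'pilot-ws01', 'pilot-srv01' -RequiredKB 'KB0000000'
$report | Sort-Object Status, ComputerName | Format-Table -AutoSize
$report | Export-Csv -Path .\patch-compliance.csv -NoTypeInformation
```

Treat `Unreachable` rows as open items: a laptop that was offline during the maintenance window is exactly the system that a "trust" without "verify" approach misses.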
Seven tips that can save you hours each month, let you take back your weekends, and actually put you in a far more secure position than you were before. If that's not a great thing, I don't know what is! Remember, patch management is critical, but that doesn't mean it has to be painful.
Use a thorough approach to patching, make sure you cover the third-party software, and use patch management software to automate and report on as much as you possibly can.
This blog post was written by Peter Williams on behalf of GFI Software.