Security patches require speed and some thought in their application, says University of Arizona’s ARTHUR JACOBSON.

May 01 2008

Patch Management Automation

Experts share their insights on how to keep your systems safe.


Patch management is a critical but often tedious task that must be carried out in every environment, both to protect systems from Trojans, worms and other malicious code and to comply with government regulations.

We asked IT professionals from several universities across the country to share their best tips for simplifying and automating patch management for tighter IT control.

Tip 1: What’s the Damage?

“The critical nature of the patch is all important,” says Robert Henderson, director of cyber infrastructure at the University of the Pacific (UP) in Stockton, Calif.

Administrators must research the critical level of the patch first, he notes, to determine the amount of testing that’s required for each patch and to estimate the deployment timeline.

“When we receive the vendor patches,” says Henderson, “we establish how critical the patch is to the security of our systems, then test them accordingly and schedule them for deployment.” UP delivers Windows desktop patches through a local Windows Server Update Services (WSUS) server and uses Group Policy to require that all of its systems connect to it.

“Critical security patches should be deployed as soon as they are available. The security exposure incurred by delaying these patches is unacceptable,” says Arthur Jacobson, senior support systems analyst in the University Information Technology Services Department at the University of Arizona in Tucson (UA).

UA also uses its WSUS server to manage computer patches. “With this product,” says Jacobson, “we can use Windows Domain policies to control the distribution of patches to various functional groups in a customized manner.”

According to Jacobson, the distribution of critical security patches is automatic, but the distribution of noncritical patches is controlled by the WSUS system manager.

Noncritical patches can be tested and scheduled for distribution to functional groups as needed. The system manager can review each computer’s status in WSUS: which distributed patches installed successfully, which failed and which are still needed.
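The split Jacobson describes, automatic distribution of critical patches and manager-controlled distribution of everything else, plus the status review, can be scripted against WSUS. The script below is an added example, not UA’s own tooling; it assumes the UpdateServices PowerShell module that ships with WSUS on Windows Server 2012 and later (the 2008-era WSUS 3.0 in the article exposed only a .NET API and console-side automatic approval rules), that it runs on the WSUS server itself as a scheduled task, and that the target group names in `$TargetGroups` are placeholders for your own functional groups.

```powershell
# Added example: auto-approve critical and security updates for every
# functional group, leave other updates for the system manager, and
# report computers that still need patches or reported failures.
# Assumes the UpdateServices module on the WSUS server; group names below
# are placeholders.
$TargetGroups = @('Desktops', 'Servers')

$wsus = Get-WsusServer   # connect to the local WSUS server

# 1. Critical and security updates that have not been approved yet are
#    approved for installation in every group without waiting for a person,
#    matching the "deploy as soon as they are available" policy.
foreach ($class in 'Critical', 'Security') {
    Get-WsusUpdate -UpdateServer $wsus -Classification $class -Approval Unapproved -Status Any |
        ForEach-Object {
            foreach ($group in $TargetGroups) {
                Approve-WsusUpdate -Update $_ -Action Install -TargetGroupName $group
            }
        }
}

# 2. Whatever is still unapproved after step 1 is noncritical by
#    construction. It is only listed here, oldest first, so the system
#    manager can test it and schedule it for the groups that need it.
Get-WsusUpdate -UpdateServer $wsus -Classification All -Approval Unapproved -Status Any |
    Select-Object @{ n = 'Title';   e = { $_.Update.Title } },
                  Classification,
                  @{ n = 'Arrived'; e = { $_.Update.ArrivalDate } } |
    Sort-Object Arrived |
    Format-Table -AutoSize

# 3. Status review: computers that reported a failed installation or
#    still need an approved update. A stale LastReportedStatusTime is
#    itself a finding, since a client that stops reporting is not patched.
Get-WsusComputer -UpdateServer $wsus -ComputerUpdateStatus FailedOrNeeded |
    Select-Object FullDomainName, LastReportedStatusTime |
    Sort-Object LastReportedStatusTime |
    Format-Table -AutoSize
```

Run it from a scheduled task shortly after each WSUS synchronization so that step 1 fires before anyone has to log in; step 3 is worth sending to the system manager as a report, because a machine that never reports status will not show up as “failed” on its own.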

Tip 2: If It Isn’t Broken, Don’t Fix It

Install only what is needed in a timely manner and patching will be far less painful, says Craig Kleine, support systems analyst in the Office of Economic Development at UA. This allows some leeway in managing the network’s bandwidth.

“One of the things I find helpful is to monitor what’s going to be available for patching,” says Kleine. Universities can even subscribe to RSS feeds to streamline the process further. This allows system managers to decide ahead of time whether or not a patch should be installed. Many times, patches are installed for products that are either not used or not installed. Ensuring that computers don’t carry unnecessary software and services therefore reduces both the patching workload and the overall security footprint.

Kleine has 75 computers to patch, with 10 offsite on different subnets. Smaller departments, like Kleine’s, use WSUS. “Using a modern workstation,” Kleine adds, “I can virtualize a domain with the appropriate sites and services that we use here, which allows me to test for any unwanted patch interferences or problems with patches before accepting them for our client computers to download and install.”

Tip 3: Routine Is Your Friend

“We have an established routine that allows us to test and deploy all patches within 72 hours to two weeks, based on the critical priority of the patch,” says UP’s Henderson.

“We follow a strict procedure, which includes maintaining a configuration-management database for servers,” says Ryan Rose, director of core services for the Information Technology Department at the University of Northern Colorado (UNC) in Greeley. This database includes the server name, location, priority and function within the UNC network. The system administrator follows a prioritized application process.

Prior to completing the change-management forms, all patches are verified on specific test servers and PCs for no less than one week, adds Rose. This is typically performed during the first week after “patch Tuesday.” All production systems and PCs are patched the following week. The change-management form specifies what patches are applied and any exceptions that may apply. Once all the servers are patched, the IT security analyst performs audits on random systems to verify the installations.
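Rose’s routine, a configuration-management database of servers with name, location, priority and function, a one-week test window starting at Patch Tuesday, production patching the following week in priority order, and a random audit afterwards, can be turned into a calendar mechanically. The script below is an added example, not UNC’s own tooling; the CSV rows, column names and the rule that priority 1 systems are patched on the first production day, priority 2 on the second and so on are constructed assumptions for illustration.

```powershell
# Added example: build a patch calendar from a CMDB export and draw a
# random audit sample. The inline CSV is constructed data, not a real CMDB.
$cmdbCsv = @'
Name,Location,Priority,Function
sql01,DataCenter-A,1,Database
web01,DataCenter-A,2,Web
web02,DataCenter-B,2,Web
print01,Library,3,Print
lab-pc-14,Lab-2,3,Workstation
'@
$servers = $cmdbCsv | ConvertFrom-Csv

# Patch Tuesday is the second Tuesday of the month.
function Get-PatchTuesday([datetime]$AnyDayInMonth) {
    $first = (Get-Date -Year $AnyDayInMonth.Year -Month $AnyDayInMonth.Month -Day 1).Date
    $daysToTuesday = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    return $first.AddDays($daysToTuesday + 7)
}

# Week 1 is the test window on the designated test servers and PCs;
# production starts the following week, highest-priority systems first.
function New-PatchSchedule([datetime]$PatchTuesday, $Servers) {
    $testStart = $PatchTuesday
    $testEnd   = $PatchTuesday.AddDays(7)   # no less than one week of testing
    $Servers | Sort-Object { [int]$_.Priority }, Name | ForEach-Object {
        # assumed rule: priority N is patched on production day N
        $deploy = $testEnd.AddDays([int]$_.Priority - 1)
        [pscustomobject]@{
            Name       = $_.Name
            Location   = $_.Location
            Function   = $_.Function
            Priority   = [int]$_.Priority
            TestWindow = '{0:yyyy-MM-dd} to {1:yyyy-MM-dd}' -f $testStart, $testEnd
            DeployDate = '{0:yyyy-MM-dd}' -f $deploy
        }
    }
}

# Random sample for the security analyst to audit once deployment is done.
function Get-AuditSample($Servers, [int]$Count = 2) {
    $Servers | Get-Random -Count $Count | Select-Object Name, Location, Function
}

$patchTuesday = Get-PatchTuesday (Get-Date)
New-PatchSchedule -PatchTuesday $patchTuesday -Servers $servers | Format-Table -AutoSize
Get-AuditSample -Servers $servers | Format-Table -AutoSize
```

The schedule output is what goes onto the change-management form; any system whose DeployDate is moved, or that is skipped, is the “exception” the form has to record. Drawing the audit sample with `Get-Random` rather than by hand keeps the analyst from always checking the same convenient machines.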

Tip 4: It’s All in the Planning

“We started with a process before the technology, to ensure that we would be successful with any tool that we would use,” says Mark Fitzgerald, manager for user services in the Office of Information Technology at Boise State University (BSU). In other words, figure out the process first, then determine which technology will accomplish the tasks.

After establishing a good process, continues Fitzgerald, BSU introduced WSUS to manage its Windows desktops. Ninety percent of the university’s desktops run a Microsoft OS. The administrators also use Novell Desktop Management Suite to package and deploy critical patches outside of the desktop operating system. ZENworks inventory services identifies which computers have particular hardware or software that may require patching. The advanced package, called ZENworks Patch Management, would automate the process further, but BSU does not currently own that product. “We also use Symantec Console to patch our antivirus software,” adds Fitzgerald.

Tip 5: Know Your Gear

“We have found the Microsoft patch-management tools to be cost-effective and reliable. We also use the reporting and monitoring tools to alert system managers as to the status of every computer within the management scope,” says UA’s Jacobson.

UA is also using Microsoft System Center as an enhancement to WSUS. According to Jacobson, the Microsoft System Center application has enhanced monitoring and reporting features and the ability to patch not just Microsoft products but third-party applications as well.

“We have recently acquired LANDesk for our asset management,” says Tracy Schroeder, vice president for information technology at the University of San Francisco (USF). “We hope to use that system’s tools for more automated patching in the future. However, we are not yet at that point and plan to proceed with caution,” she says.

The USF administrators enable Microsoft Windows auto-updates on most of their Windows servers, but on some systems running more critical applications, the administrators set them to “hold” until they can verify that they do not disrupt or degrade service before moving them into production.

Universities Exposed

Colleges and universities are the second most-targeted computer users, after home users, for cyberattack.

Data breaches as a whole were up 40 percent in 2007, with 27 million records exposed to possible theft.

Patch Management Software

Novell ZENworks Desktop Management (v.7), maintenance
CDW•G Price: $27.99

Novell ZENworks Patch Management for Windows, subscription license
CDW•G Price: $22.99

Shavlik NetChk Protect, (v.5x) license
CDW•G Price: $41.89

LANDesk Patch Manager License
CDW•G Price: $18.99

Steve Craft
