Ten Principles of Microsoft Patch Management. Published: May 4, 2.
By Christopher Budd, Security Program Manager, Microsoft Corporation.
Patch management is a critical part of maintaining the security of your systems and network. The patch management system that you build and maintain is, among other things, the channel through which you deploy security updates from Microsoft and other vendors. Although patch management is sometimes viewed as a systems management discipline rather than a security discipline, its role in addressing vulnerabilities through the deployment of updates makes it a vital component in an organization’s security operations.
Because the timely application of security updates is one of the most important and effective things you can do to protect your systems and network, your patch management system must be as efficient as possible. To help customers develop and maintain efficient patch management strategies, Microsoft provides information about tools and strategies on the patch management page of the TechNet Security site (http://www. There you will find a wealth of information on the nuts-and-bolts aspects of building and maintaining a patch management system for Microsoft products. That site is an excellent and valuable resource, but in helping customers with questions and concerns about security updates over several years I have found that, although it gives clear guidance on how we recommend you do patch management in your environment, it does not always make clear why we make particular recommendations.
We have provided good resources on the practice of Microsoft patch management, but we have not outlined as fully as we could the principles behind it. To help address that shortcoming, in this article I will outline ten principles of Microsoft patch management. With a better understanding of these principles, you can align your patch management strategy more closely with Microsoft's recommendations and thus improve the efficiency of your patch management system. You can also prevent the unpleasant surprises that can result from pursuing a strategy or tactics that Microsoft does not recommend or support.
Finally, with an understanding of the why behind how we recommend customers implement Microsoft patch management, you will often be able to answer the questions that arise in your day-to-day work managing security updates for Microsoft products.
Service packs should form the foundation of your patch management strategy.
At Microsoft, we have consistently recommended that you view service packs as the primary vehicle for security maintenance and look at security updates as something that augments service packs. It’s true that security updates are comprehensive for the vulnerabilities they address, and they are only released when they reach an appropriate level of quality. But service packs are a broader vehicle, both in the scope of the updates they contain and the testing process they undergo.
A service pack includes, as far as possible, all the security updates made available for that product before its release. It also contains other updates and improvements from the ongoing work of code maintenance that individual security updates may not include, so it offers broader protection for your environment than the security updates alone. Your patch management strategy should therefore focus first on service packs and then on security updates, rather than the other way around.
Make Product Support Lifecycle a key element in your strategy.
Directly related to the central role of service packs is the role of the Microsoft Product Support Lifecycle in your patch management strategy.
Like those of all technology companies, Microsoft's products follow a support lifecycle timeline. For several years now, Microsoft has worked to make this process as predictable and transparent as possible by developing and posting information about our Product Support Lifecycle at this site: www. From a security point of view, one of the most important things the Product Support Lifecycle governs is how long security updates for a particular product will be made publicly available.
When a product is no longer publicly supported under the Product Support Lifecycle, Microsoft no longer publicly provides security updates for that product. The Product Support Lifecycle is also relevant to our first principle regarding service packs.
Security update support for a product is specific to particular service packs of that product. This means that for as long as a product is publicly supported, security updates are made available only for the service pack levels of that product that are themselves still supported; updates are not made available for service pack levels that have left support. For example, at the time of this writing, security updates are publicly released for Windows XP Service Pack 1 and Service Pack 2.
Security updates are not publicly released for Windows XP Gold (the original release with no service pack). The Product Support Lifecycle Web site calls out the timelines for specific service pack support for publicly supported products. By keeping up to date with service packs, you ensure that your environment always conforms to the Product Support Lifecycle.
That way you are never in the situation where a security update has been released but the security bulletin gives you no information about the vulnerable state of your environment, because you are running a version that is no longer supported. To make your patch management strategy most effective, then, integrate the timelines from the Product Support Lifecycle into it.
Perform risk assessment using the Severity Rating System as a starting point.
Microsoft Security Bulletins serve to make you aware that security updates are available for specific Microsoft products. Another goal of the bulletins is to help you understand the issues they describe so that you can perform a risk assessment of those issues in your environment in accordance with your organization's security policies.
Risk assessment is an important step in the practice of patch management because it helps to answer questions relevant to the prioritization, testing, and deployment of security updates. To help customers with risk assessment, Microsoft Security Bulletins use a Severity Rating System. With it, we evaluate each issue and quantify its impact objectively on a technical level, using criteria that we have publicly posted at this site: http://www.
In the “Executive Summary” of each Security Bulletin, you will find a table that lists each vulnerability addressed in the bulletin and a severity rating for that vulnerability for each product listed as affected. For bulletins that address multiple vulnerabilities, a maximum severity for all vulnerabilities is provided for each product listed as affected in the bulletin.
Finally, for ease of reference, a maximum severity for all vulnerabilities for all products is provided in the Summary at the top. In addition, we provide more technical information about the vulnerabilities addressed in the bulletin in the Vulnerability Details section. This information in the security bulletins is intended to support the risk assessment processes and procedures that customers have implemented as part of their patch management strategy. We provide our assessment and guidance regarding the issue that you can use as a starting point to make your own risk assessment of the issue in your individual environment.
Because the Severity Rating System evaluates an issue solely on technical grounds, it cannot account for the specifics of customer environments. Therefore, use the Severity Rating System as the starting point for your own risk assessment, which can evaluate the elements specific to your environment.
Use mitigating factors to determine applicability and priority.
One piece of technical information in a Security Bulletin is the list of mitigating factors for each vulnerability it addresses. Provided for each specific vulnerability in the "Vulnerability Details" section of the bulletin, this information explains how the impact of the vulnerability may be lessened or mitigated, and it is important to your own risk assessment for understanding the applicability, scope, and threat of the issue in your environment. Mitigating factors are also used in the Security Bulletins as part of the criteria for determining severity under the Severity Rating System.
For example, a mitigating factor such as a vulnerable component being disabled by default will result in a lower severity rating than if that component were enabled by default. One goal in explicitly calling out these mitigating factors is to help you understand why an issue has been rated as it has, which in turn supports your own risk assessment process. Continuing the example, if in your environment you have chosen to enable that component, you will want your risk assessment to reflect that fact. Ultimately, you should use the information about mitigating factors first to determine whether an issue applies to your environment at all. If it does, incorporate the mitigating factors into your risk assessment to prioritize deployment of the security update.
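The following is an added example (not code from the article or from Microsoft) that puts the lifecycle principle and the risk-assessment principle together into one triage routine: it first checks whether each host's service pack level is still supported (an unsupported level has no row in the bulletin, so nothing can be assessed), then starts from the bulletin's severity rating and adjusts the local priority for the environment-specific state of the mitigating factor the article uses as its example (a component disabled by default). The lifecycle table, the host inventory, the bulletin data, and the rule of moving severity one step per mitigating factor are the editor's constructed assumptions; only the four severity names are Microsoft's. Note that the adjustment changes priority but never produces a decision other than deploy, which is the article's rule that mitigating factors govern when, not whether.

```python
from dataclasses import dataclass

# Microsoft's four bulletin severity ratings, most severe first.
SEVERITY_ORDER = ["Critical", "Important", "Moderate", "Low"]

# Constructed lifecycle table (editor's assumption, not Microsoft data):
# product -> service pack levels that still receive public security updates.
# The Windows XP row mirrors the article's example; "Gold" means no service pack.
SUPPORTED_SERVICE_PACKS = {
    "Windows XP": {"SP1", "SP2"},
    "Windows 2000": {"SP4"},
}


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    service_pack: str        # "Gold" for the original release
    component_enabled: bool  # is the affected component enabled on this host?


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    # Severity per (product, service pack), as in the Executive Summary table.
    severity: dict
    # Mitigating factor stated in the bulletin: the affected component is
    # disabled by default, so the published rating assumes it is disabled.
    component_disabled_by_default: bool


def lifecycle_conformant(host: Host) -> bool:
    """True if the host's service pack level still receives security updates."""
    return host.service_pack in SUPPORTED_SERVICE_PACKS.get(host.product, set())


def bulletin_max_severity(bulletin: Bulletin) -> str:
    """The 'maximum severity for all products' figure from a bulletin summary."""
    return min(bulletin.severity.values(), key=SEVERITY_ORDER.index)


def triage_host(host: Host, bulletin: Bulletin) -> tuple:
    """Return (action, local_severity) for one host.

    Order follows the article: lifecycle conformity first, then the bulletin's
    rating as the starting point, then environment-specific mitigating factors
    to set priority. A mitigating factor can move the local severity up or
    down but never turns 'deploy' into 'skip'.
    """
    if not lifecycle_conformant(host):
        # No bulletin row exists for an unsupported level: nothing to assess.
        return ("upgrade-service-pack-first", None)
    rated = bulletin.severity.get((host.product, host.service_pack))
    if rated is None:
        return ("not-affected", None)
    idx = SEVERITY_ORDER.index(rated)
    # Editor's assumption: one severity step per mitigating factor.
    if bulletin.component_disabled_by_default and host.component_enabled:
        idx = max(idx - 1, 0)                        # mitigation removed locally: more severe
    elif not bulletin.component_disabled_by_default and not host.component_enabled:
        idx = min(idx + 1, len(SEVERITY_ORDER) - 1)  # mitigation added locally: less severe
    return ("deploy", SEVERITY_ORDER[idx])


def triage(hosts, bulletin: Bulletin) -> dict:
    """Map host name -> (action, local_severity) for every host in inventory."""
    return {h.name: triage_host(h, bulletin) for h in hosts}


# Constructed sample inventory and bulletin (not real hosts or a real bulletin).
INVENTORY = [
    Host("ws-01", "Windows XP", "SP2", component_enabled=True),
    Host("ws-02", "Windows XP", "SP1", component_enabled=False),
    Host("ws-03", "Windows XP", "Gold", component_enabled=True),
    Host("srv-01", "Windows 2000", "SP4", component_enabled=True),
]

SAMPLE_BULLETIN = Bulletin(
    bulletin_id="EXAMPLE-001",  # placeholder, not a Microsoft bulletin number
    severity={("Windows XP", "SP1"): "Moderate", ("Windows XP", "SP2"): "Moderate"},
    component_disabled_by_default=True,
)

if __name__ == "__main__":
    print(f"Bulletin maximum severity: {bulletin_max_severity(SAMPLE_BULLETIN)}")
    for name, (action, sev) in triage(INVENTORY, SAMPLE_BULLETIN).items():
        print(f"{name}: {action}" + (f" ({sev})" if sev else ""))
```

Running it shows the three outcomes the article distinguishes: ws-03 on Windows XP Gold is flagged for a service pack upgrade before anything else, srv-01 is not affected, and the two supported XP hosts both get a deploy action, with ws-01 raised to Important because it has enabled the component the bulletin assumed disabled.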
A very important point is that information about mitigating factors is never meant to justify not deploying a security update. If, after looking at the mitigating factors, you determine that a vulnerability is applicable to your system, Microsoft recommends that you always apply the relevant security update. Treat mitigating factors as data that answers the question of when you apply the security update, not whether you apply it.
Only use workarounds in conjunction with deployment.