Got servers? Then you need to perform server patch management. Not annually, not once a quarter, not when you feel like getting around to it. Microsoft releases patches on a monthly basis to make it easier for IT professionals to plan their server patch management activities on a predictable cycle, but those out of band patches mean you have to be prepared to do server patch management on very short notice. Remaining completely reactive is not the way to go; it will lead to errors, failures, and missed patches, and that can lead to compromised servers. Here are five fundamental tips for server patch management that will help you do things the right way:
1. Stay informed
Microsoft releases patches on a predictable schedule to facilitate server patch management strategies, but they also release out of band patches when necessary. Your application vendors (and other o/s vendors if you are not a pure MS shop) tend to release patches when they will. Subscribe to all of your vendors’ notification lists, and use a distribution list to make sure nothing is missed because someone is on vacation. Also subscribe to one or more of the leading independent security bulletins so you stay aware of needed patches.
2. Stick to a schedule
Remember that schedule? Use it to make your own server patch management schedule with predictable, published, and inviolate maintenance windows. Patching is not an optional activity, and when the rest of the business knows you patch on the third Thursday of the month, they won’t schedule conflicting tasks. Well, some of them will try, but patching trumps all.
Patching goes badly only when patches are deployed to production without testing. Whether you maintain a DR facility that can be used for testing, a scaled down physical environment, or you just take snapshots of your production VMs and test patches in a sandbox, make sure your server patch management strategy includes testing. Vendors test against their vanilla deployments, and against as many combinations as they can of things that follow supported scenarios and best practices. Unless you know for absolute certainty that your systems are ‘pure’, testing is the only way to be sure you won’t run into production issues.
4. Automate automate automate
Even the smallest shops on a shoe string budget can use the free WSUS for the server patch management, but there are very affordable third party applications that can also handle third party applications in the patching process, which you can also leverage when patching your workstations. Even the most expensive, top of the line server patch management applications will be less expensive than the recovery costs associated with that one server that was exploited because it was missing a critical patch.
5. Verify verify verify
Review your server patch management application logs, spot check individual machines, and then run periodic scans with MBSA or a vulnerability assessment tool to make sure that all servers were patched, and any new systems added to your network are fully up to date.
Bonus tip: redundancy is your friend
Nobody wants to spend an entire evening to patch. Having redundancy for all critical services enables you to patch during the day. This improves work life balance sure, but it also means that if a patch does go awry, all hands are already on deck, wide awake, and able to lend a hand, rather than leaving the guy who drew the short straw trying to figure it out alone in the middle of the night, or having to wake everyone else up to assist. Look for redundant domain controllers, overlapping DHCP scopes, using FRS shares instead of relying on a single file server, NLB or clustered applications, etc., to keep single instance services to a minimum.
Use these fundamental tips to make your server patch management strategy the best it can be. Your server uptime and performance will reap the benefits, your users will never suffer from outages, and you might just get to experience some of that work life balance you keep hearing about. Server patch management doesn’t have to be painful; these six tips are the way to go.