Windows Patch Management Best Practices

Improve security by systematically addressing vulnerabilities in your Microsoft software and operating systems

  1. What is Microsoft Windows Patch Management?
  2. Handling Windows server patching
  3. Why is patch management in Windows important?
  4. Patch management for Windows step by step
  5. Windows patch management best practices
  6. Windows patch management strategies
  7. Choosing patch management software tools for Windows
  8. Blog posts
  9. Additional resources

What is patch management and specifically, Microsoft Windows Patch Management?

 

 

Patch management consists of scanning computers, mobile devices or other machines on a network for missing software updates, known as “patches” and fixing the problem by deploying those patches as soon as they become available.

Windows patch management is the process of managing patches for Microsoft Windows. Patches are a type of code that is inserted (or patched) into the code of an existing software program. It is typically a stop-gap measure until a new full release of the software becomes available.

Windows Update is a Microsoft service for MS Windows operating systems that automates downloads of Windows software updates. The service not only delivers software updates, but also many Microsoft antivirus products. While Microsoft attempts to quickly release security patches, frequently applying patches to production-level servers can have a negative effect on productivity and stability.

Since 2003, Microsoft has released large numbers of patches for their operating systems and other software products on “Patch Tuesday” – the second Tuesday of every month. However, with the release of MS Windows 10, Microsoft has also started issuing cumulative updates for the new operating system. 

Each of these patches contains fixes for one or more vulnerabilities that have been identified by numbers assigned via the Common Vulnerabilities and Exposures (CVE) system, maintained by the National Cybersecurity Federally Funded Research and Development Center (FFRDC).

Patch Tuesday lets systems administrators prepare for possible impacts patch applications might have and warn their users. When a serious problem with a patch is reported, it can affect the computers where the update will be installed. IT personnel can defer installing that patch, while still installing the rest of the them, so they don’t lose the protections from all those other vulnerabilities.

Updates that roll up all the current fixes into a single patch offer the convenience of an all-in-one solution, but also take away the admin’s ability to pick and choose which vulnerabilities to patch. This may increase the chances that an incompatibility with some particular system configuration or other software might cause the update to either fail or cause undesired behavior. Microsoft uses the cumulative rollup concept for their security updates for Internet Explorer and Edge web browsers.

Handling Windows server patching

Server patching acquires, tests and installs multiple code changes to administered computer systems to keep them updated. The process also determines the appropriate software patches for each program and schedules the installation of the patches across different systems.

Patching a server is more complex than patching a workstation. Workstation downtime isn’t as critical because workstations can be re-built if there’s a serious issue with a patch. In contrast, server patching includes not only the server, but also the applications running on it and the middleware between applications. Because the critical role servers play for an organization, downtime must be kept to an absolute minimum. Most administrators find it important to prioritize server patches.

As discussed earlier, Microsoft Windows Updates automates downloads of software updates. Businesses with only has a handful of Windows servers can use the Microsoft Windows Server Update tool to deploy Windows updates. But most organizations have a more multifaceted computer environment and end up using multiple tools for other work, such as Microsoft application software patches or Mac OS patches.

Using multiple tools is problematic because it obscures the operation team’s ability to understand the IT deployment’s level of risk. Many companies offer a single “do it all” tool for server patching – one that can process everything from Microsoft products and third-party software to PC-based hardware, Mac computers, client systems and servers.

Why is patch management in Windows important?

Proper patch management can greatly improve an enterprise’s security by addressing the vulnerabilities in its software and operating systems. Here are a few reasons why patch management is a critical expenditure in almost any IT budget:

image

Security

Security is the most critical benefit of patch management. Network security breaches are most commonly caused by missing patches in operating systems and other applications. For example, security breaches are regularly discovered in MS Windows ActiveX, IIS, Internet Explorer and .Net Framework. By installing security updates, you avoid damage to software, data loss and identity theft. It’s important to install updates quickly because malware can spread within hours after of introduction.

Productivity

Computer crashes due to defective software can still happen and this eventually leads to lower productivity levels. A patch, on the other hand, reduces the possibility of crashes and downtime, thereby allowing workers to do their tasks without interruptions.

Feature updates

Patches are not always about fixing bugs. They can also include new features and functionality that can tap into the latest innovations of the software. Microsoft is constantly working on new features and sending new functionality in the form of software patches, so downloading and installing them can help you work better and smarter.

Compliance

Cyberthreats have become commonplace and this is why regulatory bodies are mandating that businesses apply the latest patches to avoid these threats. Noncompliance can lead to stiff penalties, so a good patch management strategy is necessary to comply with these standards.

BYOD

The emergence of “bring your own device,” or BYOD, has opened up a whole new avenue of opportunities for cyberattackers. Employees increasingly use their personal and office devices interchangeably to do their work – requiring personal devices to be protected as well. A good patch management software installs patches across all devices, regardless of their physical location. In the process, it addresses many of the challenges that come with using personal devices.

Patch management for Windows and other third-party apps – step by step

Installing the latest updates is not the most effective process of patch management. In fact, every tool should follow a detailed set of steps to ensure that the end result is economical, efficient and effective.

Here are some keys steps to developing an up-to-date inventory of the existing devices:

  1. Create a patch management policy

  2. Scan the network and devices on a regular basis to identify vulnerabilities and missing patches.

  3. Validate the successful deployment of the downloaded patches in a testing environment and check for any incompatibilities or performance issues.

  4. Apply the patch across the entire organization, if no issues were uncovered during the testing phase.

  5. Create detailed documentation and reports about patch download, testing and installation for auditing and compliance.

Though these steps may vary, the larger point is the updates should not be installed as they become available. Instead, they should go through a process laid down by the organization. Such a process-oriented approach will also make it easy to follow some of the best practices of patch management.

For a slightly different take on patch management processes, review the blog: The best patch management strategy for 2019.

Windows patch management best practices

Windows patching is typically high on an administrator’s to-do list. If done incorrectly patch management can be a risk for the organization instead of a risk mitigator. A few simple best practices however easily eliminate all of these risks as well as ensure that the process is finished quickly and efficiently.

Here are some best practices specifically for MS Windows patching:

image
  • Test before applying updates
    Windows patches may work well in isolation. But in the real world, there is always a possibility for incompatibilities between a patch and other software. When deploying software patches without properly testing them out, you risk that one of the patches might conflict and cause issues on the organization’s infrastructure. It’s a good idea time to test the consequences of the update by applying it first in a test environment or on a handful of computers before applying it to the entire network.
  • Keep up with news from third-party patch monitoring sites
    It may be difficult to take in the large amount of information released by Microsoft about new patches – and patches to patch previous patches! One shortcut is to review tech news sites that feature discussions about organizations’ experiences attempting to apply new Microsoft software updates.
  • Check the issues that Microsoft knows about for each patch
    When you receive emails from Microsoft about a new security update, look for any information they include about any issues they have identified. For instance, Microsoft may release a software patch that finally resolves a vulnerability missed by earlier updates.
  • Wait to patch – it won’t hurt, but it may hurt if you don’t
    A good rule of thumb is to allow a week for testing after patches are released on Microsoft’s Patch Tuesday. Even if your business is too small to perform extensive testing, the extra week gives you time to review Microsoft and third-party resources about whether there could be negative consequences to the patch application. For server patching to key servers and other critical systems, you may want to even add an extra week of testing and reviewing.

Here are a few general best practices for patch management to help an organization enhance its security and to stay updated on all the latest additions made to any software:

  • Know why you’re doing it
    Patch management is an essential part of the software world and it is important for the management as well as the admin team to understand its benefits for the organization as a whole. Communicating the essential nature of patch management will help to make it an integral part of IT activities.
  • Monitor the patch status of all your applications
    Always be aware when new patches are needed. The easiest way to accomplish this is by employing a solution that monitors your network patch status and notifies you automatically when patches are available. If budget is an issue another possibility is to keep track of what applications you use and periodically check the respective websites for new issued updates.
  • Work with your managed service providers
    Many managed service providers offer patch management services to suit the needs of different businesses. If you’re pressed for time or resources, consider this option so you can focus on your core business while patches will be handled by these providers.
  • Establish a disaster recovery plan
    Another important, yet often overlooked, best practice is to have a disaster recovery plan should your patch management fail and cause problems. Backups are the easiest option and they can also be used to mitigate other risks such as a virus infection or intrusion.

Windows patch management strategies

As stated previously, When deploying patches without properly testing them out, you risk that one of the patches might conflict and cause issues on the organization’s infrastructure. So, the overarching patch management strategy is to pinpoint what type of vulnerability a patch is supposed to fix. Then determine how much risk is involved in applying the patch, how you should apply the patch and when you should apply it.

Once you’ve done your risk evaluation there are different strategies to actually deal with the vulnerability.

Accept the risk

Hold on until Microsoft releases a fix.

Use a workaround

Microsoft may provide a way around the problem until a patch is available. Or you may have a stop-gap measure until you can evaluate a patch.

Rely on insurance

Insurance may be expensive, but risk can, in essence, be transferred to an insurance company and you can let them deal with any problems.

Simply patch now – or remove the potentially-affected software

Go ahead with the patch, and hope that nothing goes sideways. Or completely remove the software or Windows component from the exposed systems.

Choosing automated patch management software tools for Windows

 

Some administrators may assume that the Microsoft recommended patches provide security from most vulnerabilities. But most experts agree that you cannot solely rely on patches, updates and service packs supplied by Microsoft. Because of these unchecked vulnerabilities, many organizations have turned to automated patch management tools. Windows patch management software can take pressure off administrators and improve the overall efficiency of downloading and installing patches across different devices. As a result, every organization can update all its endpoints with the latest patches – and with little human interference, regardless of its hardware specifications and geographical locations.

But how do you choose the right patch management software, given the large number of patch management tools available today? Here are some capabilities that should be present in any good automated patch management software:

 

Blogs

Microsoft Patch Tuesday has changed and now all patches are delivered at once
Discover why with the release of Windows 10, Microsoft now issues cumulative updates for the new operating system. 

How we patch: by the numbers
Learn how a good patch management system goes a long way to address security problems.

The best patch management strategy for 2019
Learn six steps that can help you deploy an effective patch management strategy.

Exploring automated patch management solutions
Find out how automated patch management solutions go hand in hand with your vulnerability management program.

GFI LanGuard free trial

Download a 30-day trial of GFI LanGuard that includes Patch Management for Windows®, Mac OS® and Linux®

GFI resources for Windows patch management software

GFI LanGuard for patch management
Discover why thousands of IT admins worldwide use GFI LanGuard to scan networks for vulnerabilities, automate patching and achieve compliance.

GFI LanGuard Step by Step Guide
This step by step guide helps you understand how you can maintain a secure and compliant network with minimal IT effort.

GFI LanGuard free trial
Download a 30-day trial of GFI LanGuard that includes Patch Management for Windows®, Mac OS® and Linux®.

Patch management tool comparison: What are the best products?
Read this product comparison to see which tool is best for your company from TechTarget.

GFI LanGuard product features
Get an in-depth product understanding from this extensive library of videos and information.

How to deploy missing patches with GFI LanGuard
Watch this video and see how to quickly and easily deploy missing patches using GFI LanGuard.

6-step guide to effective patch management
Discover how an optimal patch management system helps to manage security and risk.