What's your patch management policy?

Sometwo

Hey guys, I have a few questions on patch management...

1. How are you guys assessing the risk posed by vulnerabilities?
2. How quickly are you patching low, medium, and severe vulnerabilities?
3. How are you testing patches before you roll them out?

I'm curious as to how you guys are handling vulnerabilities. So what are you doing?
 
One company I worked for, we would use WSUS to deploy updates to our Dev, then Testing, then Production environments. We would push the patches on a one-week interval. On Patch Tuesday, Dev would go first. The next week we would go to Testing. Then finally Production the following week. That was a fairly large environment with 3000+ machines.

Most of my customers now are small businesses with under 100 users. I automatically push down the updates as they are released. I only push down security updates though. I don't really do any testing because that typically takes more time than cleaning up from an error once in a while. My customers pay by the hour so it makes more sense to do this.
 
Wow, you mean you used to go 3 weeks without patching vulnerabilities on the computers that were probably the most vulnerable? It makes sense to test the patches thoroughly, but I'm surprised that management didn't want the vulnerabilities patched sooner. Is this policy typical of most medium to large sized networks?
 
What's worse? Waiting 3 weeks to patch systems that are protected by firewalls, AV, anti-malware, users not running with admin rights, and users only allowed to run approved applications (through policy); or pushing patches through untested that could cripple a mission-critical app and lose more than $1 million a day?
 
Good point, but I wasn't advocating completely abandoning testing of the patches, just doing it quicker for vulnerabilities that pose a moderate risk even when you take your countermeasures into account. What do you use to assess risk? Do you use CVSS, or something else?
 
That's what we do for our 3500+ workstations and 500+ Windows servers. This month, because of the holiday, the August patches are going out this Sunday. Our fast track is usually 2 weeks for patches that should be deployed as fast as possible.
 
I guess it's normal then. Looks like I underestimated how important thoroughly testing patches is. :eek:
 
Yeah, ever since one incident that took down a road crew from the W2K Security Rollup 1 patch, we test, test, test, then do a staggered deploy.
 
The company that I used to work for had a 4-week patch testing interval on non-security patches/updates; security updates got 1 week of testing before rolling onto WSUS, and new software packages had to be checked for a month or even more, even for silly things like Adobe Reader 5 to version 6.

But where I am now, the company is a lot more lenient and only requires us to test until we are happy that the updates are okay. We only install security updates now anyway (we are pretty lazy admins; we still have no Service Pack 1 rolled out on our Windows 2003 servers because we can't be asked to test it, lol).
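Added example, not code from the thread or from any of the posters: a PowerShell script that automates the cadence the thread describes. Security updates advance Dev, then Testing, then Production one ring per week from their release date (the first reply's schedule); non-security updates advance one ring per four weeks (the interval in the post above); a hand-maintained fast-track KB list moves urgent updates through the rings in days rather than weeks; and any failed install reported to WSUS holds the update at its current ring instead of promoting it further. It uses the UpdateServices cmdlets that ship with WSUS on Windows Server 2012 and later. The hostname wsus.corp.example, the computer group names Dev/Testing/Production, the interval values and the fast-track list are assumptions, not something the thread specifies. Run it with -WhatIf first.

```powershell
#Requires -Modules UpdateServices
<#
 Added example (not from the thread): ring-based WSUS approvals.
 Assumptions: WSUS computer groups named Dev, Testing, Production;
 hostname wsus.corp.example; interval values and fast-track KBs chosen here.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$WsusHost = 'wsus.corp.example',            # assumed hostname
    [int]$Port = 8530,
    [string[]]$Rings = @('Dev', 'Testing', 'Production'), # assumed group names, in order
    [int]$SecurityRingDays = 7,      # one ring per week for security updates
    [int]$OtherRingDays = 28,        # one ring per four weeks for everything else
    [int]$FastTrackRingDays = 2,     # urgent KBs move one ring every two days
    [string[]]$FastTrackKB = @(),    # e.g. '4012212'; a human decides what goes here
    [switch]$IncludeNonSecurity      # default: only 'Security Updates', like the posters
)

# Index of the furthest ring an update has earned by $Now (-1 = not even Dev yet).
# Day 0 -> ring 0, day $RingDays -> ring 1, and so on, capped at the last ring.
function Get-DueRingIndex {
    param([datetime]$Released, [datetime]$Now, [int]$RingDays, [int]$RingCount)
    $elapsed = ($Now.Date - $Released.Date).Days
    if ($elapsed -lt 0) { return -1 }
    return [int][Math]::Min([Math]::Floor($elapsed / $RingDays), $RingCount - 1)
}

$wsus    = Get-WsusServer -Name $WsusHost -PortNumber $Port
$now     = Get-Date
# Everything not declined that at least one client still needs or has failed.
$updates = Get-WsusUpdate -UpdateServer $wsus -Approval AnyExceptDeclined -Status FailedOrNeeded

foreach ($u in $updates) {
    $isSecurity = $u.Classification -eq 'Security Updates'
    if (-not $isSecurity -and -not $IncludeNonSecurity) { continue }

    $kbs  = @($u.Update.KnowledgebaseArticles)
    $fast = @($kbs | Where-Object { $FastTrackKB -contains $_ }).Count -gt 0
    $ringDays = if ($fast) { $FastTrackRingDays }
                elseif ($isSecurity) { $SecurityRingDays }
                else { $OtherRingDays }

    $due = Get-DueRingIndex -Released $u.Update.CreationDate -Now $now `
                            -RingDays $ringDays -RingCount $Rings.Count
    if ($due -lt 0) { continue }

    # Gate: a failed install anywhere in an earlier ring freezes promotion until a
    # human has looked at it. This is the "test, then staggered deploy" step; the
    # calendar alone never pushes a known-bad patch into Production.
    if ($u.FailedCount -gt 0) {
        Write-Warning "Holding '$($u.Title)': $($u.FailedCount) failed install(s) reported"
        continue
    }

    $approvedGroups = @($u.Update.GetUpdateApprovals() |
        ForEach-Object { $_.GetComputerTargetGroup().Name })

    # Approve every ring up to the one that is due; earlier rings are a no-op
    # if a previous run already approved them.
    foreach ($ring in $Rings[0..$due]) {
        if ($approvedGroups -contains $ring) { continue }
        $label = "$($u.Title) [KB$($kbs -join ', KB')]"
        if ($PSCmdlet.ShouldProcess($label, "Approve for $ring")) {
            Approve-WsusUpdate -Update $u -Action Install -TargetGroupName $ring | Out-Null
        }
    }
}
```

Scheduled daily, this gives Production a two-week lag behind release for security updates, the same lag the first reply describes, while the failure gate means a patch that breaks a Dev or Testing machine stops there rather than reaching 3000 workstations. Note that FailedCount is server-wide, so one bad client anywhere holds the update; that is deliberate, since a human then decides whether to decline the update, fix the client, or override by approving the ring manually.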
 
Wow. You do realize that SP1 added new functionality to AD (especially for securing things from LDAP searches), and has really significant WAN transfer optimizations...
 