Microsoft have a substantial problem, and one for which we have at least some sympathy.  Their operating systems are practically everywhere, and are configured in a multitude of ways, many of which they could never have predicted.  So providing a one-size-fits-all approach to patching is always going to be problematic, but that is exactly what Microsoft is forced to do.

This leaves competent administrators to bridge the gap and test patches, and indeed upgrades, in their own environments before deploying them widely.  However, as we have seen from the problems arising from MS08-037, this doesn't always happen.

Schedule patching

There are very few occasions on which immediate patching will be either necessary or desirable.  Given that many organisations now publish patches on a schedule of their own, you can use this as a basis for yours.

User Transparency

Whilst it is generally considered best practice to inform users of impending changes, patches are potentially one exception to this rule.  Where patches are expected to change the user interface or require user interaction, it's best to warn users.  However, a difficulty can arise when users attribute problems they are experiencing to patches without foundation.  So whilst this possibility should not prevent you from informing users, consider carefully how much information to provide.

Patch Testing

While vendors will do everything they can to ensure patches work as intended, only you can confirm they work in your environment, so testing before deployment is essential.  If you have a standard desktop build then you can test against it, either using a spare PC or virtually, using one of the many virtualization tools available.

Even when patches have passed tests, it is still a good idea to apply them in waves.  If possible, recruit a small number of users, preferably confident and experienced ones, to act as a last line of defence for patch issues.  You can then push updates to these users first and gauge the response; if they don't report problems, you are as safe as you can be to push the patches to all users.

Above all, rushing to patch may well cause more problems than it solves.  That said, don't fall too far behind the curve either.

posted on Monday, July 14, 2008