An Introduction to Windows Patch Management
Advancements in patch management have made it easier to keep Windows environments secure. Our new Windows Patch Management series kicks off with some recent history about patch-related technologies and an overview of general patch management concepts.
Patch management is without a doubt one of the most critical and complex Windows security-related issues these days. The problem has become more serious in recent months due to the increased frequency of new patches Microsoft has rated as critical, which followed documented exploits that take advantage of underlying vulnerabilities in Windows and Windows-related products (for a full list of patches, refer to the Security area of Microsoft's Web site).
This is especially troubling when one realizes that Microsoft altered its security rating system in early 2003 with the introduction of the "important" category (as an addition to the existing critical, moderate, and low categories), to reflect more accurately the level of urgency that should be considered when deploying patches. Thus, the "critical" label was to be reserved only for vulnerabilities that could be exploited by allowing malicious Internet worms to spread without user action.
Pressure from customers forced to conduct emergency software deployments across hundreds or even thousands of computers compelled Microsoft to search for means of mitigating such efforts. This resulted in a new patch release cycle that began in November 2003. Rather then being published on a weekly schedule (every Wednesday), new patches would now be made available for download on the second Tuesday of every month (with the obvious exception of emergency critical releases).
While this change makes it easier for corporate IT departments to coordinate their deployment schedules, they must also choose a methodology to enable them to inventory and install patches across all managed Windows systems with extreme accuracy and speed (particularly important, as past examples prove even a few worm-infected computers can seriously impact how the entire network functions).
This series will examine the options currently available as we attempt to make the selection and patch management process easier. We will cover free deployment methods (based on Microsoft operating system enhancements, third-party tools, and scripted solutions) as well as fee-based products. This first article will overview developments in patch-related technologies made in the past few years and will discuss general patch management concepts.