1
00:00:00,480 --> 00:00:02,890
What is patch management?

2
00:00:02,890 --> 00:00:05,630
Patch management is the planning, testing,

3
00:00:05,630 --> 00:00:08,820
implementing, and auditing of software patches.

4
00:00:08,820 --> 00:00:11,010
Why is patch management so important?

5
00:00:11,010 --> 00:00:13,390
Well, there are a lot of patches out there.

6
00:00:13,390 --> 00:00:14,860
Each manufacturer is going to create

7
00:00:14,860 --> 00:00:17,670
their own patches for their own applications.

8
00:00:17,670 --> 00:00:20,010
Part of patch management is keeping track of all

9
00:00:20,010 --> 00:00:22,410
of the various updates and ensuring that they get installed

10
00:00:22,410 --> 00:00:24,710
properly throughout your environment.

11
00:00:24,710 --> 00:00:27,440
But it's also important to have a patch management system

12
00:00:27,440 --> 00:00:29,780
in place to ensure that a patch that is designed

13
00:00:29,780 --> 00:00:32,270
to fix one problem doesn't create multiple,

14
00:00:32,270 --> 00:00:34,160
new problems for you as well.

15
00:00:34,160 --> 00:00:37,440
After all, patches can have bugs in them too.

16
00:00:37,440 --> 00:00:39,950
There are four steps to patch management.

17
00:00:39,950 --> 00:00:44,000
Planning, testing, implementing, and auditing.

18
00:00:44,000 --> 00:00:46,590
Planning consists of creating policies, procedures,

19
00:00:46,590 --> 00:00:49,320
and systems to track available patches and updates,

20
00:00:49,320 --> 00:00:51,120
and a method to verify that they

21
00:00:51,120 --> 00:00:53,220
are compatible with your systems.

22
00:00:53,220 --> 00:00:54,880
Planning is also used to determine

23
00:00:54,880 --> 00:00:57,560
how you're going to test and deploy each patch.

24
00:00:57,560 --> 00:01:00,100
Microsoft actually provides a useful tool

25
00:01:00,100 --> 00:01:02,690
that can help us in determining the status of our system,

26
00:01:02,690 --> 00:01:05,240
and whether or not a patch needs to be applied.

27
00:01:05,240 --> 00:01:06,250
This is known as the

28
00:01:06,250 --> 00:01:10,530
Microsoft Baseline Security Analyzer or MBSA.

29
00:01:10,530 --> 00:01:13,420
This tool can help identify security misconfigurations

30
00:01:13,420 --> 00:01:15,420
within your network's workstations.

31
00:01:15,420 --> 00:01:17,770
After planning, the next thing is testing.

32
00:01:17,770 --> 00:01:20,410
It's important to test any patch you receive prior

33
00:01:20,410 --> 00:01:23,090
to automating its deployment throughout the network.

34
00:01:23,090 --> 00:01:25,330
As I said before, while a patch is designed

35
00:01:25,330 --> 00:01:28,890
to solve one problem, it can often create new ones for you.

36
00:01:28,890 --> 00:01:30,840
Within your organization, you should have

37
00:01:30,840 --> 00:01:34,420
a small test network or lab or, at the very least,

38
00:01:34,420 --> 00:01:36,740
a single machine that you use for testing

39
00:01:36,740 --> 00:01:38,350
where you deploy the patch first

40
00:01:38,350 --> 00:01:40,330
and ensure it's working properly.

41
00:01:40,330 --> 00:01:42,370
After all, many of our organizations

42
00:01:42,370 --> 00:01:44,900
have unique configurations within our networks.

43
00:01:44,900 --> 00:01:47,520
And while manufacturers attempt to ensure patches will not

44
00:01:47,520 --> 00:01:50,870
cause harm to our systems, this can't be guaranteed.

45
00:01:50,870 --> 00:01:52,540
It's better to find out in your lab

46
00:01:52,540 --> 00:01:54,070
that a patch is causing issues

47
00:01:54,070 --> 00:01:56,800
than to push it out across 10,000 workstations

48
00:01:56,800 --> 00:01:59,560
and then have all your end users yelling and screaming

49
00:01:59,560 --> 00:02:00,930
when their systems crashed.

50
00:02:00,930 --> 00:02:03,480
After testing the patch, it's time to deploy it

51
00:02:03,480 --> 00:02:06,100
to all of the workstations that might require it.

52
00:02:06,100 --> 00:02:08,360
You can do this manually or automatically

53
00:02:08,360 --> 00:02:09,750
by deploying that patch to your

54
00:02:09,750 --> 00:02:11,860
clients' workstations to implement it.

55
00:02:11,860 --> 00:02:13,980
If you have a small network, you may choose

56
00:02:13,980 --> 00:02:16,380
to manually install the patch across the network.

57
00:02:16,380 --> 00:02:18,040
If you have a large network, though,

58
00:02:18,040 --> 00:02:20,610
you're going to want to use some sort of a tool.

59
00:02:20,610 --> 00:02:22,010
Microsoft provides us with the

60
00:02:22,010 --> 00:02:24,920
Microsoft System Center Configuration Manager,

61
00:02:24,920 --> 00:02:28,440
but you can use third-party patch management tools as well.

62
00:02:28,440 --> 00:02:30,800
Some organizations rely on automatic updates

63
00:02:30,800 --> 00:02:32,520
from the Windows Update system,

64
00:02:32,520 --> 00:02:34,910
while others decide they want to have complete control

65
00:02:34,910 --> 00:02:36,840
over the installation of patches.

66
00:02:36,840 --> 00:02:39,650
For large organizations, it is highly recommended

67
00:02:39,650 --> 00:02:42,690
to centrally manage updates through an update server

68
00:02:42,690 --> 00:02:45,300
instead of using the Windows Update tool.

69
00:02:45,300 --> 00:02:47,220
This will allow you to test the patch prior

70
00:02:47,220 --> 00:02:49,350
to deploying it in your environment.

71
00:02:49,350 --> 00:02:50,960
To disable Windows Update,

72
00:02:50,960 --> 00:02:53,490
you simply need to disable the Windows Update service

73
00:02:53,490 --> 00:02:55,730
from running automatically on the workstation.

74
00:02:55,730 --> 00:02:58,710
The Windows Update service is called wuauserv

75
00:02:59,860 --> 00:03:01,760
in the list of running services.

76
00:03:01,760 --> 00:03:03,870
Find that and disable it.

77
00:03:03,870 --> 00:03:05,570
If you have a lot of mobile devices

78
00:03:05,570 --> 00:03:08,140
throughout your network, you should also implement patching

79
00:03:08,140 --> 00:03:10,530
through your mobile device manager.

80
00:03:10,530 --> 00:03:12,670
The final step is auditing.

81
00:03:12,670 --> 00:03:14,850
It's important for us to audit the client status

82
00:03:14,850 --> 00:03:17,310
after conducting the patch deployment.

83
00:03:17,310 --> 00:03:18,910
Auditing is used to ensure the patch

84
00:03:18,910 --> 00:03:21,010
was installed properly and that there's no

85
00:03:21,010 --> 00:03:22,760
unexpected failures that have occurred

86
00:03:22,760 --> 00:03:24,450
because of our installation.

87
00:03:24,450 --> 00:03:26,090
Again, using a tool like the

88
00:03:26,090 --> 00:03:28,120
System Center Configuration Manager

89
00:03:28,120 --> 00:03:30,150
or a third-party management tool

90
00:03:30,150 --> 00:03:31,760
to conduct scanning and verification

91
00:03:31,760 --> 00:03:33,750
of your workstations can help ensure

92
00:03:33,750 --> 00:03:36,570
that those patches have been installed properly.

93
00:03:36,570 --> 00:03:38,650
If you're using Linux or OSX,

94
00:03:38,650 --> 00:03:41,420
they also have built-in patch management systems.

95
00:03:41,420 --> 00:03:44,610
For example, Red Hat Linux uses a package manager

96
00:03:44,610 --> 00:03:47,810
to deploy RPMs or packages of patches

97
00:03:47,810 --> 00:03:49,573
to your servers and workstations.