The Ultimate Strategy for Server Patching

Patching for Servers

Patching servers is essential both for protecting the environment against internal and external attackers and for keeping it stable and performant. The key factors in a server patching strategy are downtime, duration, and frequency, balanced against effectiveness and efficiency.

When patching servers, downtime must always be minimized. A suitable downtime strategy performs reboots only when they are actually required, which shortens the operational turnaround when many updates are pending.

An effective patching strategy is one in which devices are successfully remediated with few or no pending patches. An efficient strategy is one that achieves this with little downtime and few resources; on its own, efficiency is not a measure of success, because a fast deployment that leaves patches pending has not secured anything.

Combining the two, an effective and efficient approach reaches the end goal (a healthy environment) at the lowest possible cost.

Change Management

Change management is an important part of any effective remediation strategy. It gives stakeholders advance awareness of upcoming changes in the environment and provides a record for auditing.

Every organization defines its own process based on its business needs. Because monthly remediation is a recurring, mandatory activity, it is highly recommended to use the Standard Change Template (a pre-approved change) rather than raising a new change request every month.

Scheduling

Frequency and duration also matter for efficiency. As mentioned, downtime must be minimized, and appropriate scheduling helps to achieve this.

For example, Microsoft recommends patching servers monthly, not quarterly. Plan the scope of each patching wave and segregate the environment into rings accordingly, such as Development, then User Acceptance, then Production, then Disaster Recovery, so that a faulty update surfaces in a lower ring before it reaches Production.

With this approach, stakeholders and users can be notified of the planned downtime in advance so that they can prepare. Gathering this information beforehand also makes scheduling a simple, repeatable process, so that each month is easier than the last.

Ensure a proper communication channel is supplied so that there are no surprises.

Compliance and Reporting

Real-time task views show the remediation stage of every server device: detecting, applying updates, or rebooting.

Pre- and post-patching reports are available in numerous templates, including:

  • Detected Patches by Device
  • Top X Vulnerable Devices
  • Patch Deployment History by Device/Patch
  • HIPAA Compliance
  • SOX Compliance
  • PCI DSS Compliance
  • Security Risk Assessment

Where Syxsense Manage Fits

Syxsense Manage allows all aspects of the patching process to be organized and prepared easily. Every patching task answers the high-level questions in a step-by-step format: where, what, and when.

Where

Organizing the inventory beforehand answers the question of "where" once, so it does not need to be re-created every month. With site locations, or dynamic filters based on inventory and/or logical organization data, the target set is defined up front and kept current automatically.

What

Following change management procedures, patch content can be easily organized using patch groups. This ensures only the approved patches are deployed with each scheduled deployment task.

For a simpler approach, the approval step can be skipped by relying on Syxsense Manage's built-in detection logic, which deploys only the updates applicable to each device and skips the rest. Note that this removes the explicit review that change management provides, so it is better suited to lower rings than to Production.

Patch filters can also be used to deploy dynamically all updates that share a common attribute, such as "Critical Patches", while leaving out updates of lower severity.

When

The toughest question is "when": when is the best time to patch?

Every organization is different and Syxsense Manage provides multiple avenues for scheduling, such as on-demand, recurring in weekly intervals with missed-task options, as well as formal maintenance windows and blackout hours.

The most widely used option for server patching is maintenance windows. These establish pre-approved recurring slots that can be reused every month, and their fixed duration protects users by bounding how long the work can run.

Maintenance windows can be scheduled at various times of day, daily, weekly, and monthly.

Reboots

Rebooting servers is where the concept of downtime comes into play.

Reboots can be forced for all devices or for none; in practice, however, a reboot is typically required every month, because many updates (kernel and core OS updates in particular) are not fully applied, and the device is not actually secured, until it restarts.

Going back to the "where" step, devices can be targeted according to whether they require a reboot, so that only those that do receive one and the others are not touched.

Validating with end users: although servers may not have an end user, custom messages and timers can still be supplied so that the administrator can postpone the reboot.

Measuring downtime: the real-time task view shows the reboot duration and any postponements chosen by the administrator.
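As an added example (this is not Syxsense's own detection logic or code), the following bash script implements the "only reboot when necessary" check for a Linux server, so that the "where" step can target just the devices that need a restart. It looks for the distribution's reboot-required flag file, compares the newest installed kernel with the running one, and, where yum-utils' needs-restarting is available, asks it as well. The flag-file path, the package-manager queries and the kernel version strings used in comments are assumptions about a typical Debian/Ubuntu or RHEL-family host.

```shell
#!/usr/bin/env bash
# Added example: decide whether a Linux server needs a reboot after patching.
# Signals checked, in order (assumptions about the host, not Syxsense logic):
#   1. a reboot-required flag file (Debian/Ubuntu write /var/run/reboot-required)
#   2. the newest installed kernel differs from the running kernel
#   3. `needs-restarting -r` (yum-utils) exits 1 when a reboot is advised
set -u

# newest_kernel: reads kernel versions on stdin, one per line, prints the highest.
# Version sort is essential: plain sort would rank 5.4.0-99 above 5.4.0-100.
newest_kernel() {
  sort -V | tail -n 1
}

# reboot_reason FLAG_FILE RUNNING_KERNEL INSTALLED_KERNELS
#   FLAG_FILE          path of the distro's reboot-required marker
#   RUNNING_KERNEL     output of `uname -r`
#   INSTALLED_KERNELS  newline-separated list of installed kernel versions
# Prints the reason a reboot is needed and returns 0, or prints "none" and
# returns 1 when the host can be skipped in the reboot task.
reboot_reason() {
  local flag_file="$1" running="$2" installed="$3" newest
  if [ -e "$flag_file" ]; then
    echo "flag-file:$flag_file"
    return 0
  fi
  newest=$(printf '%s\n' "$installed" | newest_kernel)
  if [ -n "$newest" ] && [ "$newest" != "$running" ]; then
    echo "kernel:${running}->${newest}"
    return 0
  fi
  echo "none"
  return 1
}

# installed_kernels: list installed kernel versions in the same form as
# `uname -r`, using whichever package manager is present on the host.
installed_kernels() {
  if command -v dpkg-query >/dev/null 2>&1; then
    # Debian/Ubuntu: only packages in state "installed", strip the prefix
    dpkg-query -W -f='${Status} ${Package}\n' 'linux-image-[0-9]*' 2>/dev/null \
      | awk '$3 == "installed" { sub(/^linux-image-/, "", $4); print $4 }'
  elif command -v rpm >/dev/null 2>&1; then
    # RHEL/CentOS/Oracle: e.g. 3.10.0-1160.el7.x86_64
    rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' 2>/dev/null
  fi
}

# check_host: run the checks against the live host. Prints "reboot=yes reason=..."
# or "reboot=no" and always exits 0, so a task runner can chain it and parse
# the verdict to build the reboot target list.
check_host() {
  local running kernels reason
  running=$(uname -r)
  kernels=$(installed_kernels)
  if reason=$(reboot_reason /var/run/reboot-required "$running" "$kernels"); then
    echo "reboot=yes reason=$reason"
  elif command -v needs-restarting >/dev/null 2>&1 && ! needs-restarting -r >/dev/null 2>&1; then
    # yum-utils' needs-restarting -r returns 1 when it advises a reboot
    echo "reboot=yes reason=needs-restarting"
  else
    echo "reboot=no"
  fi
}

check_host
```

Run it as a pre-reboot step inside the maintenance window and feed the hosts reporting reboot=yes to the reboot task; the rest are left untouched. The needs-restarting -r flag is missing from older yum-utils builds, so on such hosts drop that branch rather than letting an "unknown option" exit status be read as a reboot request.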

Types of Servers

  • Physical
  • Virtual
  • On-Premise (Private)
  • Cloud (Public or Hybrid)

Operating Systems Supported

Windows

  • Windows Server 2008 R2
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Linux

  • Red Hat 5.6, 5.7, 6.0, 6.5, 6.6, 6.8, 6.10, 7.1, 7.4, 7.6, 7.7, 8.1
  • Debian 6, 7, 8.5, 9, 10
  • SUSE 12,15
  • Oracle Linux 5.8, 6.4, 6.7, 6.8, 7.0
  • Ubuntu 14, 16, 18
  • CentOS 6.8, 6.10, 7, 7.5
  • Fedora 13, 14