6 Replies Latest reply on Jan 20, 2015 9:05 AM by thomas.barwick@imglobal.com

    Do you guys and gals actually review patches before approving/deploying them?


      We're struggling to find out how we should best handle this and how others are handling things.

       

      Right now we only apply Security Patches and Security Tools. We haven't jumped into the Non-Security Patches due to the sheer quantity.

       

      How is everyone else doing this?

       

      So right now, if I scan my workstations for missing "Security Patches and Security Tools" I come up with 114 unique missing patches and a total of 3132 for all 120 systems.

       


       

      Then, if I scan that same group of computers, but only look for missing "Non-Security Patches" my numbers go through the roof. 513 additional, unique patches and a whopping total of 12,816 for these same 120 systems, and this is ON TOP of the security patches.

       

      So, do you apply all patches in your environment? Security, Security Tools, Non-Security?

      How do you possibly review all of these without having a massive staff? (Who has the time to review 513 patches and understand what each one does?)

      Do you have a change control board/process in place? Do they review patches?

       

      Just trying to learn what everyone else is doing. Security auditors are beating us up because we have some patches missing, but most of those missing patches are Non-Security Patches (so they should not matter for a security audit) and they are dinging us for not applying them anyway.

       

      Just looking for feedback.
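Added example, not part of the original post and not Shavlik's own code: a small script that reproduces the "unique patches vs. total instances" counts per classification from a scan export, ranks missing security patches by how many hosts are exposed, and lists hosts that are clean for a given classification (the number an auditor should be shown separately from the non-security backlog). It goes slightly beyond the post by adding the per-patch exposure ranking. The CSV layout (columns Host, PatchID, Classification, Severity) and the sample rows are constructed for this example; a real Shavlik export uses its own column names, so adjust the header mapping.

```python
"""Triage a patch-scan export by classification (added example, hypothetical CSV layout)."""
import csv
import io
from collections import defaultdict

# Classification names as used in the post. Groupings are an assumption for this example.
SECURITY = {"Security Patches", "Security Tools"}
NON_SECURITY = {"Non-Security Patches"}

# Constructed sample export: one row per (host, missing patch), 5 hosts.
SAMPLE_EXPORT = """\
Host,PatchID,Classification,Severity
WS01,MS14-080,Security Patches,Critical
WS01,KB3000850,Non-Security Patches,Important
WS01,KB2990941,Non-Security Patches,Optional
WS02,MS14-080,Security Patches,Critical
WS02,MS15-001,Security Patches,Important
WS02,KB3000850,Non-Security Patches,Important
WS03,KB2990941,Non-Security Patches,Optional
WS03,KB3000850,Non-Security Patches,Important
WS04,MSRT-2015-01,Security Tools,Critical
WS04,KB3000850,Non-Security Patches,Important
WS05,MS14-080,Security Patches,Critical
WS05,MSRT-2015-01,Security Tools,Critical
"""


def parse_export(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(rows, classifications):
    """Return (unique_patches, total_instances, hosts_scanned) for the given classifications.

    'unique' is the number of distinct patch IDs missing anywhere; 'total' counts every
    host/patch pair, which is why it grows much faster than 'unique' as the fleet grows.
    """
    selected = [r for r in rows if r["Classification"] in classifications]
    unique = {r["PatchID"] for r in selected}
    hosts = {r["Host"] for r in rows}
    return len(unique), len(selected), len(hosts)


def rank_by_exposure(rows, classifications):
    """Patches ordered by how many hosts are missing them (most exposed first, then by ID)."""
    hosts_per_patch = defaultdict(set)
    for r in rows:
        if r["Classification"] in classifications:
            hosts_per_patch[r["PatchID"]].add(r["Host"])
    return sorted(((pid, len(h)) for pid, h in hosts_per_patch.items()),
                  key=lambda item: (-item[1], item[0]))


def compliant_hosts(rows, classifications):
    """Hosts with no missing patch in the given classifications, sorted by name."""
    all_hosts = {r["Host"] for r in rows}
    exposed = {r["Host"] for r in rows if r["Classification"] in classifications}
    return sorted(all_hosts - exposed)


def audit_report(text):
    """Separate security and non-security numbers so each can be argued on its own."""
    rows = parse_export(text)
    sec_unique, sec_total, hosts = summarize(rows, SECURITY)
    non_unique, non_total, _ = summarize(rows, NON_SECURITY)
    return {
        "hosts": hosts,
        "security": {"unique": sec_unique, "total": sec_total,
                     "clean_hosts": compliant_hosts(rows, SECURITY),
                     "top_exposure": rank_by_exposure(rows, SECURITY)},
        "non_security": {"unique": non_unique, "total": non_total,
                         "clean_hosts": compliant_hosts(rows, NON_SECURITY)},
    }


if __name__ == "__main__":
    report = audit_report(SAMPLE_EXPORT)
    print(f"{report['hosts']} hosts scanned")
    for section in ("security", "non_security"):
        s = report[section]
        print(f"{section}: {s['unique']} unique, {s['total']} total, "
              f"{len(s['clean_hosts'])} clean hosts {s['clean_hosts']}")
    for pid, count in report["security"]["top_exposure"]:
        print(f"  {pid}: missing on {count} hosts")
```

The exposure ranking is the list to hand to whoever does spend review time on patches: the handful of IDs missing on most hosts account for most of the "total" number, so reviewing those first buys the biggest compliance gain per patch read.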

        • 2. Re: Do you guys and gals actually review patches before approving/deploying them?

          Not an answer to your question, but just letting you know you're not alone.  We also get dinged during audits for the same issue.  Very interested in an answer and feedback from others experiences with this.

          • 3. Re: Do you guys and gals actually review patches before approving/deploying them?

             We currently only apply OS security patches and I don't personally review them every month.   I've just started testing pushing all patches to my machine for all applications (WUScan) and I haven't had any issues, but I'm hesitant to push it out to the rest of our users.  I'm leaning towards taking the most aggressive approach (applying all patches) and relying on staged patching, system restore, and server backups for files as my fallback if I do decide to roll this methodology out into production.

            • 4. Re: Do you guys and gals actually review patches before approving/deploying them?
              arniecabral

              We only deploy Security patches and forget about the Non Security ones. Before the old team handed over Shavlik to us, they used to include ALL patches (yes, ALL) and of course our patch compliance rates were horrible because there was never enough time/bandwidth to deploy all that stuff.

               

              Also, we do not test any patches prior to deploying; we just don't have the time or manpower.  It has bit us in the ass only once thus far (MS14-080). But if we did have the time and extra personnel, best practice would be to test them prior to including them in your patch template.

               

              Good luck!

              • 5. Re: Do you guys and gals actually review patches before approving/deploying them?

                We apply all security patches, as well as critical and important non-security patches.  I am the only one who does patching and it is not my only function, so I do not have time to review all the patches.  In lieu of that,  I download the new XML each Friday, scan and deploy missing patches to a “test” group over the weekend, then see if any issues are reported on Monday before deploying them to the rest of the organization.  The “test” group is just a small (about 20) group of production PCs representing different areas in the organization. There is no formal testing – just these folks doing their regular jobs.  If any strange issues arise, then I will dig into the patches further.

                 

                This has us deploying patches about a week after they have been released, with the hope being that if there are problems with a patch that somebody else will flush it out and we can avoid an issue.   I do subscribe to the PatchManagement.org mailing list which is a great source for seeing what issues others have experienced.  Several times I’ve saved myself a big headache from the information I’ve read on there.

                 

                Glad you asked this question – I’m curious as to what others may do that I can incorporate to make my life easier!

                • 6. Re: Do you guys and gals actually review patches before approving/deploying them?

                  We use a product called Nessus Security Center.  This is required because we do some government business.  That system shows me what we will be audited for, so I scan for everything that system scans for.  I pretty much have to scan for all patches.  I had to get our environment caught up over the course of a few weeks, but now I have far fewer patches to deal with.  It was a real pain in the beginning, and took several long nights, but we're better for it.