Patch servers the right way without wasting time

Apply these server patching best practices to save time, reduce complexity, and build an optimal schedule and toolkit.

Patch management has been an IT operations team bugaboo: time-consuming, tedious and inefficient.

Operations can proactively manage the server patching process and limit its drudgery by investing in central patch management tools, testing updates and maintaining some technological awareness.

Too many companies patch servers in a reactive rather than proactive mode. Half of businesses believe that client-side patches are released at an unmanageable rate and 67% of systems administrators have difficulty determining which patch needs to be applied to which system at least some of the time, a Tripwire study found. Just about every administrator will apply patches in the course of their work, so every administrator should adopt patching best practices that ease the process.

It's called 'Read Me' for a reason

Before applying any updates, carefully read and understand the Read Me file sent with each patch. This file outlines important pieces of information about the patch itself, such as the installation requirements and the main reasons why it was built.

Taking time at the start of the process means less work later in the patch deployment cycle. Modern server patches often consist of a number of interrelated components. Bundled components, such as Adobe Flash Player updates delivered inside Google Chrome, make the overall effect of a patch harder to understand and easier to misinterpret; 86% of the Tripwire respondents reported this problem. So, before you touch a server, examine the fine print.

Reduce server patching complexity

Because there are various tools to patch servers, IT operations teams often work with a variety of point tools in a fragmented manner. One tool provides Microsoft Windows updates, another updates Adobe, a third only sees action for Mac OS patches, and yet another patches the payroll application. Even when limiting patches to one vendor's software, multiple options can arise. Microsoft-centric organizations often rely on Microsoft's free Windows Server Update Services product to deploy Windows updates, but use other tools for Microsoft application software patches.

With so many tools for so many patch purposes, the operations team often lacks the visibility needed to understand the IT deployment's risk posture.

Relying on one tool to do it all is a server patching best practice. Put patches for Microsoft products, third-party software, PC-based hardware, Mac computers, client systems and servers through the same tool with the same processes. Various vendors make all-encompassing patch management platforms, including BMC Software, CA Technologies, Dell, IBM, Indigo Rose Inc., ManageEngine and SolarWinds. These tools simplify IT infrastructure complexity because operations no longer maintains multiple server patching tools. It also cuts down on technical and end-user training.

Establish a reasonable patching schedule


Thousands of patches get released daily. Applying every patch as soon as it's released can overwhelm enterprise networks. Classify patches into categories, prioritizing those of most importance and minimizing those with the least potential impact.

Once there's a hierarchy to how you patch servers, examine how much of the patching process to automate. Letting systems automatically update themselves cuts down on maintenance work; however, at an enterprise scale, simultaneous patch file downloads to all users may create performance bottlenecks. Consider integrating vulnerability scanning systems with patch management products to add intelligence to automated patching; the vulnerability scanner pinpoints any potential problem spots and the patch solution applies the fix.
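One way to turn the classification step above into something repeatable, as an added example that is not part of the original article: a small Python module that sorts incoming patches into deployment tiers from three inputs (CVSS score, whether a public exploit exists, whether the affected systems are Internet-facing) and derives a deadline per tier. The tier names, the day counts and the scoring rules are hypothetical policy values chosen for the example, and the sample patches are constructed; none of it comes from the article or from any vendor's product.

```python
"""Added example (not from the article): sort incoming patches into tiers.

The scoring inputs (CVSS score, public exploit, Internet exposure) and the
tier deadlines are hypothetical policy values chosen for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Patch:
    patch_id: str
    product: str
    cvss: float            # CVSS v3 base score of the worst CVE the patch fixes
    exploited: bool        # public exploit code or in-the-wild exploitation reported
    internet_facing: bool  # affected systems are reachable from the Internet
    released: date


# Tier -> maximum days from release to deployment (hypothetical SLA values).
TIER_DAYS = {"emergency": 2, "high": 14, "standard": 30, "low": 90}
TIER_ORDER = ["emergency", "high", "standard", "low"]


def classify(p: Patch) -> str:
    """Return the tier for a patch (hypothetical policy).

    Exploited flaws on Internet-facing systems go out-of-band regardless of
    score; critical scores, any exploited flaw, or high scores on exposed
    systems go in the next window; medium severity rides the monthly cycle;
    the rest waits for quarterly maintenance.
    """
    if p.exploited and p.internet_facing:
        return "emergency"
    if p.cvss >= 9.0 or p.exploited or (p.internet_facing and p.cvss >= 7.0):
        return "high"
    if p.cvss >= 4.0:
        return "standard"
    return "low"


def deadline(p: Patch) -> date:
    """Latest acceptable deployment date for the patch's tier."""
    return p.released + timedelta(days=TIER_DAYS[classify(p)])


def build_schedule(patches, today: date):
    """Group patches by tier, earliest deadline first within each tier, each
    entry carrying its deadline and whether it is already overdue."""
    schedule = {tier: [] for tier in TIER_ORDER}
    for p in sorted(patches, key=deadline):
        due = deadline(p)
        schedule[classify(p)].append(
            {"patch_id": p.patch_id, "product": p.product,
             "due": due, "overdue": due < today}
        )
    return schedule


def overdue_ids(patches, today: date):
    """Patch IDs that have blown their deadline; the first thing to report."""
    return sorted(p.patch_id for p in patches if deadline(p) < today)


# Constructed sample input; IDs and product names are made up.
SAMPLE = [
    Patch("P-1001", "reverse-proxy", 7.5, True, True, date(2024, 3, 1)),
    Patch("P-1002", "database", 9.8, False, False, date(2024, 3, 1)),
    Patch("P-1003", "office-suite", 5.3, False, False, date(2024, 3, 1)),
    Patch("P-1004", "print-driver", 3.1, False, False, date(2024, 3, 1)),
    Patch("P-1005", "vpn-gateway", 8.1, False, True, date(2024, 3, 1)),
]
SAMPLE_TODAY = date(2024, 3, 10)  # the day the report is run

if __name__ == "__main__":
    for tier, entries in build_schedule(SAMPLE, SAMPLE_TODAY).items():
        for e in entries:
            flag = " OVERDUE" if e["overdue"] else ""
            print(f"{tier:9} {e['patch_id']} {e['product']:14} due {e['due']}{flag}")
```

The point of the rules is that the exploited reverse-proxy flaw with a 7.5 score lands in the emergency tier while the 9.8 database flaw does not: exposure and exploit availability, not the raw score, decide what gets an out-of-band window. Feeding the `exploited` and `internet_facing` fields from a vulnerability scanner's export rather than by hand is the integration the paragraph above describes.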

The importance of testing

Patch automation leads to the next potential problem: installation of bad patches. Corporations may prohibit the IT staff from installing server patches immediately in the live production environment. Instead, they test the patch first, because this step lowers the likelihood that something goes wrong.

Another reason to test patches is the customization of enterprise IT environments. Vendors examine patches against vanilla deployments and configurations that follow best practices. An enterprise's configuration is not always so pure. Sandboxing the patch allows operations to determine what will happen once the update is deployed, and avoid problems.

Have an undo button for server patches

Even with testing, patches aren't perfect, so add rollback to your server patching best practices. The ability to undo a deployed patch also gives some organizations enough of a safety net to deploy quick and dirty patches, those that have not been through a rigorous testing process, because time saved on testing is recovered only if the rollback actually works. Confirm that it does: a package manager can usually downgrade a package, but changes a patch makes outside the package, such as a database schema migration or a firmware update, may not be reversible, so take a snapshot or backup before deploying and test the rollback path as well as the patch.

Verify, verify, verify

Trust but verify is a mantra for IT operations, and it's no different when it's time to patch servers. Confirm by at least one method that a patch actually reached all of the organization's systems. Ideally, reporting is built right into the firm's patch management software and it outlines the status of every system. A business may also spot check individual machines, and then run periodic scans with a vulnerability assessment tool to make sure that all systems are patched, and any new systems added to the network are fully up to date. The final option is manually intensive: Review patch application logs and log in to and check each machine on a case-by-case basis.
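The log-review route above is easy to get wrong by hand, because a host that logged a successful install can later log a failure or sit waiting on a reboot, and a newly added host never logs anything at all. As an added example that is not part of the original article, the Python below parses constructed patch-tool log lines, keeps only the last status per host and patch, and reconciles that against an asset inventory and the required patch set. The log format, the `PATCH-` identifiers, the host names and the status names are all made up for the example; a real patch tool has its own format, so the regex is the part you would adapt.

```python
"""Added example (not from the article): verify patch deployment from logs.

The log format, patch IDs, host names and status values below are constructed
for this example and do not correspond to any particular product.
"""
import re

# Constructed sample log, one line per install attempt, in time order.
# Includes a host that retried after a failure, one awaiting reboot, one whose
# install failed and was never retried, an unknown host, and a garbage line.
LOG_LINES = """\
2024-03-12 02:14:07 host=web01 patch=PATCH-1001 status=installed
2024-03-12 02:14:09 host=web01 patch=PATCH-1002 status=installed
2024-03-12 02:20:31 host=web02 patch=PATCH-1001 status=failed
2024-03-12 02:33:11 host=web02 patch=PATCH-1001 status=installed
2024-03-12 02:33:12 host=web02 patch=PATCH-1002 status=pending_reboot
2024-03-12 03:01:45 host=db01 patch=PATCH-1001 status=installed
2024-03-12 03:02:10 host=db01 patch=PATCH-1002 status=failed
2024-03-12 03:10:00 host=lab77 patch=PATCH-1001 status=installed
this line is garbage and must not abort the report
""".splitlines()

# Constructed asset inventory: app01 exists but never reported anything.
ASSETS = {"web01", "web02", "db01", "app01"}
# Patches every host in this inventory is required to have.
REQUIRED = {"PATCH-1001", "PATCH-1002"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) patch=(?P<patch>\S+) status=(?P<status>\S+)$"
)


def parse_log(lines):
    """Return {(host, patch): last_status}. Later lines win, so an install that
    later failed or is still awaiting a reboot is not counted as done."""
    state = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the report
        state[(m["host"], m["patch"])] = m["status"]
    return state


def verify(state, assets, required):
    """Reconcile observed state with the inventory and the required set.

    Returns:
      compliant    - hosts whose every required patch has last status installed
      noncompliant - {host: {patch: status}} for missing, failed or pending patches
      silent       - inventory hosts with no log entries at all (new or dead hosts)
      unknown      - hosts that reported but are not in the inventory
    """
    seen_hosts = {host for (host, _) in state}
    compliant, noncompliant = [], {}
    for host in sorted(assets & seen_hosts):
        gaps = {}
        for patch in sorted(required):
            status = state.get((host, patch), "missing")
            if status != "installed":
                gaps[patch] = status
        if gaps:
            noncompliant[host] = gaps
        else:
            compliant.append(host)
    return {
        "compliant": compliant,
        "noncompliant": noncompliant,
        "silent": sorted(assets - seen_hosts),
        "unknown": sorted(seen_hosts - assets),
    }


def report(lines=LOG_LINES, assets=ASSETS, required=REQUIRED):
    """Parse and verify in one call; used by the command-line entry point."""
    return verify(parse_log(lines), assets, required)


if __name__ == "__main__":
    for section, value in report().items():
        print(f"{section:13} {value}")
```

On the sample data only `web01` comes out compliant: `web02` is still waiting on a reboot for one patch, `db01` has a failed install nobody retried, `app01` is silent and needs a manual look, and `lab77` is patched but not in the inventory, which is its own problem. The `silent` and `unknown` lists are the ones a dashboard that only counts successful installs will never show you.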

Check the news

Knowing what your peers encountered with a new patch is helpful, and there are plenty of options to stay informed about the patch process. Make it a habit to monitor social networking forums, check with the SANS Institute and keep up to date with operations tool suppliers' information feeds. If a bad patch is released, these sources raise a red flag and help users mitigate the potential damage.

Patching servers won't earn you any major recognition or accolades. However, muddling through inefficient patching processes invites significant potential damage to the IT environment, which could harm the business. Centralizing patch management, including a rollback feature, and verifying system updates help the process move smoothly.
