Patch Management – CompTIA Security+ SY0-401: 4.3

Patching your operating system is a good way to stay ahead of the bad guys. In this video, you’ll learn how operating systems are patched and why the patching process may not be as easy as it looks.

<< Previous Video: Anti-MalwareNext: White Listing and Black Listing Applications >>


Managing patches on your operating system is very similar to managing the patches for applications. We spoke of that in an earlier video. And it’s just as important for our apps. We want our operating systems to be secure. We also want our operating systems to be stable.

So there will constantly be updates that come out for our operating system to work. In fact for Windows we get at least one update every month. And we always have to be sure that we’re keeping our systems up to date.

Sometimes we get service packs, though. After a certain amount of time goes by you’ve got a lot of different patches. And when you bring up a new operating system for the first time we have to make sure that all of those patches are installed.

But if it’s been six months, and every week a new set of patches has come out, then we may end up having to download install a lot of patches. So one of the things that Microsoft does is create these things called service packs, where you can install all of the patch is at one time. And you can even integrate them into the operating system installation so that when you install the operating system for the first time it may be at a certain service patch or service pack level.

And that makes it much quicker. If we know we can install Windows 7 and automatically have it service pack one, we only need to install the patches that have occurred since service pack one was released. It makes a little bit faster for our patch management.

As we mentioned, these updates are usually going to occur every month. You’re going to get incremental updates. And these are going to be relatively important updates.

Microsoft doesn’t a release an update unless it’s something that does affect security and stability, and it puts it into different categories. It tells you about important updates. And it tells you about optional updates.

If you’re updating a driver in your computer that does not have a security concern associated with it, maybe that’s an optional update. But if this is part of the operating system, where a security problem has been found, it generally gets put into the important update category.

Which brings up another point, which is what if you find a really, really bad vulnerability before the update time comes at the every month time frame? Well then that is something called an out-of-band update, where Microsoft has been presented with a problem that affects a large number of end users and it’s too long to wait to put this patch out. So they’ll create an emergency update for the zero-day and these other important vulnerability so that your operating system remains as secure as possible.

In our previous video, we spoke about the type of updates. But I thought a review would be useful depending on how you manage updates in your environment.

For Windows, you may want each individual machine to do a Windows update, which is 1 by 1 by 1. Or if you’re a larger, domain-type environment, you might want to take advantage of Windows Server update services so that you have one central server, and you get to decide how you roll those patches out. Apple, of course, and Linux, has also other options to be able to update all of the operating system patches, security updates, and everything else for those operating systems.

This update process for operating systems isn’t exactly seamless when you get into a large and complex environment. For our home computers, we tend to turn on updates and just have it download the updates and install them. We don’t care very much.

But we also have to consider that, when we are installing these updates, they might introduce other problems. They might break an application that we use in our environment that is a mission critical app. This application must run for us to be able to perform the duties and functions of our organization. So you don’t want to install a patch and suddenly your entire business comes to a complete halt.

So sometimes you have to pick and choose exactly what patch you want to install. And that’s when that Windows update server can be really, really useful, because you can deploy the patches as you would like. Maybe you’d like some patches to be installed, other patches not to be installed. You can control that all from a central place.

That central management really gives you a lot of flexibility not just with the type of apps that are being deployed, but also the bandwidth, because that central update server is the only one downloading the patches. Everybody else is getting their patches from this internal server. And you’re saving a little bit more bandwidth on your internet connection.

No matter what system you use, or how you deploy these, patch management becomes an incredibly important part of your overall security strategy.