Servers are central to IT infrastructure. So it goes without saying that maintaining healthy servers is essential. That’s where server patching best practices come in.
With the right approach to your Windows server patch management process, you can maintain secure, up-to-date servers while minimizing downtime. We’ll break down strategies you can use to improve your server patching process.
What is server patching?
Server patching refers to applying software updates to a server's operating system, applications, and firmware. These updates may address vulnerabilities, fix bugs, add features, or improve performance.
1. Inventory everything
For any patch management plan to work, you first need to understand your assets and their dependencies. Not only should you know the devices and applications in your environment to pinpoint what needs updates, but you should understand their dependencies to anticipate the potential effects if an asset becomes unavailable.
2. Implement enterprise patch management software
A high-quality patch manager centralizes and standardizes your server patch management process. By eliminating manual work, it also saves you a significant amount of time.
A Windows Server Update Services (WSUS) license comes free with your Windows Server license. If your budget is tight, this patch management tool can simplify routine tasks to an extent. However, the setup is cumbersome and time consuming, and the features are limited. Other options (*cough* PDQ Connect or PDQ Deploy & Inventory *cough*) give you more control while saving time.
3. Develop a patch management policy
We here at PDQ love a good IT policy. And a good patch management policy is undoubtedly one of the best ways to standardize procedures. Don’t forget to document your server-specific guidelines so that everyone on your IT team knows what’s up.
We’re nowhere near egotistical enough to assume we can summarize how to develop an effective patch management policy within the confines of this short article. So behold: NIST Special Publication (SP) 800-40 Revision 4 and NIST SP 1800-31. After reading just over 200 captivating pages, you can be the expert. We applaud your diligence and doggedness.
4. Assess server risk
You should assess the security risk for all your assets as part of your general Windows patch management process, but it’s especially important for servers since they have far-reaching implications. Consider the following factors:
The results of your vulnerability scan
Exploitability of any known vulnerability
How long a system has been unpatched
The system’s access to the internet
Patching every security vulnerability on your servers probably won’t be possible except in your wildest fantasies. But once you’ve analyzed the risks, you can better prioritize patches so that you at least address the most pressing vulnerabilities.
5. Schedule routine server patching
Scheduling routine updates is the easiest way to make sure they actually get done. Otherwise, it’s all too easy to push them off to deal with all the password resets, troubleshooting, and ID-10T errors.
As a general rule, you should carefully monitor security patch releases and apply those updates as soon as possible. Many businesses install updates to the server operating system, client applications, and security software once per month (usually a week or two after Patch Tuesday, when routine Window updates are released), with mission-critical servers getting more frequent updates and noncritical servers getting less regular attention. However, the ideal schedule depends on your business needs and environment.
Automate whatever you can. Automated patch management reduces manual work, streamlines the process, and allows you to apply software patches more consistently.
6. Use sandbox testing
Patch deployment in an isolated testing environment helps protect your production environment. If the latest patch has unforeseen consequences, at least it won’t interrupt business operations. Once you’ve determined the effects of a patch, you can more confidently apply it to your production environment.
7. Back up your server
While patch testing in a separate environment should keep most problematic patches out of your production environment, one might occasionally slip through. Secure backups preserve your data, systems, applications, and settings so that if your server is compromised, you can recover more quickly. Just roll back to a stable state and go on with business as usual.
Plus, regulatory standards love backups more than Jordan and Andrew love PowerShell, so backing up your servers helps you maintain compliance.
8. Monitor system health
After you’ve installed server patches and your systems are still fully functional, your adrenaline might kick in. But don’t start running victory laps around the conference room just yet. You should continue to monitor system health to verify that your server patches work as intended with no unforeseen consequences. Confirm that the patches were successful, performance hasn’t degraded, and no new vulnerabilities were introduced.
9. Perform regular audits
A sysadmin’s work is never done. You’ll need to keep checking back and performing regular audits to monitor for vulnerabilities and ensure policy and regulatory compliance. Your security team will be so proud.
Following patch management best practices is obviously a good start. But do you know what else simplifies inventorying, streamlines server patching, and makes maintaining a healthy fleet infinitely easier? Throwing all your hardware out of a fourth-floor window. Or, you know, using PDQ’s product suite.