Skip to content

Latest commit

 

History

History
44 lines (32 loc) · 4.85 KB

patch-management.md

File metadata and controls

44 lines (32 loc) · 4.85 KB

Patch Management Guideline

This guideline is intended to define a pragmatic target for effective patch management and associated tools for most use cases. This guide is primarily focused on routine patching as defined within NIST Special Publication 800-40r4 (Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology).

<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/cGWA-lW__MY?si=BRMtUjVPfb3mI6kx" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>

Small / hybrid scenarios

In some situations, a central management tool is already being used by a third party, or a deployment is small enough (e.g. dev/test environments) that incorporating into an enterprise wide management tool is not very effective. For these the below small scale operations tools that can be run locally are quite effective:

Large / enterprise scenarios

For larger deployments across an enterprise using Azure server management services for all on premise and cloud workloads can simplify backups/patching significantly:

!!! note "Vulnerability Management Business Context" Ensuring that vulnerability management activities also ensure the appropriate business context is applied (e.g. using Tags (Tenable Vulnerability Management)) should effectively prioritise patch activities.

Example patching approach

A checklist based on ACSC's Assessing Security Vulnerabilities and Applying Patches resource is below:

  • Configure and implement a fully automated patching process
  • Ensure backups are in place before patch window to enable rollbacks
  • Ensure availability monitoring is in place to enable rapid addressing of patching issues before end of patch window
  • Share the maintenance window (automated patching schedule) widely with the business
    • Default to weekly - e.g. 2am-5am a standard day each week (ideally before least busy day for operational team)
    • Potentially extend to fortnightly if teams can't be available weekly for patch issue remediation
  • Exclude systems with major constraints making them not able to be patched in standard maintenance window
  • Critical external posture alerts and advisories (from DGov and others) should trigger urgent / unplanned patching
    • internet-facing services: within two weeks, or within 48 hours if an exploit exists
    • workstations, servers, network devices and other network-connected devices: within one month