Patch management

Come “Patch Tuesday”, Microsoft announces a long list of new vulnerabilities and patches, and this month's Whack-a-Mole begins for Windows administrators. As a Mac OS X administrator you're no better off, unless you've worked some magic and figured out how to configure the Software Update service included with OS X Server.

Why patch management is important

In terms of fun, applying system updates ranks up there with filing your tax returns. Applications not included with system updates are even more tedious to handle, with each vendor having its own method of updating their software. Of course you already know what is required – apply all the critical updates to your IT environment. According to press releases and news hype you're encouraged to get the job done as quickly as possible, since doomsday is otherwise certain.

[Image: software_update.png]

Your task is to figure out which security issues are relevant to your IT environment, locate the vulnerable devices, distribute the patches, find those that for some reason failed to update, and ensure things continue to work as they did before the update. That requires you to set aside a lot of time you could otherwise use for more productive projects, right?

But since the rise of botnets, worms and malicious websites that seek out vulnerabilities within your network, patch management has become a high-priority task that you must handle in time and very diligently. Patch management has become just as important as having an antivirus solution that protects against fast-spreading harmful programs.

Your IT environment consists of numerous different devices, applications and operating systems, and if you factor in remote workers or offices, updating them all becomes an even more complex task. Tools used to mitigate new threats must be able to manage a changing IT landscape where devices, applications and services are decommissioned and new ones implemented. A half-done job isn't good enough – and most tools will leave you hanging in mid-air.

Panorama9 can track changes and update vulnerable systems and devices without you having to do anything, all managed directly from the Panorama9 Dashboard, leaving you to do what matters most – providing an IT environment that helps your business achieve its goals.

Panorama9 can automatically update Microsoft Windows XP or newer and Apple's Mac OS X 10.6 or newer, including 3rd party applications.

Spot devices that should be updated

Monitored devices report the locally installed software to the Panorama9 cloud at regular intervals. This information is then analyzed and issues are generated. You can at any time view the detected issues using the Panorama9 dashboard, or choose to be notified through email or text message, or have a ticket created in your help desk solution.

[Image: Panorama9-Vulnerabilities.png]

Patch prioritizing and scheduling

Fixing detected issues simply consists of configuring the Panorama9 system with the types of patches that should be automatically trusted and selecting a time slot when the updates may be applied. Maybe you wish to treat servers differently from workstations, maybe only critical operating system patches are relevant – you decide.

Types of patches you can choose between:

  • Operating System patches
  • Microsoft application patches (such as Microsoft Office, Microsoft Exchange, Microsoft SQL etc.)

You can choose to apply the above types to either servers or workstations at a specified time, and you can furthermore choose not to apply updates that will force a reboot of the computer once the patch has been installed.

You can choose from 50+ 3rd party applications that should be updated, among them:

  • Mozilla Firefox
  • Adobe Flash
  • Adobe Reader
  • Oracle/Sun Java

Once the Patch Management system is enabled, the Panorama9 cloud will instruct devices with missing patches to start updating, and the best part is that you don't need to set up a local repository with the missing patches or download the software that should be updated.

The patching progress is monitored and the result analyzed. In the event that some devices fail to complete the update, you will be notified with detailed information about what is required to get the system up to date. Knowing where the problems are is a lot easier than having to go through each and every machine to ensure they are patched.

You can exclude single devices, predefined groups like "Servers" and "Computers", or your own custom defined groups, so that machines you do not wish to have patches applied to automatically are left alone.

Patch systems instantly

You can instruct a specific device to download and install all missing patches. You can also instantly update all devices missing the patch for a specific high-threat vulnerability of the kind you hear about in the media from time to time. In short, you can quickly update devices and avoid waiting for the regularly scheduled patch job.

To patch all devices missing a specific update, navigate to "Vulnerability" -> "Software" and then filter the list to display the vulnerability whose patch you wish to apply.

To update a specific device, navigate to "Assets" and then select the device. Use the "Remote control" option to apply all missing patches, or select from the vulnerability list what to install.

Integration with Microsoft WSUS

If you are using Microsoft WSUS and have configured Windows Update on the computers in your network to point to it, then the missing-patch issues detected by Panorama9 will be based on the Microsoft updates you've approved using the WSUS management tool. While the Panorama9 Patch Management system integrates with Microsoft WSUS, it also works without it.

Patches are applied to both servers and workstations in your network according to the options you've configured in the Panorama9 Patch Management system. Using Microsoft WSUS together with Panorama9 gives you complete and detailed control over which Microsoft updates are deployed throughout your IT environment.

Integration with OS X Software Update service

Included with OS X Server is the Software Update service, from which Mac OS X clients in your network may download updates. The Panorama9 Patch Management system integrates with the configured Software Update service and applies updates to both servers and workstations according to the configured options. Using the Software Update service together with Panorama9 gives you complete and detailed control over which OS X updates are deployed throughout your IT environment.

Rebooting device when required by an update

Rebooting servers and workstations in use is always inconvenient, yet patching a device may require just that if the vulnerability is to be resolved. A conflict of interest: reboot now and be safe, or continue to work on your machine knowing that you are vulnerable?

Panorama9 solves this by letting you choose whether a required reboot should be allowed once updates have been applied. Running applications or services will be gently stopped, and any logged-on users will be warned through the Panorama9 tray icon that a restart is about to take place. If you wish to reboot automatically, enable the [Allow reboot, if required by OS after patching] option from the "Patching" tab in the main menu.

[Image: Screenshot-Panorama9___Patching_-_Mozilla_Firefox-1.png]

The reboot will take place when patching is completed, but only if the update process finishes within 2 hours of starting. This avoids a slow update process, where one patch or many of them take a long time to install, ending with a restart during e.g. working hours. If updating takes more than 2 hours, the restart is postponed. It is recommended that you schedule updating to occur during non-working hours so any restart disturbs as little as possible.

[Image: patch4.png]

If you prefer not to allow a reboot, then patches that Microsoft marks as forcing a restart will be skipped during the update process. The Panorama9 Patch Management system may still apply patches that require a reboot, but the user chooses when it's convenient. The Windows Update dialog will notify the user that a restart is needed. You may postpone it forever; chances are that you won't when reminded often enough.

[Image: patch5.png]

The recommended setup is to enable the [Allow reboot, if needed] option on servers. You then don't have to log in to each server to initiate the reboot. If you've got workstations that are never restarted and seldom have active users, it's recommended that you also enable it on workstations. Otherwise you may let the user choose a reboot when convenient.

Some updates may have dependencies, a specific upgrade path, or require that applications are not in use. The Panorama9 Patch Management system handles this automatically, so you will in the end have a fully up-to-date system. It may require multiple reboots if the device is far behind the latest security update, but you can always track and follow the progress through the Panorama9 dashboard.
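The scheduling rules described under "Patch prioritizing and scheduling" and the reboot rules above (trusted patch types, server/workstation scope, exclusion groups, skipping forced-restart patches, the allow-reboot option and the 2-hour limit) can be expressed as one small policy engine. The following is an added illustration written for this page, not Panorama9's own code; the device, patch ids, group names and the (start_hour, end_hour) window format are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Patch:
    id: str              # constructed placeholder ids, not real KB numbers
    kind: str            # "os", "ms_app" or "third_party"
    forces_reboot: bool  # the vendor marks the patch as forcing a restart
@dataclass
class Device:
    name: str
    role: str            # "server" or "workstation"
    groups: frozenset    # e.g. the predefined "Servers"/"Computers" groups
    missing: list        # patches the last inventory report showed as missing
@dataclass
class Policy:
    trusted_kinds: frozenset   # patch types approved for automatic install
    roles: frozenset           # which device roles this policy covers
    excluded_groups: frozenset # devices in these groups are never auto-patched
    skip_forced_reboot: bool   # skip patches that would force a restart
    allow_reboot: bool         # [Allow reboot, if required by OS after patching]
    window: tuple              # (start_hour, end_hour); may wrap past midnight
    reboot_deadline_min: int = 120   # the page's 2-hour limit

def in_window(hour, window):
    start, end = window
    return start <= hour < end if start <= end else (hour >= start or hour < end)

def select_patches(device, policy, now_hour):
    """Patches the scheduler would push to this device at this hour."""
    if device.role not in policy.roles or device.groups & policy.excluded_groups:
        return []
    if not in_window(now_hour, policy.window):
        return []
    return [p for p in device.missing
            if p.kind in policy.trusted_kinds
            and not (policy.skip_forced_reboot and p.forces_reboot)]

def reboot_action(policy, elapsed_min, reboot_required):
    """'now' only if reboot is allowed and the job stayed inside the deadline."""
    if not reboot_required:
        return "none"
    if not policy.allow_reboot:
        return "user"        # leave it to the Windows Update restart prompt
    if elapsed_min <= policy.reboot_deadline_min:
        return "now"
    return "postponed"       # slow job: avoid restarting into working hours

# Constructed sample: a server in the "Servers" group with three missing patches.
SERVER = Device("fs-01", "server", frozenset({"Servers"}), [
    Patch("os-example-1", "os", True),
    Patch("msapp-example-2", "ms_app", False),
    Patch("firefox-example-3", "third_party", False)])
SERVER_POLICY = Policy(frozenset({"os", "ms_app"}), frozenset({"server"}),
                       frozenset(), False, True, (22, 4))
```

With the sample policy the server gets its OS and Microsoft application patches in the 22:00 to 04:00 window, the untrusted 3rd party patch is held back, and a job that overruns 120 minutes ends with a postponed restart rather than a reboot into working hours.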

Reporting - Tracking what has changed

The Panorama9 system logs every change made to each device being updated. You can at any time request a Vulnerability report through the Panorama9 dashboard listing when a vulnerability was discovered and when it was fixed, regardless of who applied the patch or updated the installed software, e.g. Panorama9's Patch Management solution or you doing it manually. If something breaks, it's important to know who and what has changed.

[Image: Screen_Shot_2014-08-06_at_4.11.35_PM.png]

You can also at any time look up a specific device and see what the Panorama9 Patch Management system has applied to the machine and when.

[Image: applied_patches.png]

Comments

  • Andy Cooper

    How do you search for a patch to see if it's installed already?