If you are a network administrator like me, there are a few billion things on your list of things to do. From a security aspect, it is pretty well documented at this point that a good defense is keeping your systems updated to avoid being taken advantage of by “well-known” exploits. But there are a lot of components to an environment and probably not enough bodies or time to address everything.
What is “everything” anyhow?
I started listing out the various resources in the environment and then breaking down how likely they are to be targeted. Then I listed how to address them and at what frequency. For example, you might want to start by looking at things from a high level:
Then from there, start breaking down the various components that are in each section. For example, servers might start off with:
- Windows updates
- VMware updates
- Exchange updates
- SQL updates
Those updates aren’t limited to security updates, but to product updates too.
What else should be included?
Here are a few examples of what should also be included:
- Antivirus software
- Backup software
- vCenter software
- Management software
- APC PowerChute network shutdown
- Hardware firmware & driver update
Keep reviewing your various systems and building out a list.
Workstations may include items for Windows, Antivirus, Office, client applications, browsers, plug-ins for browsers, etc.
Infrastructure might include switches, firewalls, access points, controllers. Don’t forget to include such components as VPN software that may get pushed from your firewall, management solutions, subcomponents (such as FirePOWER modules in an ASA), etc. Printers & scanners have firmware and software updates.
Building a Spreadsheet
You will end up with a list that is a mile long, and it’s probably a bit overwhelming. But take this list and put it into a spreadsheet. Set up columns on it such as:
- Systems impacted
- Update Frequency
- Last Updated
- Next Update
- Installation Notes
- Update Source
- Notification Subscription
You will end up with something like this:
You can adjust the spreadsheet to meet your needs. The way I like to look at it is to see what items are most pressing and start figuring out the update frequency for them. For example, Windows Updates I view as critical and do them on a monthly basis; so I would put in 30 days. Hardware firmware/driver updates I will check on a quarterly or semi-annual basis depending on the manufacturer’s publishing schedule. Having a priority in mind is important to keeping your systems updated.
The “Next Update” would be a computed cell – adding days of “Update Frequency” to “Last Updated” so you know when you should be checking in on it again. This will allow you to sort your list to help identify what you need to address next and plan accordingly.
As you build out that spreadsheet, and as you start diving into the update cycle that works for you, take the time to update any special notes for performing the update (“Installation Notes” column) or where to look for the updates (“Update Source” column). For example, I check a particular site for AV updates to make sure no product updates have been released that should be addressed and would have that URL parked in that row.
Pro tip: For many of your items, you can subscribe to receive notifications on regular or critical updates. For those that you can, it would be good to document where that notification is at. This will help out your peers (current or future) so they can stay well-informed of issues.
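The tracking sheet described above, expressed as a short script (an added example, not part of the original post). It assumes the sheet is exported to CSV with an extra `Item` column for the product name, ISO dates, and Update Frequency in days; the sample rows are constructed.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export; the "Item" column and every value are assumptions.
SAMPLE_CSV = """\
Item,Systems impacted,Update Frequency,Last Updated,Next Update,Installation Notes,Update Source,Notification Subscription
Windows updates,All servers,30,2024-01-10,,Reboot required,WSUS,vendor mailing list
Hardware firmware,Hosts,90,2023-12-01,,,vendor support site,
Antivirus software,Servers and workstations,30,2024-02-05,,,,admin mailbox
"""

# Columns the post asks you to document so peers can find updates and alerts.
DOC_COLUMNS = ("Update Source", "Notification Subscription")


def load_inventory(text):
    """Parse the sheet and fill in the computed "Next Update" cell."""
    rows = []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        try:
            frequency = int(row["Update Frequency"])
            last = date.fromisoformat(row["Last Updated"])
        except ValueError as exc:
            raise ValueError(f"line {line_no}: {exc}") from exc
        if frequency <= 0:
            raise ValueError(f"line {line_no}: frequency must be positive")
        row["Next Update"] = last + timedelta(days=frequency)
        rows.append(row)
    return rows


def review_queue(rows, today):
    """Sort by Next Update; flag overdue rows and undocumented columns."""
    queue = []
    for row in sorted(rows, key=lambda r: r["Next Update"]):
        days_left = (row["Next Update"] - today).days
        queue.append({
            "item": row["Item"],
            "next": row["Next Update"],
            "days_left": days_left,
            "overdue": days_left < 0,
            "undocumented": [c for c in DOC_COLUMNS if not row[c].strip()],
        })
    return queue


if __name__ == "__main__":
    for entry in review_queue(load_inventory(SAMPLE_CSV), date.today()):
        print(entry)
```

Rows with a non-empty `undocumented` list are the ones where a peer would not know where to find the update or the vendor's notifications.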
While trying to stay on the schedule, there will be exceptions where a critical update is released for a product. You’ll need to determine if the functionality or security impact justifies some unscheduled outage.
This approach will have everything level-set at the same revision, one product at a time. In large environments, you might not be able to address all the servers, so you might need to split up the spreadsheet a bit. You may want to make different worksheets for different batches of servers or whatever makes the most sense logically for how you want to operate. Then use the spreadsheet and start organizing the rotation.
Scheduling a Maintenance Cadence
Once you have your spreadsheet created, the next step to keeping your systems updated is setting an update cadence. Figure out a cadence that works for you for maintenance windows based on your users’ work needs and your personal life. As you proceed, you’ll undoubtedly find more software (Azure Active Directory Connector, MFA components, etc.), and just add another row to the spreadsheet and figure out the interval.
While the list may be very long, some software doesn’t update frequently. So, it really is a quick check to see if there’s an update, not necessarily having to perform an update every month. Staying aware of all the pieces that may need to be updated is important.
How to do the updates….
Well, there are a variety of options for keeping your systems updated. Good old manual labor, having your managed services provider (MSP) handle portions of it, or leveraging a system such as SCCM. Hopefully that’ll help you start to regain visibility and control over your environment. It’ll speed up the time going forward if you trap good notes in your spreadsheet as to where you need to grab the updates from or if there are special steps that need to be performed. For additional information or assistance in making sure everything is staying current, let us know at email@example.com. We are happy to help.
For additional resources, check out this blog from our partners at Interlink Cloud Advisors.