Patch Management Best Practices
The following best practices for patch management with Patch Manager Plus will help you manage your network effectively and keep it secure.
Patch DB Settings:
- Configure the Patch DB settings by selecting the patch types you need; patch types you do not want to update can be disabled.
- The Patch DB is synchronized automatically every day; this schedule is enabled by default.
(You can disable it under Admin -> Patch Settings -> Patch Database Settings by unticking the 'Enable Schedule' checkbox.) We strongly recommend keeping the daily sync so that you always have the latest patch information.
- Patch DB sync for Mac and Linux requires that the Mac and Linux agent settings are enabled.
Configure Proxy:
For seamless patching, allow connections to the following sites:
- patch.manageengine.com - To update patch status to the Server
- patchdb.manageengine.com - To collect patch information from the patch DB
- patchdatabase.manageengine.com - To download patch dependency files
- dms.zoho.com - To perform on-demand operations
These domains are required for Patch Manager Plus communication. Reaching them, directly or through the configured proxy, lets you synchronize patch details with the Patch DB and download them as XML, SQL, .zip and similar files.
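As an added example (not part of the Patch Manager Plus documentation), the following PowerShell function, run on the Patch Manager Plus server, checks each of the domains above in two ways: a direct TCP connect, which shows whether the firewall permits the connection at all, and an HTTPS request through an HTTP proxy, which shows whether the proxy allowlist permits the domain. Port 443 and the proxy address are assumptions, since the page does not state them:

```powershell
# Added example (not from the Patch Manager Plus documentation). Verifies from the
# server that the four domains listed above are reachable. Port 443 and the proxy
# address are assumptions; adjust them to match your environment.
$PmpDomains = @(
    'patch.manageengine.com',
    'patchdb.manageengine.com',
    'patchdatabase.manageengine.com',
    'dms.zoho.com'
)

function Test-PmpEndpointAccess {
    param(
        [string[]]$Domains = $PmpDomains,
        [string]$Proxy,            # e.g. 'http://proxy.corp.example:8080' (hypothetical)
        [int]$Port = 443,          # assumed; the page does not state the port
        [int]$TimeoutSec = 10
    )
    foreach ($d in $Domains) {
        $row = [ordered]@{ Domain = $d; DirectTcp = $false; ViaProxy = 'not tested'; Detail = '' }

        # 1. Direct TCP connect (bypasses any HTTP proxy): tells you whether the
        #    firewall lets the server reach the host on the assumed port.
        $tcp = Test-NetConnection -ComputerName $d -Port $Port -WarningAction SilentlyContinue
        $row.DirectTcp = [bool]$tcp.TcpTestSucceeded

        # 2. HTTPS request through the proxy: tells you whether the proxy allowlist
        #    permits the domain. Any HTTP status (even 403/404) proves the proxy
        #    forwarded the request; no response at all means it was blocked or timed out.
        if ($Proxy) {
            try {
                $r = Invoke-WebRequest -Uri "https://$d/" -Method Head -Proxy $Proxy `
                        -TimeoutSec $TimeoutSec -UseBasicParsing
                $row.ViaProxy = "HTTP $($r.StatusCode)"
            } catch {
                if ($_.Exception.Response) {
                    $row.ViaProxy = "HTTP $([int]$_.Exception.Response.StatusCode)"
                } else {
                    $row.ViaProxy = 'BLOCKED'
                    $row.Detail   = $_.Exception.Message
                }
            }
        }
        [pscustomobject]$row
    }
}

# Run without -Proxy to check the firewall only, or pass -Proxy to check the allowlist too.
Test-PmpEndpointAccess -Proxy 'http://proxy.corp.example:8080' | Format-Table -AutoSize
```

A row with DirectTcp = False and ViaProxy = BLOCKED means the domain is reachable by neither path and must be opened before patching will work; DirectTcp = False with an HTTP status in ViaProxy is the expected result in a proxy-only network.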
Patch Scan:
- The Patch Manager Plus server runs the patch scan automatically. Once the Patch DB is synced, a scan is initiated and all systems in your network are scanned in the next refresh cycle.
- Because the scan follows the sync, you can choose when it runs by scheduling the sync: go to Patch Settings -> Patch Database Settings and, under 'Schedule Patch Database Update', specify when the Patch DB sync should start.
System Health Policy:
- To achieve 100% compliance, set your system health policy accordingly. The policy determines the health status of each system: based on the severity of its missing patches, a system is classified as healthy, vulnerable or highly vulnerable. You can customize these thresholds to match your compliance needs under Admin -> Patch Settings -> System Health Policy.
Disable Windows automatic updates:
- You can disable Windows automatic updates across the network by deploying patch 105427. It works for all OSes from Windows XP up to the latest versions and for the Server OSes.
- When deploying this patch, select all domains as the target so that the configuration is also applied to computers added in the future.
- To confirm the setting on a machine:
- Press 'Windows Key + R', type 'gpedit.msc' and click OK.
- In the Group Policy Editor, navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update.
- Double-click 'Configure Automatic Updates' and check that 'Disabled' is selected.
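The following PowerShell check is an added example, not part of the Patch Manager Plus documentation. It verifies the same setting without opening gpedit.msc: when 'Configure Automatic Updates' is set to Disabled, Windows writes NoAutoUpdate = 1 under the WindowsUpdate\AU policy key, so reading that value tells you whether the patch took effect on a machine. The computer names in the fan-out line are hypothetical placeholders:

```powershell
# Added example (not from the Patch Manager Plus documentation). Confirms the
# effect of "Configure Automatic Updates = Disabled" by reading the policy value
# that GPO setting writes (NoAutoUpdate = 1 under the WindowsUpdate\AU key).
function Test-WindowsAutoUpdateDisabled {
    $auPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    # Missing key or value yields $null, which maps to "Not Configured" below.
    $value = (Get-ItemProperty -Path $auPolicy -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate

    $state = if ($null -eq $value) { 'Not Configured (no policy value; Windows default behaviour applies)' }
             elseif ($value -eq 1) { 'Disabled (policy enforced)' }
             elseif ($value -eq 0) { 'Enabled (policy explicitly allows automatic updates)' }
             else                  { "Unexpected value $value" }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        NoAutoUpdate         = $value
        AutoUpdateDisabled   = ($value -eq 1)
        ConfigureAutoUpdates = $state
    }
}

# Local check on the machine you are logged on to:
Test-WindowsAutoUpdateDisabled

# Fan out over the machines the patch was deployed to (requires WinRM; the
# computer names are hypothetical placeholders) and list only the non-compliant ones:
# Invoke-Command -ComputerName 'ws01','ws02' -ScriptBlock ${function:Test-WindowsAutoUpdateDisabled} |
#     Where-Object { -not $_.AutoUpdateDisabled } |
#     Format-Table Computer, ConfigureAutoUpdates -AutoSize
```

A machine that still reports Not Configured after the deployment either was not in the target or has not yet applied the configuration; re-check it after the next refresh cycle before treating it as an exception.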
Test and Approve:
- To avoid compatibility issues after deployment, always test patches with the 'Test and Approve' feature and roll them out to production only if they are not found to be problematic.
- To do this, create a custom group of the target machines on which the patches should be tested. You can also automate the whole process by mapping the test group to an APD task, so that everything from testing to deployment is automated.
Automate Patch Deployment:
Automation is needed to patch all of your endpoints regardless of operating system or OS flavor, and whether they are in a local or a remote office; without APD (Automate Patch Deployment) this quickly becomes unmanageable. We therefore recommend creating an APD task that selects the OS types and patch severities you wish to deploy.
Using the APD feature benefits you in several ways:
- Since the scan is automated, all missing patches are downloaded to the server and are ready for deployment in the next refresh interval, so deployment is not delayed.
- Deployments scheduled in the APD task continue until no patches are missing.
- Security improves because missing patches are downloaded and readily available for deployment.
Deployment Policies:
- You can customize deployment with the 'Deployment Policy' feature, specifying your preferred time, week and day of deployment. We recommend deploying patches soon after release to keep your network secure.
- You can also enable Wake-on-LAN so that powered-off systems are woken to receive the deployment. Tweak the policy to your enterprise's needs with options such as skip deployment and allow/deny reboots; the skip reboot option lets users suppress the reboot and choose when to restart.
- We recommend deploying outside office hours. Together, these options avoid sudden reboots during peak hours and make for smooth deployments.
Distribution Server:
- If you have more than 10 machines to manage in a network, we recommend installing a Distribution Server (DS).
- The DS distributes the load among the machines in your remote office. If hundreds of machines in a remote office each contacted the Patch Manager Plus server individually, the resulting traffic would consume the available bandwidth, slow down your systems and hurt overall network productivity.
- With a DS managing the endpoints in that network, the load is shared and bandwidth is saved: instead of every agent contacting the Patch Manager Plus server, the DS contacts the server and downloads the patch binaries, and each agent then contacts the DS for the patch information before initiating its scan.
Replication Policy:
- As mentioned above, the DS synchronizes with the Patch Manager Plus server; the interval at which this synchronization occurs is called the 'replication interval'.
- You can customize the replication policy to limit the data transfer rate and avoid network congestion during business hours. Note: patches are installed only after the patch and software binaries have been replicated to the DS, so take this into account before changing the replication policy.