Microsoft Patch Management
Hello folks,

Ideally a security patch released by a vendor such as Microsoft for the Windows OS is required to be applied immediately. What would be the recommended patching period that Microsoft or best practices would require by which the systems should be updated? Microsoft, as I understand, releases patches every second Tuesday of the month as a cycle. Accommodating the time to test those patches against applications within the user environment, would 30 days from the date of release for a medium-level risk be a reasonable upper limit for carrying out the patching?

Any suggestions or recommendations are highly appreciated.

1 Posts
For Microsoft, it is important to patch before the next patch is released. The new patches sometimes replace the old patches (in particular for the monthly IE rollup patch), and the old patch will no longer apply with WSUS once the new patch is released. But 30 days should be the upper limit.

Other than that, in my opinion 1 week is a good goal to aim for. Beyond that, you need to make decisions for each patch individually:
- are there current exploits?
- what other controls do you have in place?
- what are the risks to availability?

For example, there may be a Java flaw that allows arbitrary code execution and sandbox escape. So a "pretty bad" Java bug. But if you run Java for JSP on an intranet accounting system server, then you may want to delay rolling out the patch. Losing the system will be a big deal, and the flaw isn't easily exploited against the system, plus you can limit access to the system to a few internal users.

On the other hand, an XSS vulnerability in a public-facing website that holds confidential customer information may require special effort to be patched quickly, as it is easily exploited and it may be difficult to find other means to protect yourself from exploitation (maybe a web application firewall, but XSS can be tricky to protect against).

4602 Posts
ISC Handler
I second the 1 week limit, especially given the past 3 months where at least one update had to be pulled and reissued at a later date. PW

69 Posts