Patch Management In The Enterprise, Part I

Patching Powered-Off Workstations

If the hardware supports it, enable Wake-on-LAN and use it for patch management.

If someone is on vacation and their workstation is powered off, how can IT patch it with automated tools? Many people would say it doesn't matter: once the user returns and powers the workstation on, the system will receive its patches from whatever patch management tool is in use shortly after login. That is true, but the patches will often not install quickly enough. If there is an active worm on your network, the system is likely to be infected the moment its network interface comes up, before the patch agent has had a chance to run.

The best way to patch all workstations promptly is to use Wake-on-LAN. Several patch management applications can remotely power on workstations specifically to install security patches, and this is the preferred approach wherever the hardware supports it. Two practical caveats: a magic packet is an unauthenticated broadcast, so anyone on the same segment can power machines on; and broadcasts do not cross routers, so you either need to permit directed broadcasts to each subnet or place a relay (or an agent of the patch tool) on every VLAN that has workstations.
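The Wake-on-LAN mechanism the paragraph relies on is simple enough to show end to end. The following Python is an added example, not code from the original article or from any particular patch management product: it builds the standard magic packet (six 0xFF bytes followed by the target MAC repeated sixteen times, optionally with a SecureOn password), broadcasts it over UDP, and includes a checker that parses a received datagram back into the MAC it would wake, which is what you want when sniffing a segment to confirm the patch server really emits the packets it reports sending. The host names, MAC addresses and broadcast addresses in the sample inventory are constructed for illustration.

```python
"""Wake-on-LAN magic packets: build, send, and verify (added example)."""
import re
import socket

WOL_PORT = 9  # UDP "discard"; the NIC inspects only the payload, so any port works


def parse_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Six 0xFF sync bytes, then the target MAC repeated 16 times (102 bytes).
    Some NICs accept a 4- or 6-byte SecureOn password appended to the end."""
    if password and len(password) not in (4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return b"\xff" * 6 + parse_mac(mac) * 16 + password


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255",
                      port: int = WOL_PORT) -> int:
    """Broadcast the magic packet over UDP; returns the number of bytes sent.
    Magic packets do not cross routers, so 'broadcast' should be the directed
    broadcast address of the target's subnet, or this should run on a relay there."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


def magic_packet_target(payload: bytes):
    """Return the MAC a datagram would wake (lowercase, colon separated), or None
    if it is not a well-formed magic packet. Useful when sniffing a segment to
    verify the packets the patch server claims to be sending."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    if len(payload) - 102 not in (0, 4, 6):  # nothing, or a SecureOn password
        return None
    return ":".join(f"{b:02x}" for b in mac)


# Constructed sample inventory (hypothetical hosts, not from the original article).
SAMPLE_INVENTORY = [
    {"host": "ws-finance-01", "mac": "00:11:22:33:44:55", "broadcast": "10.10.1.255"},
    {"host": "ws-finance-02", "mac": "00-11-22-33-44-66", "broadcast": "10.10.1.255"},
    {"host": "ws-hr-07", "mac": "001122334477", "broadcast": "10.10.2.255"},
]


def wake_workstations(inventory, sender=send_magic_packet):
    """Wake every host in the inventory ahead of a patch window. Returns a dict of
    host -> bytes sent; 'sender' is injectable so the loop can be exercised offline."""
    results = {}
    for entry in inventory:
        results[entry["host"]] = sender(entry["mac"], entry["broadcast"])
    return results


if __name__ == "__main__":
    # This really broadcasts on the local network; run it from a host on each subnet.
    for host, sent in wake_workstations(SAMPLE_INVENTORY).items():
        print(f"{host}: {sent} bytes sent")
```

Run it as a script on a host that sits on the target subnet (or from the patch server with directed broadcasts permitted) shortly before the patch window, then confirm with a packet capture on the segment that `magic_packet_target` recognises what went out. Because the packet carries no authentication beyond the optional SecureOn password, treat the ability to send it as a privileged operation and restrict it to the patch management infrastructure.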

Recently Replaced Or Re-Imaged Workstations

It would be inefficient to install a fresh operating system by hand every time a new machine is deployed or an existing one needs to be rebuilt. For that reason, most large IT organizations create standard desktop and server images using applications such as Norton Ghost. It is very important that these images be rebuilt at least quarterly to include the delta of security patches released by software vendors since the image was last created.

Why? When a workstation is re-imaged or replaced, most automated patch management solutions install every outstanding package (security or otherwise) that is part of the mandatory baseline. If 12 months' worth of security patch deployments are still active, a newly added machine may install all of them immediately (or within a short window) and reboot several times. In the worst case this disrupts and confuses the end user and leads to an unnecessary support call; at the very least it slows down the IT staff member building the machine. Once the new security patches are baked into the image, those deployments can be deactivated in your patch management application or removed from the mandatory baseline. Deactivate them only after a compliance report confirms that no machine still in service is missing the patch; otherwise a workstation that was powered off during the deployment stays unpatched with nothing left to catch it.