SE managed Windows server patching standard

DoIT-SE managed Windows server patching standard

Windows customers require dedicated security patching windows that coincide with the release of Windows security patches. Adherence to the Departmental IT Security Baseline requires 'all server operating systems must have critical and security patches applied within 30 calendar days of release'.

Standard Windows security patching window

  • Monthly Windows security patching window
    • This is not a maintenance window and is only used to apply Microsoft security updates
    • Cost of doing business using Windows
  • Servers patched monthly using Windows Automatic Updates. Only SE-approved updates are deployed to servers
  • Security updates will be applied within 48 hours of release
    • "[Microsoft] releases new security updates and their accompanying bulletins on the second Tuesday of every month at approximately 10 A.M. Pacific Time."
      https://technet.microsoft.com/en-us/security/dn436305
    • First 4 hours - internal SE testing, evaluation of criticality
    • First 24 hours - patch dev/test servers
    • First 24 hours - patch QA servers and servers without dev/test/QA environments
    • Second 24 hours - patch production servers
      • Customers can opt to patch sooner
    • SE works with customer to define actual schedules; a limitation in Automatic Updates requires that patching only occur on the hour
    • Customers will not be notified when the standard patching window is used
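The schedule above can be turned into concrete dates for a given month. The following Python script is an added example, not part of the SE standard or its tooling: it computes the Patch Tuesday release time, the per-tier deadlines and the 30-day baseline deadline, and checks a customer-requested install slot against the on-the-hour Automatic Updates limitation. It assumes Madison local time (America/Chicago) and treats a slot exactly at a deadline as within the window.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

PACIFIC = ZoneInfo("America/Los_Angeles")  # Microsoft's stated release time zone
LOCAL = ZoneInfo("America/Chicago")        # assumption: campus (Madison) local time

# Tier deadlines from the standard, in hours after the Patch Tuesday release.
# "First 24 hours" covers both dev/test and QA; production is the second 24 hours.
TIER_HOURS = {
    "evaluation": 4,
    "dev/test": 24,
    "qa": 24,
    "production": 48,
}
BASELINE_DAYS = 30  # Departmental IT Security Baseline: within 30 calendar days


def patch_tuesday(year: int, month: int) -> datetime:
    """Second Tuesday of the month at 10:00 Pacific, Microsoft's stated release time."""
    first = datetime(year, month, 1, 10, 0, tzinfo=PACIFIC)
    days_to_first_tuesday = (1 - first.weekday()) % 7  # Monday=0, Tuesday=1
    return first + timedelta(days=days_to_first_tuesday + 7)


def tier_deadlines(year: int, month: int) -> dict[str, datetime]:
    """Latest acceptable install time per tier, expressed in local time."""
    release = patch_tuesday(year, month)
    release_utc = release.astimezone(timezone.utc)
    # Hour-based tiers are elapsed hours, so add them in UTC.
    deadlines = {tier: (release_utc + timedelta(hours=h)).astimezone(LOCAL)
                 for tier, h in TIER_HOURS.items()}
    # The baseline is calendar days: keep the wall-clock time rather than elapsed hours.
    deadlines["baseline"] = (release + timedelta(days=BASELINE_DAYS)).astimezone(LOCAL)
    return deadlines


def check_slot(tier: str, slot: datetime, year: int, month: int) -> tuple[bool, str]:
    """Validate a customer-requested install slot for one tier against the standard."""
    if slot.tzinfo is None:
        return False, "slot must be time-zone aware"
    if slot.minute or slot.second or slot.microsecond:
        return False, "Automatic Updates can only install on the hour"
    if slot < patch_tuesday(year, month):
        return False, "slot is before Microsoft's release time"
    deadline = tier_deadlines(year, month)[tier]
    if slot > deadline:
        return False, f"slot is after the {tier} deadline {deadline:%Y-%m-%d %H:%M %Z}"
    return True, "ok"


if __name__ == "__main__":
    for tier, when in tier_deadlines(2025, 1).items():
        print(f"{tier:>11}: {when:%a %Y-%m-%d %H:%M %Z}")
```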

Emergency and out-of-band Windows security patching windows

SANS

  • SANS ISC rating for servers of "PATCH NOW"
    http://isc.sans.edu/diary.html?storyid=6790
  • SE customer notification
  • Description of SANS:
    https://isc.sans.edu/about.html
  • "PATCH NOW" emergency
    • shorten window to 24 hours or less
    • pick day/time starting Tuesday afternoon
    • Why we use SANS as a guideline: SANS "PATCH NOW" status is based on a number of factors. SE relies on SANS expertise to determine when expedited patching is required. As a result, there may be periods of time where a known vulnerability is not patched on an individual server. Customers can work with SE to schedule their patch installations in a more expedited manner to minimize this window. SANS declaring or not declaring a "PATCH NOW" emergency does not guarantee that patches can be applied before exploits are widely available.
  • Cybersecurity has worked with SE to produce this standard
  • Customers will be notified of emergency patching through DoIT's change management system, the UW-Madison IT Outages page, or the Help Desk web site


Keywords: windows security patching automatic updates
Doc ID: 14780
Owner: Steve T.
Group: Systems Engineering
Created: 2010-08-02 19:00:00
Updated: 2020-07-27 08:36:12
Sites: Systems & Network Control Center, Systems Engineering