SEC 340 – Patching Policy in a Windows Environment

Draft a corporate policy on how patching will be implemented in the Windows operating environment. Be sure to include the servers, clients, and any associated devices (e.g. printers). The policy should be as detailed as possible.

Please read this policy before applying patches or updates to software on the company's computers, peripherals, and networking equipment. Patching closes known security holes and delivers fixes and usability improvements, so systems must be kept up to date. However, updates can also introduce unexpected problems, so the precautions below apply to every change.

NOTE: Updates may be applied outside the scheduled windows when there is an active security risk or other emergency. If an emergency update will interrupt service, users and the other administrators must be notified ahead of time where possible.

Applications and hardware that require patching (in a real environment, list the specific hardware models and firmware versions here)

  • Microsoft SQL Server
  • Exchange Server
  • SharePoint Portal Server
  • Printers
  • Windows Machines (Windows Updates)
  • Firewalls/Switches

Patching precautions:

  1. Record the currently installed version before patching (for Windows, the OS build and the list of installed updates/KB numbers; for applications, the product version) so it is clear what to roll back to.
  2. Keep the installer for the currently installed version readily available and know the rollback procedure for each product (for Windows updates this means uninstalling the specific KB), so the change can be reverted immediately if the update does not go smoothly.
  3. Run a manual backup where possible before a manual update, since changes may have been made to the system since the last automatic backup.
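The following PowerShell script is an added example and is not part of the original policy; it turns precaution 1 into a file by recording the OS build, the installed KB numbers, and the installed product versions before a maintenance window, and flags a pending reboot that would muddy a later rollback. The output folder C:\PatchLogs and the commented-out wbadmin target drive are assumptions for this illustration.

```powershell
# Added example (not part of the original policy): snapshot the state a
# maintenance window starts from, so "note the current version" is a file
# rather than someone's memory. Run as an administrator on the host being
# patched. The output folder is an assumption; adjust per system.

param(
    [string]$OutDir = 'C:\PatchLogs'
)

$computer = $env:COMPUTERNAME
$stamp    = Get-Date -Format 'yyyyMMdd-HHmm'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$snapshotPath = Join-Path $OutDir "$computer-$stamp-prepatch.xml"

# OS build: this is what "current version" means for Windows Update itself.
$os = Get-CimInstance Win32_OperatingSystem |
      Select-Object Caption, Version, BuildNumber, LastBootUpTime

# Installed hotfixes: these KB numbers are what a rollback targets
# (wusa.exe /uninstall /kb:<number>, or "Uninstall updates" on a client).
$hotfixes = Get-HotFix | Select-Object HotFixID, Description, InstalledOn

# Installed products (SQL Server, Exchange, SharePoint, ...) with versions,
# read from the Uninstall registry keys so no vendor module is needed.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
            Sort-Object DisplayName

# Pending reboot check: patching a host that is already waiting to reboot
# mixes two change sets and makes it unclear which one broke something.
$pendingReboot =
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')

# Precaution 3: fresh backup before touching anything. wbadmin is built in;
# the target drive letter below is an assumption for this example.
# wbadmin start backup -backupTarget:E: -include:C: -allCritical -quiet

$snapshot = [pscustomobject]@{
    Computer      = $computer
    Taken         = Get-Date
    OS            = $os
    PendingReboot = $pendingReboot
    Hotfixes      = $hotfixes
    Products      = $products
}
$snapshot | Export-Clixml -Path $snapshotPath
Write-Host "Pre-patch snapshot written to $snapshotPath"
if ($pendingReboot) { Write-Warning 'A reboot is already pending; reboot before patching.' }

# After the window, diff the installed KBs against the snapshot to see
# exactly what the update added (the right-hand side of the comparison):
# $before = Import-Clixml $snapshotPath
# Compare-Object $before.Hotfixes.HotFixID (Get-HotFix | ForEach-Object HotFixID)
```

Keep the snapshot with the change record for the window; if a rollback is needed, the KB list tells you precisely which updates to remove, and the product list gives the version to reinstall.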

Intervals and methods of patching

  • Microsoft SQL Server, Exchange Server, and Windows 10 client computers
    • Friday evenings, automatically, via WSUS.
    • Windows 10 client computers that are powered off can be remotely powered on (Wake-on-LAN) so the updates are installed and the machines are ready Monday morning. Computers that are out of the office must update when they next reconnect to the WSUS server.
  • SharePoint updates are approved manually only, because of custom configuration concerns
    • Saturdays at 1pm, via WSUS. Afterwards, run the SharePoint Products Configuration Wizard to complete the installation, then test the basic functions to confirm everything is working properly.
  • Printers and networking equipment (firewalls, switches)
    • Manually; check for updates monthly. Vendor email notifications can be set up for specific equipment so new patches do not have to be checked for by hand, but installing the patch remains a manual step.
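The Friday-evening item above relies on powering off-line clients on remotely. The PowerShell below is an added example, not part of the original policy: it sends Wake-on-LAN "magic packets" to a list of clients and reports which ones did not come up, so the exceptions are known before the WSUS window rather than on Monday morning. It assumes Wake-on-LAN is enabled in each client's firmware and NIC driver, that the sending host is on the same broadcast domain (or the network forwards directed broadcasts), that the clients answer ICMP, and the computer names and MAC addresses are constructed placeholders.

```powershell
# Added example (not part of the original policy): wake powered-off Windows 10
# clients ahead of the Friday-evening WSUS window. Names and MACs below are
# constructed placeholders; replace with the asset inventory.

$clients = @(
    @{ Name = 'WKS-001'; Mac = '00-11-22-33-44-55' },
    @{ Name = 'WKS-002'; Mac = '00-11-22-33-44-66' }
)

function Send-MagicPacket {
    param(
        [Parameter(Mandatory)] [string]$Mac,
        [string]$Broadcast = '255.255.255.255',
        [int]$Port = 9
    )
    # A magic packet is 6 bytes of 0xFF followed by the target MAC repeated 16 times.
    $macBytes = @($Mac -split '[:-]' | ForEach-Object { [Convert]::ToByte($_, 16) })
    if ($macBytes.Count -ne 6) { throw "Malformed MAC address: $Mac" }

    $packet = New-Object byte[] 102
    for ($i = 0; $i -lt 6; $i++)   { $packet[$i] = 0xFF }
    for ($i = 6; $i -lt 102; $i++) { $packet[$i] = $macBytes[($i - 6) % 6] }

    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.EnableBroadcast = $true
        $udp.Connect([System.Net.IPAddress]::Parse($Broadcast), $Port)
        [void]$udp.Send($packet, $packet.Length)
    } finally {
        $udp.Close()
    }
}

foreach ($c in $clients) {
    if (Test-Connection -ComputerName $c.Name -Count 1 -Quiet) {
        Write-Host "$($c.Name) is already online"
        continue
    }
    Write-Host "Waking $($c.Name) ($($c.Mac))"
    # Send a few packets; WoL is fire-and-forget UDP and a single packet can be lost.
    1..3 | ForEach-Object { Send-MagicPacket -Mac $c.Mac; Start-Sleep -Milliseconds 200 }
}

# Give the machines time to POST and boot, then report who is still down.
Start-Sleep -Seconds 120
$stillDown = $clients | Where-Object { -not (Test-Connection -ComputerName $_.Name -Count 1 -Quiet) }
if ($stillDown) {
    $names = ($stillDown | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Not reachable after wake attempt: $names"
}
```

Machines that stay down after this run, and laptops that are out of the office, fall under the "update on reconnection" rule in the list above; the warning output is the list to follow up on.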