Microsoft Windows Security Resource Kit
Part V
Managing Security Updates
Chapter 22
Patch Management
Patch management is required in a Microsoft network because software is not bug-free. Hotfixes and patches must be periodically applied to the Microsoft Windows NT 4.0, Microsoft Windows 2000, and Microsoft Windows XP operating systems to address security and functionality issues. Typically, hotfixes are developed to resolve one of the following issues:
- Testing for all the design possibilities is difficult.
As network designs become more complex, it is increasingly problematic to test every use of a Windows OS component during initial testing and development of the OS by Microsoft.
- More legacy versions must be supported.
Although Windows XP is Microsoft's latest client OS, not all customers will deploy it immediately. Customers will continue to use their common base operating systems, and these versions must be patched to protect against newer vulnerabilities.
- Customers demand higher quality.
The quality bar rises as customers' network infrastructures change. More companies are connected to the Internet and are vulnerable to Internet attacks. This awareness raises the quality requirements for Internet-related components of Windows 2000.
- Critical security issues must be fixed before the next product release.
Many issues cannot wait for a new version of the product to ship. Security issues, memory leaks, and other problems must be addressed immediately, especially if the vulnerabilities can lead to the compromise of a Windows 2000-based computer.
This chapter examines the following topics:
- Types of patches
Not all patches are the same. This section looks at hotfix formats and how Microsoft rates security patches.
- Development of a hotfix
The development cycle of a hotfix illustrates what happens after a security vulnerability or bug is reported to Microsoft and before the hotfix is released to the public.
- Patch management in six steps
The last section of this chapter proposes a methodology for patch management that will allow you to successfully deploy patches.