Patch Management Guideline

This guideline is intended to define a pragmatic target for effective patch management and associated tools for most use cases. This guide is primarily focused on routine patching as defined within NIST Special Publication 800-40r4 (Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology).

Small / hybrid scenarios

In some situations, a central management tool is already operated by a third party, or a deployment is small enough (e.g. dev/test environments) that incorporating it into an enterprise-wide management tool is not very effective. For these, the small-scale operational tools listed below, which can be run locally, are quite effective:

Large / enterprise scenarios

For larger deployments across an enterprise, using Azure server management services for all on-premises and cloud workloads can simplify backups and patching significantly:

Vulnerability Management Business Context

Ensuring that vulnerability management activities apply the appropriate business context (e.g. using Tags in Tenable Vulnerability Management) should allow patch activities to be prioritised effectively.

Example patching approach

A checklist based on ACSC's Assessing Security Vulnerabilities and Applying Patches resource is below:

  • Configure and implement a fully automated patching process
  • Ensure backups are in place before patch window to enable rollbacks
  • Ensure availability monitoring is in place to enable rapid addressing of patching issues before end of patch window
  • Share the maintenance window (automated patching schedule) widely with the business
    • Default to weekly - e.g. 2am-5am on a fixed day each week (ideally the day before the operational team's least busy day, so issues can be remediated promptly)
    • Potentially extend to fortnightly if teams can't be available weekly for patch issue remediation
  • Exclude systems with major constraints that prevent them from being patched in the standard maintenance window
  • Critical external posture alerts and advisories (from DGov and others) should trigger urgent / unplanned patching
    • internet-facing services: within two weeks, or within 48 hours if an exploit exists
    • workstations, servers, network devices and other network-connected devices: within one month