Information Security

Defending the digital infrastructure



Patch deployment best practices: Rushing patches isn't always better

Do you rush to deploy patches, hot fixes or service packs as soon as possible? Victor Garza explains why this may not necessarily be the right decision.

Are you a procrastinator? If so, you have plenty of time to put off installing Service Pack 2 for Windows XP. In fact, consider this an opportunity to rethink patch deployment best practices altogether.

But, this really isn't procrastinating; it's being prudent. Unless there's a worm slamming your perimeter, you shouldn't ever rush to deploy patches, hot fixes or service packs. SP2 is no exception, despite unquestionable security benefits: the default-on firewall, secure browsing and e-mail settings, and better malware resistance.

This is no ordinary service pack installation; it's akin to a full upgrade. SP2 is massive--the enterprise version weighs in at more than 266 MB, and the home version is about 80 MB. Given its complexity and the inevitable application conflicts and snafus, most shops are waiting until they've completed their own testing or seen the snags hit by early adopters (see NewSCAN). As a colleague of mine said, "I never met a service pack that I wanted to blindly deploy."

Let's face it: No one runs a pure OS-anything shop. Most networks are multi-OS, and those running Windows have high concentrations of 98, NT 4.0 and 2000. (Believe it or not, some companies are still using Win95.) While earlier Windows versions are plagued with security problems, the cost and effort of upgrading to XP are prohibitive--especially for smaller shops. XP has been available for more than two years and, with the long-awaited release of SP2, is only now becoming a mature platform.

Upgrading from older Windows versions to XP isn't any easier than deploying SP2--especially for shops that haven't adopted Active Directory. It requires a change of infrastructure and management tools. The benefit, though, is the greater efficiency, stability and security provided by SP2. By the time SP2 is shaken out, you'll be ready to push the OS to your desktops without the conflict and integration issues existing XP users are dealing with today.

The security literati have good reason to advocate OS diversity, but here's a situation where upgrading to a single OS build could actually improve your security. The antimonoculture people will say that security improves with greater diversity of platforms, and, in a general sense, that may be true. However, there's even greater insecurity when there's a diversity of Windows versions.

Migrating to a predominantly XP shop will simplify security management, since admins will only have to maintain a few images and can take full advantage of the newer Windows patch, update and configuration tools--such as WUS and SMS. Think about the inevitable outbreak of another Sasser or Blaster worm: How much easier would it be to deploy patches or change configurations on only XP machines, as opposed to a hodgepodge of 9x boxes?

Holding out on SP2 today isn't procrastinating, but rather an opportunity to get the deployment right the first time and, perhaps, upgrade and improve desktops throughout your enterprise. Sit back and think about it for a while; you've got time.

About the author:
Victor Garza is a freelance author and network security consultant in the Silicon Valley.

