Manage Learn to apply best practices and optimize your operations.

Patch deployment timeline

In this Ask the Expert Q&A, our platform security expert discusses how long a mid- to large company should expect to wait before they are able to deploy a patch.

What is a typical patch deployment timeline from the announcement phase to completion for a mid- to large company?
It very much depends on how critical the patch is, how homogenous your server and workstation configurations are, and if you use automated patch management tools. You have to be able to test and decide whether to deploy a security-related patch in just a few days as the length of time between the awareness of a vulnerability and the introduction of an exploit is shrinking fast. Other patches can be tested and deployed over a longer period of time. Ideally, you have a complete system inventory that prioritizes all your machines, so you can plan your patch strategy around your critical systems and develop a security policy that defines your organization's stance on patch prioritization, testing and deployment. Personally, I prioritize patches by putting them in to one of two categories: security-related and everything else. For example, defending against an Internet worm is far more important than a functional issue in Microsoft Outlook.

Testing patches prior to deployment is a major roadblock to full automation. And if you have complex, heterogeneous...

systems, it will lengthen the testing process because it will take longer to test the patches in a variety of systems' configurations. Vendor patches can contain errors that require yet another patch to fully fix the problem, so it is essential that you adhere to strict validation and testing and document risk assessments prior to deployment when possible. You may have to compromise this practice, however, when the risk of an attack is deemed to outweigh the risk of system downtime. Remember, part of the patch management process involves ensuring that they are properly installed and monitoring that they are working as expected. Deploying patches to remote users can be a real headache because they may not be connected at the time of deployment. This can leave a network vulnerable if a laptop connects to the network after being infected by other sources.

Microsoft realized there were problems associated with keeping systems patched and up-to-date and revamped their Software Update Services, now calling it Windows Update Services. Now their Systems Management Server 2003 offers advanced patch deployment, reporting and compliance-enforcement features. There are also a wide variety of third-party patch management solutions. These are either scanner-based or agent-based, which install small programs on each computer to periodically poll a patch database for new updates, giving the administrator the option of applying the patch. Although agent-based solutions require set up work to integrate agents into workstations and servers, they are better-suited to large organizations than scanner-based solutions as they generate less network traffic and provide a real-time network view. I would recommend using at least one management solution along with strict policy rules in order to be able to role out patches in a reasonable time frame.

Finally, you may be interested in a paper titled, Timing the Application of Security Patches for Optimal Uptime by WireX Communications and Zero Knowledge Systems, which tries to factor in the problem of glitches in new patches while calculating the ideal time to apply patches after their release. According to their model, after 10-30 days is the ideal time.


More Information
  • Learn how to deploy a successful patch
  • Learn how to manage patch installations.
This was last published in October 2005

Dig Deeper on Microsoft Patch Tuesday and patch management