The Importance of Solid Patch Policies
3/1/22 | Eric Haff, Rexel Technical Consultant
One of the best ways to keep your computer safe from vulnerabilities is to be up to date on the latest patches. But how do you know if a Microsoft® patch is going to affect other software? What do you do if you know the patch will affect your production environment? How do you recover? The answers to these questions should be in your patch policies.
First, let’s talk about how patches are managed. For your home computer, it’s very basic. The computer checks the Windows® update service, and if there is a patch ready to be downloaded from Microsoft servers, it downloads and installs it. This is not the same for a computer on a company network.
For the most part, computers on your company network are part of a domain. This is a structure that governs all the computers that make up the company network. Using Active Directory services, IT professionals can apply group policies to all the computers, including patch policies. IT usually groups computers into different categories based on their function. For example, all the accounting computers or engineering computers get grouped together because they all need the same patch policies. One of these policies relates to how and when the computer will check for updates. Usually, the updates for the company PCs are stored and managed on a server within the organization. This is where IT pros can pick and choose which patches are sent to their computers and which are not!
It’s important to understand who in your organization manages patch policies, and how they are handling the manufacturing production PCs. IT should take special precautions when updating a PC that is critical to production. In many cases, a Windows patch may change the way software interacts with the operating system, causing errors and, in some cases, complete system failures.
So, how do you keep your systems safe and up to date without affecting production? The answer is going to be what works best for your organization. In some cases, a company will get the production computers to a stable state and then never update them again. Though leaving these computers out of patch policies may benefit your company by reducing downtime caused by patching, it also leaves these systems vulnerable to zero-day attack vectors. These types of cyber-attacks can result in even more downtime if production computers end up getting hacked or infected.
A different strategy is to have your production computers running a version of Windows that is a few versions behind the latest and greatest, and then build appropriate patch policies for those computers. With this strategy, companies will also build a testbed, which is a very scaled-down replica of the manufacturing environment, and apply newer versions of the patches to the testbed to ensure that they will not have any issues. This allows companies to have peace of mind while also being up to date.
In June, Microsoft will be launching its KB5004442 patch. This will affect applications built on Windows DCOM. Like many software providers, Rockwell Automation® relies on Windows DCOM for communication in its client-server architecture. This is just one example of a patch that will affect the production environment. Software companies are responsible for testing their products and keeping up with new operating system updates, and Rockwell Automation will be releasing subsequent patches that will resolve this issue.
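To make the two preceding points concrete, here is an added PowerShell example (not from the original post, and not Rockwell Automation's code) that reads the patch policy a domain PC actually received from Group Policy and checks the System log for the DCOM hardening warnings Microsoft documents for KB5004442, so a production PC can be assessed before enforcement. It assumes it runs in an elevated shell on the PC being checked; the registry paths and event IDs are the ones Microsoft documents for Windows Update policy and for KB5004442.

```powershell
# Added example, not from the original post: audit the patch policy a domain PC
# received and whether KB5004442 DCOM hardening has already flagged any of its
# applications. Run locally, in an elevated PowerShell session.
function Get-PatchPolicyAudit {
    $wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auPolicy = "$wuPolicy\AU"
    $dcomKey  = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'

    # Group Policy writes the WSUS server and Automatic Updates behaviour here;
    # if the keys are missing, the PC is taking patches straight from Microsoft.
    $wu   = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
    $au   = Get-ItemProperty -Path $auPolicy -ErrorAction SilentlyContinue
    $dcom = Get-ItemProperty -Path $dcomKey  -ErrorAction SilentlyContinue

    $auMeaning = @{ 2 = 'notify before download'; 3 = 'auto download, notify before install';
                    4 = 'auto download, scheduled install'; 5 = 'local admin chooses' }

    if ($au.UseWUServer -eq 1) { $source = $wu.WUServer } else { $source = 'Microsoft Update (no WSUS)' }
    if ($au.NoAutoUpdate -eq 1) { $mode = 'disabled' }
    elseif ($au.AUOptions)      { $mode = $auMeaning[[int]$au.AUOptions] }
    else                        { $mode = 'not set by policy' }

    # After KB5004442, DCOM logs event 10036 (server side) and 10037/10038
    # (client side) for activations that will be rejected once hardening is enforced.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
    } -MaxEvents 200 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        PatchSource       = $source
        AutoUpdateMode    = $mode
        # 1 = hardening enforced on this host, 0 = explicitly disabled, blank = OS default
        DcomHardeningKey  = $dcom.RequireIntegrityActivationAuthenticationLevel
        DcomWarningCount  = @($events).Count
        # First line of each of the most recent warnings names the affected application/caller
        DcomWarningSample = @($events | Select-Object -First 3 | ForEach-Object { $_.Message.Split("`n")[0] })
    }
}

Get-PatchPolicyAudit | Format-List
```

A non-zero DcomWarningCount on a production PC is the signal to hold that patch in the testbed and raise it with the software vendor before enforcing it.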
It is important to have a good relationship with your software and hardware providers to stay up to date and informed on what is going on in your industry. Open communication between your IT and OT staff within your organization is also paramount.
If you have any questions about patch policies and patch management, contact us today. We will help you build a system that will ensure your company's security and productivity are in line with your goals.