Centrally Managed were invited to review patch deployment for a multi-site company with on-premise and remote workers that needed a way to ensure every endpoint is patched.
Their existing WSUS solution only patches Microsoft products, and only on devices connected to the LAN or VPN. People working remotely without their VPN connected miss out on vital updates.
• Securely connecting to the corporate network when not connected to the VPN.
o As the client works in the energy sector on ‘Top Tier COMAH’ high hazard sites, it is crucial that any external connectivity is robust and secure.
• Ensuring that applications other than Microsoft's are also updated.
o Vulnerabilities are exploited in many popular applications that are used globally. If these apps aren’t patched, the corporate network could be compromised, so it is important that updates can be deployed as soon as the developers release them.
• Ensuring ‘bad patches’ can’t take down hundreds of computers at once.
o Although developers test patches before release, there have been numerous occasions where a bad patch has taken down a large percentage of the corporate network, leaving the support teams stretched to get people back online.
• Look at the current WSUS environment and put together a migration plan
• Confirm plan with internal stakeholders
• Configure new Ivanti servers
o Configure CSA server
o Configure rollout groups
o Ensure agent is deployed to all endpoints
o Ensure each endpoint has the correct settings depending on which tier it is in
o Ensure correct product definitions are downloaded
The best way to tackle these challenges is a three-tier rollout of all new patches. The 1st tier is a set of test devices. This catches ‘bad patches’, so that if one is released only the test devices are taken down.
Once the required percentage of test devices report a successful install, the patch moves to the 2nd stage, the pilot group. This contains approx. 20% of devices, chosen so that every business application in use is represented. This group ensures that each application is tested against the new patch.
After the pilot group reaches its success percentage, the patch moves to the 3rd stage, the main rollout. There is an 8 day window between the 2nd and 3rd stages to allow any problems to be reported, so they can be resolved or the patch withdrawn until further testing has taken place.
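To make the gating concrete, here is an added example (not Ivanti's code and not the client's configuration) that models the three rings, the success-percentage gate and the 8 day window as a small state machine. The success threshold and the patch identifiers are assumed placeholders, since the page gives no figure for the percentage.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Rings from the page: test devices -> pilot (~20% of devices) -> main rollout.
PILOT_SOAK_DAYS = 8  # the page's 8 day window between pilot and main rollout

@dataclass
class PatchRollout:
    patch_id: str
    success_threshold: float  # assumed gate (0.0-1.0); the page gives no figure
    tier: str = "test"
    withdrawn: bool = False  # set when a problem is reported inside the window
    pilot_passed: "date | None" = None  # day the pilot ring met the gate
    results: dict = field(default_factory=dict)  # tier -> {device: installed_ok}

    def record(self, tier, outcomes):
        """Merge {device: installed_ok} results reported back for a ring."""
        self.results.setdefault(tier, {}).update(outcomes)

    def success_rate(self, tier):
        r = self.results.get(tier, {})
        return sum(r.values()) / len(r) if r else 0.0

    def try_promote(self, today):
        """Advance one ring if its gate is met; returns the (possibly unchanged) ring."""
        if self.withdrawn or self.tier == "main":
            return self.tier
        if self.success_rate(self.tier) < self.success_threshold:
            return self.tier  # not enough successful installs yet
        if self.tier == "test":
            self.tier = "pilot"
        elif self.tier == "pilot":
            if self.pilot_passed is None:
                self.pilot_passed = today  # start the 8 day reporting window
            if today - self.pilot_passed < timedelta(days=PILOT_SOAK_DAYS):
                return self.tier  # still inside the window
            self.tier = "main"
        return self.tier

def simulate(threshold=0.9):
    """Constructed walk-through: one clean patch and one that fails on the test ring."""
    good = PatchRollout("PATCH-A (constructed id)", threshold)
    good.record("test", {f"t{n}": True for n in range(10)})
    good.try_promote(date(2024, 1, 1))  # test ring clean -> pilot
    good.record("pilot", {f"p{n}": n != 0 for n in range(20)})  # 19/20 = 95%
    good.try_promote(date(2024, 1, 2))  # gate met: window starts, stays pilot
    good.try_promote(date(2024, 1, 10))  # 8 days elapsed -> main rollout
    bad = PatchRollout("PATCH-B (constructed id)", threshold)
    bad.record("test", {f"t{n}": n < 5 for n in range(10)})  # 50% fail: a bad patch
    bad.try_promote(date(2024, 1, 1))  # below threshold: never leaves the test ring
    return good.tier, bad.tier
```

Setting `withdrawn` on a rollout during the window freezes it at the pilot ring, which is the "patch withdrawn until further testing" path described above.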
In order to reach devices that are off the LAN/VPN, we will configure an Ivanti CSA (Cloud Services Appliance) server. This sits in the DMZ of the corporate network, and devices running the agent communicate with the internal Ivanti servers through the CSA using certificates. This protects the integrity of the data in transit and ensures that only approved devices can connect.
Once implemented, the service is maintained through an annual support agreement. This provides a fully managed service, so your support staff can get on with their day-to-day job without having to worry about this important role.