A report on Best Practices for maximizing the value of your computer system

Author: Darryl McAllister, Managing Director, NetCare HelpDesk

Everyone knows that staying on top of system patches and updates is essential to keeping your computing environment safe from viruses and malware. These electronic demons search for security holes that they can exploit. System patches and updates help plug these holes, leaving the demons out in the cold.

But it’s not just about security - an often overlooked advantage of keeping all your company PCs patched is that your staff will be more productive because their PC will run faster and have fewer annoying little quirks.

Here are just a few of the tasks that system patches and updates perform:

• Fix security holes
• Update subsystems and drivers to increase software compatibility
• Optimize how the operating system handles resources
• Add updated features and tools
• Remove outdated features and tools

So are these updates really necessary? Well for the last seven years, Microsoft has issued its security fixes on the second Tuesday of every month – commonly known as Patch Tuesday. But here is the problem: The day after Patch Tuesday is known in the hacker community as "Hack Wednesday."

Here's why. As soon as Microsoft releases its patches, hackers scramble to reverse engineer them. That's right - although Microsoft has already found the problems and fixed them, the patches still have to be downloaded by you - the user. Until you do, the Microsoft security update is essentially a treasure map for hackers. These online criminals know that a lot of users don't bother to install their updates right away - so for these people, the security fixes actually work against them.

In a way, Microsoft is damned if they do, damned if they don't. So what must we all do?

Update quickly and regularly

But wait there’s more. In an office environment, the problem is multiplied by the number of users connected to the computer network. You now see that system patches make good sense, but how do you convince EVERYONE else (including the MD and the warehouse guy) that their PC needs to be updated with patches too.

What we need to do is find a way to minimize the pain for everyone and also ensure that all PCs in your network are updated regularly – after all, a chain is only as strong as the weakest link.... The great news for all our NetCare clients is that the solution is a very simple one. Every single NetCare plan provides system patching for servers and all the PCs in the network as well.

Here’s our standard strategy – of course, if it needs to be adjusted to meet your requirements, we’re happy to do so:

• Downloads – most networks we start looking after have been set up so each PC gets its updates from the Microsoft update website. So if you have 20 PCs that means the same patch is downloaded 20 times. We set your system up in a far better way – we download all patches once to your server and then each PC gets its updates from the server. This saves your internet bandwidth quota and means that updates are actioned quicker. It can mean that initially there can be a surge in your internet download usage, especially if your network needs a lot of updating. And it also means that we need to permanently reserve 10Gbytes of space on your server for all these updates to be stored.
• Servers – we set all servers to update patches on one night of the week – at 3am. In most cases not much is happening at 3am – except perhaps the backup process, which is why we typically set the server updates to Sunday at 3am. Most of our clients don’t do backups on Saturdays and Sundays, so the patches are applied quickly and effectively with little or no performance impact. And if a server restart is required then downtime is minimized.
• All other PCs – we use our NetCare management software to force updates on a regular basis. However we do it in way that minimizes impact - just because we can push a mass update in the middle of the work day doesn't mean we do! Common sense should rule when devising rollout and deployment schedules. Non-critical updates should always be scheduled to run after hours when the fewest amount of workers will be affected. We use the process over the page to determine the optimal strategy for your organization.
• Monitoring – it’s not much good having the above fancy strategy if we don’t monitor that its working! Fortunately, we have the systems in place to record the success or failure of every single patch that is applied, and we are therefore alerted whenever a patch issue arises. This allows us to investigate and resolve the issue quickly and with the minimum of fuss.
• Reporting – the final piece in the system patching puzzle is to provide you – the client – with concise information that confirms that we’re doing our job. We do this on a regular basis, depending on the NetCare plan you have, so you can be assured that your exposure to malware is being minimized, and that your PC productivity is being maximised.