How to patch your systems correctly

Patch management is the theme this week—and for good reason. With the increased attacks on Microsoft Exchange servers, we’ve created a new automation policy for N-able N-central® that will tell you if your server has been compromised by the Hafnium attacks. You can download it here: https://success.solarwindsmsp.com/kb/solarwinds_n-central/CVE-2021-26855-IOC-N-Central

My colleague and head security nerd at N-able, Lewis Pope wrote a blog about Hafnium in more detail. You can read it here.

Now that we have a way to deal with that, let’s talk about some patching best practices in N-central along with a quick history review on how patching has evolved in N-central.

Even if you patch everything correctly, you still need to have the right amount of patch management sensitivity in place. That is when automation comes in handy. I have always monitored patching in terms of age, I did so with WSUS v3 and have always done so in N-central. We know some patches will fail, and knowing a critical update is missing on day one isn’t necessarily an issue—but knowing a critical or security update is missing after 15 days absolutely is. That’s why we need the right frequency of maintenance windows, automatic approvals, and monitoring.

Between doing updates, feature upgrades, and security rollups, monitoring patches can get unnecessarily noisy. If you want to set up your patch monitoring to cut through the clutter and get a good, balanced view into whether you are patching systems correctly, I suggest doing the following:

Recommended configuration for N-central Patch

 

 

Best practices tip: Always ensure your detection and download maintenance windows are configured to go off at least once a day where possible.

Disable the following thresholds by turning the thresholds off:

  1. High priority patches: Were any approved patches not successfully installed during the last patch installation window?
  2. Medium priority patches: Were any approved patches not successfully installed during the last patch installation window?
  3. Low priority patches: Were any approved patches not successfully installed during the last patch installation window?

 

 

N-central Patch Manager is something I really enjoy working with. I enjoy setting it up with our partners and most importantly I enjoy knowing I am helping prevent these evolving threat actors from attacking our partners and their customers.

We’ve also introduced some cool features for offline patching, which allows you to patch systems that wouldn’t otherwise have access to the internet to download patching themselves—so more to come on that.

A brief history of patching in N-central

In N-central 10, a product manager of patch spearheaded a redesign of the N-central patch management system into an easy-to-use, wizard-based system. Here, all of the layers previously needed were consolidated into a wizard-based walk-through. This work allowed our partners to patch their systems effectively and efficiently, without having to spend a lot of time learning it or missing a critical step.

This ensured that patch configurations, maintenance windows, approvals, and monitoring were housed together and all working synchronously. It was a huge change in the N-central system and was just after SolarWinds acquired the N-central solution, so it was also one of the first times we started using UX development to build an intuitive UI that are partners have come to enjoy.

Jason Murphy is the N-central Automation Nerd at N-able. You can follow him on Twitter at @ncentral_nerd or on reddit at u/ncentral_nerd