Patching. This is a touchy topic, as many admins don't like being asked, "Have you patched?" Microsoft has changed the way it releases patches over the years. On newer versions of the Windows Server operating system (Server 2012, 2012 R2, 2016 and 2019) you will receive one or more of the following each month:
- Servicing stack for the month
- Cumulative update for the month
- Security updates
If you don't have the earlier Windows patches installed, you cannot install the latest ones, and some of these updates are 1.2GB and larger. Let's take a look at the Exchange side of things. If you are on a legacy version of Exchange like 2007, which hit end of support two years ago, you will not be getting any updates unless a major bug is identified and a new service pack is released. If you are on Exchange 2010, you will still get the monthly rollups, which include security fixes.
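The three update types listed above can be checked for on a server before a maintenance window. The following PowerShell is an added example, not code from the original article: it lists what was installed recently via Get-HotFix and asks the Windows Update Agent (the Microsoft.Update.Session COM object, which honours whatever WSUS or Microsoft Update configuration the box already has) what is still pending, tagging each pending item by the update kind the article describes. The title-matching patterns are an assumption based on how Microsoft names these updates and may need adjusting.

```powershell
# Added example (not from the original article): what is installed and what is still
# pending on the local Windows Server, grouped by servicing stack / cumulative / security.

function Get-InstalledUpdateSummary {
    param([int]$Days = 60)
    # Get-HotFix reads the same data as "View update history". InstalledOn can be empty
    # on some builds, so filter that out before comparing dates.
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -gt (Get-Date).AddDays(-$Days) } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

function Get-PendingUpdateSummary {
    # Windows Update Agent COM API; the search runs against the configured update source.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

    foreach ($u in $result.Updates) {
        # Assumed title patterns; Microsoft's naming is consistent but not guaranteed.
        $kind = switch -Regex ($u.Title) {
            'Servicing Stack'   { 'ServicingStack'; break }
            'Cumulative Update' { 'Cumulative';     break }
            'Security'          { 'Security';       break }
            default             { 'Other' }
        }
        [pscustomobject]@{
            Kind     = $kind
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Title    = $u.Title
            Severity = $u.MsrcSeverity
            SizeMB   = [math]::Round($u.MaxDownloadSize / 1MB, 0)
        }
    }
}

# Servicing stack first: the newer CU and security updates depend on it.
$order = @{ ServicingStack = 0; Cumulative = 1; Security = 2; Other = 3 }

Write-Host "Installed in the last 60 days:"
Get-InstalledUpdateSummary | Format-Table -AutoSize

Write-Host "Pending (install in this order):"
Get-PendingUpdateSummary |
    Sort-Object { $order[$_.Kind] }, Title |
    Format-Table Kind, KB, Severity, SizeMB, Title -AutoSize
```

Run it in an elevated PowerShell on the server itself. The pending count before and after a patch cycle is a concrete number to carry into a change request, and the SizeMB column shows up front which month will pull the multi-gigabyte cumulative update the article mentions.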
Exchange 2013 and higher
Moving on to Exchange 2013 and higher, you will get cumulative updates, and these generally include the fixes from previous cumulative updates. Rollups work the same way: they include new fixes and sometimes, unfortunately, introduce new bugs or problems.
Along with the cumulative updates comes the .NET Framework requirements that are needed. In a situation where company A is running Exchange 2016 CU3 and now needs to install CU12 or higher, they will need to update to .NET Framework 4.7.2 in order for the installation to proceed. Going forward, the need for newer versions might become a requirement.
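A prerequisite check like the one the company A scenario needs can be scripted so the CU setup is never launched against the wrong .NET Framework. This PowerShell is an added example, not from the original article: it reads the Release value under the NDP\v4\Full registry key that Microsoft documents for detecting installed .NET Framework versions, maps it to a version name using Microsoft's published thresholds, and refuses to continue below the 4.7.2 floor (Release 461808) that the article gives for Exchange 2016 CU12. The cmdlet names and the ExSetup invocation are mine, not part of Exchange.

```powershell
# Added example (not from the original article): gate an Exchange CU install on the
# .NET Framework release actually present. Minimum defaults to 4.7.2 (Release 461808),
# the article's Exchange 2016 CU12 case; pass -MinimumRelease for other CUs.

function Get-DotNetFrameworkRelease {
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    if (-not (Test-Path $key)) { return 0 }   # no .NET 4.x Full profile installed at all
    $value = Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue
    if ($value) { return [int]$value.Release } else { return 0 }
}

function ConvertTo-DotNetVersionName {
    param([int]$Release)
    # Thresholds from Microsoft's "How to determine which .NET Framework versions are installed".
    switch ($Release) {
        { $_ -ge 533320 } { return '4.8.1' }
        { $_ -ge 528040 } { return '4.8' }
        { $_ -ge 461808 } { return '4.7.2' }
        { $_ -ge 461308 } { return '4.7.1' }
        { $_ -ge 460798 } { return '4.7' }
        { $_ -ge 394802 } { return '4.6.2' }
        { $_ -ge 394254 } { return '4.6.1' }
        { $_ -ge 393295 } { return '4.6' }
        { $_ -ge 379893 } { return '4.5.2' }
        { $_ -ge 378675 } { return '4.5.1' }
        { $_ -ge 378389 } { return '4.5' }
        default           { return 'none' }
    }
}

function Test-ExchangeCuPrerequisite {
    param([int]$MinimumRelease = 461808)   # 4.7.2 for Exchange 2016 CU12 (from the article)
    $release = Get-DotNetFrameworkRelease
    [pscustomobject]@{
        InstalledRelease = $release
        InstalledVersion = ConvertTo-DotNetVersionName $release
        RequiredVersion  = ConvertTo-DotNetVersionName $MinimumRelease
        Ready            = ($release -ge $MinimumRelease)
    }
}

$check = Test-ExchangeCuPrerequisite
$check | Format-List

if (-not $check.Ready) {
    Write-Warning ("Install .NET Framework {0} first (found {1}); not starting the CU setup." -f
        $check.RequiredVersion, $check.InstalledVersion)
    exit 1
}

# Only reached when the .NET floor is met. Path is a placeholder for the extracted CU media.
# & 'D:\ExchangeCU\Setup.exe' /Mode:Upgrade /IAcceptExchangeServerLicenseTerms
```

This check is a floor only. Each Exchange CU also has a maximum supported .NET Framework version in the Exchange Server supportability matrix, and setup blocks on versions newer than that, so confirm both bounds for the CU you are installing rather than only the minimum.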
Many admins don't want to patch or don't like patching. Why? Because it is, first, time-consuming, and, second, they fear the system greeting them with the blue smiley face of death. In environments with 150-plus Exchange servers dedicated to a rule on an F5, for example, or a Kemp appliance, you cannot just patch during the day: you need to drain the roles first, and only then can you patch. Some admins avoid it because of the complexity, and others don't want to patch because they feel the systems will just break and then they will need to fix them.
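The "drain the roles, then patch" step behind a load balancer is what Exchange maintenance mode does. The following PowerShell is an added example, not code from the original article, and follows the maintenance-mode sequence Microsoft documents for Exchange 2013 and later: transport goes to Draining and queued mail is redirected, active database copies are moved off a DAG member, and finally ServerWideOffline is set to Inactive, which makes the Managed Availability health probe (healthcheck.htm) return 503 so an F5 or Kemp virtual service marks the node down and stops sending it traffic. It assumes it is run from the Exchange Management Shell on the server being patched (Restart-Service and the cluster cmdlets act locally); the function names and the $Server / $DrainTarget values are placeholders of mine.

```powershell
# Added example (not from the original article): put one Exchange 2013/2016/2019 server into
# maintenance mode before patching and bring it back afterwards. Run on that server in the
# Exchange Management Shell. $DrainTarget must be the FQDN of another transport server.

function Enter-ExchangeMaintenance {
    param(
        [Parameter(Mandatory)][string]$Server,        # server about to be patched
        [Parameter(Mandatory)][string]$DrainTarget    # FQDN that takes over the queued mail
    )

    # 1. Stop accepting new mail, then hand the existing queues to another server.
    Set-ServerComponentState $Server -Component HubTransport -State Draining -Requester Maintenance
    Restart-Service MSExchangeTransport              # make the Draining state take effect now
    Redirect-Message -Server $Server -Target $DrainTarget -Confirm:$false

    # 2. DAG members only: move active copies away and block activation on this node.
    if ((Get-MailboxServer $Server).DatabaseAvailabilityGroup) {
        Suspend-ClusterNode -Name $Server | Out-Null
        Set-MailboxServer $Server -DatabaseCopyActivationDisabledAndMoveNow $true
        Set-MailboxServer $Server -DatabaseCopyAutoActivationPolicy Blocked
        $stillActive = Get-MailboxDatabaseCopyStatus -Server $Server | Where-Object Status -eq 'Mounted'
        if ($stillActive) {
            throw "Databases still mounted on ${Server}: $($stillActive.Name -join ', ')"
        }
    }

    # 3. Everything else goes offline; the load balancer's health probe now fails and drains the node.
    Set-ServerComponentState $Server -Component ServerWideOffline -State Inactive -Requester Maintenance

    # Show what is still not Inactive; only the monitoring/recovery components are expected here.
    Get-ServerComponentState $Server | Where-Object State -ne 'Inactive' | Select-Object Component, State
}

function Exit-ExchangeMaintenance {
    param([Parameter(Mandatory)][string]$Server)

    Set-ServerComponentState $Server -Component ServerWideOffline -State Active -Requester Maintenance
    if ((Get-MailboxServer $Server).DatabaseAvailabilityGroup) {
        Resume-ClusterNode -Name $Server | Out-Null
        Set-MailboxServer $Server -DatabaseCopyAutoActivationPolicy Unrestricted
        Set-MailboxServer $Server -DatabaseCopyActivationDisabledAndMoveNow $false
    }
    Set-ServerComponentState $Server -Component HubTransport -State Active -Requester Maintenance
    Restart-Service MSExchangeTransport

    # Anything still not Active means the server is not fully back in rotation.
    Get-ServerComponentState $Server | Where-Object State -ne 'Active' | Select-Object Component, State
}

# Usage (placeholders): drain, patch, reboot, then bring the node back.
# Enter-ExchangeMaintenance -Server 'EX01' -DrainTarget 'ex02.corp.example'
# ... install the Windows and Exchange updates, reboot ...
# Exit-ExchangeMaintenance  -Server 'EX01'
```

Before starting the patch, confirm the drain actually finished on both sides: Get-Queue -Server on the node should show no message counts outside shadow queues, and the F5 or Kemp pool should show the member as down from its own health monitor rather than from an operator override, so the same probe will also bring it back automatically after Exit-ExchangeMaintenance.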
My rule of thumb is always to stay one version behind the latest, unless a serious flaw is addressed in a cumulative update or service pack; in that case, proceed with the installations and close the security loopholes. When it comes to cumulative updates for Exchange, Microsoft generally also releases a security patch that you need to install after the cumulative update.
More patches because of more threats
The days of not patching systems are coming to an end fast, because of all the threats on the Internet like viruses, malware, and ransomware. Time and time again you hear of customers that have been hit by ransomware or viruses because systems were not patched. Microsoft has over the last few months been patching zero-day exploits and needs you to update. Every machine that you patch in your environment means fewer back doors for these threats to come through. I am not saying that if you patch, your computers or servers will be invincible to the threats on the Internet. No, I am stating the fact that you lessen the blast radius in your environment.
Let's face the facts: Not many companies out there test Microsoft patches or have a test environment where they can test and see what issues a patch will cause, maybe to a CRM system or to Exchange. People have the impression that Microsoft or other companies release patches to break environments. They don't. They release them to ensure you are secure and also to fix any issues that you may be encountering on your terminal servers, for example.
Build a test lab
I urge you to build a test lab: simulate your live environment by cloning the machines and putting them on a different VLAN or subnet so it does not affect production, then patch them to see if you have any issues. Also, look at upgrading your systems. Windows operating systems like Windows 7, Server 2008 R2 or Server 2008 will soon hit end of life, and they will no longer get the security patches, cumulative updates or servicing stack updates needed to keep you and your environment secure.
In bigger enterprises, present your findings to your change advisory board (CAB) and make them aware of what is at risk in the environment if you don’t patch and why you need to patch systems. Based on your testing, you can prove to them that X number of holes or potential exploits were closed.
When it comes to Exchange, also take note of when the legacy versions will reach end of life, and plan your upgrades and migrations to newer versions so that you are running the latest version or, at least, one version behind it. Keep tabs on the blogs out there for what people find and report, and for when a hotfix comes out to fix a problem.
Bottom line: just as you treat your backups or email systems with the best SLAs, you need to do the same when it comes to patching your environment. Patching should be No. 1 or, at the very least, No. 2 on your list.