Tenant Manager Background

11-Point Checklist for Customer Patching

Written by Hornetsecurity / 13.04.2018 /
Home » Blog » 11-Point Checklist for Customer Patching

When a new customer signs you on to manage their network and IT Services, they’re really instilling A LOT of trust in you. Many business owners and managers have the perception that they just hired someone to come in and handle everything an internal IT team or person would handle. 

That includes ongoing daily support operations and the back-end work that end users (and likely your customer contact) can’t see happening. While you likely have a very concise document that you provide your new customers that lays out exactly what items you’ll be taking care of as part of your proactive maintenance, how do you know you’re covering all the bases? What components of your customer’s network do you include in this kind of maintenance? 

The easy blanket response is, “Well, we update everything.” Do you, though? I’m surprised, even to this day, how many items are left out of the standard patching/maintenance routines, so I’ve compiled a list below of the different items a customer may have in their environment that require regular patching, as well as a few tools in each section that may be of assistance for that particular item.

Note: While the tools I list in each section below may help in most cases, they are by no means ALL of the tools available in the marketplace. The ones mentioned here are simply those I’ve had first-hand experience with. You’ll want to test any of these tools before using them in production.

With that out of the way, before we get started with that, let’s answer one simple question….

Should I be Running Updates on Everything?

I still hear this question way more often than I should. The short answer here is YES. Your customers are paying you for a service. That service includes keeping their systems running with maximum uptime, no data loss, and protecting them from security breaches. Regular patching is part of the equation for all of those items, but I’m surprised that in the MSPs I’ve talked with, they can often be selective about which items they apply updates to on a regular basis. 

The concern here is often breakage, which admittedly can be a concern for certain components, but you have to remember what the vast majority of patches are for. Patches typically contain fixes for discovered breakages, malfunctions, bugs, and security holes. Sure, getting them applied properly can be something of a chore sometimes, but leaving anything un-patched will eventually lead to your customer running into what was ultimately an avoidable issue. 

To help avoid the “broken-via-patch” issue, your team should be doing regular patch testing, either internally or by having it outsourced to a provider (Continuum, for example, does patch testing as part of their platform). Doing this gives you the confidence to apply tested patches for all customers. It helps you justify the resounding answer to this question of “yes” as you move forward supporting your customers.

With that out of the way, let’s take a look at the checklist.

1. Endpoints

This is often what most customers will think of when they hear of patching/maintenance simply because it’s the network component that is most visible. While I could break this down into several sub-categories, for the purposes of this article, simply know that when you’re patching your customers’ endpoints, it’s not just the OS involved. 

You have third-party applications, device drivers, firmware, anti-virus, possible encryption software, etc. When I first started putting this article together, it was focused primarily on backend infrastructure. But I’ve added this item so that you can at least start thinking about your customers’ endpoints, everything contained within them, and how you’re going to patch them. 

Most RMM platforms today have methods for dealing with OS patching and common applications such as Flash and Java. But there will undoubtedly be other industry-specific applications that you will need to patch via other methods, such as manual scripting installation.

Possible Tools to Assist: WSUS, Continuum, ConnectWise Automate, Kaseya

2. Server OS

This is a no-brainer, right? The OS running on your servers (often Windows Server) needs to be updated regularly. Many MSPs dread the monthly patch Tuesday, but again, remember what these patches are doing for you. In most cases, your customer’s core functions and data sit on a Windows Server somewhere, so when there are fixes to known issues and security vulnerabilities available, I HIGHLY recommend you get them installed. 

You can install said patches manually if you’d like, but many RMM vendors provide the option of doing this for you. At the very least, if you have a customer with more than a few servers and you have no RMM package, consider using WSUS (Windows Server Update Services). It will make your life easier.

Possible Tools to Assist: WSUS, Continuum, ConnectWise Automate, Kaseya

3. Core Server Applications and Roles/Features

This line item refers to the core applications and roles/features installed on top of Windows Server. SQL Server or Exchange, for example. When you’re running these on top of Windows Server, they often have patches and version releases that happen outside of the core OS. So, you’ll need to plan accordingly for these items as well.

Possible Tools to Assist: WSUS, Windows Update, Manual Application

4. Third Party Server-Installed Applications

Not all servers run dedicated Windows Server roles/features. Many are running the hosting component of a core business application. Medical facilities might have a patient records application, or a factory might have an inventory tracking app running, for example. Whatever the application, they will eventually need updates as well, just like the OS.

When you onboard a new customer, you’ll want to take stock of the core business applications they use and where they live. Once you have compiled your list, you’ll want to contact the vendor of said applications, determine their patching cadence, and get documentation on how to apply patches when they are released. Have this information handy because it can be difficult to gather it at the last minute if an urgent patch is needed.

Possible Tools to Assist: Continuum, ConnectWise Automate, Kaseya

5. Server Hardware

I find that this item is a big one and often overlooked. An MSP will install a new server, throw Hyper-V or VMware on it, ensure it has the latest firmware and driver versions on it on the day of installation, and then never update those items again. Those same components are capable of having bugs and security issues as well, and MSPs should be checking the hardware vendors’ websites regularly to see if there are new drivers/firmware. 

This is where it helps to have something like a baseboard management controller or BMC (Dell DRAC or HP iLO, for example) in every server you manage because if you’re upgrading a NIC driver or server BIOS, you have another avenue for getting into the server if there is an issue during a remote patching routine. Some of the MSPs I’ve worked with over the years have simply made BMCs a requirement when a customer wants to install a new managed piece of hardware. 

I’ve even seen some MSPs who will eat that cost if the customer doesn’t pay for it because the benefits often outweigh the costs.

Possible Tools to Assist: Dell Lifecycle Controller, HP Smart Update Manager

6. Storage Infrastructure

This line item is an important one. This item includes all the locations where your data sits (if not on a Windows server) and the interconnectivity in between. This includes things like NASs, SANs, Fibre Channel Controllers, SAS controllers…etc…etc. 

You want these items to be updated regularly for nothing other than stability. If your storage comes crashing down around you, nothing else will work. Make sure you spend the necessary cycles (and the maintenance windows, too!) to ensure these patches and fixes are applied regularly. Thankfully, the plus side here is that storage vendors tend to have excellent documentation and support when it comes to performing maintenance on these systems, so leverage them when you can.

Possible Tools to Assist: Dependent on Platform (See your vendor)

7. Network Infrastructure

Another frequently missed thing that gets patched at installation and then never again. Switches and routers are the unsung heroes of many networks. They quietly do their jobs, and no one ever thinks of them. However, they do need security and maintenance fixes from time to time, so I recommend you check in with the switch manufacturer quarterly to see if there are any new firmware releases. The only rub with patching switches is if you’re doing it remotely, there is often no recourse other than to go onsite if something goes south during the patching process, so plan accordingly.

Possible Tools to Assist: Cisco IOS Software Checker

8. Firewalls

If you think about it, a firewall is often the first line of defense for the security of your customer’s network. It’s the entry point, the castle gates, if you will. Many MSPs see the value easily in making sure this item is patched regularly, but I still run into some MSPs that are still running super old Cisco firewalls with ancient firmware. This is NOT one you want to forget. Add it to your quarterly checklist and plan an outage window as needed. Also, like switches, be sure to have someone standing by to head onsite if attempting to upgrade remotely. If things go south, you won’t have remote access anymore.

Possible Tools to Assist: Dependent on Platform (See your vendor)

9. Printers

If you’re like me, you hate managing printers. They break often, everyone needs them, and they eat up a bunch of support time. But I’ve found over the years that if you keep them well maintained with regular visits from an imaging vendor and you keep the firmware and drivers up to date, you can cut the support calls regarding these items fairly significantly. This item doesn’t need to occur often, but twice a year should make a meaningful impact.

Possible Tools to Assist: PrinterLogic

10. Phone Handsets

Another often ignored item. Many end-users simply pick up and use their VOIP phone without much thought to how it works. You, as the MSP, know better. While the backend server component of the VOIP service will often get patched as part of one of the above processes, the phone endpoints are often forgotten about. Make it a point to get their firmware updated twice a year to keep them up with security fixes and functionality.

Possible Tools to Assist: Dependent on Phone System (See your vendor)

11. Mobile Devices

Something of a new line item for many MSPs. As an MSP, wrapping your hands around all of your customers’ mobile devices (phones, tablets…etc…etc) can be difficult. However, many Mobile Device Management (MDM) packages on the market today are making this easier. Some will assist with version levels and lifecycle management, so you can help close the management gap in this ever-growing section of your customer’s business as well. 

I think that as more corporate data mingles with users’ data on personal cell phones, this space is set to explode from an MSP perspective. Many businesses don’t realize the intricacies of this new trend nor appreciate the importance of tight management and security of any device with their data on it. Adding this to your patching routine today could get you ahead of the game.

Possible Tools to Assist: VMware Air-Watch, Microsoft Intune

Wrap-Up

So that wraps things up for us! Again, use this list as a planning guide for regularly scheduled maintenance for your customers. If you make it a point to cover all of the mentioned bases above, you should see a drop in support tickets as a whole, leaving you more time for other billable work!

Whilst we are in the mood to update things, if you haven’t already done so, why not subscribe to our MSP Dojo newsletter to upgrade your MSP via helpful articles like this one? Sign up here to receive a new MSP article every week directly in your inbox!

Thanks for reading!