ASD's Blueprint for Secure Cloud

Patch Operating Systems

This page provides a template and guidance to assist organisations in documenting their approach to patching operating systems, as per the Essential Eight Maturity Model, associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Estimated reading time: 6 minutes

Applicability

The Patch Operating Systems mitigation strategy is applicable to the appropriate patching of operating systems for the following components of <SYSTEM-NAME>:

  • Endpoints (Windows laptops and desktops)
  • <ON-PREMISES SERVERS>

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Maturity Level

Targeted:<TARGET-LEVEL>
Currently Assessed:<ASSESSED-LEVEL>

Implementation

Asset discovery

<ASSET-DISCOVERY-TOOL> is used to scan for all assets within <SYSTEM-NAME>.

<ASSET-DISCOVERY-TOOL> performs an asset discovery scan on a <FORTNIGHTLY> basis.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Vulnerability scanning

<VULNERABILITY-SCANNING-TOOL> is used to scan for all operating system, DRIVER, AND FIRMWARE vulnerabilities on endpoints and servers AND NETWORK DEVICES within <SYSTEM-NAME>. <VULNERABILITY-SCANNING-TOOL> is configured to update its vulnerability database on a <nightly> basis.

Windows Endpoints

<VULNERABILITY-SCANNING-TOOL> is configured to scan all Windows endpoints discovered by <ASSET-DISCOVERY-TOOL>, performing vulnerability scans on a WEEKLY basis.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Hybrid servers

<VULNERABILITY-SCANNING-TOOL> is configured to scan all hybrid servers discovered by <ASSET-DISCOVERY-TOOL>, performing vulnerability scans on a daily basis.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Patching

Windows endpoints

Patches for operating systems on windows endpoints are managed and deployed using Microsoft Intune, and applied using Microsoft Defender for Endpoint.

In accordance with the <SYSTEM-NAME> Vulnerability and Patch Management Process, vulnerabilities in operating systems, DRIVERS AND FIRMWARE discovered by <VULNERABILITY-SCANNING-TOOL> are applied within 48 HOURS where these vulnerabilities are assessed as critical by vendors or when working exploits exist, and applied within ONE MONTH otherwise.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Hybrid servers

Patches for operating systems, DRIVERS AND FIRMWARE on hybrid servers are applied using <SERVER PATCH DEPLOYMENT MECHANISM>.

In accordance with the <SYSTEM-NAME> Vulnerability and Patch Management Process, vulnerabilities in operating systems, drivers and firmware discovered by <VULNERABILITY-SCANNING-TOOL> are applied within 48 hours where these vulnerabilities are assessed as critical by vendors or when working exploits exist, and applied within 2 weeks otherwise.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Removal of unsupported operating systems

Windows endpoints

In accordance with the <SYSTEM-NAME> Vulnerability and Patch Management Process, <ORGANISATION-NAME> will monitor Microsoft support for Windows, and ensure that all operating systems on workstations are removed prior to this support ending.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Hybrid servers

In accordance with the <SYSTEM-NAME> Vulnerability and Patch Management Process, <ORGANISATION-NAME> will monitor Microsoft support for Windows, and ensure that all operating systems on servers are removed prior to this support ending.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Security & Governance

Design

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra