Keeping software patches up to date with UpdateEXPERT

Traditional patch management is no longer feasible considering the dizzying array of patches you have to keep up with. This review of UpdateEXPERT takes a peek at one method guaranteed to keep you current.


One of the most frustrating parts of network management is trying to keep up with all of the available patches that should be applied to the various servers and workstations on the network. Patch management can be a huge job. After all, security patches aren’t the only types of patches that you need to worry about. It’s just as important to apply other types of bug fixes and service packs. Furthermore, there are also patches for applications, not just for operating systems.

To make matters worse, not all patches are reliable. Anybody remember Windows NT Service Pack 6? Microsoft almost immediately replaced it with Service Pack 6A because it caused so many problems. A more recent example is Windows XP Service Pack 1. In certain environments, this service pack slowed Windows XP network access to a crawl and caused problems with writing data to network servers.

To help you with patch management, St. Bernard Software has recently released a product called UpdateEXPERT. UpdateEXPERT is a software patch management tool that can automatically apply patches to your workstations and servers. In fact, UpdateEXPERT manages patches for a wide variety of operating systems, applications, and server applications. These include Windows NT 4.0, 2000, XP, Internet Information Server, Terminal Server, Media Player, Windows Media Services, NetMeeting, Microsoft Office, Outlook, and more.

One-stop patch updating
UpdateEXPERT has a unique way of managing patches that seems to get around many common patch management problems. The most obvious problem with traditional patch management is that there are just too many patches to track. Rather than requiring you to visit Web sites for each software package, you can simply check the UpdateEXPERT database for any updates available. The research database is organized into a tree view. This means you can either search for a specific patch in the traditional manner, or you can browse through the tree to see what’s available for your specific products.

The best part is that when you're deploying a patch, unstable updates are no longer a factor. St. Bernard Software claims to thoroughly test any available patches for reliability prior to publishing the patch in its database. If you attempt to deploy a patch that UpdateEXPERT considers unsafe, the software will block the installation.

Built-in scripts
Another common patch management problem is that in larger organizations, deploying a patch can be time-consuming. Manually deploying a patch to thousands of workstations is simply not an option. In most cases, you can deploy a patch by writing a deployment script. However, it takes time to write and test these scripts—time that your programmers could better spend doing other things. UpdateEXPERT has deployment scripts built in. Each deployment script is written for a specific patch and is tested for reliability. You can use the UpdateEXPERT interface to deploy a patch with just a few mouse clicks.

Profiling patches
Aside from the deployment issues, there are other problems with traditional patch management as well. For example, suppose a new, critical patch became available for Internet Explorer. Obviously, you'd want this patch applied to everyone’s computer. How would you know if the patch was actually applied to all those machines? Furthermore, how would you know if someone accidentally removed the patch later on?

UpdateEXPERT solves this problem in a couple of ways. First, it allows you to create a profile of which patches you consider mandatory. You can then query each machine against the applicable profile to see if all of the required patches are installed. Next, you can build a report verifying exactly which patches are on each machine. Of course, you can also have UpdateEXPERT automatically deploy any patches that are missing. Best of all, the tool contains a built-in scheduler. This means you can schedule such operations rather than having to run them manually.

You aren’t limited to using a single profile across the entire network. You can create a variety of profiles and assign these profiles to groups of machines. For example, you might create machine groups by operating system, service pack level, or even by a machine’s assigned OU within Active Directory.
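The profile check described above can be sketched as follows. This is an added example, not UpdateEXPERT's code or data format: the patch IDs, host names, group names and both inventory scans are constructed placeholders. It compares each machine's installed patches against its group's mandatory profile, flags a required patch that an earlier scan saw installed but is now gone, and reports a machine with no inventory explicitly instead of counting it as compliant.

```python
"""Profile-based patch audit with drift detection (added example)."""

# Mandatory-patch profiles, one per machine group. Patch IDs, group names and
# host names are constructed placeholders, not real bulletin numbers.
PROFILES = {
    "workstations": {"PATCH-001", "PATCH-002", "PATCH-003"},
    "web-servers": {"PATCH-001", "PATCH-004"},
}
GROUP_OF = {"ws-01": "workstations", "ws-02": "workstations",
            "web-01": "web-servers", "web-02": "web-servers"}

# Two constructed inventory scans: host -> set of installed patch IDs.
# web-02 is absent from the second scan (e.g. remote queries were blocked).
SCAN_1 = {"ws-01": {"PATCH-001", "PATCH-002", "PATCH-003"},
          "ws-02": {"PATCH-001", "PATCH-002"},
          "web-01": {"PATCH-001", "PATCH-004"},
          "web-02": {"PATCH-001", "PATCH-004"}}
SCAN_2 = {"ws-01": {"PATCH-001", "PATCH-003"},               # PATCH-002 removed
          "ws-02": {"PATCH-001", "PATCH-002", "PATCH-003"},  # now compliant
          "web-01": {"PATCH-001", "PATCH-004"}}


def audit(scan, previous=None):
    """Return {host: finding} for every host that fails its group profile."""
    previous = previous or {}
    findings = {}
    for host, group in sorted(GROUP_OF.items()):
        required = PROFILES[group]
        if host not in scan:
            # No inventory is not the same as compliant: report it explicitly.
            findings[host] = {"status": "no-data", "missing": sorted(required),
                              "removed": []}
            continue
        missing = required - scan[host]
        if missing:
            # Drift: a required patch that an earlier scan saw installed.
            removed = missing & previous.get(host, set())
            findings[host] = {"status": "non-compliant",
                              "missing": sorted(missing),
                              "removed": sorted(removed)}
    return findings


if __name__ == "__main__":
    for host, f in audit(SCAN_2, previous=SCAN_1).items():
        print(f"{host}: {f['status']} missing={f['missing']} removed={f['removed']}")
```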

Accessibility agent
Yet another challenge of traditional patch management is accessibility. For example, suppose you have a Web server that is accessible to the public via the Internet. Since the Internet is such a hostile environment, you’ve probably taken many steps to make sure the Web server is as secure as possible. The problem is that high-security environments usually block any attempt to remotely add software to the machine.

Normally, when UpdateEXPERT needs to update a machine, it does so over RPC. However, in a high-security environment or on machines that are tightly locked down, RPC traffic is often blocked. To get around this problem, UpdateEXPERT offers an optional agent component. You can apply this agent to secure machines, and it will allow the machine to communicate with UpdateEXPERT in spite of other security settings.

In case you're wondering, all components of UpdateEXPERT, especially the agents, are designed to be secure. All UpdateEXPERT transmissions are encrypted, and CRC checks are run against patches before the patches are applied. Another nice security feature is that an administrator doesn’t have to be logged in with an administrator account in order to apply patches to remote machines. Instead, an administrator can create an account whose sole purpose is patch updates. The administrator can then use UpdateEXPERT to delegate the necessary privileges to that account.

What’s new?
One of the software’s newest features is that it can be used as a snap-in for HP OpenView. St. Bernard Software is a solution-level member of the HP OpenView Solution Alliance Program. The OpenView plug-in will allow IT managers to effectively inventory, deploy, test, and validate the increasing number of Windows patches.

Acquiring UpdateEXPERT
St. Bernard Software has a free trial version of UpdateEXPERT that you can download from its Web site. This trial software will allow you to test UpdateEXPERT on up to five machines for 15 days. If you decide to purchase the product, you can do so directly from the St. Bernard Software Web site. Pricing is based on a sliding scale determined by the number of licenses and number of years that you subscribe to patch updates. The current pricing for up to 50 licenses and a year’s subscription is $780, plus $15 for shipping.
