Security vulnerabilities are uncovered on a daily basis, and managing the security patches that address them is an endless task for every network administrator. Previously, I outlined a simple strategy for patch management. Thankfully, patch management software can assist in making the task bearable.
Several products are available to manage missing patch detection and deployment. One good choice is GFI’s LANguard Network Security Scanner (LNSS), which consolidates network security scanning and patch management features in one package at a reasonable price. This article will examine the LNSS patch management features and show how they can make your job easier.
You can download a freeware version of LNSS from the GFI Web site. It contains the scanning and security alert functions that are part of the full version of the LNSS package, but it includes only a 30-day trial of the patch management features. Still, the pricing for the full version is fairly reasonable, ranging from $249 for 50 IP addresses to $695 for unlimited IPs. You can also purchase a maintenance agreement for one, two, or three years.
Patch management setup
In my article "Use LANguard to scan and audit network security," I examined LNSS and its usefulness as a network security scanner. The first step in using LNSS for patch management is to perform a network scan to determine what patches are missing. Prior to starting the scan, you need to make a few configuration changes to tweak LNSS for patch management.
First, make sure the scan is set to run with administrator credentials. Set the credentials under Scan | Options on the Session tab (Figure A).
Select Use Existing Credentials if you are logged on with an account that has administrator credentials. Otherwise, enter an account with administrator credentials in the Username and Password text boxes. Without administrator credentials, LNSS will be unable to connect to the registry of each machine to determine what patches are currently installed.
Next, choose the Alerts tab and verify that Check For Missing Patches is selected, along with the Yes, Download The File From Microsoft Website option (Figure B). When this option is selected, LNSS attempts to download the Mssecure.cab file when the software launches. LNSS uses Mssecure.xml, which is contained in Mssecure.cab, to determine missing patches.
After selecting the option, close and reopen LNSS to force an update of the file. You can also manually download the .cab file and place it in the download subdirectory of the LNSS installation. If LNSS can't download the file, it will display a message during startup and use the version of Mssecure.cab currently located in the download directory.
To check the version of Mssecure.xml that LNSS is using, click Patches and select Browse Bulletins to display the dialog box shown in Figure C. The file version and last update appear in the lower-left corner. Clicking on a bulletin supplies more specific information about it, as well as a download link.
Now, choose the Advanced tab to display the Configuration Manager. Double-click on the Missing_patches.ini file (Figure D) to load a configuration file that focuses on gathering the information needed to determine missing patches. This will speed up the scan by skipping the detailed port-scanning features of LNSS. When you want to return LNSS to its full scanning potential, you can reload the Backup_Languard.ini file to return it to the default configuration.
Start the scan
Once the configuration is complete, LNSS is ready to look for missing patches. Select the machine(s) you want to scan. LNSS can scan a single machine, a list of machines, a single domain, or multiple domains. Click the Play button to begin the scan. When the scan is complete, the detailed results of each machine will be displayed in the left window. The Missing Patches section details the missing patches (Figure E).
The results of an LNSS scan are easier to review in a report format. Just click File | Save Scan Results to organize the scan information into an easy-to-view report. You can further customize the report to view only security alerts.
When you are ready to begin the patch process, right-click on a listed machine in the left pane and select Deploy Patches On This Computer or All Computers. The Deploy Patches dialog box will appear (Figure F).
Here, you can configure the deployment options. You can choose to perform the deployment immediately or schedule it for later. Clicking These Patches will display a list of patches that need to be deployed (Figure G).
You can select or deselect individual patches for installation. Of course, I can't stress enough the importance of reviewing each patch and testing prior to deployment. Clicking These Computers will display the computer or computers you selected. You can select or deselect individual computers as desired.
Clicking the Advanced button allows configuration of a warning message that will be sent to the user before deployment. You can also specify whether the user can interact with the deployment (Figure H).
If users can't interact with the job, they'll receive the warning message, followed by a reboot of their PC. Additional settings allow services such as SQL and IIS to be stopped during deployment and can control the number of threads used during deployment.
After you've configured all the deployment options, click the Start button. LNSS will prompt you to download the necessary patches and provide a link for each patch (Figure I).
The downloaded patches must be saved in the download directory for LNSS to find them. Patches can also be downloaded ahead of time by using the Browse Bulletins feature described earlier. Once all the patches are downloaded, click the Start button again, and the patch process will begin. The bottom portion of the screen will display the status of the deployment. Upon completion, a detailed report will be displayed.
Review the deployment
The final step is to perform a follow-up scan to ensure that the patches are deployed and that all machines survived the patch process. Click the Play button, and LNSS will rescan the computer(s). Examine the Alerts section to view installed and missing patches.
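The follow-up check above can also be done mechanically by comparing the two scans. The sketch below is an added example, not part of the original article or of LNSS: it assumes the Missing Patches results of both scans have been copied into dictionaries, and the function name, host names and patch IDs are hypothetical. It separates patches that were deployed but are still missing from patches that were deliberately deselected, and flags machines that did not answer the rescan.

```python
# Added example; host names and patch IDs are constructed sample data.

def review_deployment(before, after, deployed):
    """Classify each host after the follow-up scan.

    before, after: {host: set of patch IDs the scan reported missing}
    deployed:      {host: set of patch IDs selected for deployment}
    """
    report = {}
    for host in sorted(before):
        selected = deployed.get(host, set()) & before[host]
        if host not in after:
            # No rescan result: the machine may not have come back after
            # the reboot, so none of its patches can be confirmed.
            report[host] = {"status": "unreachable", "failed": [],
                            "deferred": [], "new": [],
                            "unverified": sorted(selected)}
            continue
        still_missing = after[host]
        failed = sorted(selected & still_missing)
        # Deselected on purpose, so still missing is expected.
        deferred = sorted((before[host] - selected) & still_missing)
        # Not in the first scan, e.g. the patch catalog changed in between.
        new = sorted(still_missing - before[host])
        report[host] = {"status": "failed" if failed else "ok",
                        "failed": failed, "deferred": deferred,
                        "new": new, "unverified": []}
    return report

BEFORE = {
    "ws-01": {"EX-001", "EX-002"},
    "ws-02": {"EX-001", "EX-003"},
    "srv-01": {"EX-002"},
}
DEPLOYED = {
    "ws-01": {"EX-001", "EX-002"},
    "ws-02": {"EX-001"},            # EX-003 deselected pending testing
    "srv-01": {"EX-002"},
}
AFTER = {
    "ws-01": {"EX-002"},            # EX-002 did not install
    "ws-02": {"EX-003", "EX-004"},  # EX-004 is newly reported
    # srv-01 is absent: it did not answer the rescan
}

if __name__ == "__main__":
    for host, result in review_deployment(BEFORE, AFTER, DEPLOYED).items():
        print(host, result)
```

Hosts marked "failed" or "unreachable" need attention first; "deferred" entries are the patches still awaiting review and testing.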
Patch management is a tedious but essential job. The full version of LNSS can help ease the burden. I recommend that you download the free version of the product and explore the 30-day-trial patch management features for yourself on a test network.