The importance of keeping computers updated can't be overemphasized, with new exploits reaching the wild on a regular basis. The recent animated cursor (.ANI) vulnerability is a case in point: exploits were already circulating when Microsoft released the MS07-017 patch in early April, ahead of its normal monthly cycle, and it was soon reported that the patch was breaking some applications. How do you ensure that critical security patches get installed on all the machines on your network, while ensuring that potentially problematic patches don't get rolled out until you've had a chance to test them?
The smallest organizations can rely on the Automatic Updates functionality built into modern Windows client operating systems for Windows Update/Microsoft Update. If Automatic Updates is enabled, computers download and install any critical updates without user or administrator intervention. Automatic Updates can also be configured to download updates but not install them until approved, but that option requires either that users know which updates should or shouldn't be installed, or that an administrator individually approve or reject updates on every client machine.
As the organization grows, such individual attention becomes impractical, and you'll want more control over the distribution of updates. If your network grows into a hybrid one, with Linux/UNIX and/or Macintosh computers running along with Windows machines, it gets even more complicated.
Microsoft has its own update tools, including Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM), the latest incarnation of Systems Management Server (SMS). WSUS lets you approve updates centrally and stage them to groups of computers, so a pilot group can run a patch for a few days before it is approved for everyone else. However, these tools don't support non-Windows operating systems. To manage patches on a hybrid network, you may need to turn to a third party solution, at least for some of your systems. In this article, we take a look at some of the options.
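To make the WSUS staging concrete, here is an added example (not from the article and not a Microsoft-supplied script) that configures a single Windows client to take its updates from a WSUS server, assigns it to a client-side target group, and sets the Automatic Updates behaviour discussed above (download only versus download and install on a schedule). The registry values are the documented Windows Update policy settings; the server name, group names and schedule are assumptions. In production you would push the same values with Group Policy rather than scripting each client, but the script shows exactly what the policy writes and includes the check a practitioner wants: that the client really points at the intended server.

```powershell
# Added example: point a Windows client at an assumed WSUS server and
# choose how Automatic Updates behaves. Run in an elevated PowerShell
# session on the client. Registry paths and value names are the documented
# Windows Update policy settings; the server, group and schedule are assumed.

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au     = "$policy\AU"

# Assumed WSUS server name. 8530 is the default WSUS HTTP port, 8531 HTTPS;
# prefer HTTPS so nothing on the path can tamper with update metadata.
$wsusServer  = 'https://wsus.example.internal:8531'

# Assumed client-side target group. Approve a patch for 'Pilot' first,
# let those machines run it for a few days, then approve it for 'Production'.
$targetGroup = 'Pilot'

# AUOptions values (documented meanings):
#   2 = notify before download
#   3 = download automatically, notify before install (admin approves on the box)
#   4 = download and install automatically on the schedule below
#   5 = let the local administrator choose
$auOptions   = 4
$installDay  = 0   # 0 = every day, 1..7 = Sunday..Saturday
$installHour = 3   # 24-hour clock

foreach ($key in $policy, $au) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

Set-ItemProperty -Path $policy -Name WUServer           -Value $wsusServer  -Type String
Set-ItemProperty -Path $policy -Name WUStatusServer     -Value $wsusServer  -Type String
Set-ItemProperty -Path $policy -Name TargetGroupEnabled -Value 1            -Type DWord
Set-ItemProperty -Path $policy -Name TargetGroup        -Value $targetGroup -Type String

Set-ItemProperty -Path $au -Name NoAutoUpdate         -Value 0            -Type DWord
Set-ItemProperty -Path $au -Name UseWUServer          -Value 1            -Type DWord
Set-ItemProperty -Path $au -Name AUOptions            -Value $auOptions   -Type DWord
Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Value $installDay  -Type DWord
Set-ItemProperty -Path $au -Name ScheduledInstallTime -Value $installHour -Type DWord

# Check: read the effective policy back and stop if the client would take
# patches from anywhere other than the server we intended.
$effective = Get-ItemProperty -Path $policy
if ($effective.WUServer -ne $wsusServer) {
    throw "WUServer is '$($effective.WUServer)', expected '$wsusServer'"
}
Get-ItemProperty -Path $au |
    Select-Object AUOptions, UseWUServer, ScheduledInstallDay, ScheduledInstallTime

# Restart Automatic Updates so the new policy is read, then force a
# detection cycle and a status report to the WSUS server.
Restart-Service -Name wuauserv
& wuauclt.exe /resetauthorization /detectnow
& wuauclt.exe /reportnow
```

Setting AUOptions to 3 instead of 4 gives the "download but don't install until approved" behaviour described above, which is only practical when someone is prepared to approve updates at each console. With WSUS, the approval happens once, on the server, per target group; the client side only needs the group name.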
One of the most popular third party patch management solutions for SMBs is PatchLink Update. It has been around since the mid 1990s and is well regarded in the industry. It works with Windows, Mac OS, NetWare and several flavors of UNIX (IBM AIX, HP-UX and Sun Solaris). Unlike some network tools, it's user friendly, with wizard-based deployment of patches and support for phased rollouts.
The server component installs on Windows Server 2003 and sets up SQL Server 2005 Express Edition during installation. PatchLink maintains a large repository of application and operating system patches from major software vendors and pre-tests the patches to help you head off problems like the .ANI patch incident mentioned above. Its "Digital Fingerprinting" technology detects vulnerabilities across the network and ensures that the appropriate patches are applied.
PatchLink also integrates with popular commercial vulnerability scanning products and third party network access control systems. You can find out more, view a demo and get free evaluation software at www.patchlink.com.
Another popular software solution is Shavlik's NetChk Protect, which combines patch management with detection and removal of spyware and malware in one console. You get the option of an agent-based or agentless architecture, with quick vulnerability assessment and remediation along with executive-level reporting. It can scale to environments of up to 50,000 devices and supports non-Microsoft applications.
The software runs on Windows XP, Windows 2000 or Windows Server 2003 and uses a Microsoft SQL Server or MySQL database. You can download a 14-day evaluation version to try it out, and you can find out more at http://www.shavlik.com/product_cat_patch_mang.aspx
A more comprehensive solution is Configuresoft's Enterprise Configuration Manager (ECM) with the Security Update Manager (SUM) add-on module. More appropriate for companies at the larger end of the SMB market (along with enterprises), it uses the configuration data already collected in the ECM database to do vulnerability assessment and install patches on machines grouped by function or role.
SUM is available for both Windows and UNIX systems, and gives you complete control over which patches to apply to which systems and how to schedule patch deployment. You can find out more at http://www.configuresoft.com/patchmanagement.aspx
Kace Management Appliance
Another approach is to use an appliance-based solution such as the Kace KBOX 1000 series. These management appliances do more than patching; they also perform hardware and software inventory, distribution of general software, asset management (including non-computer assets), scripting and configuration, security audit and enforcement, help desk and alerting, and remote control.
The administrative console is web based and it can integrate with Active Directory and LDAP services or operate in standalone mode. Agents are available for Windows, Linux and Solaris machines, and it also includes agentless support for any device with a network address. You can read more about it at http://www.kace.com/products/kbox1000.php.
Another appliance, Blue Lane's PatchPoint, takes a different approach: it is advertised as a "vulnerability shield" for servers that detects and mitigates attempts to exploit unpatched vulnerabilities in network traffic before it reaches the servers, without blocking legitimate traffic.
No agents need to be installed, no server configuration changes are required, and protections are applied dynamically with no reboot of the servers necessary. PatchPoint protects Windows servers, Solaris, Novell SUSE, Red Hat Enterprise Linux and FreeBSD operating systems, Microsoft SQL Server and Oracle database servers, Exchange and Sendmail mail servers, Apache web servers, and more. Bear in mind that this kind of network-level shielding buys time; it does not remove the vulnerability from the host, so it complements rather than replaces applying the vendor's patch. You can find out more at http://www.bluelane.com/products/patchpoint/
Everdream Management Services
Yet another option is to use a service-based patch management solution. One such example is Everdream's Uptime Services Suite, which provides patch management services along with anti-virus and anti-malware protection and online backup. It includes automated distribution of patches, monitoring of distribution status and monthly patch compliance reports.
Advantages of an on-demand managed service include minimal up-front investment and no capital expenditure for hardware or software licenses. Instead you pay a monthly fee, get a guaranteed SLA (Service Level Agreement), and interact only with the service's personnel rather than with multiple vendors.
You can find out more about it at http://www.everdream.com/solutions/uptime/index.aspx
Patch management can be a tedious and time-consuming process, albeit an essential one, and especially so in a hybrid network environment. Luckily, there are many third party products and services that can help to automate the process and make it easier.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.