Patch management enhancement tools and best practices

For systems administrators, it is tough to find much appreciation for patch management. Unfortunately, this necessary evil has to be done. IT pro Rick Vanover shares a few tips.

For patching server and workstation systems, nothing gets me irritated more than simply being informed that this update needs to be installed on a system. Pick your flavor of irritating package, we all have them. Mine are Java runtime engines, Adobe Flash and Reader, Windows pick of the litter, and SQL Server updates. While it isn’t impossible to maintain and automate updates on systems, administrators are challenged when it is more complicated than just updating everything.

Vendor requirements, test cycles, application dependencies and other factors can make the patch management process more complicated than it may look. What can administrators do about this? The most important first step is to have a collection of automation tools in place. The tool in use can be part of the problem, however, because of the central assumption that system management software can do more than just determine what needs to be installed and push it out.

There will always be a collection of systems that can take all updates all of the time. Those are relatively straightforward to support and can possibly even be managed outside of a systems management package. Automatic Update configuration locally or through Group Policy as well as individual application configuration may do the trick for the majority of Windows systems. Note: Be sure to check my earlier tip on how to patch Windows Server Core.

Now, many people may just ask: what more needs to be done than to apply all applicable updates? Enter the tightrope dance between satisfying software vendor requirements that may say a certain patch or major service pack is not supported and internal security scans saying that a system is vulnerable to a specific risk.

I recently saw that a new feature for QualysGuard Vulnerability Management appears to do a good job of reporting what updates need to be applied to a collection of systems to address specific issues, rather than installing an update simply because it is not installed. This can reduce the application of unnecessary updates as well as minimize precious downtime. This new feature is called Patch Report, which can identify what systems are in need of which updates based on your own criteria. Patch Report isn’t a deployment mechanism, so it won’t do the work that the systems management packages will need to do.

System management packages such as Altiris, Microsoft System Center, ZENworks and others are still useful for the dirty work of getting patches onto a system, but they frequently lack the ability to report on vulnerabilities rather than the broad patch inventory.

Patch management can also be made better by providing scripted installations of the updates. With system management software, a package can be created to deploy only the specific updates required to address a list of vulnerabilities, which reduces downtime and maintains application support. This is a little more labor-intensive and requires a very well-defined organization of systems in a tool such as Active Directory.
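The approach described in the two paragraphs above, a vulnerability report deciding which updates a system actually needs and a script installing only those, can be put together in PowerShell. The following is an added example, not code from the article or from any of the products it mentions. It assumes a CSV report with ComputerName, KB and Severity columns (a constructed sample is written to disk so the script runs stand-alone), a hypothetical file share where each update sits as `<KB>.msu`, and it uses the real `Get-HotFix` cmdlet and `wusa.exe` to check and install Windows updates.

```powershell
# Added example (not from the article): install only the updates a
# vulnerability report says this host needs, skip what is already present,
# and write a result log so the run can be reported on afterwards.
#
# Assumptions (all hypothetical, adjust for your environment):
#   - $ReportPath  : CSV with columns ComputerName,KB,Severity
#   - $UpdateShare : folder holding one .msu per KB, e.g. \\patchsrv\updates\KB1234567.msu
param(
    [string]   $ReportPath  = (Join-Path $env:TEMP 'patch-report.csv'),
    [string]   $UpdateShare = '\\patchsrv\updates',   # placeholder share name
    [string[]] $Severities  = @('Critical'),           # only act on these report severities
    [string]   $LogPath     = (Join-Path $env:TEMP 'patch-run.csv'),
    [switch]   $DryRun                                 # report what would be done, install nothing
)

# Constructed sample report so the script runs stand-alone; the KB numbers
# are placeholders and do not refer to real Microsoft updates.
@"
ComputerName,KB,Severity
$env:COMPUTERNAME,KB9999901,Critical
$env:COMPUTERNAME,KB9999902,Important
OTHERHOST,KB9999903,Critical
"@ | Set-Content -Path $ReportPath -Encoding ASCII

# 1. Keep only the rows that apply to this host and meet the severity filter.
$needed = Import-Csv -Path $ReportPath |
    Where-Object { $_.ComputerName -eq $env:COMPUTERNAME -and $Severities -contains $_.Severity } |
    Select-Object -ExpandProperty KB |
    Sort-Object -Unique

# 2. Inventory what Windows already has (QFE records only; third-party
#    software such as Java or Flash is not visible here).
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

$results = foreach ($kb in $needed) {
    $row = [pscustomobject]@{ Computer = $env:COMPUTERNAME; KB = $kb; Result = ''; ExitCode = $null }

    if ($installed -contains $kb) {
        $row.Result = 'AlreadyInstalled'
        $row; continue
    }

    $msu = Join-Path $UpdateShare "$kb.msu"
    if (-not (Test-Path -Path $msu)) {
        # The report wants it but the package was never staged: surface it, do not guess.
        $row.Result = 'PackageMissing'
        $row; continue
    }

    if ($DryRun) {
        $row.Result = 'WouldInstall'
        $row; continue
    }

    # 3. Install silently without an automatic reboot; the reboot decision
    #    belongs to the maintenance window, not to this script.
    $proc = Start-Process -FilePath 'wusa.exe' `
        -ArgumentList "`"$msu`" /quiet /norestart" -Wait -PassThru
    $row.ExitCode = $proc.ExitCode
    $row.Result = switch ($proc.ExitCode) {
        0       { 'Installed' }
        3010    { 'InstalledRebootRequired' }   # ERROR_SUCCESS_REBOOT_REQUIRED
        2359302 { 'AlreadyInstalled' }          # WU_S_ALREADY_INSTALLED (0x240006)
        default { 'Failed' }
    }
    $row
}

# 4. Persist the outcome so the patch tool (or a person) can report on it.
$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Format-Table -AutoSize
```

Run it with `-DryRun` first to see which KBs the report would trigger on this host; on the sample data both placeholder KBs come back as `PackageMissing` (or `WouldInstall` in dry-run mode) because the share does not exist. The severity filter is the hook for the vendor-support problem the article describes: a KB that a vendor has not blessed is simply left out of the report rows that reach the script, and the log shows it was never attempted.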

For very highly controlled environments, updates may not be permitted unless they address only the most critical vulnerabilities. Hopefully this inventory is a small number of systems, but the update process in this case may be best served by doing manual updates from an organized list.

What tips or tricks do you have for update management that you can share when you can’t just update everything blindly? Enter a comment below.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

23 comments
elPresidento

Well, just have a quick look at the Heimdal Security Agent, which has just been launched in Denmark by CSIS. This security tool constantly keeps a selection of actively exploited software patched (the patch is provided by the vendor itself). The entire patching process is silent and unattended. So you just have to press the SCAN button and the patching process is done automatically. Currently we are monitoring the following list of software, which is known for its popularity as well as for being the most vulnerable according to the NVD (National Vulnerability Database):

1. Windows Media Player
2. Internet Explorer
3. MDAC
4. Mozilla Firefox
5. Adobe Reader
6. Adobe Flash Player (Mozilla plugin)
7. Adobe Flash plugin (ActiveX IE plugin)
8. Adobe Shockwave Player
9. Apple QuickTime
10. Oracle JRE (Java Runtime Environment)
11. WinZip
12. Skype
13. Opera browser

I bet you have at least 5 of the above installed on your home PC, and they remain in a vulnerable state because you did not find time to download the latest version, are too lazy to download the patch, or do not care at all ;=) In fact, many users ignore the existence of exploits for these programs and are hence left vulnerable to attacks by hackers when they do online banking or other online transactions. Heimdal Agent helps to mitigate this vulnerability risk. Another feature provided by Heimdal Agent is that you will have the possibility to remove information stealers (i.e. malware) from your machine. If you want to install this security software, with me as referrer, well, it is simple ...

Steps to follow:
--> Go to: https://webbank.csis.dk/
--> username: amu@csis.dk
--> pass: amu
--> Download the Heimdal Agent
--> Install the software
--> Send your feedback to me (Help -- Send feedback)

Demo of the software: http://www.youtube.com/watch?v=ON0v7cLG4QQ

Another option is to download the software from our website itself: https://www.csis.dk/en/private/heimdal

Good news: we are going to monitor Google Chrome, Adobe AIR, RealPlayer, iTunes, Safari, Windows Live Messenger, other Microsoft products and many more soon...

andrewv

108 servers, 1 administrator/developer/SQL dude and general dogsbody

smason

If you want real control over patch management, Shavlik's product does a really good job!

whatisnew

I pray while my eyes are opened.

Jaqui

Since it's a Perl script, it is a simple one to port to ANY Unix or Unix-like OS, so any of the BSDs, GNU/Linux, Mac OS, HP-UX, AIX could also use this tool.

Gh0stMaker

Shavlik is a very nice tool; we use it at one of our customer sites with 400-500 clients and 60 servers.

marcos_madera@hotmail.com

I've been using Spiceworks for some patching and asset inventory; this Shavlik seems something similar, don't you think? With Spiceworks I have some firewall troubles in my domain. I also used the Lansweeper demo for testing, and it works fine. I haven't bought anything yet for patching in the office.

adrian.oneill

I just looked at the Shavlik website. Are the tools all free?

mmayse

Shavlik is an EXCELLENT tool. It can take a bit to set up, but it will do patches and scans both agentless and with an agent. If you have remote offices, it can be set up for use with a remote server. We use it for about 250 machines.

b4real

I know it is good at the implementation, but is it also good at reporting and such?

randyd@sji

Perfect discussion, I am researching a solution now. Our environment is predominantly Dell. Dell bought into kace.com. They have a couple of different solution devices: System Management, which covers inventory, asset management, software distribution, patch management and service desk features; and System Deployment, which covers network OS install, disk imaging, etc. Anyone seen this? Have not heard of Shavlik... interesting.

kpbarry

You could certainly execute it on any system with Perl, but Solaris patching is a somewhat proprietary ordeal and PCA is pretty much written specifically for that platform. PCA uses the patchdiag.xref file published by Sun (well, Oracle now) to determine what patches the system needs. It is hardwired to fetch the patches from the SunSolve site. And it installs the patches with the Solaris smpatch utility. Someone could probably use the code as a basis for writing a utility for other *nix OSes, though, trying to match the functionality. Honestly, patch and package management in the Linux distributions that I use blows away anything that comes with Solaris out of the box. But if you have to patch Solaris boxes, PCA is a great tool and it is easy to build your own wrapper around it for automation, reporting, etc., to do specifically what you want to do in your own environment.

kkoehler

Yep, I use it for all of my sites. The reports are very nice and easy to read, and for people who like visual aids there are lots of pie charts if needed. Wonderful software.

cmeisinger

Sorry it took so long for me to post back... So we implemented the KBox 1000 virtual appliance. Install was fairly simple. We did the jumpstart training, which was informative, but I felt as though it could have been better; it was pretty basic and there is a lot to the system. We are still tweaking the labeling, learning the software install piece and getting the users using the Help Desk system, but it is very nice to be able to track user issues and have their machine inventories available. If you have any questions I could help you with, feel free to ask.

tomjhen

We are strongly considering the K1000 for our environment and would be very grateful to hear about your experience. Thanks in advance!

Gh0stMaker

SOHO's Service Desk Plus is a nice solution, and their other network tools are great as well. Soho used to be AdventNet, btw.

cmccracken

Hey Randy, I recently went through the same task and went with KBOX, receiving the physical KBOX not long after Dell purchased KACE. I compared the KBOX with solutions from Altiris/Symantec, LANDesk, and Kaseya. When I have a chance, I intend to post an article about the experience, but until then I'd be happy to tell you anything I can about our current KBOX experiences, why I selected them, etc. Casey

cmeisinger

Sure can. We just had our kick-off meeting with the Dell trainer and hopefully will be installing in the next week and have the training in July. I'll post back info as I get more involved in the product.

randyd@sji

Thanks meisingerc. Could you post back with some experience a little later?

cmeisinger

We just purchased the KACE KBox Virtual Appliance and are getting ready to implement. We were looking for a Help Desk solution as well as patch management and inventory and the KBox seemed to have most everything we were looking for.