Patch Management

By lachlann562 ·
I have just recently started on a project for implementing a patch management solution. So far these are the products I've learned about:
Microsoft WSUS (Upgraded SUS - not yet released)
Microsoft SMS
Shavlik's HFNetCheckPro

I am with a company of about 300 employees, and 200 servers (DMZ's, extranet, intranet).

Any help would be appreciated.


Ah you want a recommendation??

by CG IT In reply to Patch Management

There's a long list of companies that have patch management software. Quest Software has one that's pretty all encompassing BUT with a hefty price.

Windows Update Service is what we are playing around with right now. We nabbed a beta copy and it's pretty good. Runs just like the Windows Update except it's on our servers. Software Update Service requires a LOT of admin effort. A LOT. You have to baseline ALL computers and track what's on what, when and when. Then approve updates for deployment, then deploy them. Lot of work.

Systems Management Server is a lot like Software Update Service but has way way more capabilities than just getting patches and service packs rolled out. It's pricey too and unless you're running hundreds of workstations all over **** and back, just isn't worth it.


Reboot Control

by lachlann562 In reply to Ah you want a recommenda ...

How do you find the reboot control? We have approximately 107 servers in production and 110 servers in offices (and approximately 150 test servers). The main concern is the production servers; how much control do you have on whether or not it restarts?


we read the security updates from Microsoft

by CG IT In reply to Reboot Control

Microsoft has a Security update notification service which we subscribe to. We can read about the patches, hotfixes etc. and whether it requires a reboot. If it does, we then schedule when we do a cluster. We don't automatically push updates out or let servers automatically pull updates. We do workstations but not servers.

Heck most of our time was devoted to reading all the crap that comes out [which everyone bitched at Microsoft because we couldn't keep up with the daily notifications. So they went to a monthly deal].

Now we know when an update is coming out and can schedule the server nodes that need reboots. It's still a big admin chore but it was a HUGE admin chore before.
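The reboot-control question above comes down to Windows Update Agent policy on each server. The following is an added example, not code from any poster in this thread: it sets the WSUS client policy so a production server downloads patches but never installs or restarts on its own, and adds a check an admin can run before a scheduled cluster-node reboot. The WSUS hostname is a placeholder, the registry values are the documented Automatic Updates policy values, and the pending-reboot check assumes Windows Vista/2008 or later.

```powershell
# Added example (not from any poster): Automatic Updates policy for a
# WSUS-managed production server, plus a pending-reboot check.
# Run as Administrator. The WSUS URL below is a placeholder.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = "$wuPolicy\AU"
New-Item -Path $auPolicy -Force | Out-Null

# Point the agent at the internal WSUS server (placeholder hostname).
Set-ItemProperty -Path $wuPolicy -Name 'WUServer'       -Value 'http://wsus.example.internal:8530'
Set-ItemProperty -Path $wuPolicy -Name 'WUStatusServer' -Value 'http://wsus.example.internal:8530'
Set-ItemProperty -Path $auPolicy -Name 'UseWUServer'    -Value 1 -Type DWord

# Risky on production: AUOptions 4 = download AND install on a schedule; the
# agent may then restart the box on its own once the install finishes.
# Set-ItemProperty -Path $auPolicy -Name 'AUOptions' -Value 4 -Type DWord

# Conservative: AUOptions 3 = download automatically but only notify, so an
# admin installs and restarts during the maintenance window they scheduled.
Set-ItemProperty -Path $auPolicy -Name 'NoAutoUpdate' -Value 0 -Type DWord
Set-ItemProperty -Path $auPolicy -Name 'AUOptions'    -Value 3 -Type DWord
# Belt and braces: even a scheduled install must not restart with a user logged on.
Set-ItemProperty -Path $auPolicy -Name 'NoAutoRebootWithLoggedOnUsers' -Value 1 -Type DWord

# Before rebooting a cluster node, confirm a restart is actually pending.
function Test-PendingReboot {
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wua = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    return (Test-Path $cbs) -or (Test-Path $wua) -or ($null -ne $sm.PendingFileRenameOperations)
}

"Pending reboot on $env:COMPUTERNAME : $(Test-PendingReboot)"
```

In a domain these same values are normally delivered through the Windows Update administrative template in Group Policy, with separate GPOs for the workstation and production-server groups, rather than set per machine.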


tough no matter what you do.

I have been using HFNetCheckPro v4 for a while. It has been less than perfect and very troublesome for a mixed environment (Windows 2000, Windows XP and mixes of Office). I have upgraded to v5 and am currently testing; it looks very promising, especially in mixed environments.

Never used SMS but hear it is garbage from friends.

We tried SUS (older version of WSUS) and it was difficult without any reporting features; currently testing the new WSUS and it too looks very promising. It handles shutdowns well.

No matter what you choose, keep this in mind. You will want a central server at each remote location that you can terminal service into and run the scans/deployments locally. It is a good practice to have separate computer groups, especially if you are going to push to servers (which I don't recommend).

If you must push to servers, push to non-critical servers as most others require certain services to be stopped and you may want to back up certain data prior to the push.

That's my 2 cents. Me and mine are currently in the same patch management boat but have focused on 2 products, WSUS (in beta even for us) and HFNetCheckPro (problematic in the past, new version may be our answer). A little bit of good luck and much research... Have fun!


You have other problems my friend

by jason.meissner In reply to Ah you want a recommenda ...

300 employees and 200 servers?
My first point of managing this environment would be to ask why the **** you have 200 servers in the first place?
For a company of your size it is quite ridiculous that you have this many servers, even if they are a software development shop.
x2 Decent servers to manage Data.
x2 Decent servers to manage print
x4 Development servers to handle application and web - use a product such as vmware's Vmotion to create images and rollout new servers in 10 minutes, but all on the same hardware.
x1 Exchange
X2 DC's
x1 DMZ web presence
X1 Intranet ISA
etc, etc
Look at consolidating your server hardware first. This will reduce the amount of servers you have to manage and reduce the amount of servers to patch.
Then look at a product that will scan your servers for vulnerabilities (WUS cannot) and have the ability to push approved patches out to those servers.
My two cents.


Patch Products I have Tested

by rcharles In reply to Ah you want a recommenda ...

I have tested the WSUS and yes this requires a lot of work. But the other product I have tested is Ecora Patch Management Solution and it is really easy to set up and use. The reporting in this product is much better than any on the market.

Another one you might want to consider is LANDesk. This provides reporting and software distribution capabilities.

PatchLink
by BFilmFan In reply to Patch Management

Several of the clients I've consulted with in the past have used PatchLink to great success.


Possible Issues with patchlink

by lachlann562 In reply to PatchLink

I was just reading over the website and I had a couple of concerns that you might have encountered.

It is helpful that it supports multiple OSes as we have a mixed environment.

"All operating systems should be the default installation, do not load additional software prior to PATCHLINK UPDATE. Windows 2000 and Windows 2003 must be updated with the latest service packs."

Does this mean we would have to reinstall Windows on each server? If so this is unacceptable.

"Important: You must NOT have SQL Server or MSDE installed on the target system for PATCHLINK UPDATE Server."

Do you know if they are referring to having it installed on an SQL server, or is it unable to patch an SQL server?

Testing
by ATXStranger In reply to Possible Issues with patc ...

We are currently working on testing a PatchLink installation on our site and hopefully I can help. The items you are talking about are on the server that will be running the PatchLink software. During my talks with our software provider, their recommendation was to run PatchLink on a standalone box with no other software loaded, especially SQL Server or MSDE. The way I understand it, PatchLink should be able to patch an SQL server but shouldn't be loaded on a machine running SQL Server.

For our rollout we are going to buy a separate workstation to run PatchLink. That seems to be the most effective and safest way to do it.


PatchLink Server

by BFilmFan In reply to Testing

That is correct. The PatchLink server should be a plain-vanilla installation.

PatchLink can indeed patch SQL boxes, as I used it to patch my MOM 2005 servers just the other evening.
