Patch Management

By lachlann562
I have just recently started on a project for implementing a patch management solution. So far these are the products I've learned about:
Microsoft WSUS (Upgraded SUS - not yet released)
Microsoft SMS
Shavlik's HFNetCheckPro

I am with a company of about 300 employees, and 200 servers (DMZs, extranet, intranet).

Any help would be appreciated.

The only solution

by mdisbury In reply to Patch Management

Lachlan,
You have to look at ZenWorks from Novell. It's just brilliant. It does patch management, application delivery, hardware & software inventory and remote control of workstations.
It will run on Microsoft, Netware and Linux.
It's really cheap and just works.
BTW, why has each 1 1/2 employees got a server each :-)

Regards

Mike

patch management recommendation

by bryan_newman In reply to Patch Management

We use a product called BigFix and it works really well. It is an agent-based product and therefore works well with traveling users. Check it out: www.bigfix.com

GFI LANGuard N.S.S 6

by michael.hart In reply to Patch Management

We use this in locations from 20 - 500 units. Handles Patch Management for Operating Systems as well as standard applications, even custom apps. Does a great job for Auditing machines also.

http://www.gfi.com/lannetscan/

Only Patch Management?

by Anandu In reply to Patch Management

We use SMS in our environment for Patch Management and it works really well. If you are only looking for Patch Management, you should look for a single product that only provides a Patch Management solution, because SMS provides everything from Asset Management to Software distribution. A single product may save you some money. Compare it with full SMS.

Once again, if you are only interested in patching MS, then WSUS is fine

by sdattoli In reply to Only Patch Management?

However, in larger companies where vulnerabilities etc. create much more work in patching everything else that is not MS.

Once again using the Adobe example from their site, here is a clear example of the limitations of WSUS being an MS-only solution: Here is a pull from a forum on the latest Adobe vulnerabilities.

Adobe Systems on Wednesday rolled out patches for security vulnerabilities found in Adobe Reader 7.0 and 7.0.1, and in Adobe Acrobat 7.0 and 7.0.1.

The hole in the products, referred to as an XML External Entity vulnerability, under certain circumstances allows XML scripts to be used to discover a user's local files.

According to Adobe officials, the vulnerability is within the Adobe Reader control. If an XML script is embedded in JavaScript, it is possible to discover the existence of local files, according to a security advisory from the company. An attacker could then maliciously use the gathered information. But the statement pointed out that the local files can be found only if the attacker knows the complete file names and paths in advance of such an attack.

Programs like Shavlik's newest release in 3 weeks and a couple of the others mentioned do address these issues. WSUS is "free", but it does have a cost. That cost depends on how much work is spent manually dealing with all the other patches from all the other programs out there (mainly the popular ones like Adobe) that WSUS does not address.

Something Urgent to consider when selecting a Patch solution

by sdattoli In reply to Patch Management

First, this is in addition to some of the other considerations/features already mentioned. Second, this is not a sales pitch -- I work only with F1000 companies. Third, I am somewhat biased in that we are a partner of Shavlik. However, we are also a partner of Microsoft and have designed solutions to complement SMS etc. We chose Shavlik because they were simply the best "Microsoft" patching solution.

Now, that brings me to the all-important piece I have heard no one mention yet (I may have missed it -- sorry to anyone if I did). Most likely, you are going to want a patching solution that will address patching for some of the other ubiquitous programs like Adobe, right? With WSUS you would be SOL.

Shavlik's new release covers things like Adobe and Firefox (HFNetChkPro 5.1 --- GA in about 3 weeks).

Here is a clear example of the limitations of WSUS being an MS-only solution: Here is a pull from a forum on the latest Adobe vulnerabilities.

Adobe Systems on Wednesday rolled out patches for security vulnerabilities found in Adobe Reader 7.0 and 7.0.1, and in Adobe Acrobat 7.0 and 7.0.1.

The hole in the products, referred to as an XML External Entity vulnerability, under certain circumstances allows XML scripts to be used to discover a user's local files.

According to Adobe officials, the vulnerability is within the Adobe Reader control. If an XML script is embedded in JavaScript, it is possible to discover the existence of local files, according to a security advisory from the company. An attacker could then maliciously use the gathered information. But the statement pointed out that the local files can be found only if the attacker knows the complete file names and paths in advance of such an attack.

The vulnerability impacts Acrobat and Reader running on Windows and Mac platforms.

Adobe recommends that Reader and Acrobat for Windows customers download the updates provided on the Adobe Web site here.

To clarify - PA+ *will* cover things like Adobe Reader and Firefox, as soon as Shavlik ships the next release, HFNetChkPro 5.1, in 3 weeks. My understanding is that this product also addresses/runs on Linux, according to their website.

The product is also very easy and much less money than most of the other Enterprise Patching Solutions. Yet it is the TCO that really makes the difference. While WSUS may seem like the least expensive product, consider the amount of time you will still be spending addressing patching & security issues from Adobe and all the other non-MS products that your 300 or so desktops will need. Hope this helps.

by david.ware In reply to Patch Management

Look at Computer Associates eTrust Vulnerability MGMT product

Altiris is the Solution we use

by cneustadt In reply to Patch Management

We use a suite of products from Altiris for software deployment, imaging, inventory, remote control and local hard drive backup. Included in the latest version is a good patch management product. Further, Altiris' roadmap is to utilize the patch management solution for Oracle, and other applications and OSes besides Microsoft. We get a lot of bang for our buck out of this product.

Clean Access, f.k.a. Perfigo

by sscarbrough In reply to Patch Management

Cisco bought Perfigo last year. Consider their "Clean Access" product. It does wired as well as wireless authentication, nessus, and policy based patch management. You decide the policy, you load the patches on the management server, clients must pass muster to gain access to the LAN, be they wired or wireless.

Other Patch options

by nickc In reply to Patch Management

Take a look at ScriptLogic's Patch Authority Plus - it does the patch and also manages services.
