Security Advisor
Patch It Up
Tips for picking your ultimate patching tool.
- By Joern Wettern
- 05/01/2007
Applying security patches to your desktops is necessary, but it's often tedious
and annoying. This is especially true for administrators responsible for small-
to medium-sized networks. Fortunately, there are some tools to help you out.
Patching has come a long way since the days of Windows NT. Back then, it meant
installing a Service Pack to Windows when you could find the time. Microsoft's
quality control wasn't up to snuff on some of those service packs. After a few
bad experiences, some IT professionals even decided to skip the odd-numbered
service packs.
Today, anyone responsible for securing a network knows that such a leisurely
attitude can spell disaster. New hotfixes need to be installed as soon as they're
available. The days following Patch Tuesday -- the second Tuesday of every month,
when Microsoft releases most fixes for its products -- tend to be the busiest in
IT shops everywhere.
By now, most organizations have adopted some type of patch management strategy.
Larger organizations often have full-time staff tasked with rolling out updates
and administering management software like Systems Management Server. At the
same time, many smaller and medium-sized organizations struggle with finding
the right solution. Luckily, there are some solutions available that can help
you keep your systems up-to-date without breaking the bank. Let's look at the
new version of Microsoft's Windows Server Update Service (WSUS) and Shavlik
Technologies LLC's HfNetChkPro.
Before using any patching solution, I evaluate it by several criteria. First
and foremost, it has to quickly make newly released updates from Microsoft (and
preferably other vendors) available to client computers. It must also reliably
detect which updates a computer needs and which it doesn't. After all, you don't
want your patch management solution to apply the wrong updates or revert a system
to a previous state.
Most of the solutions available today generally meet these requirements. Where
they differ is in usability, manageability, reporting and how much granular
control they offer. A good patch management solution lets you control which
updates can be applied and creates easy-to-use reports to let you know which
updates have been successfully deployed so you can troubleshoot any problems.
The New WSUS
Microsoft is putting the finishing touches on version 3.0 of its WSUS. After
some practice with the first two versions -- which didn't win any prizes for
features or usability -- Microsoft seems to be getting it right this time.
Like the previous versions, WSUS 3.0 lets you set up either a simple patch
management system for a smaller office or a hierarchical structure for a larger
organization with multiple offices. You can choose which updates are installed
on which computers and whether or not this should happen automatically or only
after you've reviewed and approved the updates. You can use Group Policy to
easily configure the update mechanism.
The biggest addition to version 3.0 is vastly improved reporting, which now
uses the Microsoft Report Viewer (see Figure 1). These reports are useful for
finding information about specific patches. You can also use the reports to
assess how well your patch deployment is working. The administration tools for
WSUS have also been completely revamped, making WSUS 3.0 a mature patch management
product.
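As an added example (not code from the article, and not Microsoft's own tooling), here is what the review-then-approve workflow and the per-computer status reporting described above look like when scripted against the WSUS 3.0 administration API from PowerShell on the server itself. It assumes the WSUS console is installed (it ships the Microsoft.UpdateServices.Administration assembly), PowerShell 2.0 or later is available, and a computer target group named "Pilot" already exists; the group name, the two classifications chosen and the seven-day staleness threshold are assumptions, not settings from the article.

```powershell
# Added example, not code from the article or from Microsoft.
# Run on the WSUS 3.0 server as an administrator. Assumed: a target group named
# "Pilot" exists in the console; PowerShell 2.0+ so Add-Type is available.
Add-Type -AssemblyName "Microsoft.UpdateServices.Administration"

# Connect to the local server. For a remote one use
# [AdminProxy]::GetUpdateServer("wsus01", $false, 8530) (server name is hypothetical).
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

$groupName = "Pilot"    # assumption: created beforehand in the WSUS console
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $groupName }
if (-not $group) { throw "Target group '$groupName' does not exist" }

# Step 1: review. Pull only updates that are not yet approved, then keep the
# Security and Critical classifications and drop declined or superseded ones.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
$classes = "Security Updates", "Critical Updates"   # assumption: what this shop auto-approves
$candidates = $wsus.GetUpdates($scope) | Where-Object {
    ($classes -contains $_.UpdateClassificationTitle) -and
    -not $_.IsDeclined -and -not $_.IsSuperseded
}

# Step 2: approve for the pilot group only; the rest of the fleet is untouched
# until you widen the approval after the pilot machines report success.
$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
foreach ($u in $candidates) {
    # Some updates carry a license agreement that must be accepted before approval.
    if ($u.RequiresLicenseAgreementAcceptance) { $u.AcceptLicenseAgreement() }
    $null = $u.Approve($install, $group)
    Write-Host ("Approved for {0}: {1} ({2})" -f $groupName, $u.Title, $u.UpdateClassificationTitle)
}

# Step 3: report. Installation state is whatever the client last reported, so a
# machine that has stopped checking in looks "clean"; flag those separately.
$staleAfter = (Get-Date).AddDays(-7)   # assumption: 7 days without a status report
foreach ($c in $group.GetComputerTargets()) {
    # Tally the per-update states this computer reported.
    $tally = @{}
    foreach ($i in $c.GetUpdateInstallationInfoPerUpdate()) {
        $state = $i.UpdateInstallationState.ToString()
        $tally[$state] = 1 + [int]$tally[$state]
    }
    $stale = $c.LastReportedStatusTime -lt $staleAfter
    "{0,-32} needed={1,3} failed={2,3} reboot-pending={3,3} last report {4:yyyy-MM-dd}{5}" -f `
        $c.FullDomainName,
        [int]$tally["NotInstalled"], [int]$tally["Failed"], [int]$tally["InstalledPendingReboot"],
        $c.LastReportedStatusTime, $(if ($stale) { "  STALE" } else { "" })
}
```

Approving from a script changes nothing on the clients by itself: they only learn about the new approvals on their next check-in, so the "needed" column will not move until the detection cycle has run on each machine. The STALE flag is the check worth keeping even if you drop the rest, because a computer that no longer reports is invisible to the built-in reports rather than shown as missing patches.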
Figure 1. Besides new reporting and management features, WSUS also sports a new
interface that makes this tool easier to use.
One of the most appealing features of WSUS is its price. It's free -- sort
of. It runs under Windows Server, so you'll need to be running that. All but
the smallest organizations typically run this on a dedicated server, so you'll
have to budget for the hardware and the operating system license.
Patch Possibilities
Many companies will indeed be happy with Microsoft's tool, but there are good
reasons to consider the other alternatives. Foremost among those reasons is
that someone other than Microsoft will double-check the updates.
Other advantages of third-party patch management tools are that they cover patches
for non-Microsoft products, they review the vendor's patch classifications rather
than taking them at face value, and they add their own quality control tests before
releasing an update. Many patch management vendors also have mechanisms for recalling
a problematic patch more quickly than WSUS does.
HfNetChkPro (short for Hotfix Network Check and pronounced H-F-Netcheck Pro)
from Shavlik is one of my preferred tools because of Shavlik's quality control
and support for some non-Microsoft software, such as Adobe Acrobat and Firefox.
For example, HfNetChkPro found that one of my servers was missing 17 patches.
WSUS showed that it was completely up-to-date. The reason for the discrepancy
wasn't a flaw in WSUS, but rather Shavlik's decision to scan for more items,
including fixes for isolated problems.
Unlike WSUS, HfNetChkPro can run without agent software on the client computers.
WSUS depends on the client computers to check in with the update server at regular
intervals, download updates and install them. HfNetChkPro can work the same
way, but you can also have it actively connect to computers, check their status
and push out updates, instead of depending on them to check in with the server.
This gives you real-time control over the patch process. You also can configure
HfNetChkPro to work in an entirely hands-off manner.
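The client side of the WSUS check-in mechanism, as an added example that is not from the article: a WSUS client takes its server address, target group and schedule from a handful of registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, which is exactly what the Windows Update Group Policy settings write. Setting them directly from PowerShell is useful on a workgroup machine or when testing one client before rolling the policy out. The server URL http://wsus01:8530, the "Pilot" group name and the schedule values are assumptions.

```powershell
# Added example, not from the article. Run as an administrator on the client.
# Assumed: the WSUS server answers at http://wsus01:8530 (hypothetical name) and
# client-side targeting is enabled on the server with a "Pilot" group.
$wuServer = "http://wsus01:8530"
$wu = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$au = Join-Path $wu "AU"
foreach ($k in $wu, $au) { if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null } }

# Where to check in for updates and where to report status (same server here).
Set-ItemProperty -Path $wu -Name WUServer       -Value $wuServer
Set-ItemProperty -Path $wu -Name WUStatusServer -Value $wuServer
# Client-side targeting: the machine asks to be placed in this WSUS group.
Set-ItemProperty -Path $wu -Name TargetGroupEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $wu -Name TargetGroup        -Value "Pilot"

# Automatic Updates behaviour. AUOptions 4 = download and install on the schedule
# below; 3 would download but wait for someone to start the install.
Set-ItemProperty -Path $au -Name UseWUServer          -Value 1 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions            -Value 4 -Type DWord
Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Value 0 -Type DWord   # 0 = every day
Set-ItemProperty -Path $au -Name ScheduledInstallTime -Value 3 -Type DWord   # 03:00 local time
# How often the client checks in, in hours (1-22). Shorter is fine for a pilot group.
Set-ItemProperty -Path $au -Name DetectionFrequencyEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $au -Name DetectionFrequency        -Value 4 -Type DWord

# Read back what the agent will actually use before trusting it.
Get-ItemProperty -Path $wu | Select-Object WUServer, WUStatusServer, TargetGroup
Get-ItemProperty -Path $au | Select-Object UseWUServer, AUOptions, DetectionFrequency

# Make the agent re-read policy and check in now instead of waiting for the next
# detection cycle. These switches apply to the Windows XP/2003/Vista-era agents
# the article deals with; Windows 10 and later ignore them.
Restart-Service -Name wuauserv
wuauclt.exe /resetauthorization /detectnow
```

If the machine still does not appear in the WSUS console after a few minutes, the client's WindowsUpdate.log in the Windows directory records which server the agent contacted and any HTTP errors it got back, which is the quickest way to tell a bad URL or a blocked port from a client that simply has nothing to report.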
Whether you use WSUS, HfNetChkPro or another solution, the good news is that
patch management tools have matured. There are excellent tools available to
ensure that your computers are up-to-date without requiring you to go to each
of them with a CD full of updates. This means there's no excuse for having any
computers in your network that aren't up-to-date with any and all applicable
security patches.
About the Author
Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping
companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.