In-Depth
Grunt Work
Keeping systems patched is time-consuming and laborious, but it's crucial. Here are seven tools that can help you automate the process.
We are barraged with patches and updates on what seems like a daily basis. Administrators know patching is crucial to proper security, but many are so busy with other tasks that they can't keep up, and most companies don't have the resources to hire someone to deal with patches full-time. Patch management automation is the only effective solution.
Choosing the best patch management tool depends on your company's situation and your IT infrastructure. All of the solutions examined here share similar basic functionality. They're all designed to detect network clients and determine patch status, assess them against an ideal list and deploy patches. All seven pull from an extensive patch database. They also have mechanisms for obtaining the latest patches and a means of generating reports. Two emerged as leaders in the agent-based category (see "Agent-based vs. Agentless"), and others demonstrated their own unique strengths and approaches to automating patch management.
An Integrated Approach
Altiris Patch Management Solution 6.0
Altiris joins the growing number of vendors that view patch management as a single part of an integrated desktop management strategy—a component of configuration management that includes application packaging, vulnerability assessment via automated software inventory, discovery and management, standardized image deployment, software delivery, patch management and PC backup and recovery. Consequently, Altiris has bundled its solution in the Altiris Client Management Suite. That means you need to invest in the complete package to use the Altiris solution. This is neither good nor bad, but requires that you look very carefully at not just the patch management component, but the entire package.
After installing Altiris Patch Management Solution (APMS), which proceeded quite smoothly, the system launches several background actions: creating the MBSA Distribution Package creation and downloading MSSecure, QChain, and the Altiris PMImport.cab file. The Software Update Agent installs automatically when you enable the appropriate policy.
Once APMS is deployed, the system also installs the Software Inventory Agent and the Package Agent. The Software Inventory Agent gathers inventory used to inform you which patches need to be distributed to which computers. The Package Agent helps in the sending of software updates.
Pushing Patches
As with all the other patch management options considered here, APMS identifies patches and available fixes, scanning workstations and servers and deploying patches to any number of networked machines. APMS essentially determines which software patches are applicable, which can be safely implemented for each system and then "pushes" the remediation process by deploying updates to individual workstations.
| In This Roundup: |
|
Altiris 6.0 Patch Management Solution
$80 per node as part of Altiris Client Management Suite 6.0
Altiris
801-226-8500
www.altiris.com
Autoprof Policy Maker Software Update
Price varies per number of seats
AutoProf
603-433-5885
www.autoprof.com
BigFix Patch Manager 4.0
Contact company for pricing
BigFix Inc.
510-652-6700
www.bigfix.com
Ecora Patch Manager 3.2
Price varies per number of seats
Ecora Software Corp.
877-92-ECORA
www.ecora.com
GFI LANguard Network Security Scanner 5.0
$495 for 100 IPs
$995 for unlimited IPs
GFI Software Ltd. USA
888-243-4329
www.gfi.com
PatchLink Update 6.01
$1,240 one-time fee, annual subscription ranges from $13 to $15
PatchLink Corp.
480-970-1025
www.patchlink.com
Shavlik HFNetChkPro Enterprise 4.3
$16.63 per seat for 100 seats
$11.68 per seat for 1,000 seats
Shavlik Technologies LLC
800-690-6911
www.shavlik.com |
|
|
Altiris employs an agent-based architecture, which is a consistent across everything in their entire suite. No data is available regarding the scalability of the product, though repeated reviews have shown that agentless architecture does result in increased network traffic and bandwidth congestion.
Using Altiris is fairly straightforward. After initiating a scan, APMS discovers detailed information on the OS and installed applications on both workstations and servers, as well as inventorying whether patches are installed and at what level. These results are used to populate predefined collections based on the OS service pack levels and application versions. APMS is intended to operate without a significant level of intervention or monitoring. Hence, the program automatically creates the policies required to deploy software updates for a given patch or fix.
APMS supports both the well-connected (on the LAN or WAN) or occasionally connected (dial-up) computer. Bandwidth throttling and checkpoint restart capabilities let you "drizzle" packages to LAN-based, remote and mobile users, regardless of connectivity. After delivering patches, the desired policies run on an ongoing basis to ensure that a required patch remains installed and to install those that might be deleted. A straightforward and intuitive software update distribution wizard helps you create distribution policies.
The user interface is one of the best I have seen. You can use the Altiris Console to review the list of vendor-issued software bulletins, automatically download and distribute new patches and updates, and obtain information on tasks, resources, configurations and incidents. The console also gives you access to Web Reports, security updates and descriptions of each patch. Besides the pre-packaged reports, you can also create your own.
The Patch Management Dashboard gives you a view of the tasks run by the Patch Management Solution. From this dashboard, you can see whether a task has been completed or started, the start and stop times, whether it is presently running and if so, the percentage of the task completed.
An automated discovery process procures the patches themselves from vendor sites. It then delivers them to a designated server running Altiris Notification Server. This process has both an upside and a downside. Vendors are responsible for the patch—Altiris acts merely as an uninvolved middle man. By comparison, other vendors maintain their own patch library and distribution servers and conduct extensive testing as part of their service.
When patches go awry or start creating more problems than they solve, APMS does have an escape strategy by integrating with Altiris Recovery Solution (ARS) to roll back system configurations to a known stable state. Altiris touts this rollback capability with ARS as a way to help minimize the need for extended patch test cycles. Personally, I wouldn't recommend relying on rollbacks to save you from a destructive patch.
Because some patches can cause systems and applications to develop instabilities that make the San Andreas Fault look solid, you should test or stage patches before deployment. Thankfully, in addition to its rollback strategy, APMS lets you assign patches to functional groups of computers (such as a test environment, an Active Directory OU or group of similar systems). This lets you target the patch and determine the likelihood of system or application problems in a test environment before rolling it out across the enterprise.
Smooth Sailing
It's hard to find fault with Altiris as delivered. The product is well-designed and intuitive to use. Having said that, I couldn't help but feel that patch management was an afterthought tacked onto the Client Management Suite because it seemed like the right thing to do. For example, the "Getting started Guide" that comes with the installation CD uses the word "patch" once. Another concern is that Altiris is Windows-focused. While it supports Unix and Linux platforms, it does not support other platforms like Sun Solaris, which could limit its value in some enterprises.
The pros and cons of a point patch solution versus an integrated desktop management suite are many and outside the scope of this review. However, when choosing patch management software, you need to consider your organization's overall strategy.
Installation Notes
To install Altiris Patch Management Solution (APMS) you must first install and configure the Altiris Notification Server. Notification Server (which is required for Client Management Suite as well) requires a Pentium III 800 mhz or faster with 1 GB RAM and 20 GB hard drive. You must also be running Windows 2000 server or later and Microsoft SQL Server 2000 SP3 or later. Once you get all that done, you can install the Altiris Agent which needs Windows 95 or later, with 64 MB of RAM and 5 MB of free hard disk space (plus additional space for the software). Altiris supports all Windows clients later than Windows 95. Support for Unix and Linux is available in their Server Management Suite.
| Agent-based vs. Agentless |
|
With agent-based solutions, a software component—an agent—resides on each client machine being monitored and communicates patch data to the patch management system. In agentless systems, a central server scans all client systems on the network to assess patch status. Here's how they compare:
| |
Agent-based |
Agentless |
| Pros |
- Reduces network bandwidth
- Facilitates constant scanning
- Scalable
|
- No client software agents required
- Faster setup
- Easier maintenance
|
| Cons |
- Increased deployment time and complexity
- Requires access through firewall
|
- Heavier bandwidth load
- Network traffic must be encrypted
- Configuration can be more difficult
|
|
— David W. Tschanz |
|
|
Focused and Refined
AutoProf Policy Maker Software Update
Patch management has traditionally involved using third party software specifically designed for that purpose. Autoprof, a New Hampshire-based company that has positioned itself as a leader in extending Group Policy client-side configuration, has turned Yankee ingenuity into patch management through Group Policy. You can use Policy Maker Software Update (PMSU) as a standalone program or an add-on to Autoprof's Policy Maker Professional (PMP).
PMSU leverages Group Policy's capabilities and Microsoft's Software Update Services (SUS), so you can use Active Directory (AD) to address patch-management needs. PMSU uses the architecture and common features of AutoProf's Policy Maker Professional.
AutoProf claims to have avoided the problems surrounding both agent-based and agentless patch-management products with PMSU's integration of Group Policy and the SUS update installer. I suppose this is technically true, but PMSU deploys a Group Policy Client Side Extension (CSE) via a GPO as an MSI package and configures the Windows SUS client queue during background processing of Group Policy. The Windows SUS client then performs downloads, updates, reboots and logging. This sounds to me an awful lot like agent-based architecture.
On the other hand, there are no server-based components you have to install, a hallmark of an agent-based patch management system. Autoprof is correct in stating that PMSU really is Group Policy. PMSU policies don't install or run as a service, but as a Group Policy extension. This means PMSU launches as a system process on a periodic and secure basis. Therefore, you can't neatly place PMSU in either category.
PMSU allows all of Group Policy's delegated administration features. A high-level administrator could apply certain updates from an enforced GPO, while delegating the choice of applying other updates to other administrators.
PMSU approaches patch detection differently as well. The typical method involves scanning for updates, collecting information on the state of each client computer's updates and then deploying patches to targeted computers. PMSU completely ignores this method. You simply mark the update "Install," "Uninstall" or "Report." Doing so will generate a report item if the update is required but missing from the computer, or if an update is installed and needs to be removed. However, the "Install" selection will queue the update for installation when it detects the need. This deftly bypasses some administrative activity and lessens the possibility that the client state information may lag behind update deployment, while preserving the ability to scan and report without installing. This way, there is a 100 percent correlation with Windows Update and SUS with regard to accurate update detection.
You have high granularity with patch distribution. You can create any number of GPOs and target each of them to any number of OUs with standard GPO-level security restrictions and WMI filters. You can also independently filter each node in the update tree, including individual updates. Since you apply updates through Group Policy, you can easily create a testing OU to try out updates before deploying them systemwide. This is a powerful feature because you don't need to create two environments—one to test and one to deploy—as you would if you were using SUS alone.
You can uninstall individual updates that support removal, whether you applied them with PMSU or another method. Rollbacks fit neatly into the policy-based model for override and precedence. You can pull updates directly from the vendor's URL or from a corporate update repository. Unlike other update systems, you don't need any special server or web services.
PMSU's CSE does not perform actual update downloads or installations. Instead, it programs the client system's built-in Automatic Updates (AU) service. This lets you use the update installer used by Software Update Services (SUS) without installing SUS servers, scaling them and locking them down accordingly. The AU service directs the system to download updates using spare bandwidth and install them using any available techniques -- including scheduled installations and requests from local administrators or logged-on users. PMSU loads manifest files, which it obtains directly from the Microsoft Software Update Web site, listing all software updates to determine patch requirements. In theory, there is no upper limit to scalability since patching is simply a means of implementing GPOs.
There is little question that Autoprof has created an intriguing, almost seductive product with an elegantly conceived approach to patch management. PMSU nicely builds on technology you already have on your network. Scanning, management and reporting were very good, but PMSU isn't perfect.
By design, PMSU is limited to systems that can integrate with Active Directory, meaning Windows systems. This is not a product intended for an enterprise with a significant mix of other platforms. It is also suitable for sophisticated administrators. There are no scheduling or bandwidth throttling capabilities. Alerts are similarly hobbled. PMSU also has no custom patch creation capabilities.
It works best in a Microsoft-centric environment where Active Directory is deployed and well-maintained and where the administrators are comfortable with Group Policy. Despite a conceptual method that shows enormous promise, it is not likely to be the first choice for enterprises running multiple platforms and not heavily invested in Active Directory Services.
Installation Notes
Policy Maker Software Update installs on servers running the Windows 2000 management console or above. Any system running Windows 2000 SP2, Windows XP, Windows 2003 and above can function as a client. Installation took less than 10 minutes and proceeded without incident.
Getting Better All the Time
BigFix Patch Manager 4.0
Of the agent-based products in this review, BigFix shares the top spot with PatchLink. Both are high quality products that have earned—and managed to maintain in an increasingly competitive marketplace—a dominant position. Picking one over the other is like choosing between Kirk and Picard, the right choice depends on your individual parameters.
It is important to adhere to BigFix's stringent requirements for a clean operating system. I urge you to review them because if you don't, installing BigFix Patch Manager 4.0 (BFPM4) will be a painful process. Think about when you were a kid—if you didn't make your bed right the first time, you kept getting sent back until you did. Installation otherwise went smoothly, but seemed a bit cumbersome because of the many components. The BigFix installation program automatically loads Microsoft SQL Desktop Engine 2000 on the server. You should install a full version of Microsoft SQL Server if you're planning on maintaining more than a few hundred machines.
Fix It and Forget It
BigFix uses agent-side intelligence to scan the end-user host for patch configuration and for pulling down patches pushed out by the BigFix administrator. Installing agents is easy and the footprint is very small. You can create "Fixlet" messages, in which BigFix packages a group of patches and then pushes them out to hosts that meet the requirements for those patches. These requirements are in the Fixlet messages and include parameters such as registry keys, application-build levels and OS platform.
One of the more impressive parts of BigFix is its health-check utility, which is initiated after installation. Like all the reporting mechanisms, it was easy to understand and intuitive, displaying all the system's important components with a traffic light metaphor of greens and reds for "Go/No Go." Be prepared though, the check is quite thorough and I found myself flipping through several tabbed pages of results.
BigFix's Client Deploy Tool will load the required agents on PCs running Microsoft Windows systems later than Windows 95. Client deployment was quick and silent. Because the test client system I used was -- deliberately -- a basic Windows XP new installation (before SP1), the first time I opened the console I was provided a long list of missing patches and updates.
BFPM4 uses an advanced deployment strategy. You can sort patches based on download size, release date, severity and product type and create hierarchical machine groups to ease management and deployment. BFPM4 comes with multi-level administrator privileges, relevance evaluation of patches and affected machines. You can schedule the exact deployment date and time, deploy multiple patches with a single action, and create policies to automatically deploy a fix to any computers that experience a specified problem. You can also control download restart and bandwidth throttling for remote and dial-up connections.
You can target fixes to specific computers, groups of computers, or to active directory domains or organizational units. BFPM4 can also use retrieved properties from a client system and create patch distributions based on those results, although this did require some time and effort to figure out because the scripting used for retrieved properties isn't very clear or intuitive.
Bandwidth management is handled through what BFPM4 calls "Temporal Distribution" and Relay Agents. Temporal Distribution lets BFPM4 execute actions over the course of a given time interval. This can reduce the load on a network during large distributions like a service pack. The Relay Agent model means that any BFPM4 client agent can automatically be enabled as a Relay Agent so it can act as an aggregation point to distribute patches. You can then assign specific systems to download from specific agents, providing another point of granular control for large-scale distributions. If a distribution fails, you can retry any number of times, wait a given amount of time between retries or wait until the computer has rebooted.
BFPM also mirrors all downloads to clients from a central mirror server, thus limiting external communication to the Internet and reducing the load on valuable extranet access while facilitating network restriction enforcement.
On the client, Patch Manager is a silent background application requiring no user input and using minimal system resources. In most cases, it applies patches and updates without user knowledge or intervention. In those rare cases where user input is necessary or desirable, you can post a message to inform the user of a pending action and request assistance. Thus, you have full control over user involvement. Because of the agent-based architecture, communications typically require a mere 20KB per day per client of traffic (with continuous scanning turned on) as opposed to agentless architectures which may utilize megabytes per day to achieve the same goal.
Keeping an Eye Out
Patch Manager continuously monitors patches after deployment until every machine is fixed. It never gives up. It's as persistent as my cat going after my tuna sandwich.
The Fixlet is central to BigFix's technology and is one of its most elegant features. A Fixlet is an intelligent, actionable message that can detect a problem, proactively alert users or administrators to a problem before failure occurs and deploy a one-click solution.
BFPM4 also provides the most sophisticated mechanism for deploying custom patches, including the ability to build custom patches from scratch. This means you can distribute updates for products not yet supported by the patch manager. To do so, BFPM4 lets you write your own Fixlet. This makes BFPM4 more than just a patch manager. It becomes a customizable network security system that does things most security staff only dream of.
The Fixlet writing function also lets you create and enforce policies across the enterprise with the same ease and relentlessness as patching. For example, let's say you don't want your enterprise users installing a program like Napster and tying up the company bandwidth downloading mp3s. To solve this, write a simple Fixlet that hunts it down and removes it. It will continue doing so until the employee gives up or you fire him for violating computer security policy.
BigFix Patch Manager also stands head and shoulders above the rest in its reporting functions, providing a user-friendly Web-based reporting module with a variety of features including filtering, custom fields, charting, interactive links and exporting to Microsoft Excel. It only takes a few clicks to use any of the canned reports, generate custom reports or understand the big picture of your patch-management efforts. Unlike other products, BFPM4 lets you create reports about any specific system or patch. For already overburdened administrators, being able to easily generate "high-level" reports is a real time-saver.
BigFix clearly had scalability in mind when it built BFPM4. Each console can efficiently handle up to 15,000 clients. BigFix Patch Manager also uses relays to establish multiple patch distribution points across a network. Although the other programs reviewed here don't have fixed limits for the number of clients they can support, none seem to be well suited for handling more than 5,000 clients per console. This may not be an insurmountable limitation, however, since you can break up the network into segments and manage each segment with a separate console.
BigFix is excellent, but it isn't perfect. The GUI is stark compared to the colorful icons employed by the other products tested here. However, the interface is sufficient for most tasks. It's easy to use and nicely integrates Active Directory's organizational capacities. After a few hours, even the most novice administrator should be able to navigate with ease.
BFPM4 doesn't have a packaged alerts system. Instead it relies on administrators at the enterprise level to integrate BFPM4 into their existing events system with the open database APIs. This presupposes that BFPM4 customers already have such event notification in place and they can integrate it with whatever they have.
I think the above comment also summarizes a philosophy that permeates BigFix. This is a high-quality product developed by savvy high-quality engineers. However, the rest of us are not always that savvy or technically astute. BigFix is a bit less accessible to the average person. Everything they do, from the design of their website to their documentation to their expectation of clients handling alerts suggests a technically savvy group, speaking to other technically savvy people. BigFix has carved itself a high-end niche that not everyone is going to want to reach for.
BigFix Patch Manager 4.0 is an excellent product. The qualitative improvements between BFPM 3.0 and BFPM 4.0 are at several orders of magnitude. Given the nature of the product and the company's overall culture, if I were a large enterprise with a high-quality dedicated IT staff, I would look no further.
Installation Notes
Installing BigFix involves installing the BigFix Enterprise Suite that includes BigFix Enterprise Server, BigFix Enterprise Console, BigFix Enterprise Client and the BigFix Patch Manager Library, as well as the heart of the process—BigFix Patch Manger 4.0. System requirements for BigFix Enterprise Server include Windows 2000 Server & IIS. The BigFix Enterprise Client installs on any client running Windows 95 (or later), Linux, Mac OS9 or OSX and Sun Solaris.
While BigFix Patch Manager 4.0 (BFPM4) is technically a component of the BigFix Enterprise Suite, I have opted to categorize it as a point patch program, rather a desktop management program, since it is clear that BFPM4 is the core component, not just another module.
Support for All
Ecora Patch Manager 3.2
Ecora Patch Manager (EPM) is among the leading agent-less architecture patch management solutions. EPM 3.2 is the latest iteration of what had started off as a free patch management tool. Like every other product in this roundup—it is intended to scan a network for patch vulnerabilities, obtain the patches, deploy the patches and generate reports about what it did. It also has a well-constructed patch rollback "safety net" mechanism.
You have to construct a local shared repository to keep copies of downloaded patches and the Reporting Center. A SQL Server database keeps system records and patch history information. I ran into a couple of small problems and anonymously (meaning they didn't know I reviewing the product) called tech support. More on that later, but whatever Ecora is paying them it isn't enough. Once everything is put together, EPM employs a Web licensing service after you install the application and run it for the first time.
EPM automatically discovers, analyzes and deploys security patches critical to workstations and servers from your desktop and offers patch coverage for the most popular Microsoft products, including Windows NT/2000/2003/XP, Internet Explorer, Exchange, IIS, Media Player, Office, Outlook and SQL Sever. Cross-platform support extends to Sun Solaris and international versions of Microsoft and Sun operating systems.
Using the product was pleasant. It is user-friendly and intuitive. The 3-D Patch Views let you quickly see all missing patches in the environment by machine, application or by a particular patch. That tool also lets you view the scan analysis by host, application or patch for a quick snapshot of what requires resolution.
EPM lets users define groups of servers and workstations for analysis or installation by department, machine type, time zone, and so on. You can deploy service packs and hotfixes interactively or on a scheduled basis. Either way, you just have to identify groups or individual machines, select one or more patches, and EPM automatically installs patches on the specified machines. This flexible grouping of systems is convenient in smaller organizations and critical in larger ones.
Another useful feature of EPM is that it uses both registry checks and file integrity checks to validate whether or not service packs or hotfixes are installed, not just remote registry checks. This eliminates guesswork and helps ensure the accuracy of the patch status analysis.
Of all the products here, EPM has the best alert options—customizable alerts sent to the Windows Event Log, SNMP trap, or email. You can configure it to sound the alarm when new patches come out. It automatically provides information regarding all critical events such as patch push failure, security lapses and so on. It also dynamically updates its patch database, meaning subsequent environment analyses are performed with the most current patch information.
The EPM Patch Test Center is particularly valuable. This tool lets you choose a system to be the guinea pig. Ecora calls them the model or "reference" systems, but the truth is you want to pick a system you can sacrifice for the good of the enterprise. You can then compare other systems against them and use this cadre of test subjects to test patches before deploying them enterprise-wide. This helps ensure that patches that test well in your lab will perform they way you want them in your production environment. I think this is one of EPM's nicest additions over 2.0. It also corresponds to my personal belief that deploying patches into a production environment without testing them should be considered grounds for termination.
Patch Manager creates HTML reports for easy printing. You can also export these reports into a CSV file for further manipulation in MS Excel and other tools. Since version 2.0, EPM has added a browser-based Reporting Center that can generate the reports you'll need to understand and monitor patch compliance and deployment progress. It also creates easy-to-read reports you can show to management to demonstrate what systems have been patched, where missing patches may exist, and whether systems are in compliance to corporate standards.
You'll have to load the Online Reporting Center on a Microsoft Internet Information Services server running .Net Framework 1.1 or later. This Reporting Center still has some flaws. In my testing, the reports listed different missing patches than the console, which was puzzling. Also, the reports list only the Microsoft Q number for the missing patch—not the bulletin number or even a description of what the patch fixes.
EPM's Patch Repository Scheduler helps you ensure that you have downloaded the latest patches. By selecting operating systems in the network, you can schedule downloading of all appropriate patches, which is much easier than doing it manually. The way EPM implements this scheduling feature is among the easiest to use of the tools reviewed here.
EPM 3.2 includes a Policy Manager that lets you create generalized rules about how you want to configure systems in your environment (normally secured to the latest critical patches). You can also prioritize certain groups with stricter policies for applications you consider higher risk. Policies let you define these rules, apply them to groups you create and then schedule scans to ensure that you're always aware of systems that do not comply with your policies.
I had to call Ecora's tech support twice during the evaluation, and play the dumb administrator (which isn't that difficult for me). Not only was the phone answered and someone on line in a matter of minutes, but their tech support personnel were bright, efficient and knew their stuff well enough to help me in a matter of seconds without wasting time going down fruitless paths. I don't mean to imply the rest of the tech support staffs were bad—they were all good, all professional and all adequate—but Ecora's team was by far the best.
EPM 3.2 does everything that it says it will do, some of it very well. The product is solid and conducts itself with a causal efficiency that it is appealing. The interface continues to be among the best I've seen and very easy to work within.
What problems I saw with the product stemmed from the choice of an agent-less architecture and the impact that imposes on a network. Deploying clients may not be an administrator's favorite experience, but the payoff is well worth it in scalability and overcoming excess network traffic.
Other shortcomings include not being able to create your own patches with EPM, a feature present in both BigFix and PatchLink. Curiously, while EPM lets you select multiple patches to deploy to a single system, it does not let you select multiple patches to deploy at one time across an enterprise.
Given this combination of strengths and weakness, EPM 3.2 should be viewed as an excellent product ideally suited for non-technical users in smaller companies or networks. It's a top candidate for patch management solutions in those environments.
Installation Notes
Patch Manager 3.2 requires NT4/SP6a (either workstation or server) or higher (or later OS such as Windows 2000, 2003 or XP. NT systems will only need MDAC 2.6. Remote Registry Service must be enabled. The machine should have at least a 500 MHz CPU, 256 MB RAM, Internet Explorer 5.01 SP1 or higher, 35 MB free disk space available for software, as well as sufficient disk space for the patch repository. EPM, by benefit of its agentless architecture, can be installed and used right of the box without configuring and deploying agents. Installation was a tad rough in spots, but not overly so.
| Patch Management Checklist |
| When assessing your patch management tool options, ask yourself the following questions:
- Can you create policies that require specific patches for groups or classes of similar devices?
- Can you put machines into groups, and delegate patch management for the grouped devices?
- Can you customize reports to suit individual needs?
- Will you automatically receive failure or exception alerts?
- Will you be able to develop customized patches?
- What sort of deployment flexibility do you need?
- Can you deploy multiple patches to multiple systems at once?
- Does the tool support rollback?
- Can you create a test environment to test patches before deploying them across the entire network?
— David W. Tschanz |
|
|
Vast Improvements
GFI LANguard Network Security Scanner 5.0
My experience with GFI products has always been favorable. This relatively small company produces a line of high quality e-mail/Exchange enhancements and has a reputation for staying on the forefront of the technology.
Its LANguard Network Security Scanner (NSS) is not quite a point patch management tool. It's more of a network security scanner that includes patch management. A security scanner lets you take proactive measures to protect your network instead of waiting for hackers to discover where you're vulnerable. To do that, you have to think like a hacker and be able to simulate the types of attacks they will use.
A security scanner like NSS 5 automates the process of finding "holes" in your network's security. As you can imagine, combining security scanning and patch management is not a difficult fit. One tool makes the process more intuitive and manageable. LANguard Network Security Scanner works with Microsoft's Software Update Service to handle patch management.
You'll need a domain administrator account to schedule scans (otherwise you can run the software using the local system account). You'll also need credentials for your SQL server if you want to use SQL/MSDE for storing the scanner logs (otherwise you can use an Access database, but you don't have to have Access installed on the machine to do this). You'll also be asked for an e-mail address and SMTP server so the software can send you e-mail notifications. You'll need to enter the server's IP address and SMTP port and whether or not the SMTP server requires authentication. Then you can select the folder to which the program will be installed.
Installing GFI products has always been very straightforward and NSS was no exception. The process was quick, straightforward and took less than five minutes from start to finish. A well-constructed wizard walks you through the process, and you're up and running in no time. However, if you want to use NSS for patch management, GFI strongly recommends installing Microsoft Software Update Service Server first.
Silent Agent
GFI LANguard N.S.S. 5 uses a patch deployment agent installed silently on the remote machine to deploy patches, services packs and custom software. The agent consists of a service that runs at a scheduled time depending on your deployment parameters. This architecture is much more reliable than not using a patch deployment agent. The patch deployment agent is installs automatically without administrator intervention.
Scanning the network requires either entering the IP range directly at the top of the scanner interface or using the Scan Wizard to specify which computers to scan. You can scan domains, specific computers or an entire IP range. One of the nice features of NSS is that it groups all vulnerabilities into separate nodes, and lets you expand only the information that you wish to view
Once the network scan is complete, the Alerts node details missing patches and service packs. Right-clicking on a patch or a service pack lets you send it out to a particular computer or all computers. A "deploy patches" dialogue lets you easily specify which patches to push out to which computers. After you specify that, NSS creates a list of service packs and patches you need to download to the NSS download directory. You can also create a report listing all missing patches and service packs.
Scanning with GFI LANguard NSS was easy. You can either enter the IP or machine name directly at the top of the scanner interface or use the scan wizard (accessed from the file menu) to specify which computers to scan. You can scan domains, specific computers and an entire IP range.
Documentation and help files were adequate. The GUI interface was very user friendly and administration for a small network seemed adequate. Security scanning was lightning fast and provided a wealth of information about the security status of the network, including what users are configured on the machine, what shares are available, what the password policy is, active services and so on. This information is vital in locking down your network.
This new release is a vast improvement over NSS 3.2. The new interface makes deploying patches much easier. The program automatically downloads patches from the Microsoft website and shows you the download status. You can now select which patches to deploy on which computers and set deployment parameters for each patch. You can opt to deploy the software immediately or set a date and time for it to be deployed. You can also choose whether the computers should be rebooted after the software is installed, whether to send a warning message to the user before deploying software, whether to stop services first and whether to delete copied files from the target computer after deployment.
The interface provides easy access to bulletin information and has much better patch deployment status reporting. It also provides better stability through the use of a patch deployment agent. You can also deploy under different credentials.
Filtering Made Easy
Filtering reports is a breeze. Click on one of the default filter nodes to show machines with high security vulnerabilities, for example, or machines missing a particular service pack. It just takes one click to filter scan results by category, such as all computers missing Windows XP Service Pack 1. You can also create your own custom filters, and specify items to be shown in the report. You can also apply filters to previous scans as well as to the current scan, and export scan results to XML.
Filtering conditions can include operating system, host name, user logged in, domain, computer usage, TTL, MAC address, SNMP, UDP port, TCP port, patch, product and so on. You can use operators like "is equal," "is installed," "includes," and others. You can also customize items that must be shown/hidden in the filter results report. You can choose to apply the filters to the current scan or to a previously saved scan as well.
NSS 5 has an extensive set of vulnerability checks for Linux and UNIX machines, so you can find the weaknesses in all of the computers on your network, regardless of operating system. Other enhancements include a new SQL/Access database back end that lets you save scans to either a Microsoft Access database or a Microsoft SQL Server database. This means you can create custom reports and do trend analysis. It also features a new VB-script compatible script engine, a new script debugging and editing tool, an improved SQL audit tool, and enhancements to the DNS lookup. Finally, the Whois, SNMP Walk, and SNMP audit tools are also improved. The "Enumerate computers" lets you filter computers based on OS and services, and there is now an "Enumerate users" feature that lets you display Active Directory user accounts with account details. The improved Whois tool which can query multiple Whois servers.
Supreme Security Scanning
LANguard N.S.S. excels at security scanning. However, it seems to lack the same level of excellence when it comes to patch management. As with Altiris, there was a vague sense throughout that patch management was sort of an afterthought. That may not be true, but that's the sense you get. However, the vast improvements GFI has made in the product, including better looking reports and a way to store past scans in a database are quantum leap level improvements.
NSS 5's efficiency, speed, stability, and its superb performance on local and remote LANs is impressive. The bottom line is that GFI isn't just a patch management tool, but a comprehensive package that does its own vulnerability scanning—an intriguing combination. It is also elegantly crafted. You won't find many network scanners with which you can find all the information available on discovered vulnerabilities, download the appropriate patches and apply them with a few simple clicks of a mouse.
I would not call NSS 5 the best solution for patch management alone, especially if you need a simple and robust point patch management tool. Still, its combination of a security scanner (of which I am becoming a big fan) and patch management seem tailor-made for the small- to medium-sized enterprise seeking to combine security and basic patch management for an excellent value. NSS 5 is not quite ready for the large enterprise, but given the differences I saw between NSS 3.2 and NSS 5, it will likely carve itself a place among the leaders in the field.
Installation Notes
LANguard NSS runs on Windows 2000, Server 2003 or Windows XP, as long as Internet Explorer 5.1 or above is installed and the Client for Microsoft Networks is enabled. No personal firewall or the Windows Firewall can be running during scans.
Continuing Excellence
PatchLink Update 6.01a
When I picked up Patchlink 6.01a (PL6) for this review, I admit that I greeted it with a mixture of anticipation and concern that perhaps the luster of previous successes was gone, but it wasn't. Patchlink is still producing an exceptional product that is among the best of the agent-based solutions out there.
The installer moves quickly and smoothly, even doing a system check that would halt the process if your system lacked the minimum requirements. After installation, it deploys the client agents to all systems that are going to be monitored. PL6 offers three methods for doing this: single agent install, multiple agent rollout and a network login scripts distribution.
PatchLink scans through the Discovery Agent, which can effectively detect patch fingerprints across many different types of computers connected to your network. The reports generated by the Discovery Agent always show you what is patched—and what isn't. PatchLink monitors Microsoft and other vendors for newly released patches. Patchlink's engineers test the patches, place them in PatchLink's proprietary package format and deploy them to customers' local PatchLink servers through a periodic subscription process, which occurs over a Secure Sockets Layer at a predetermined time.
You receive e-mail when there is a new patch on the PatchLink server. If it's a critical patch, it's automatically downloaded to the Update Server on your network. Noncritical patches are downloaded at your request.
PatchLink automatically caches critical patches on the Update Server, a marked difference from agentless products. Caching patches is extremely useful. If a worm or other malicious act slows down the Internet, how will administrators download patches to their critical servers? With cached patches, you already have the files. Since those cached patches have to be stored somewhere, you'll need adequate disk space.
You connect to the PatchLink server through a Web interface that lets you view reports, deploy packages, create packages and view system inventory. You can also configure groups of machines with baseline patch settings. If any computer in the group is missing any patch defined in the baseline set, it is automatically installed on the computer. PL6 also lets you create your own patches, issue registry changes or distribute software.
New and Improved
Improving patch deployment was clearly an important aspect of PL6. The new version also introduces chainable deployment, meaning you can define a group of patch reports to be deployed to a group of computers—a clever many-to-many model you can execute without rebooting after every patch is applied, thus reducing lost productivity (and user annoyance).
PatchLink Update has several other useful features. It inventories the hardware and software installed on a system, providing an easy means of monitoring licensing levels. You can place locks on system configurations so you receive alerts if anything on the system changes. If a patch is inadvertently removed, the agent will alert the management console of the missing patches. Conversely, if a patch is defective, you can uninstall it. PL6 is a tremendous improvement over PL4 in a number of key areas including how agents are handled and communicated. It has also made dramatic strides in improving patch deployment in the enterprise.
PL6 adds an Agent Management Center (AMC) that gives you a tool for managing agents from one application. You can use the AMC to locate all systems in the enterprise, determine whether or not PL6 agents have been installed (and automatically install them if needed) and add them to groups when they are registered on the Update Server without administrator intervention. It also automatically discovers computers within a specified IP range, NT or Active Directory domain or LDAP OU. The Discovery Tool lets you define a set of action rules to run after the discovery process for auto-group and auto-rule creation and population. There is also a new Distribution Point feature that provides a WAN distribution point, cache capability and allows for agent communication customization.
You'll be pleased with the improved search function for the Reports page that lets you search by report name, vulnerability status, as well as some other obvious categories. The PL server (PLUS) status page gives you a set of comprehensive indicators on what PLUS is doing or scheduled to do—such as all deployments in the queue (for any period of time) and the current status of the discovery and analysis process. It also provides detailed agent deployment status logging that allows each sub-transaction to be logged and displayed back on the server.
Finally a new Application Programming Interface (API) lets you query the SQL database and check the status of any computer at any time. PL6 is also the leader in platform support, covering Windows operating systems 95 and later as well as Solaris, Mac OS X, Linux, HP-UX, and AIX.
PL6 does an excellent job when it comes to client reboots. You have significant control and flexibility to configure what message your users see, the reboot countdown, and separate end user snooze options for deployment and reboot.
While PL6 is in many ways a truly exceptional product, there are several limitations. PL6 does not allow you o create custom\m or printable reports. You are essentially limited to what their engineers and designers provide you. Patch deployment is exceptional for one patch to one machine, but PL6 doesn't allow deploying multiple patches in a single deployment. While there is a workaround here it is cumbersome and should not even be necessary. Similarly, the only way to deploy multiple patches to a single machine is to have an existing baseline setting that includes multiple missing patches. Otherwise you have to deploy patches individually. As you can imagine, this also means you can't set default deployment settings, but must go through the wizard for each patch deployment.
Finally, alert options are limited to e-mail notification only. Scalability is high, though it does not seem to approach the level that BigFix can reach. PatchLink's support staff was excellent and cooperative, which is good since I found their documentation and help screens lacking.
PatchLink Update 6.0 is a solid, reliable product that has a deserved reputation as a leader in patch management. Recommending the product for purchase is a business decision you can be happy with 99 percent of the time.
Installation Notes
PatchLink Update 6 requires Windows 2000 or 2003 Server (with latest service packs), plus 256MB RAM, 5 GB disk space and a 1 Ghz processor. Software requirements include Internet Information Server (IIS) and an internet connection.
Keeping Windows Sealed
Shavlik HFNetChkPro Enterprise 4.3
Shavlik has a long association with Microsoft. Its CEO Mark Shavlik is a former Microsoft employee, and its plain, yet popular, HFNetChk utility is distributed for free by the folks in Redmond.
HFNetChkPro 4.3 is the enterprise version of the freebie utility. Enterprise-level features include a management GUI and the ability to push patches out to client systems. The new version also has some additional wrinkles over previous incarnations that are nice to see.
Patch Patrol
HFNetChk Pro uses the HFNetChk engine, which is based on the XML and cabinet (CAB) files that Microsoft maintains to determine which patches are installed and which are missing. Shavlik has added its own data to the XML file, such as information pertaining to patches and vulnerabilities in MDAC and Java virtual machines.
The interface, to put it mildly, is spectacular. HFNetChkPro is a breeze to navigate and use (see Figure 1). You're immediately presented with a split-pane control panel. On the left, you have access to all computer groups, recent scans, a folder of your favorite items and the patches that are currently available for applying. When checking for missing patches, HFNetChk Pro uses a combination of checks like file versions, checksums and registry keys. HFNetChk advises you in its reports of any errors.
 |
| Figure 1. Shavlik's HFNetChk Pro features a superb, easy-to-navigate interface that gives you immediate access to scanning and deployment functions, lists of available patches, and detailed patch and application configuration information. (Click image to view larger version.) |
There is also an excellent scan configuration wizard. Stepping through the wizard to create a scan, you have the option to scan one machine, one domain, multiple machines, multiple domains, IP address ranges or variations thereof. You can create a text file listing what should be scanned and import that data into HFNetChk.
You can name and list scans in the favorites section of the program, which stores frequently used scans for easy launching. You can also schedule scans to run periodically. You can display patch data and advisories based on their severity rating and criticality, which is a nice feature. Even with this filter on, the system will issue reminders about low-priority patches and routine maintenance updates.
Patch management is a simple drag-and-drop operation. You can select a group of computers or IP addresses, drop them on an icon that represents a rule such as search for a particular patch and install it if it is missing. Similarly, you deploy patches with a single click. You can send out one patch to all necessary systems, or all patches required on a single system.
HFNetChkPro downloads patches from Microsoft and stores them in a selected location. The patch to be installed is copied to the target machine and installed at the scheduled time. You can control system reboots, whether or not you shut down the SQL or IIS server, backing up files for uninstall and using quiet mode for installation. When deploying multiple patches to a single machine, HFNetChkPro creates a deployment batch file and uses Microsoft supplied Qchain.exe to install all patches at once with only one reboot.
Swift Scanning
I installed HFNetChkPro on a new Windows 2000 Professional machine (theorizing that it would need more patches) and started a scan. After 81 seconds, HFNetChkPro reported that scanning was complete and gave me a summary of the missing patches. It also outlined major points of failure for the system.
Once it started deploying patches, HFNetChkPro contacted Shavlik's patch server. This went fairly quickly, with the entire download process taking less than 10 minutes for about 37 patches. Once the download was complete, installation began immediately. I was able to monitor the progress because it's often hard to tell if patch deployment has failed or is just running slow. HFNetChkPro lists the start time and the last time activity on the machine was reported.
HFNetChkPro can report on necessary patches and installed patches. You can scan for patches just on Windows Update. You also can set thread settings that control how much network traffic the product creates. Of course, the less traffic created, the longer the scan time.
There are automated find-and-fix features that control what machines are scanned and how patches are deployed. These track patch installation success for each server and autodiscover those computers missing critical patches. It then pushes the patches out and installs them.
Shavlik wisely built in a quarantine system that lets you test patches before pushing them to production servers. It can generate reports by machine, patch, operating system, machine detail or missing service packs. Documentation is superb and by far the best of the products in this round-up. HFNetChk Pro did a good job scanning the network and deploying patches. The GUI is spectacular. It's obvious that Shavlik designers aimed for simplicity and administrator efficiency when designing their application.
On the downside, I found that enumerating the network took awhile—something that could be traced to the product's agentless architecture and its negative impact on bandwidth and speed. I would like to see the product develop a console/server model for multiple servers across a large enterprise and controlled from a single console. This could also alleviate bandwidth and time constraints that inevitably surface when trying to make a centralized product like this scale to a large enterprise. Shavlik currently only supports Windows and Red Hat Linux. Also, there is no alert methodology worth speaking of, and you can't create custom patches.
If you have a small number of machines at a few locations around town, HFNetChkPro may be just what you are looking for. During testing, it performed well and provided valuable information on deployments and patches. There were no real issues with patch deployment. The improvements over version 4.0 clearly enhanced HFNetChkPro. Still, Shavlik's latest offering does not belong in the upper tier of solution options if you are looking at a WAN with greater than a few hundred or so nodes. The agentless architecture just generates too much network traffic to be efficient and effective.
Also, its roots as the child of extensive collaboration with Microsoft show. HFNetChkPro is built for Microsoft-centric environments, and it really is designed for just security patches and Microsoft products. While Linux support has been added, other platforms or non-Microsoft software are rarely included.
In my opinion, HFNetChkPro is the best Windows based agentless product. If you're looking for a simple to use patch management application for a small network with a couple hundred nodes or so, with a GUI interface that is easy to use, than this is definitely a product you should consider.
Installation Notes
HFNetChkPro installs on a Windows NT, 2000, 2003 or XP system, and requires no additional software on the target machines. Installation takes only minutes, with minimal difficulty. System requirements include Microsoft Data Access Components (MDAC) 2.7 SP1 or later, Windows Installer Version 2.0, XML Parser 3.0 SP2 or Microsoft XML 4.0 (installing both recommended) and Jet 4.0 SP8 or later. If any of these components are missing, the installer informs you and provides a link to the Microsoft site to access them. If you're missing a prerequisite and click install a second time, the installer lets you bypass that requirement. Please note that fully installing these components may require that you reboot the system.
The Choice Is Yours
There is no single right answer in choosing a patch management solution. All of these utilities have positive attributes. I recommend Shavlik among the agentless products here, while BigFix and PatchLink are the clear leaders in the agent-based category. If you're looking at a large network manned by technically sophisticated people, you'll find BigFix to your liking. PatchLink is the clear leader for all other agent-based patch management needs, especially in the medium and larger markets. Assess your needs, consider the capabilities of these tools and make automated patch management a part of your network if you haven't already.