Security Advisor

Patch It Up

Tips for picking your ultimate patching tool.

Applying security patches to your desktops is necessary, but it's often tedious and annoying. This is especially true for administrators responsible for small- to medium-sized networks. Fortunately, there are some tools to help you out.

Patching has come a long way since the days of Windows NT. Back then, it meant installing a Service Pack to Windows when you could find the time. Microsoft's quality control wasn't up to snuff on some of those service packs. After a few bad experiences, some IT professionals even decided to skip the odd-numbered service packs.

Today, anyone who is responsible for securing a network knows that taking such a leisurely attitude can spell disaster. They need to install new hot fixes as soon as they're available. The days following Patch Tuesday -- the second Tuesday of every month when Microsoft releases most fixes for its products -- tend to be the busiest in IT shops everywhere.

By now, most organizations have adopted some type of patch management strategy. Larger organizations often have full-time staff tasked with rolling out updates and administering management software like Systems Management Server. At the same time, many smaller and medium-sized organizations struggle with finding the right solution. Luckily, there are some solutions available that can help you keep your systems up-to-date without breaking the bank. Let's look at the new version of Microsoft's Windows Server Update Service (WSUS) and Shavlik Technologies LLC's HfNetChkPro.

Before using any patching solution, I evaluate it by several criteria. First and foremost, it has to quickly make newly released updates from Microsoft (and preferably other vendors) available to client computers. It must also reliably detect which updates are needed and which ones are not. After all, you don't want your patch management solution to apply the wrong updates or roll back previous system states.

Most of the solutions available today generally meet these requirements. Where they differ is in usability, manageability, reporting and how much granular control they offer. A good patch management solution lets you control which updates can be applied and creates easy-to-use reports to let you know which updates have been successfully deployed so you can troubleshoot any problems.

The New WSUS
Microsoft is putting the finishing touches on version 3.0 of its WSUS. After some practice with the first two versions -- which didn't win any prizes for features or usability -- Microsoft seems to be getting it right this time.

Like the previous versions, WSUS 3.0 lets you set up either a simple patch management system for a smaller office or a hierarchical structure for a larger organization with multiple offices. You can choose which updates are installed on which computers and whether or not this should happen automatically or only after you've reviewed and approved the updates. You can use Group Policy to easily configure the update mechanism.
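The Group Policy settings that point clients at a WSUS server end up as registry values on each machine. As an added example (not from the article, and not Microsoft's own tooling), the PowerShell script below reads those values and flags a client that is not using the server you expect; the expected server URL is a placeholder you set yourself.

```powershell
# Added example: audit the WSUS client policy that Group Policy writes to the
# registry. Assumes $ExpectedServer is replaced with your own WSUS server URL.
param(
    [string]$ExpectedServer = 'https://wsus.example.internal:8531'  # placeholder
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

function Get-WsusClientPolicy {
    # Returns the policy-delivered WSUS settings; properties are $null when
    # the policy has not been applied to this machine.
    $wu = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey     -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer           = $wu.WUServer            # server updates are approved on
        WUStatusServer     = $wu.WUStatusServer      # server that receives status reports
        UseWUServer        = $au.UseWUServer         # 1 = use intranet WSUS, not Microsoft Update
        NoAutoUpdate       = $au.NoAutoUpdate        # 1 = Automatic Updates disabled
        AUOptions          = $au.AUOptions           # 2 notify, 3 download, 4 download+install
        DetectionFrequency = $au.DetectionFrequency  # hours between check-ins, if overridden
    }
}

$p = Get-WsusClientPolicy
$findings = @()
if ($p.UseWUServer -ne 1) {
    $findings += 'Client is not configured to use an intranet WSUS server'
}
if ($p.WUServer -ne $ExpectedServer) {
    $findings += "WUServer is '$($p.WUServer)', expected '$ExpectedServer'"
}
if ($p.WUServer -and $p.WUServer -notmatch '^https://') {
    $findings += 'WUServer is not an HTTPS URL'
}
if ($p.WUStatusServer -ne $p.WUServer) {
    $findings += 'Status reports go to a different server than updates'
}
if ($p.NoAutoUpdate -eq 1) {
    $findings += 'Automatic Updates is disabled by policy'
}

$p | Format-List
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'WSUS client policy matches expectations'
}
```

Run it on a client after a Group Policy refresh; a machine that reports as "up-to-date" in WSUS but fails these checks is most likely reporting to the wrong server or not reporting at all.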

The biggest addition to version 3.0 is vastly improved reporting, which now uses the Microsoft Report Viewer (see Figure 1). These reports are useful for finding information about specific patches. You can also use the reports to assess how well your patch deployment is working. The administration tools for WSUS have also been completely revamped, making WSUS 3.0 a mature patch management product.

Figure 1. Besides new reporting and management features, WSUS also sports a new interface that makes this tool easier to use.

One of the most appealing features of WSUS is its price. It's free -- sort of. It runs under Windows Server, so you'll need to be running that. All but the smallest organizations typically run this on a dedicated server, so you'll have to budget for the hardware and the operating system license.

Patch Possibilities
Many companies will indeed be happy with Microsoft's tool, but there are good reasons to consider the other alternatives. Foremost among those reasons is that someone other than Microsoft will double-check the updates.

Some other advantages to using third-party patch management tools are that they include patches for non-Microsoft products, they review any patch classifications and they add additional quality control tests for updates. Many patch management vendors also have mechanisms with which to recall problematic patches more quickly than WSUS.

HfNetChkPro (short for Hotfix Network Check and pronounced H-F-Netcheck Pro) from Shavlik is one of my preferred tools because of Shavlik's quality control and support for some non-Microsoft software, such as Adobe Acrobat and Firefox.

For example, HfNetChkPro found that one of my servers was missing 17 patches. WSUS showed that it was completely up-to-date. The reason for the discrepancy wasn't a flaw in WSUS, but rather Shavlik's decision to scan for more items, including fixes for isolated problems.

Unlike WSUS, HfNetChkPro can run without agent software on the client computers. WSUS depends on the client computers to check in with the update server at regular intervals, download updates and install them. HfNetChkPro can work the same way, but you can also have it actively connect to computers, check their status and push out updates, instead of depending on them to check in with the server. This gives you real-time control over the patch process. You also can configure HfNetChkPro to work in an entirely hands-off manner.

Whether you use WSUS, HfNetChkPro or another solution, the good news is that patch management tools have matured. There are excellent tools available to ensure that your computers are up-to-date without requiring you to go to each of them with a CD full of updates. This means there's no excuse for having any computers in your network that aren't up-to-date with any and all applicable security patches.

About the Author

Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.
