SQL Server Magazine

Keeping software patched and secure is one of the biggest ongoing challenges that network administrators face. Software vendors are constantly playing catch-up with those who accidentally or purposefully discover flaws in their products. At the time of this writing, Microsoft had released 55 critical patches for Windows XP Service Pack 2 (SP2) and 48 patches for Windows Server 2003 SP1. Patch management software is a valuable tool that network administrators can use to automate the software patching process.

Modern patch management solutions address multiple challenges. They must deliver patches from vendor patch repositories to vulnerable clients in a robust, efficient, and unobtrusive manner. They must provide centralized control over the patch approval process and allow removal of problematic or unnecessary patches. And they must provide reports listing vulnerabilities, patch success/failure, and network summary information. The most flexible patch management solutions accommodate a range of network topologies, client configurations (e.g., mobile, desktop), and bandwidth availabilities.

I worked with three patch management products designed to address the challenges of software patching: Microsoft Windows Server Update Services (WSUS) SP1, PatchLink Update 6.3, and Shavlik Technologies' Shavlik HFNetChkPro Plus 5.8.

WSUS SP1
WSUS SP1 is a free product from Microsoft that joins together Microsoft's Windows Update patch repository and Windows Automatic Updates client into a patch management system. WSUS lets you approve patches prior to their deployment. With WSUS, patches can be downloaded from Microsoft once, stored locally, and distributed at LAN speed to clients. WSUS improves on its predecessor, Microsoft Software Update Services (SUS), by distributing patches for Microsoft applications such as Office, SQL Server, and Exchange in addition to patches for Microsoft OSs. WSUS also offers a modest level of reporting.

WSUS combines an unbeatable price (free) with solid patch distribution features. Careful network administrators like to test patches in their environment before deploying them. In WSUS, after you're satisfied with a patch, you can mark it Approved, which allows clients to install the patch. WSUS also lets you create Computer Groups, which can be used to restrict the scope of patch deployment. For example, you can deploy patches to a group of test computers before approving them for the rest of the network. Figure 1 shows the dialog box for approving patches for Computer Groups.

By using the lean, Web-based WSUS interface, you can approve patches manually or based on a policy. For example, an approval policy can automatically approve patches that are rated critical by Microsoft or patches that supersede previously approved patches. WSUS doesn't download patches until they're approved, so no bandwidth is wasted on patches that will never be deployed.

WSUS can also conserve bandwidth and administrative effort by creating a hierarchy of WSUS servers. This feature lets you balance a large client load across multiple WSUS servers or host patch content closer to clients.

The WSUS reporting module provides useful information about available patches, deployed patches, missing patches, and deployment failures. But WSUS provides only a portion of the patch status reporting that the other products in this review offer.

WSUS relies on Group Policy to configure clients with settings such as which WSUS server to use, how often to check for updates, and what to do with new patches. This dependency could complicate WSUS deployment and troubleshooting. WSUS also lacks the ability to deal with rogue computers (i.e., unpatched computers that aren't configured to use WSUS)—although the Microsoft Baseline Security Analyzer (MBSA) could help identify these systems—and nonMicrosoft applications and OSs.

WSUS can't force patches to clients. Its role is to distribute approved patches to clients, which download and install them at defined intervals. This pull topology might have difficulty addressing quickly spreading exploits, such as the Blaster worm, for which you might want to push out a patch immediately.

Overall, I found WSUS to be a capable solution that's tightly focused on the challenge of keeping Microsoft software patched and secure. All-Microsoft shops and smaller enterprises will love the functionality and the price.

   Prev. page   [1] 2 3     next page