Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


December 2003

Enterprise Patch Management for Windows

Find help for managing security patches

Application Security
When installing a patch-management solution, the last thing you want is to introduce more security holes to your network. Because a patch manager has a wide reach across an enterprise, it must be secure.

Patch managers must obtain patches and patch information databases from a reliable source and must ensure that they're working with original, unmodified files. Most of the products had strong security features. BigFix Patch Manager uses a public key encryption system for which the company issues its own certificates. Although someone might be able to gain access to the application and view hotfix information, he or she can't take any action without knowing the certificate's credentials. HFNetChkPro uses extra caution by checking not only signatures on the XML files and downloaded patches but also on each of the application's executables.
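The kind of check described above can be run by hand against a folder of downloaded patches before anything is deployed. The following PowerShell is an added example, not code from the article or from any of the reviewed products; the staging path `C:\PatchStaging`, the function name `Test-PatchSignature`, and the expected publisher string are assumptions to adjust for your environment.

```powershell
# Added example: gate a patch staging folder on Authenticode checks before deployment.
# Test-PatchSignature, the staging path and the publisher string are assumptions.
function Test-PatchSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $StagingPath,
        # Substring expected in the signer certificate subject (assumed value).
        # Pinning the certificate thumbprint instead is stricter.
        [string] $TrustedPublisher = 'O=Microsoft Corporation'
    )

    Get-ChildItem -Path $StagingPath -File -Recurse |
        Where-Object { $_.Extension -in '.exe', '.msi', '.msp', '.msu', '.cab', '.dll' } |
        ForEach-Object {
            $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

            # 'Valid' means the file hash matches the signature and the chain is trusted.
            # Any other status (NotSigned, HashMismatch, NotTrusted, ...) fails closed.
            $reason = if ($sig.Status -ne 'Valid') {
                "Signature status: $($sig.Status)"
            } elseif ($subject -notlike "*$TrustedPublisher*") {
                'Signed, but not by the expected publisher'
            } else { $null }

            [pscustomobject]@{
                File     = $_.FullName
                Status   = $sig.Status
                Signer   = $subject
                SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Approved = ($null -eq $reason)
                Reason   = $reason
            }
        }
}

# Deploy only when every staged file passes; otherwise list the failures and stop.
$results  = Test-PatchSignature -StagingPath 'C:\PatchStaging'   # hypothetical path
$rejected = $results | Where-Object { -not $_.Approved }
if ($rejected) {
    $rejected | Format-Table File, Status, Reason -AutoSize
    throw "$(@($rejected).Count) staged file(s) failed signature checks; deployment blocked."
}
```

The recorded SHA256 values give a second point of comparison when the vendor publishes hashes alongside its patches.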

One problem with agentless patch managers is that Windows doesn't encrypt much of the information queried from network hosts. To properly secure this type of traffic, you need to implement IP Security (IPSec) or some other encryption between the scanning server and network hosts.

Scalability
Scalability is a vital concern for some administrators. The products we tested differed widely in their ability to scale to different environments. When evaluating patch-management solutions, consider the following criteria:

  • How many end-user systems will you manage?
  • How many administrators will use the patch manager?
  • How many patch-manager consoles will you need?
  • How will you segment your network for patch management?
  • How much bandwidth do you have available?
  • How much time do you want to spend managing the patch manager?

Of all the products tested, BigFix Patch Manager was the most scalable, with PatchLink Update following close behind. BigFix designed Patch Manager with scalability in mind; each console can efficiently handle up to 15,000 clients. BigFix Patch Manager also uses relays to establish multiple patch distribution points across a network. Although the other solutions don't have fixed limits for the number of clients they can support, they're not well suited for handling more than 5,000 clients per console; however, you can break up the network into segments and manage each segment with a separate console.

Reporting
BigFix Patch Manager, Service Pack Manager 2000, and SysUpdate had the most flexible and useful reporting options. Most of the others had some reporting features but had limitations on output format, features, or interactivity. BigFix Patch Manager provides a user-friendly Web-based reporting module filled with features such as filtering, custom fields, charting, interactive links, and exporting to Microsoft Excel. Service Pack Manager 2000's template-based reporting provides many of these same features without the Web interface. SysUpdate uses Crystal Decisions' Crystal Reports for its reporting engine, allowing for powerful reporting options if you have access to the Crystal Reports Designer. HFNetChkPro also provided powerful reporting capabilities with flexible report criteria and numerous export formats.

Although not all the products have advanced reporting features, they all provide an export feature so that you can use an external reporting mechanism. And many of the products allow ODBC access to their scan databases, providing further options for custom reporting.

Our lab tests didn't single out one overall winner; some products are simply better suited for certain environments. Consider your requirements for flexibility, accuracy, deployment, product coverage, security, scalability, and reporting and compare them with the feature comparison in Web Table 1. Patch management is an industry still in its infancy, and plenty of room for improvement exists, but we've come a long way from where we were just a few years ago. The number of patch-management solutions is growing, and each solution is growing in features and reliability. The hard part is finding the solution that's right for your environment.



Patch-Management Software Vendors
BigFix * 510-652-6700 * http://www.bigfix.com

Ecora * 603-436-1616 * http://www.ecora.com

Gravity Storm Software * 858-792-0162 * http://www.securitybastion.com

PatchLink * 480-970-1025 * http://www.patchlink.com

SecurityProfiling * 765-420-7227 * 888-645-3676 * http://www.securityprofiling.com

Shavlik Technologies * 651-426-6624 * http://www.shavlik.com

St. Bernard Software * 858-676-2277 * http://www.stbernard.com




Reader Comments
A vague narrative of truisms and "what else is new" comments about patching, mixed with some useful details. A comparison table of specific features for each package would be much better.

Milton F. Lopez December 03, 2003


Is there any reason why Microsoft's SUS, SMS, and BSA weren't included in the review?

Steve December 11, 2003


We have been evaluating a product called Novadigm Patch Manager. Is there a reason why some of the more mainstream products were not included in your evaluation? Thank you for your time.

Monique Ludwig December 12, 2003


This is an excellent article. I was browsing the net to search for Microsoft Patch Management Products and accidentally hit this page. I got the information I was looking for except that the article does not have anything about the Microsoft Software Update Services.
Good Article indeed...

Thanks Author.

Regards,


C Mugilan December 13, 2003


Excellent work. This market needed some more definition. The thoroughness of the feature sets and non-biased presentation is a credit to your publication. Thank you for setting a new standard.

T Wadsworth December 17, 2003


Good job. I have just started patch management in our company and it is a big task; with articles like the above, everything becomes more clear every day. Thank You for thinking of us.

Madeleine December 19, 2003


I've been running HFNetChk Pro for quite a while now, and while it works OK, I still get frustrated with Office patches, especially Office 2K. We have some mixed version clients due to custom Access DBs, and it's virtually impossible to update both versions of Office at the same time. From what I see in forums for other products, this is not limited to HFNetChk, but is common on all patch management systems. The requirement for source files from install media is frustrating. Hopefully MS can address this soon...
Nice article, though. I plan on evaluating Patchlink since I need an app that's more scalable. I'd also like to work with a console that's multi-threaded, too...

Charlie Kaiser February 09, 2004


I may have missed this feature in the products, but I see a need for an "exclusion list" of servers requiring specific sign off before patching. Many of the servers that I have to patch are FDA Validated machines requiring testing on QA machines before ANY patching. The Validated servers require very specific Change Management protocols before changing anything on the production systems. I see this as an important feature for any organization that supports FDA Validated systems.

RON February 09, 2004


I use Service Pack Manager 2000 (Gravity Storm Software); it works well. Very fast scanning, no agents to install.

leonard March 23, 2004


I wanted to post a message about PatchLink I didn't see in the article. It is a great solution, but you cannot use their agent system on multiple computers when those computers were imaged using Norton Ghost, PowerQuest DeployCenter, etc. All computers will hash to the same unique identifier in their system.

Brandon Pack April 08, 2004

