Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


October 2004

Patch-Management Software

Quickly and easily plug security holes

Worms and viruses that exploit vulnerabilities in Microsoft products continue to plague computer users. But you can avoid many of these attacks simply by keeping up-to-date with Microsoft patches. On the second Tuesday of each month, Microsoft releases security updates and urges users to deploy them as soon as possible. However, unless you have reliable patch-management software, deploying this steady stream of updates is difficult and time-consuming. This Buyer's Guide compares patch-management products to help you find the best possible solution to meet your needs.

To manually deploy patches, you typically log on to a computer and either let Windows Update scan and update the computer's software or manually download and install the appropriate patches. The manual process can be complicated because Microsoft often releases multiple update files per patch. For example, the company might release a Microsoft Internet Explorer (IE) patch as separate files for each IE release. If your environment has computers that run various IE versions, you have to download all these files, then apply the appropriate patch to each computer. Patch-management products scan the computers in your environment and determine which patches they need. When instructed to deploy a specific patch, the software ensures that the correct version is deployed to each platform.

Most third-party patch-management products deploy Microsoft updates; a few third-party products also patch non-Microsoft products. Most vendors employ the official Microsoft security database, mssecure.cab, which contains detailed update information for a variety of Microsoft products. Some vendors create their own databases that include non-Microsoft updates, articles, links, and other information.

Most vendors update their products within 24 to 48 hours of a Microsoft patch release. Some companies test patches before approving them, and a few actually repackage them. Repackaging the patches lets vendors provide better control over the distribution of patches and facilitates deploying non-Microsoft patches.

Many patch-management tools let you create groups of desktop machines and servers so that you can scan or patch computers based on location, type, ownership, and role. Look for products that let you easily populate these groups, for example by searching Active Directory (AD) for domains, organizational units (OUs), and sites. Make sure that the software can create groups according to IP addresses and other characteristics. Look for the ability to quickly customize and save groups; using groups will save you time during subsequent scanning and deployment activities.

Scanning features vary by product. The most accurate scanning methods compare a computer's registry and files with values stored in the patch database. The software then flags any values that don't match and reports all flagged patches as missing or incomplete.
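The comparison described above, sketched as an added example (it is not code from the article or from any product it covers). The database layout, bulletin ID, registry paths, file names and versions are constructed placeholders.

```python
# Constructed patch database. Bulletin IDs, registry paths, file names and
# versions are placeholders for illustration, not real Microsoft data.
PATCH_DB = [
    {"id": "BULLETIN-A", "product": "IE 6.0",
     "registry_key": r"HKLM\SOFTWARE\Example\Updates\IE6\BULLETIN-A",
     "files": {"example.dll": "6.0.2800.1400"}},
    {"id": "BULLETIN-A", "product": "IE 5.5",
     "registry_key": r"HKLM\SOFTWARE\Example\Updates\IE55\BULLETIN-A",
     "files": {"example.dll": "5.50.4900.0"}},
]

# Constructed inventories, as a scanner might collect them from each computer.
HOSTS = {
    "pc-01": {"products": {"IE 6.0"},
              "registry": {r"HKLM\SOFTWARE\Example\Updates\IE6\BULLETIN-A"},
              "files": {"example.dll": "6.0.2800.1400"}},
    "pc-02": {"products": {"IE 6.0"},  # key written, but the file is older
              "registry": {r"HKLM\SOFTWARE\Example\Updates\IE6\BULLETIN-A"},
              "files": {"example.dll": "6.0.2800.999"}},
    "pc-03": {"products": {"IE 5.5"}, "registry": set(),
              "files": {"example.dll": "5.50.4000.100"}},
}

def parse_version(text):
    """Compare versions numerically: as strings, '999' would sort above '1400'."""
    return tuple(int(part) for part in text.split("."))

def scan_host(host, patch_db=PATCH_DB):
    """Return {(patch id, product): status} for patches that apply to this host."""
    results = {}
    for patch in patch_db:
        if patch["product"] not in host["products"]:
            continue  # package is for a release this host does not run
        key_ok = patch["registry_key"] in host["registry"]
        files_ok = all(
            name in host["files"]
            and parse_version(host["files"][name]) >= parse_version(minimum)
            for name, minimum in patch["files"].items())
        # "incomplete" means the registry and the files on disk disagree.
        status = ("installed" if key_ok and files_ok
                  else "incomplete" if key_ok or files_ok else "missing")
        results[(patch["id"], patch["product"])] = status
    return results

def flagged(hosts=HOSTS):
    """List (host, patch id, product, status) for everything not fully installed."""
    return [(name, pid, product, status)
            for name, host in sorted(hosts.items())
            for (pid, product), status in scan_host(host).items()
            if status != "installed"]
```

Checking the file version as well as the registry key is what catches pc-02, where a registry-only scan would report the patch as installed.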

Deployment features also vary by product. Some products deploy patches immediately after you perform a scan; others let you schedule both scans and deployment. Some tools let you customize the reboot typically required after installing updates. Some products use QChain, a Microsoft tool that lets you install multiple patches without requiring a reboot after each installation. Make sure that the product you choose supports Microsoft's update-rollback features, which can come in handy if you need to uninstall patches. If you need to deploy Microsoft Office patches, make sure that the patch-management tool supports Office deployments and that it can update multiple Office versions with a single scan-and-deploy action.

Make sure that the product you select fits into your user-privilege model. For example, does the product require that end users be local administrators, or can it run under a separate privileged account? Some products require that you install a software agent on each computer; others scan and deploy from a management console. Agents provide better feedback and installation control, tend to provide more robust remote-management options, and can include basic Quality of Service (QoS) controls, such as bandwidth throttling. But agents also increase the computer's software footprint.

Solid reporting features are important, especially for deployments in large enterprises. Look for the ability to export reports in delimited text formats (such as comma-separated values, or CSV) so that you can import the raw data into a spreadsheet. If you manage a large number of systems, you might prefer a Microsoft SQL Server-based product that lets you write your own queries against the patch database so that you can generate reports such as lists of missing patches.

The clock begins ticking almost immediately after Microsoft releases new patches. You need to be able to quickly triage, test, and deploy new updates. Many patch-management vendors offer trial versions, so test several products to determine which one best meets your specific needs.




Reader Comments

Anonymous User November 23, 2004


Doh! You overlooked the most obvious (and free!) solution: MS Software Update Services (SUS). Paired with some minor GPO magic and 2k/XP on the desktop, it works great, esp. for smaller networks.

JJBegin December 14, 2004


THANKS!

Anonymous User December 23, 2004


FYI - SUS does not deploy on Win 98.
The new WUS was promised to deliver for Win 98, but they pulled it.
Also, neither solves the App patch problem.
Thanks

Anonymous User January 20, 2005


Microsoft has free tools for updating their Office products as well.

Anonymous User February 23, 2005


Microsoft SUS has to be installed on a Windows 2000 / 2003 server and that is a disadvantage! Nice marketing action to sell another Windows 2003 server.

Anonymous User April 12, 2005


I've tried the Shavlik HFNetChkPro 5, and I really like what I see. It has great features and it works like a charm.

OK, it costs money but the history has proven for us that if you want quality, you have to pay up =)

Anonymous User April 21, 2005

