Keeping software patched and secure is one of the biggest ongoing challenges
that network administrators face. Software vendors are constantly playing catch-up
with those who accidentally or purposefully discover flaws in their products.
At the time of this writing, Microsoft had released 55 critical patches for
Windows XP Service Pack 2 (SP2) and 48 patches for Windows Server 2003 SP1.
Patch management software is a valuable tool that network administrators can
use to automate the software patching process.
Modern patch management solutions address multiple challenges. They must deliver
patches from vendor patch repositories to vulnerable clients in a robust, efficient,
and unobtrusive manner. They must provide centralized control over the patch approval
process and allow removal of problematic or unnecessary patches. And they must provide
reports listing vulnerabilities, patch success/failure, and network summary information.
The most flexible patch management solutions accommodate a range of network topologies,
client configurations (e.g., mobile, desktop), and bandwidth availabilities.
I worked with three patch management products designed to address the challenges
of software patching: Microsoft Windows Server Update Services (WSUS) SP1, PatchLink
Update 6.3, and Shavlik Technologies' Shavlik HFNetChkPro Plus 5.8.
WSUS SP1
WSUS SP1 is a free product from Microsoft that joins together Microsoft's Windows
Update patch repository and Windows Automatic Updates client into a patch management
system. WSUS lets you approve patches prior to their deployment. With WSUS,
patches can be downloaded from Microsoft once, stored locally, and distributed
at LAN speed to clients. WSUS improves on its predecessor, Microsoft Software
Update Services (SUS), by distributing patches for Microsoft applications such
as Office, SQL Server, and Exchange in addition to patches for Microsoft OSs.
WSUS also offers a modest level of reporting.
WSUS combines an unbeatable price (free) with solid patch distribution features.
Careful network administrators like to test patches in their environment before
deploying them. In WSUS, after you're satisfied with a patch, you can mark it
Approved, which allows clients to install the patch. WSUS also lets you create
Computer Groups, which can be used to restrict the scope of patch deployment.
For example, you can deploy patches to a group of test computers before approving
them for the rest of the network. Figure 1
shows the dialog box for approving patches for Computer Groups.
By using the lean, Web-based WSUS interface, you can approve patches manually or
based on a policy. For example, an approval policy can automatically approve patches
that are rated critical by Microsoft or patches that supersede previously approved
patches. WSUS doesn't download patches until they're approved, so no bandwidth is
wasted on patches that will never be deployed.
WSUS can also conserve bandwidth and administrative effort by creating a hierarchy
of WSUS servers. This feature lets you balance a large client load across multiple
WSUS servers or host patch content closer to clients.
The WSUS reporting module provides useful information about available patches,
deployed patches, missing patches, and deployment failures. But WSUS provides
only a portion of the patch status reporting that the other products in this
review offer.
WSUS relies on Group Policy to configure clients with settings such as which WSUS
server to use, how often to check for updates, and what to do with new patches.
This dependency could complicate WSUS deployment and troubleshooting. WSUS also
lacks the ability to deal with rogue computers (i.e., unpatched computers that
aren't configured to use WSUS)—although the Microsoft Baseline Security Analyzer
(MBSA) could help identify these systems—and non-Microsoft applications and OSs.
WSUS can't force patches to clients. Its role is to distribute approved patches
to clients, which download and install them at defined intervals. This pull topology
might have difficulty addressing quickly spreading exploits, such as the Blaster
worm, for which you might want to push out a patch immediately.
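The article leaves the Group Policy dependency abstract, so here is an added example (mine, not the article's or Microsoft's code) showing the documented registry values those WSUS client policy settings write on an XP/2003 client: it points a pilot machine at a WSUS server and a "Test" Computer Group, and includes a check function that reports which values are missing or wrong, which is also a quick way to spot the rogue machines mentioned above. The server URL and group name are placeholders; the example assumes the WSUS server is published over HTTPS and that the script runs elevated on the client (on a domain member, Group Policy would normally supply the same values).

```powershell
# Added example, not from the article or from Microsoft. Placeholders below.
$WsusUrl     = 'https://wsus.example.internal'   # placeholder WSUS server, assumed to use HTTPS
$TargetGroup = 'Test'                            # WSUS Computer Group for pilot clients

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

# Which server to use, how often to check, and what to do with new patches.
$Desired = @(
    @{ Path = $PolicyKey; Name = 'WUServer';                 Type = 'String'; Value = $WsusUrl },
    @{ Path = $PolicyKey; Name = 'WUStatusServer';           Type = 'String'; Value = $WsusUrl },
    @{ Path = $PolicyKey; Name = 'TargetGroupEnabled';       Type = 'DWord';  Value = 1 },
    @{ Path = $PolicyKey; Name = 'TargetGroup';              Type = 'String'; Value = $TargetGroup },
    @{ Path = $AuKey;     Name = 'UseWUServer';              Type = 'DWord';  Value = 1 },
    @{ Path = $AuKey;     Name = 'AUOptions';                Type = 'DWord';  Value = 4 },  # 4 = download and schedule install
    @{ Path = $AuKey;     Name = 'ScheduledInstallDay';      Type = 'DWord';  Value = 0 },  # 0 = every day
    @{ Path = $AuKey;     Name = 'ScheduledInstallTime';     Type = 'DWord';  Value = 3 },  # 03:00
    @{ Path = $AuKey;     Name = 'DetectionFrequencyEnabled'; Type = 'DWord'; Value = 1 },
    @{ Path = $AuKey;     Name = 'DetectionFrequency';       Type = 'DWord';  Value = 4 }   # hours between checks
)

function Set-WsusClientPolicy {
    foreach ($s in $Desired) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType $s.Type `
            -Value $s.Value -Force | Out-Null
    }
}

function Test-WsusClientPolicy {
    # Emits one object per setting that is missing or differs from $Desired;
    # no output means the client is correctly pointed at WSUS. A client with
    # no WUServer value at all is one of the rogue machines described above.
    foreach ($s in $Desired) {
        $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name `
                   -ErrorAction SilentlyContinue).($s.Name)
        if ($actual -ne $s.Value) {
            [pscustomobject]@{ Setting = $s.Name; Expected = $s.Value; Actual = $actual }
        }
    }
}

Set-WsusClientPolicy
Test-WsusClientPolicy | Format-Table -AutoSize
# XP/2003-era Automatic Updates client: re-read policy and check in with WSUS now.
wuauclt.exe /resetauthorization /detectnow
```

Run Test-WsusClientPolicy on its own against other machines to list which of them are not pointed at your WSUS server.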
Overall, I found WSUS to be a capable solution that's tightly focused on the
challenge of keeping Microsoft software patched and secure. All-Microsoft shops
and smaller enterprises will love the functionality and the price.
Summary: WSUS SP1
PROS: Well designed, flexible update targeting, patches Microsoft applications
and OSs, free
CONS: Patches only Microsoft products, limited reporting, can't push patches
to clients
RATING: 3 out of 5
PRICE: Free
RECOMMENDATION: Recommended for organizations that need a low-cost patch
management system focused on Microsoft products.
CONTACT: Microsoft • http://www.microsoft.com • 425-882-8080
PatchLink Update 6.3
PatchLink Update 6.3 is an agent-based, multiplatform patch management product
that provides agents for Novell NetWare, Mac OS X, Windows, and several Linux
platforms. You use policies to configure the agents to periodically scan for
applicable vulnerabilities. You can then schedule deployments of Packages, which
are patches for one or more vulnerabilities. PatchLink Update runs on Windows
2003 and, like the other products reviewed, can store patch deployment data
in a SQL Server database. PatchLink Update uses SQL Server Express if SQL Server
isn't available.
The evaluation copy of PatchLink Update 6.3 came preinstalled on a VMware virtual
machine (VM). This was a nice touch that made evaluating the product easier.
PatchLink Update uses a patching cycle that begins by downloading an XML file
from PatchLink. This file lists available software patches for the supported
software. You then use the Web-based administrator console to schedule or manually
initiate scans for vulnerabilities. Based on the results of the vulnerability
scan, PatchLink Update distributes patch deployments to agents. The patches
can be prestaged on the server or downloaded from software vendor Web sites
immediately prior to their deployment. PatchLink Update also can roll back patches
after they're installed.
PatchLink Update can accommodate a variety of network topologies by using distribution
points. This lets you locate patch content closer to clients or load-balance
clients across multiple distribution points. PatchLink Update recognizes and
patches vulnerabilities in the supported OSs, Microsoft server and desktop applications,
and other popular applications such as Adobe Acrobat and Flash, Mozilla Firefox,
Apple QuickTime, and WinZip.
In addition to collecting vulnerability information, PatchLink Update performs
an inventory of hardware, services, and installed software. The Web-based interface
displays the inventory organized in several ways and with several summary levels
(as Figure 2 shows), and this data
can be exported in CSV, XLS, and XML formats. Neither of the other products
in this review collected such inventory information.
PatchLink Update is also the only product reviewed that includes an interface
for creating system users and assigning role-based permissions. For example,
you can give an administrator read-only access to PatchLink Update's inventory
data (the Guest role) or full access to a subset of the managed computers.
Even if you've scheduled regular vulnerability scans, PatchLink Update lets
you force a vulnerability scan. That way, when a major software vulnerability
is discovered, you can use an on-demand scan to more quickly identify and deploy
the needed patch.
The PatchLink Update report module is configured with several useful reports.
Included are reports (mentioned above) on hardware, software, and service inventory
along with the usual reports on missing and deployed patches. One particularly
useful report is the Vulnerability Analysis Report, which summarizes several
critical metrics relating to specific unpatched vulnerabilities. All report
data can be exported in CSV, XLS, and XML formats.
The PatchLink Update agent proved tricky to install on the Linux Fedora Core
4 client that I included in my testing. The agent requires the Sun Microsystems
Java Runtime Environment rather than the GNU Java Runtime Environment packaged
with Fedora. This could complicate agent deployment in some environments.
To prevent unauthorized connections to the server, the PatchLink Update agent
requires you to enter the server license key during installation. Windows installs
can use a customized .msi file to automate this step, but it seems unnecessary
to require a license key for a software patching agent.
Overall, I found PatchLink Update to be a capable solution worthy of consideration
for multiplatform enterprises. In fact, it's my pick as the Editor's Choice
product. Its flexible agent software and full set of features will keep a wide
variety of enterprise networks patched and secure.
Summary: PatchLink Update 6.3
PROS: Flexible permissions assignment model, support for distribution points,
good reporting, cross-platform support
CONS: Complicated agent install, especially for Linux clients; expensive for
UNIX and NetWare clients
RATING: 4 1/2 out of 5
PRICE: $1,495 for a server license, plus $18 per node per year for Windows
clients, $75 per node per year for UNIX and NetWare clients, and $33 per node
per year for Mac OS X clients
RECOMMENDATION: Recommended for organizations that need multiplatform patch
management, flexible administration interface permissions, and complete reporting.
Its flexibility makes it my pick for Editor's Choice.
CONTACT: PatchLink • http://www.patchlink.com • 480-970-1025
Shavlik HFNetChkPro Plus 5.8
Shavlik HFNetChkPro Plus 5.8 incorporates a unique combination of push and pull
topology choices. The push component uses the Windows Remote Registry service
and Microsoft Server Message Block/Common Internet File System (SMB/CIFS) communication
from the Console (Shavlik's term for the patch management server) to initiate
vulnerability scans on clients. The pull component uses a client agent to initiate
communication with the Console. HFNetChkPro Plus supports Microsoft OSs only,
but it can provide patches for major Microsoft applications and some non-Microsoft
apps, including Adobe Acrobat and Flash and Mozilla Firefox. A separate product,
Shavlik HFNetChkPro for Solaris, supports the Sun UNIX OS.
The HFNetChkPro Plus installer makes setup easy by downloading and installing
the prerequisite Windows components, which might not be present on a clean server
install. Like the other products in this review, HFNetChkPro Plus supports multiple
distribution servers and lets you customize which patches are deployed in response
to scan results. For example, you can create a Patch Scan Template to define
which patches to look for and a Deployment Template to define how and when missing
patches are deployed, how much bandwidth to use, and when client reboots can
be tolerated. Like PatchLink Update, HFNetChkPro Plus can combine scheduled
patch scans with on-demand scans for a flexible posture in responding to patching
needs. HFNetChkPro Plus lets you uninstall patches in any order.
HFNetChkPro Plus works without an agent on most clients, which should make
installation easier but might mean extra configuration on some clients. You
might need to configure an XP client's Windows Firewall and Remote Registry
service to accept connections from the Console.
With HFNetChkPro Plus, all clients that report to the same Console must use
the same configuration settings. (Shavlik plans to resolve this in an upcoming
minor version release.) Both WSUS and PatchLink Update have greater flexibility
in this area and can accommodate multiple client configurations per server to
better match network topology and client needs.
Because of its push topology, HFNetChkPro Plus can manage computers that might
otherwise be outside your control. HFNetChkPro Plus's built-in IP Range Scan
facilitates a comprehensive network scan that finds any client computers to
which you have administrator access. On mobile computers, firewalled computers,
and other difficult cases, you can install the HFNetChkPro Plus agent. The agent
supports push installation as well as local installation from CD-ROM or USB
flash drive, so no independent software distribution infrastructure is needed.
The HFNetChkPro Plus admin interface is a standalone .exe file rather than
a Web interface. Also, some scheduled tasks on the Console server execute inside
a command prompt window. Together, these minor points cause HFNetChkPro Plus
to feel like a desktop application rather than a service.
HFNetChkPro Plus's prepackaged reports are well done and include a few helpful
analysis reports, including the Top 10 Vulnerable Machines and Top 10 Missing
Patches, which Figure 3 shows. Reports
such as this help you quickly get a handle on the most serious threats to network
health.
HFNetChkPro Plus also has an optional, extra-cost antispyware add-on that was
in development at the time of this review.
Overall, I found Shavlik HFNetChkPro Plus a well-rounded patch management product
that addresses many of the software patching challenges facing modern enterprises.
Summary: Shavlik HFNetChkPro Plus 5.8
PROS: Flexible combination of push and pull updating, easy deployment, usable
interface and well-rounded feature set, helpful reports
CONS: Console isn't Web based, inflexible client configuration
RATING: 4 out of 5
PRICE: $38 per seat
RECOMMENDATION: Recommended for organizations that need flexible Windows platform
patch management, easy deployment, and solid reporting.
CONTACT: Shavlik Technologies • http://www.shavlik.com • 800-690-6911
Conclusion
All three of the reviewed products provide significant benefits for the overworked
system administrator. They all deliver the core functionality of modern patch
management solutions: patch approval, patch delivery, and reporting. And most
importantly, all three products were successful in delivering and applying patches
in my test lab environment. Beyond this core functionality, the three products
have significant differences.
WSUS provides the base level of functionality that administrators need to control
the Windows Automatic Update client and save bandwidth. Its spartan reporting
provides usable information about the status of patch deployment and it can
accommodate a variety of network topologies.
HFNetChkPro Plus adds several useful features to the expected core patching
functionality. I was impressed with the smart combination of push and pull models
for patch management, and the management interface was easy to use, although
I would have preferred a Web-based interface.
PatchLink Update also adds several useful features to the core patching functionality.
It offers agents for multiple platforms, hardware and software inventory collection,
and useful summary and analysis reports that can be easily exported. PatchLink
Update also has the most flexible access control model for administrators. Because
of its solid functionality in the multiplatform enterprise and its useful features,
PatchLink Update is my pick for Editor's Choice.
See Associated Table
I'm a first-time visitor to this site, and I just wanted to share that this article was extremely well-written, concise and well-documented. I came in with a very limited knowledge of Patch Management Solutions, and left feeling satisfied enough to make a decision. Excellent article. Helped me out a lot. Thanks.