Network + Systems Management
R E V I E W  
PatchLink Helps Keep Windows Closed

  September 2, 2002
  By Patrick Mueller



Managing service packs and hot fixes for a network of Microsoft boxes is not for the faint of heart. Security bulletins alone come at you fast and furious--one about every 5.5 days so far this year. Add in nonsecurity hot fixes, and you could find yourself drowning in a sea of patch notifications. And, of course, tracking incoming patches is only half the battle. You still have to inventory, manage and test the patches deemed necessary on your army of servers and workstations.

The dire need for Microsoft patch management is especially (and painfully) obvious to those who perform security vulnerability assessments, as our Chicago-based Neohapsis partner labs do. Without a doubt, lagging patch levels, especially on Microsoft platforms, represent high-risk findings on a typical audit. Most administrators are well aware of the problem but may not have the mandate, personnel or tools to effectively overcome this challenge. For help on the mandate and personnel fronts, see the results of a recent survey that shows malicious code infection is on the rise (see graphic, "Patch Soup: Microsoft Patch-Delivery Process").

Taking a hard look at the numbers often reveals that proactive security tools make sense from an ROI perspective--preventing a security problem is more cost-effective than cleaning up after. As for tools, patch-management applications can help. We gathered five products designed to deal with patch management on Microsoft platforms: BigFix's BigFix Enterprise Suite, Gravity Storm Software's Service Pack Manager 2000 6.4, PatchLink's PatchLink Update, Shavlik Technologies' HFNetChkPro Enterprise 3.8 and St. Bernard Software's UpdateExpert 5.1.




Patch Soup: Microsoft Patch-Delivery Process


In selecting products for our tests, we required that the licensing costs for our theoretical test network of 20 servers and 1,000 workstations be less than $50,000. That price ceiling excluded several products that handle patch management in addition to more extensive configuration-management features.

Also, stalwarts of the enterprise management systems space, such as Novell's ZENworks, Computer Associates' TNG and Microsoft's SMS (Systems Management Server), can handle rudimentary patching needs (though some coding and repackaging of the patches will likely be required), but they don't have the advanced features of the specialized products we tested. For example, the ability to arbitrarily group hosts by a given characteristic, such as hardware platform or logical function, is essential to most organizations. By creating such profiles, you also can push the newest critical patch out to all your public Microsoft IIS (Internet Information Server) systems quickly. Specialized patch-management products can give your administrators a fighting chance in the race to dodge the worm du jour.

Note that only Gravity Storm's and St. Bernard's products allow robust grouping functionality, though PatchLink indicated that this feature will be present in the next release of its PatchLink Update, 4.0, which was due in August.

We deployed the products in our Neohapsis partner lab on a test network containing hosts running Microsoft Windows 2000 Server (with IIS and SQL Server), Windows 2000 Professional, Windows NT 4 Server (with IIS) and Windows 98. Each product was put through its paces: installation, updating to reflect the newest Microsoft-released patches and managing patch levels on our test machines.

The Players

So how do these tools work? Two main architectures determine how the products operate. Non-agent-based applications--Gravity Storm Service Pack Manager 2000, St. Bernard UpdateExpert and Shavlik HFNetChk--work by scanning hosts to determine their service-pack and hot-fix configurations. Obviously, for the tool to log in and query the machine, domain or local administrator access is required, along with other prerequisites such as an enabled Remote Registry Service and available SMB network access. These target-level requirements limit the usefulness of the non-agent-based products to networks in which the administrator has a high degree of control over the deployment and configuration of the target systems: the server room, for instance.

On the other hand, managing a WAN containing hundreds of user workstations will likely present some major problems. If end users have autonomous control over their systems, ensuring the prerequisites to the scanning process will be difficult. If network access-control devices, such as firewalls, process packets in between the patch server and the target workstation, SMB traffic may be dropped and break the process. Finally, and most important, if you have users who are connected to the enterprise network only part-time, the scanning process is going to miss the users who are roaming--not to mention those local workstations that happen to be turned off at the time of scanning. This is not to say that the non-agent-based products are inherently weak, but they are better suited to more static networks.

The second architecture type comprises agent-based products, wherein each host to be managed has a small agent installed and running in the background. Two of the products we tested, BigFix Enterprise and PatchLink Update, are based on this architecture. The agent periodically polls the patch server for new updates, and in this way, the turned-off-workstation and roaming-user issues can be addressed. For example, even if a user logs into the enterprise network only once a week, the agent will still poll the patch server and pull down any needed patches (assuming the user stays connected long enough). Because the registry and file system are scanned locally, network-scanning problems are avoided too. Such advantages are not without cost, however: Agent-based products require up-front work to integrate the agents into the workstation- and server-deployment process.
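
The coverage trade-off between the two architectures can be modelled in a few lines. This is an added example, not code from the original article or from any of the reviewed products; the host names, fields and sample fleet are constructed, and the checks mirror the prerequisites and failure cases described above.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Host:
    name: str
    admin_access: bool      # scanner holds domain or local administrator rights
    remote_registry: bool   # Remote Registry Service enabled on the target
    smb_reachable: bool     # no firewall drops SMB between scanner and target
    online_days: frozenset  # days the host is on the enterprise network
    agent_installed: bool   # agent was included in the deployment process

def agentless_blockers(host, scan_day):
    """Why a non-agent-based scan run on scan_day cannot assess this host."""
    checks = [
        (scan_day in host.online_days, "offline or roaming at scan time"),
        (host.smb_reachable, "SMB traffic blocked"),
        (host.remote_registry, "Remote Registry Service disabled"),
        (host.admin_access, "no administrator access"),
    ]
    return [reason for ok, reason in checks if not ok]

def agent_blockers(host):
    """Why a polling agent would not patch this host within the week."""
    if not host.agent_installed:
        return ["agent not deployed"]
    if not host.online_days:
        return ["never connects to poll the patch server"]
    return []

def coverage_report(fleet, scan_day):
    """Map each host name to its blockers under both architectures."""
    return {h.name: {"agentless": agentless_blockers(h, scan_day),
                     "agent": agent_blockers(h)} for h in fleet}

def missed(report, architecture):
    """Sorted names of hosts the given architecture leaves unassessed."""
    return sorted(n for n, r in report.items() if r[architecture])

WEEK = frozenset({"mon", "tue", "wed", "thu", "fri", "sat", "sun"})
# Constructed sample fleet: server room, branch office, roaming laptop, kiosk.
FLEET = [
    Host("iis-web-01", True, True, True, WEEK, True),
    Host("branch-ws-17", True, True, False, WEEK, True),
    Host("laptop-042", True, False, True, frozenset({"fri"}), True),
    Host("kiosk-03", True, True, True, WEEK, False),
]

if __name__ == "__main__":
    for name, row in coverage_report(FLEET, "tue").items():
        print(name, row)
```

Feeding a real inventory into a report like this before choosing a product shows which hosts each architecture would leave unpatched, and why.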

The three agentless products we tested have similar feature sets and pricing and ended in a photo finish, with Gravity Storm's product trailing only slightly behind those of St. Bernard and Shavlik, which were neck and neck. But it was an agent-based tool, PatchLink Update, that won our Editor's Choice. And despite its high price--$30,500 versus the $12,190 cost of the next most expensive product--BigFix Enterprise held onto second place. Bottom line, we prefer the agent-based products because of their generally superior scanning engines--the agent, by definition, has full purview of the system--and their ability to encompass nonstatic network configurations. We feel the added effort of installing agents is worthwhile.

