Full steam ahead – cautiously

With the ever-increasing amount of malware prowling the Internet, sniffing at every network and system they can find, hoping to slip in and wreak havoc, administrators have become more paranoid about unpatched software.

Even an apparently innocuous flaw can often be exploited by the bad guys, to their profit and our loss, so it’s rarely safe to ignore a security bulletin. Timing is critical. Recent exploits have been released even before a patch for the underlying vulnerability was available (the Microsoft WMF problem is a prime example), and even those that could be nipped in the bud by timely patching appear closer and closer to the patch release. Zero-day exploits, where an exploit appears at virtually the same time as the announcement of the problem it exploits, have become a reality.

Yet patching isn’t cheap. A 2004 report by the Yankee Group pegged the cost at US$119 per desktop in companies from 100 to 5,000 employees. It’s no wonder that the Yankee Group has estimated that the global patch management market will grow to US$300 million in 2008.

Vendors have pounced on the opportunity.

Patching is not as simple as one would think. Patches don’t always behave well; they can break enterprise applications, and some that were rushed out by vendors have been known to harm the systems they were meant to fix. This means IT departments must install the patch on test machines before wide deployment.

Administrators also need to consider what products the tool can patch, and whether they can roll back a patch that causes problems. They need to know whether they can audit machines to see which available patches they need, and which patches succeeded or (more importantly) failed. And they need to be able to squeeze the product into their budget.

Prices for products vary, and the amounts here are for the minimum number of seats. Quantity discounts can pare the cost considerably as volume grows.

Scriptlogic Patch Authority Plus
Price: US$160 for 10 seats
Eval available: Yes
OS support: 3

Scriptlogic’s list of patched products is extensive, even updating Microsoft products that Windows Server Update Services (WSUS) doesn’t, such as BizTalk Server. It also has the largest list of non-Microsoft products, ranging from Firefox 1.0 and higher through Adobe Reader and WinZip. Administrators can even generate custom patch deployments using XML, so they can update in-house or third-party applications. The licence price includes a year of patch database updates.

Patches can be deployed upon receipt (Microsoft patches come via Microsoft Update), or be scheduled for later installation.

Reboots requested by patches may be controlled by the administrator to avoid disrupting the client system. However, since the product is agentless, each client machine needs a suitable administrative account that the program can access to do its work.

Scriptlogic says the product can be scaled even to a 100,000-machine enterprise by using distribution servers for localized deployment, deployment templates, and by grouping machines (using Active Directory, IP ranges, system type or other criteria) into Patch Groups.

Ecora Patch Manager
Price: US$20 per node
Eval available: Yes
OS support: 4
Application support: 2.5
Average: 3.2

Ecora patches Windows 2000 or higher, Microsoft Office 2000 or higher, Microsoft Exchange 5.5 or higher, and a long list of other products, such as Windows Media Player and SQL Server.

It supports virtually all patches from Microsoft that have been released with a security bulletin, and it also supports publicly available patches from Sun for Solaris 7 to 9.

Patches can be deployed either through an agent installed on the client system, or in an agentless environment, as long as there’s a suitable administrative account configured on each machine.

Patches may be rolled back if necessary, as long as the vendor supports the function.

The reporting system is browser-based, and offers reports on specifics such as the success or failure of patching, inventory of applications installed and patch history by machine.

The licence price includes one year of maintenance and support; three-year licences are also available, or customers can purchase perpetual licences without bundled support.

Microsoft Windows Server Update Services (WSUS)
Price: Free
Eval available: N/A
OS support: 3
Application support: 2.5
Average: 3.5

WSUS builds on Microsoft’s Software Update Services, expanding the number of products patched from operating system only to OS plus selected Microsoft applications, and adding functionality. WSUS gets its patches from the Microsoft Update Web site, so it can only patch software supported there: Windows 2000 or higher, Office XP or higher, Exchange 2000 or higher, and so forth. For large or distributed networks, administrators can set up multiple WSUS servers and either replicate patches internally from server to server or have each machine connect to Microsoft Update to grab patches. Client systems use the Windows Automatic Update mechanism to receive their patches from the WSUS server.

Administrators can select patches based on criteria such as product and type of update, and choose which group or groups of clients to push them to, using Active Directory organizational units. Every patch must be approved. Pre-approvals can be set up as well to, for example, automatically patch a test group without intervention.
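The audit questions raised earlier (which approved patches a machine still needs, and which installs succeeded or failed) can be answered on a WSUS or Automatic Update client without any of the commercial consoles, because the client-side Windows Update Agent exposes that data through its COM API. The following PowerShell script is an added example, not code from the article or from Microsoft or any vendor reviewed here; it assumes it is run locally in an elevated session, and that the WSUS server address (if any) was set by the standard WSUS Group Policy keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.

```powershell
# Added example: audit one Windows client via the Windows Update Agent (WUA)
# COM API, the same component that Automatic Update uses to talk to WSUS.
# Assumes an elevated local PowerShell session.

# 1. Which WSUS server (if any) is this client pointed at?
#    These values are written by the WSUS Group Policy settings.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if (Test-Path $wuPolicy) {
    $p = Get-ItemProperty -Path $wuPolicy
    "WSUS server:        $($p.WUServer)"
    "WSUS status server: $($p.WUStatusServer)"
} else {
    'No WSUS policy found: client talks to Microsoft Update directly.'
}

# 2. Which updates does the client still need? Against a WSUS server this
#    search only returns updates an administrator has approved for it.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$missing  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
"`nMissing updates: $($missing.Count)"
foreach ($u in $missing) {
    $kb = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    "  [$kb] $($u.Title)"
}

# 3. Which recent installs succeeded or failed? ResultCode follows the WUA
#    OperationResultCode enumeration: 2 = Succeeded, 3 = SucceededWithErrors,
#    4 = Failed, 5 = Aborted. HResult carries the error code for failures.
$label = @{ 1 = 'InProgress'; 2 = 'Succeeded'; 3 = 'SucceededWithErrors';
            4 = 'Failed';     5 = 'Aborted' }
$count = $searcher.GetTotalHistoryCount()
"`nRecent install history (newest first):"
if ($count -gt 0) {
    $history = $searcher.QueryHistory(0, [Math]::Min($count, 50))
    foreach ($h in $history) {
        $status = $label[[int]$h.ResultCode]
        if (-not $status) { $status = 'NotStarted' }
        '  {0:yyyy-MM-dd} {1,-20} HRESULT=0x{2:X8} {3}' -f `
            $h.Date, $status, $h.HResult, $h.Title
    }
}
```

Run it on a few test-group machines after a pre-approved patch has been pushed: a patch that shows as "Failed" with an HRESULT, or that keeps appearing in the missing list after a reboot, is exactly the one to hold back from the wider approval.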

Shavlik HFNetChkPro
Price: US$125 for 5 seats
Eval available: Yes
OS support: 3
Application support: 3
Average: 2.7

Shavlik’s highly regarded engine is actually the foundation of Microsoft’s Baseline Security Analyzer and of Patch Authority Plus, as well as driving Shavlik’s own branded product. It patches Microsoft products and some non-Microsoft products such as WinZip and Apache.

Like Patch Authority Plus and Ecora, it is agentless: desktop firewalls must be configured to allow its scans (as they must for any agentless product), and there must be a suitable administrative account on each machine for the software to use while patching.

Its interface is designed to be quick and easy for the administrator. One click will deploy all missing patches if you like, or you can select which patches to deploy, and where, with a simple drag and drop. Extensive reporting, available from the console or from a Web-based reporting server, gives you the status of each patch on each client.

There’s no such thing as ‘free’ patch management
You can’t just quote the price for a tool of this sort and assume that’s the price you will pay for patch management. Even “free” has a cost when you consider the surrounding bits and pieces you need to run the product.

For example, you need at least one server to run the patch distribution from. You need a database with adequate client access licences. You need sufficient network bandwidth to push out patches without affecting other operations. It adds up. But the savings can be substantial too. They may or may not translate into hard dollars, but will be manifested in systems that are protected from exploits, saving the cost of recovering from infections, and in IT staff time that can be spent on tasks other than running around patching systems.

All of the products discussed here offer free evaluations, and it’s best to try before you buy.

It’s especially important to make sure that your product of choice will patch all versions of software installed on your machines. Also bear in mind that very old operating systems — typically, NT 4.0 and earlier — are not supported by Microsoft any more, so no new patches are available. Older versions of Microsoft Office suffer the same fate.
