Patch-Management Software

Worms and viruses that exploit vulnerabilities in Microsoft products continue to plague computer users. But you can avoid many of these attacks simply by keeping up-to-date with Microsoft patches. On the second Tuesday of each month, Microsoft releases security updates and urges users to deploy them as soon as possible. However, unless you have reliable patch-management software, deploying this steady stream of updates is difficult and time-consuming. This Buyer's Guide compares patch-management products to help you find the best possible solution to meet your needs.

To manually deploy patches, you typically log on to a computer and either let Windows Update scan and update the computer's software or manually download and install the appropriate patches. The manual process can be complicated because Microsoft often releases multiple update files per patch. For example, the company might release a Microsoft Internet Explorer (IE) patch as separate files for each IE release. If your environment has computers that run various IE versions, you have to download all these files, then apply the appropriate patch to each computer. Patch-management products scan the computers in your environment and determine which patches they need. When instructed to deploy a specific patch, software ensures that the correct version is deployed to each platform.

Most third-party patch-management products deploy Microsoft updates; a few third-party products also patch non-Microsoft products. Most vendors employ the official Microsoft security database, mssecure.cab, which contains detailed update information for a variety of Microsoft products. Some vendors create their own databases that include non-Microsoft updates, articles, links, and other information.

Most vendors update their products within 24 to 48 hours of a Microsoft patch release. Some companies test patches before approving them, and a few actually repackage them. Repackaging the patches lets vendors provide better control over the distribution of patches and facilitates deploying non-Microsoft patches.

Many patch-management tools let you create groups of desktop machines and servers so you scan or patch computers based on location, type, ownership, and role. Look for products that let you easily populate these groups--for example, by searching Active Directory (AD) for domains, organizational units (OUs), and sites. Make sure that the software can create groups according to IP addresses and other characteristics. Look for the ability to quickly customize and save groups; using groups will save you time during subsequent scanning and deployment activities.

Scanning features vary by product. The most accurate scanning methods compare a computer's registry and files with values stored in the patch database. The software then flags any values that don't match and reports all flagged patches as missing or incomplete.

Deployment features also vary by product. Some products deploy patches immediately after you perform a scan; others let you schedule both scans and deployment. Some tools let you customize the reboot typically required after installing updates. Some products use QChain, a Microsoft tool that lets you install multiple patches without requiring a reboot after each installation. Make sure that the product you choose supports Microsoft's update-rollback features, which can come in handy if you need to uninstall patches. If you need to deploy Microsoft Office patches, make sure that the patch-management tool supports Office deployments and that it can update multiple Office versions with a single scan-and-deploy action.

Make sure that the product you select fits into your user-privilege model. For example, does the product require that end users be local administrators, or can it run under a separate privileged account? Some products require that you install a software agent on each computer; others scan and deploy from a management console. Agents provide better feedback and installation control, tend to provide more robust remote-management options, and can include basic Quality of Service (QoS) controls, such as bandwidth throttling. But agents also increase the computer's software footprint.

Solid reporting features are important, especially for deployments in large enterprises. Look for the ability to export reports in delimited text formats (such as comma-separated value--CSV) so that you can import the raw data into a spreadsheet. If you manage a large number of systems, you might prefer a Microsoft SQL Server­based product that lets you write your own queries against the patch database so that you can generate reports such as lists of missing patches.

The clock begins ticking almost immediately after Microsoft releases new patches. You need to be able to quickly triage, test, and deploy new updates. Many patch-management vendors offer trial versions, so test several products to determine which one best meets your specific needs.

End of Article