Given the ever-increasing threats from hackers, viruses, and Internet-based worms, patch management has become a crucial component of enterprise security. Patch management is the process of identifying, verifying, downloading, and distributing security updates. Security updates are special hotfixes or software patches that a software publisher releases to address specific security threats. Microsoft has a well-established system for notifying the public about security vulnerabilities and makes patches available at http://www.microsoft.com/technet/security.
Tracking and assessing security threats, then finding and deploying the correct patches for each environment is a constant administrative challenge. Enterprise patch-management software can help streamline patch management, and the growing number of products in this arena is a testament to the need for easier patch management. Although I welcome all the development in this area, the currently available products still have plenty of room for improvement.
My associates and I tested seven patch-management products to determine their suitability for managing a Windows-based enterprise network. These products are not the only patch-management programs available, but they provide a good overview of the field. (For information about a free OS patch-management tool from Microsoft, see "Secure Your Clients with SUS," page 81.) We configured a complete test network (see the sidebar "Setting Up the Test Network," page 46) that reflected many common and some not-so-common configurations that IT departments must work with. We then installed each product to see how it performed.
We began the testing process with the assumption that enterprise patch-management software should meet certain minimum requirements:
- It should provide flexible methods for scanning multiple systems, including the ability to scan within and across Active Directory (AD) organizational units (OUs), IP address ranges, and standalone systems.
- It should accurately detect missing patches but skip obsolete or irrelevant patches.
- It should allow easy patch deployment across a network.
In addition to testing for these minimum requirements, we reviewed the following additional features:
- accurate, up-to-date information and analysis of current security patches
- coverage of the most commonly used OSs and products
- policy enforcement through custom computer or patch groups
- a secure mechanism for scanning for, acquiring, and distributing patches
- scalability to allow for large networks, multiple administrators, and multiple scanning stations
- flexible scheduling and alerting features
- flexible and useful reporting options
Our tests produced no clear winners. No one product works best for all environments. Although some products are clear leaders in the field, each has strengths and weaknesses that might make it appropriate or inappropriate for your network. To determine the products that meet your requirements, you must look at their features. Web Table 1 (http://www.winnetmag.com, InstantDoc ID 40710) lists the products we tested, their features, and a summary of their strengths. Because this technology is rapidly changing, check with the vendors for the most recent product information and updates.