Patching your Windows operating systems is a never-ending story.
What do you do when you can't do it all? I speak of the never-ending job that you have in securing your systems. From firewalls to VPNs, policy to PKI, you're supposed somehow to keep the computing infrastructure of your home, your company, your country, secure. Granted that tools and knowledge abound today in a way they never have before, granted that software companies are seeking to make their products more attacker-proof and the boss finally has acknowledged that security is important, securing your systems is still an overwhelming task that can leave you frozen with indecision.
But if you don't do it, and do it well, then there's no way that your systems, from servers to every client workstation, will perform to the maximum extent possible.
So, what should you do first? What can you do with the time and resources you do have?
In this first installment of a two-part series on patching Windows, I'll offer some suggestions on how to handle Windows patchwork in medium-sized organizations and enterprises. Part two covers small businesses and the principles that are important regardless of your company's size and organizational complexity.
Patch management programs: business nirvana?
Free programs, automatic updates and periodic checks can do wonders for the really small guy, but folks with 50 to 500 computers might find that automatic applications cause them needless aggravation. While a bollixed hotfix that needs to be uninstalled before systems will run can be annoying if you have two computers, when you have quite a few more it can be a major disaster. It's therefore more important that these medium-sized businesses evaluate the hotfix. Does it affect you? Will it cause any problems for your specific systems? If you do the research, you'll know whether the fix is appropriate for your systems and needs to be done now, regardless of the downtime while systems reboot, or if it can be relegated to the normal system maintenance cycle. Sound standard operating procedures require that you test patches, too.
It's easy to see that analyzing the reports provided by free analysis programs can soak up hours of time, and they don't usually automate the process of patch delivery for multiple systems, once you decide that the patch should be applied. You might want to dedicate some time or personnel to understanding and testing each patch before you decide to apply it, or you may want to pay for that advice. You can also use the cautious, cheap analysis alternative: holding off on patch application until a fair number of other businesses apply it. If you subscribe to a number of administration/security lists, and there's a problem with a patch, you'll hear about it. If a few days pass and there are no issues, then it's probably safe to apply it on your systems.
There are additional patching solutions that make sense at this level of company size. Here's what you can do:
- Create your own management program. Use HFNetChk in a script to evaluate multiple systems and feed this information into a SQL database. In the database, also include information on specific systems, history of patching, why a certain patch must not be applied, etc. Create SQL statements that provide information about patching status. Develop scripts to download needed patches to a central location and apply patches to systems as necessary. This can be an elaborate program or a simple reporting system where additional software or manual labor takes care of the most critical patch applications.
- Download and use Microsoft's free patch management program, System Update Server (SUS). SUS allows you to set up an update server on your network. This server can be configured to download new updates automatically or at your direction. You then approve each patch, or not. Once approved, the patches can be distributed by configuring a client program, also available free from Microsoft. The client can then automatically download your approved patches from the SUS server on your network. Critics complain that they can't customize it the way they want and that it lacks reporting facilities. Give me a break; it's version 1, and it's free. Use it, write your own, or purchase someone else's.
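The "create your own management program" option above, sketched as an added example (not the author's code): a minimal SQLite-backed patch database that loads scan results, holds the per-system exemptions and patch history the text calls for, and answers two status questions, what still needs applying and where a recorded application apparently did not take. The scan input format is a constructed, simplified "host bulletin status" form emitted by a hypothetical wrapper script, not HFNetChk's real output.

```python
import sqlite3

# Constructed sample scan results in a simplified "host bulletin status" form;
# this is NOT HFNetChk's real output, just what a wrapper script might emit.
SAMPLE_REPORT = """\
FILESRV01 MS02-042 NOT FOUND
FILESRV01 MS02-045 FOUND
WEB01 MS02-042 NOT FOUND
WEB01 MS02-045 NOT FOUND
"""

# Constructed exemptions: patches that must not be applied to a given system, and why.
EXEMPTIONS = [("WEB01", "MS02-045", "breaks vendor ISAPI filter; waiting on vendor fix")]

SCHEMA = """
CREATE TABLE scan (host TEXT, bulletin TEXT, status TEXT, PRIMARY KEY (host, bulletin));
CREATE TABLE exemption (host TEXT, bulletin TEXT, reason TEXT, PRIMARY KEY (host, bulletin));
CREATE TABLE applied (host TEXT, bulletin TEXT, applied_on TEXT, PRIMARY KEY (host, bulletin));
"""

def build_db(report=SAMPLE_REPORT, exemptions=EXEMPTIONS):
    """Create an in-memory database and load one scan plus the exemption list."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for line in report.splitlines():
        if not line.strip():
            continue
        host, bulletin, status = line.split(maxsplit=2)
        conn.execute("INSERT OR REPLACE INTO scan VALUES (?, ?, ?)", (host, bulletin, status))
    conn.executemany("INSERT INTO exemption VALUES (?, ?, ?)", exemptions)
    return conn

def work_queue(conn):
    """Hosts missing a patch that has no recorded exemption: the to-do list."""
    return conn.execute("""
        SELECT s.host, s.bulletin FROM scan s
        LEFT JOIN exemption e ON e.host = s.host AND e.bulletin = s.bulletin
        WHERE s.status = 'NOT FOUND' AND e.host IS NULL
        ORDER BY s.host, s.bulletin""").fetchall()

def record_applied(conn, host, bulletin, applied_on):
    """Log a patch application so the history survives the next scan."""
    conn.execute("INSERT OR REPLACE INTO applied VALUES (?, ?, ?)", (host, bulletin, applied_on))

def suspect_failures(conn):
    """Patches logged as applied but still reported missing: verify these by hand."""
    return conn.execute("""
        SELECT a.host, a.bulletin, a.applied_on FROM applied a
        JOIN scan s ON s.host = a.host AND s.bulletin = a.bulletin
        WHERE s.status = 'NOT FOUND'
        ORDER BY a.host, a.bulletin""").fetchall()
```

Re-running the scan after each maintenance window and comparing it against the applied table is what turns this from a report into a validation step.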
A number of companies have developed patch management programs that do more than the freebies do. These programs deal with the problem of servicing a large number of devices. Some of them even include the ability to work across multiple systems. You'll pay for these puppies though -- and for that reason, among others, you need to consider whether these solutions are appropriate for the size of your company. Some of you may think their price is right even though you have few systems to manage. (Price varies depending on the number of machines you need to manage. I've seen pricing in the $15 - $45 per machine range, and you'll pay more per machine for fewer than 50 machines.) Others may decide that an in-house solution is best. I've provided information on three of the Windows-specific solutions below. But the fact is that when your company reaches a certain size -- sorry, you'll have to determine what that size is -- you need the features and reporting capabilities that the freebies don't offer. There are solutions in the mixed operating system/device space; you can read about one example at the PatchLink Website. However, we'll limit our discussion to those that are Windows-specific.
- Microsoft SMS feature pack - This is a free add-on, but Systems Management Server, the underlying product, is not. SMS feature pack provides support for patch management of systems that are managed by SMS, including analysis, distribution and reporting.
- Shavlik Technologies' HFNetChkPro - Shavlik Technologies provides a more sophisticated product at a price. HFNetChkPro adds functionality, including agent-free analysis, management of patch installation and validation of patch application.
- St. Bernard Software's UpdateExpert - This is a patch management program that automatically finds updates and patches and downloads them to the server. Administrators control inventory of patch installation on machines and distribution of patches. No agent must be installed on client machines. The program also provides links to relevant Microsoft online articles, and its own database of patch information, as an aid to administrators in determining whether the patch should be applied. The product also verifies that approved patches are installed.
Put the process in motion
It's not enough to download, purchase or say you'll use one of these tools; you have to put that tool to work. You also have to do so tomorrow, and the next day and the next and, well, you get the picture. Patching systems is not a choice anymore; the choice is in deciding what tools we'll use to get the job done.
Roberta Bragg is an author and consultant on Windows security issues.
This was first published in November 2002