With Microsoft releasing more than 230 security bulletins since the beginning of 2000 — most of those requiring some sort of corrective action to fix a hole in one of its Windows-based products — the numbers speak for themselves: Windows patch management in an enterprise environment is a nightmare.
We tested four stand-alone Windows patch management products — BigFix Enterprise Suite, Gravity Storm Software Service Pack Manager 2000, PatchLink’s Update and Shavlik Technologies’ HfNetChk Pro — to find out if they improve patch deployment.
Patch management tools should identify accurately which patches are missing on each system, provide an easy means to deploy patches and provide administrative reports tracking patch status across multiple machines.
The products we tested attack the problem in two ways — with or without agent software. Agent-based products — such as those from PatchLink and BigFix — can greatly reduce network traffic by offloading processing and analysis to the target system, saving data until it needs to report to the central server. But they also force an administrator to manage software on all systems the product analyses.
With agentless products — such as those from Shavlik and Gravity Storm — you don’t have any distributed management issues, but whenever a scan is requested all tests and communications travel over the network. If scanning a domain with a large number of systems, the increase in network traffic can be quite significant.
PatchLink’s Update 4.0 earned the highest total score for its ease of use, flexibility, automation and letting you easily create deployment packages.
PatchLink has two components — PatchLink Update Server and the agent. The Update Server is installed on a Windows 2000 Server with SP2 and Internet Information Server (IIS). The installation process sets up a Microsoft Data Engine (MSDE) database, which can be upgraded to a full SQL Server after installation. This upgrade is recommended for large organisations.
You easily can push the agents to targeted machines using the Agent Install Wizard, or agents can be installed during the logon process.
For management purposes, administrators connect to the PatchLink server through a Web interface, which lets you view reports, deploy packages, create packages and view system inventory.
PatchLink, the company, monitors Microsoft and other vendors, such as Citrix Systems and Adobe Systems, for newly released patches. PatchLink engineers test the patches, put them into PatchLink’s proprietary package format and deploy them to customers’ local PatchLink servers through a periodic subscription-checking process, which occurs over Secure Sockets Layer at a time the administrator configures.
Administrators receive e-mail informing them of a new patch on the PatchLink server. If it is a critical patch, it also is downloaded to the Update Server on the customer’s network. Noncritical patches will be downloaded at the administrator’s request.
PatchLink automatically caches critical patches on the Update Server, a marked difference from BigFix and the agentless products. Caching patches is useful and the recent Sapphire/Slammer SQL Server worm proves the point. If a worm or other malicious act is taking place that slows down the Internet, how will administrators download patches to their critical servers? With cached patches, you already have the files at your location.
On the other hand, cached patches must be stored somewhere, so your system needs to include adequate disk space. We very easily deployed all necessary patches to one machine and deployed a single patch to multiple machines with PatchLink Update Server. We controlled whether the system rebooted automatically and could set our own deployment flags, providing detailed control not found in the other products.
One of the best administrative features PatchLink offers is its ability to let administrators configure groups of machines with baseline patch settings. If a computer in the group is missing any patches defined in the baseline set, they are automatically installed on the computer.
Another key feature PatchLink offers is the ability to create your own patches out of the box. You can issue registry changes or distribute software using this tool. In our test, we added antivirus software to the baseline configuration. A system on the network that did not have this software automatically received it via PatchLink Update.
PatchLink inventories the hardware and software installed on a system, providing an easy means of monitoring licensing levels. You can place locks on system configurations so you are alerted if anything on the system changes.
In terms of disaster recovery, if something happens to the system, you build a new machine with the same name and reinstall PatchLink Update on it. All the agents will report in as if nothing happened. Administrators will lose historical deployment data, but they will not have to reinstall all the agents.
BigFix Enterprise Suite
BigFix includes three components — Server, Console and Agent. The Server maintains the data and performs the processing tasks. The Console is the administrative Windows graphical user interface (GUI) application with embedded HTML components. The Agent software is installed on managed systems. The product also includes access to the BigFix Enterprise Security Site, which is the vendor’s repository for security information.
The core of BigFix’s product is a technology called fixlets, messages that monitor, detect and fix identified problems, such as a missing hot-fix. Fixlets have attributes that define a problem, a description of the problem and a recommended fix.
Installing this product is a three-step process. The server runs on Win 2000 Server with SP2. MSDE is installed with the product if an existing database is not found on the system. SQL Server can be used to increase scalability.
You select which machines need agents, and the server installs the software remotely. The footprint of the agent is relatively small, running about 4.5Mbytes. In our tests, the agent had some issues identifying missing patches. On one system, it identified a patch as missing when it actually was installed on the system.
You can deploy patches to one or many machines. Because the agents are always monitoring the system, BigFix also includes an option to install a patch whenever it is relevant on a system.
Fixlets can automatically reboot the system, display a message to the user, be distributed over a period of time to reduce network traffic and be scheduled to run at a specific date and time. When deployment starts, the patch is downloaded from the BigFix site to the local server and then to the machines scheduled to receive the patch.
Patch distributions worked well in our test, but BigFix doesn’t provide the same detailed control as PatchLink nor does it let customers create their own packages unless they purchase a separate development environment.
Reports are generated by a separate engine, which is launched with the BigFix console, but requires a separate logon. Default reports include computer properties, operating systems distribution, relevant fixlets and relevant fixlets over time.
Shavlik HfNetChk Pro
HfNetChk Pro is the enterprise version of the popular HfNetChk tool Microsoft distributes. Enterprise-level features include a management GUI and the ability to push patches out to systems. HfNetChk Pro, an agentless product, installs on a Win NT, 2000 or XP system, requiring no additional software on the target machines.
Installation takes only minutes. System requirements include Microsoft Data Access Components (MDAC) 2.6 SP2 or later, Windows Installer Version 2.0, XML Parser 3.0 SP2 and Jet 4.0 SP3. If any of these components are missing, the installer informs you and provides a link to the Microsoft site to access them.
HfNetChk Pro uses the base HfNetChk engine, which is based on the XML and cabinet (CAB) files that Microsoft maintains, to determine which patches are installed and which are missing from the system. A CAB file is a Microsoft file type used to compress files for distribution. Shavlik also has added its own information to the XML file, such as information pertaining to patches and vulnerabilities in MDAC and Java Virtual Machines. When checking for missing patches, HfNetChk Pro uses a combination of checks, including file versions, checksums and registry keys. If any information is incorrect, HfNetChk will let you know in its reports.
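The combination of checks described above (registry key, file version and checksum) and the baseline comparison described earlier for PatchLink can be sketched as follows. This is an added illustration, not code from any of the reviewed products; the hotfix id, registry key, file path and file contents are constructed placeholders, and a host whose signals disagree is reported as inconsistent rather than counted as patched.

```python
import hashlib
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn a file version such as '5.0.2195.6824' into a comparable tuple of ints."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class PatchSpec:
    """What a patch should leave behind: a registry key, a minimum file version and a checksum."""
    patch_id: str
    reg_key: str
    path: str
    min_version: str
    sha1: str


@dataclass
class Host:
    name: str
    registry: set   # hotfix registry keys found on the host (constructed inventory)
    files: dict     # path -> (file version, file bytes)


def check_patch(host: Host, spec: PatchSpec) -> str:
    """Combine the three signals; disagreement is reported, not resolved by guessing."""
    reg_ok = spec.reg_key in host.registry
    ver_ok = sum_ok = False
    if spec.path in host.files:
        version, content = host.files[spec.path]
        ver_ok = parse_version(version) >= parse_version(spec.min_version)
        sum_ok = hashlib.sha1(content).hexdigest() == spec.sha1
    if reg_ok and ver_ok and sum_ok:
        return "installed"
    if not (reg_ok or ver_ok or sum_ok):
        return "missing"
    return "inconsistent"   # e.g. registry says installed but the binary is still old


def baseline_report(hosts, baseline) -> dict:
    """Per host, every baseline patch that is not cleanly installed."""
    report = {}
    for host in hosts:
        results = {spec.patch_id: check_patch(host, spec) for spec in baseline}
        report[host.name] = {pid: r for pid, r in results.items() if r != "installed"}
    return report


# Constructed sample data; the hotfix id, key and path are placeholders, not real metadata.
PATCHED = b"constructed bytes standing in for the patched binary"
OLD = b"constructed bytes standing in for the unpatched binary"
DLL = r"C:\WINNT\system32\example.dll"
BASELINE = [PatchSpec("Q-PLACEHOLDER-1", r"HotFix\Q-PLACEHOLDER-1", DLL,
                      "5.0.2195.6000", hashlib.sha1(PATCHED).hexdigest())]
HOSTS = [
    Host("SERVER1", {r"HotFix\Q-PLACEHOLDER-1"}, {DLL: ("5.0.2195.6000", PATCHED)}),
    Host("SERVER2", {r"HotFix\Q-PLACEHOLDER-1"}, {DLL: ("5.0.2195.5000", OLD)}),
    Host("SERVER3", set(), {DLL: ("5.0.2195.5000", OLD)}),
]

if __name__ == "__main__":
    print(baseline_report(HOSTS, BASELINE))
```

SERVER2 is the interesting case: a registry-only check would count it as patched, which is the kind of misreport the review notes for agents and roll-up packages elsewhere on this page.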
The HfNetChk Pro ships with a command-line facility but its GUI is the best of the products we reviewed — very intuitive and easy to use. An excellent scan configuration wizard is included. Stepping through the wizard to create a scan, you have the option to scan one machine, one domain, multiple machines, multiple domains, IP address ranges or a variation thereof. You can create a text file listing what should be scanned and import that data into HfNetChk. Scans can be named and listed in the favourites section of the program, which is used to store frequently used scans, for easy launching. Scans also can be scheduled to run periodically.
For scan options, HfNetChk can report on necessary (or required) patches and/or explicitly installed patches. Administrators also have the option of scanning only for patches from Windows Update, the free patch service that Microsoft provides. You also can set thread settings that control how much network traffic the product creates. Of course, the less traffic created, the longer the scan time.
HfNetChk Pro did a good job scanning the network. It quickly identified all the servers in the domain. Scans also took a short amount of time, running about two minutes for our five servers.
Patch deployment can be performed with a mouse click. One patch can be deployed to all necessary systems, or all patches required on a single system can be deployed. The patches are downloaded from Microsoft and stored in the selected location. The patch to be installed will be copied to the target machine and installed at the scheduled time. System reboots can be controlled, as can shutting down SQL or IIS server, backing up files for uninstall or using quiet mode for installation. We found no issues with patch deployment for this product. The patch deployment wizard is easy to use and lets you specify whether you want to reboot the server, remove temporary installation files and the like. However, you don’t have the detailed flag control that you have with PatchLink.
When deploying multiple patches to a single machine, HfNetChk Pro creates a batch file for deployment and uses Qchain.exe, a tool that Microsoft provides, to let all patches be installed and use only one reboot.
Reports can be printed by machine, patch, operating system, machine detail or missing service packs.
Gravity Storm SPM 2000
SPM 2000 is another agentless product. As with HfNetChk Pro, installation takes just a few minutes. SPM 2000’s one main requirement is that Windows Internet Name Service be installed because it is used for name resolution. The GUI is not as intuitive as HfNetChk Pro’s, but it provides a lot of the same functionality. SPM 2000 clearly differentiates between operating system patches and product patches — Gravity Storm’s term for any non-operating system patch — by providing different GUI tabs for these two categories.
With SPM 2000, administrators can scan by domain or individual system. They also can create Virtual Custom Networks, which is a fancy way of describing the ability to create your own groupings.
SPM 2000 does provide some system information, such as available disk space, running processes and diagnostics. You also can view the event log, send alert messages or remove network shares from any remote machine through the SPM 2000 GUI. Scans, called NetQueries in SPM 2000, can run immediately or be scheduled periodically. Scan results can be logged to a CSV file for further analysis.
SPM 2000 works faster than HfNetChk Pro, but it is not as accurate. When scanning the network for systems, it often missed an available server. Also, when scanning systems for missing patches, it never properly scanned Server 1 in our test bed. No other products had any issues finding this system. Additionally, on one server that already had the Win 2000 Security roll-up package installed, SPM 2000 reported that all the patches included in that roll-up were not installed on the system.
For deployment, patches must first be downloaded into the download directory, which can be located on any network-attached storage device the administrator selects. This can occur when patches are deployed or at an earlier time, but this process cannot be automated. Gravity Storm maintains its own inventory of hot-fixes that Microsoft released on its own site. To update the patch information in SPM 2000, Gravity Storm implemented a LiveUpdate feature. This requests the latest database from Gravity Storm and immediately imports the information into SPM 2000, making the latest patch information available to subsequent NetQueries. LiveUpdate also can be scheduled to run unattended.
Once the service pack or hot-fix has been downloaded, the patch can be deployed. A hot-fix can be deployed to multiple machines, and multiple hot-fixes can be deployed to a single machine. By default, machines are rebooted after installation but an administrator can override this function. Deployments can occur immediately or be scheduled.
Administrators also can deploy user-defined hot-fixes, which can be any Microsoft-issued patch along with the proper command-line switches and parameters.
As with other products, the time it takes to deploy a patch depends on the network bandwidth available to transfer the patch. PatchLink compresses the patch for transfer, which speeds up the process a bit.
One nice feature is that administrators can create profiles comprising a selection of hot-fixes and service packs. Systems can be compared against these defined profiles to check for compliance. However, these profiles must be updated manually to reflect any new hot-fix releases.
The reporting engine in SPM 2000 is not as robust or flexible as the engine in HfNetChk Pro. It creates an HTML report based on the last NetQuery that shows all patch information by computer.
Mandy Andress is president of ArcSec Technologies, a security company focusing on product reviews and analysis