Taking Patch Management to a New Level
a doubt, one of the most tedious chores that network administrators must routinely
perform is patch management. Hardly a week goes by that Microsoft doesn't release
some sort of patch. It is the network administrator's responsibility to download
the latest patches and apply them to all of the organization's computers. As
tedious as patch management is though, it is one chore that really shouldn't
be neglected. Not only do the various patches resolve security vulnerabilities,
once a patch is released the specific vulnerability addressed by the patch is
made public, making the vulnerability much more likely to be exploited on un-patched
Available Patch Management Solutions
There are many patch management tools available from Microsoft and from third party software vendors. Microsoft's two primary patch management solutions are SMS Server and the Software Update Service (SUS). Both are good solutions, but have their limitations. SMS Server is a comprehensive patch management solution, but has a hefty price tag and a steep learning curve. SUS is a free patch management utility that is easy to use, but it has some major limitations. SUS cannot deploy patches related to Microsoft SQL Server, Microsoft Exchange Server, or Microsoft Office. Furthermore, SUS cannot deploy patches to machines that are running Windows NT.
These various limitations mean that SUS and SMS Server simply aren't good fits for many organizations. As an alternative to these two products, many companies are turning to third party patch management solutions. One particular patch management solution that I really like is GFI's LANguard Network Security Scanner. Although GFI's LANguard has been around for a while, GFI has recently released version 5.
GFI LANguard is much more than a patch management product though. Any patch management solution will scan your network for missing patches. GFI LANguard raises the bar by also scanning the network for other types of potential security vulnerabilities.
The nice part about this feature is that you don't have to do any extra work to perform a full-blown security scan against your network. When you scan your network for missing patches, GFI LANguard will also check for things like open shares, open ports, and unused user accounts. The software also checks for security vulnerabilities related to audit policies, password policies, user accounts, groups, and computers.
When the scan is complete, GFI LANguard offers a dozen different reports that you can view. Many of these reports pertain specifically to security vulnerabilities that have been detected. Best of all, reports exist that focus solely on specific types of vulnerabilities. For example, you can choose to look at only the most serious security vulnerabilities, or to look only at vulnerabilities pertaining to your password policies.
Scanning a Network
Although LANguard offers a lot of features, the user interface is surprisingly simple. To get things started, you must initially choose which credentials you would like to use for the scan. You can choose between the currently logged on user, an alternate set of credentials, or a null session. From there you simply enter the IP address range that you wish to scan and click the Scan button. Because of the amount of time that it takes to scan all TCP and UDP ports, the software will scan only well known ports by default, but you can perform a full TCP / UDP scan if necessary.
When the scan completes, a number of different reports are compiled. These reports are viewable directly through the user interface in the Scan Filters section. Reports cover a variety of topics such as missing patches and security vulnerabilities (sorted by severity and type). In addition to the basic missing patch and security vulnerability reports, you can also view security information on a per computer basis or look at the entire network as a whole.
Once the initial scan is complete, you will probably want to deploy any missing patches or service packs. To do so, go to the Security Scanner container at the top of the user interface and then right click on the computer that you want to update. You will have the option of deploying the patches onto the selected computer or onto all computers. LANguard will send the users a message before the deployment process begins and will stop any necessary services on the user's machines.
I mentioned that one of the big drawbacks to Microsoft's SUS is that there are
a limited number of Microsoft products that it can manage patches for. This
is not the case with GFI LANguard though. GFI LANguard can handle patch management
for all Microsoft server products, operating systems, and even for Microsoft
Office. It even has the ability to deploy patches for non-Microsoft products
(although the need for such patches is not automatically detected). Although
GFI LANguard is clearly superior to SUS, GFI recommends using GFI LANguard as
a compliment to SUS rather than as an alternative to it. In fact, GFI has published
a white paper that details the specifics of using SUS and GFI LANguard together.
You can read this white paper at www.gfi.com/whitepapers/patch-management.pdf.
Another reason why using GFI LANguard in conjunction to SUS is an ideal patch management solution is because of the timeliness of patch deployment. You probably remember the SQL Slammer virus, which exploited a hole in SQL Server. A patch was available from Microsoft very soon after the virus first appeared and yet millions were affected with the virus because they did not patch SQL quickly enough. GFI LANguard allows you to deploy patches immediately to all of your computers. You also have the option of scheduling both scans and patch deployments. Additionally, you have the option of setting up various types of alerts. That way if a security scan detects a critical vulnerability you can be notified immediately so that you can take action.
course all of these are really trivial issues. Although it would be nice to
see such features appear in the next version, the current version does an excellent
job of detecting security vulnerabilities and of deploying patches.
Copyright 2004, Relevant Technologies, Inc. All rights reserved.
is an award winning technology author, and has published over 2,000 articles
for a variety of web sites and printed publications including ZDNet,
TechRepublic, Microsoft's TechNet Portal, and Windows