Taking Patch Management to a New Level
Without a doubt, one of the most tedious chores that network administrators must routinely perform is patch management. Hardly a week goes by that Microsoft doesn't release some sort of patch. It is the network administrator's responsibility to download the latest patches and apply them to all of the organization's computers. As tedious as patch management is though, it is one chore that really shouldn't be neglected. Not only do the various patches resolve security vulnerabilities, but once a patch is released the specific vulnerability addressed by the patch is made public, making the vulnerability much more likely to be exploited on un-patched
Available Patch Management Solutions
There are many patch management tools available from Microsoft and from third party software vendors. Microsoft's two primary patch management solutions are SMS Server and the Software Update Service (SUS). Both are good solutions, but have their limitations. SMS Server is a comprehensive patch management solution, but has a hefty price tag and a steep learning curve. SUS is a free patch management utility that is easy to use, but it has some major limitations. SUS cannot deploy patches related to Microsoft SQL Server, Microsoft Exchange Server, or Microsoft Office. Furthermore, SUS cannot deploy patches to machines that are running Windows NT.
These various limitations mean that SUS and SMS Server simply aren't good fits for many organizations. As an alternative to these two products, many companies are turning to third party patch management solutions. One particular patch management solution that I really like is GFI's LANguard Network Security Scanner. Although GFI's LANguard has been around for a while, GFI has recently released version 5.
GFI LANguard is much more than a patch management product though. Any patch management solution will scan your network for missing patches. GFI LANguard raises the bar by also scanning the network for other types of potential security vulnerabilities.
The nice part about this feature is that you don't have to do any extra work to perform a full-blown security scan against your network. When you scan your network for missing patches, GFI LANguard will also check for things like open shares, open ports, and unused user accounts. The software also checks for security vulnerabilities related to audit policies, password policies, user accounts, groups, and computers.
When the scan is complete, GFI LANguard offers a dozen different reports that you can view. Many of these reports pertain specifically to security vulnerabilities that have been detected. Best of all, reports exist that focus solely on specific types of vulnerabilities. For example, you can choose to look at only the most serious security vulnerabilities, or to look only at vulnerabilities pertaining to your password policies.
Scanning a Network
Although LANguard offers a lot of features, the user interface is surprisingly simple. To get things started, you must initially choose which credentials you would like to use for the scan. You can choose between the currently logged on user, an alternate set of credentials, or a null session. From there you simply enter the IP address range that you wish to scan and click the Scan button. Because of the amount of time that it takes to scan all TCP and UDP ports, the software will scan only well known ports by default, but you can perform a full TCP / UDP scan if necessary.
When the scan completes, a number of different reports are compiled. These reports are viewable directly through the user interface in the Scan Filters section. Reports cover a variety of topics such as missing patches and security vulnerabilities (sorted by severity and type). In addition to the basic missing patch and security vulnerability reports, you can also view security information on a per computer basis or look at the entire network as a whole.
Once the initial scan is complete, you will probably want to deploy any missing patches or service packs. To do so, go to the Security Scanner container at the top of the user interface and then right click on the computer that you want to update. You will have the option of deploying the patches onto the selected computer or onto all computers. LANguard will send the users a message before the deployment process begins and will stop any necessary services on the user's machines.
I mentioned that one of the big drawbacks to Microsoft's SUS is that there are a limited number of Microsoft products that it can manage patches for. This is not the case with GFI LANguard though. GFI LANguard can handle patch management for all Microsoft server products, operating systems, and even for Microsoft Office. It even has the ability to deploy patches for non-Microsoft products (although the need for such patches is not automatically detected). Although GFI LANguard is clearly superior to SUS, GFI recommends using GFI LANguard as a complement to SUS rather than as an alternative to it. In fact, GFI has published a white paper that details the specifics of using SUS and GFI LANguard together. You can read this white paper at www.gfi.com/whitepapers/patch-management.pdf.
Another reason why using GFI LANguard in conjunction with SUS is an ideal patch management solution is the timeliness of patch deployment. You probably remember the SQL Slammer virus, which exploited a hole in SQL Server. A patch was available from Microsoft very soon after the virus first appeared, and yet millions were infected by the virus because they did not patch SQL quickly enough. GFI LANguard allows you to deploy patches immediately to all of your computers. You also have the option of scheduling both scans and patch deployments. Additionally, you have the option of setting up various types of alerts. That way, if a security scan detects a critical vulnerability you can be notified immediately so that you can take action.
I really like GFI LANguard, but like any software package, there are pros and cons associated with using it. The following list outlines some of the things that I did and didn't like about LANguard:
Pros
- The interface is very easy to use
- A very good collection of reports that you can use to assess the security of your network
- Scanning results can be saved in XML format and later compared against previous scans
- Can schedule security scans and automatically deploy any newly available patches
- The alerting feature can notify you by e-mail of serious security issues
- The information that is collected during the scans is well organized
- The software greatly reduces the time commitment involved in keeping patches up to date
- The software can distribute patches to non-Microsoft products
- The software can detect the need for patches to Microsoft products not covered by SUS and can automatically deploy such patches
- It works as a perfect complement to SUS
Cons
- I would like to have seen better integration with other GFI products
- I would like to see the alerter expanded to allow alerts to be sent to instant message clients, phones, and pagers
On a scale of 1 to 5, with 1 being the worst and 5 being the best, I give GFI LANguard a 4.7. GFI LANguard is an excellent product. It is an affordable product with several pricing structures that start at $315 (USD) for up to twenty-five IP address scans. Unlimited IP address scanning costs $995 (USD). GFI LANguard Network Security Scanner is available from www.gfi.com/lannetscan and the company offers a free, thirty day trial. I did not give the product a 5 because it does not integrate with some of GFI's other products. For example, GFI's ServerMonitor is designed to monitor servers, send alerts, and take corrective action. GFI LANguard also has an alert feature that will allow users to take corrective action against security issues. It would be nice to have a central console that would allow users to configure alerting and responses across all GFI products that offer alerting capabilities. I would like to see the alerter expanded as well so that alerts could be sent to pagers, cell phones, and instant message clients. Of course, all of these are really trivial issues. Although it would be nice to see such features appear in the next version, the current version does an excellent job of detecting security vulnerabilities and of deploying patches.
Copyright 2004, Relevant Technologies, Inc. All rights reserved.
Posey is Relevant Technologies' vice president of research and is a Microsoft Certified Systems Engineer (MCSE). He previously served as the director of information systems for a large, nationwide chain of healthcare facilities, and as the Department of Defense's senior network engineer at Fort Knox (US). During his time at Fort Knox, Posey was responsible for managing highest level network security practices and disaster recovery initiatives. He has also served as editor-in-chief of several technical publications, and as a network administrator for one of the country's largest insurance companies.
He is an award-winning technology author, and has published over 2,000 articles for a variety of web sites and printed publications including ZDNet, TechRepublic, Microsoft's TechNet Portal, and Windows