Windows patch management tools
Different approaches to patch management tools
An organization with more than a few workstations or servers needs some kind of automated way to handle patch management, and there is a plethora of free patch management tools to choose from. Because there's more than one way to accomplish patch management, it's not uncommon for two or more parts of the same organization to be updated and managed using different applications.
You can find that situation in environments where a branch office or division of a company is moved or acquired. Suddenly, what worked before is not what works for the new parent. In this and almost all other cases, the best approach is to pick one system and consolidate on it as aggressively as possible.
There are two types of patch management tools out there.
These tools scan local machines or computers on a network, audit whatever's in reach and then produce detailed summaries or digests about what is installed where as well as what might need to be installed or updated. They do the research and make recommendations, but they don't make any actual changes.
Management or deployment tools:
- Microsoft's own Windows Server Update Services
- Gravity Storm Software's Service Pack Manager
- Ecora Patch Manager 5.0
These programs do the actual work of downloading and applying patches to local or remote machines. In many cases, they are also reporting tools -- they audit computers to see what's installed and what's needed, then download the needed updates and push them out according to an administrator's directives.
If you use multiple auditing or reporting tools, be aware ahead of time of any inconsistencies in the depth or breadth of reporting each tool provides, so you're not thrown off. If you are using multiple patch management or deployment tools, the problem isn't so much that one tool duplicates or undoes the work of another, but that the administrator (or administrators) becomes confused by the presence of multiple tools that do the same job.
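The reporting caveat above can be checked mechanically. The following is an added example, not part of the original article and not output or code from any product named here: it reconciles the exports of two hypothetical audit tools and separates differences in breadth (hosts covered) from differences in depth (patches reported per host). The CSV layouts, column names, host names and KB identifiers are constructed placeholders.

```python
import csv
import io

# Constructed sample exports from two hypothetical audit tools (not real product output).
# Tool A reports FQDNs and "KB"-prefixed IDs; tool B reports short names and bare numbers.
TOOL_A_CSV = """host,patch
WS01.corp.example,KB0000001
WS01.corp.example,KB0000002
SRV01.corp.example,KB0000001
"""
TOOL_B_CSV = """computer,update
ws01,0000001
srv01,0000001
srv01,0000003
ws02,0000001
"""


def load_report(text, host_col, patch_col):
    """Parse one export into {short_hostname: {normalized_kb_id, ...}}."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        host = row[host_col].strip().lower().split(".")[0]   # FQDN -> short name
        kb = row[patch_col].strip().upper()
        if not kb.startswith("KB"):
            kb = "KB" + kb                                    # bare number -> KB id
        report.setdefault(host, set()).add(kb)
    return report


def reconcile(a, b):
    """Compare two reports: breadth (hosts covered) and depth (patches per host)."""
    result = {
        "only_in_a": sorted(set(a) - set(b)),   # hosts tool B never saw
        "only_in_b": sorted(set(b) - set(a)),   # hosts tool A never saw
        "disagree": {},                         # shared hosts with differing patch sets
    }
    for host in sorted(set(a) & set(b)):
        if a[host] != b[host]:
            result["disagree"][host] = {
                "a_only": sorted(a[host] - b[host]),
                "b_only": sorted(b[host] - a[host]),
            }
    return result


if __name__ == "__main__":
    a = load_report(TOOL_A_CSV, "host", "patch")
    b = load_report(TOOL_B_CSV, "computer", "update")
    print(reconcile(a, b))
```

A host that appears in only one report is a coverage gap in the other tool's scan scope, while a disagreement on a shared host usually means one tool tracks a patch category the other does not.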
Using third-party tools for Windows patch management
The debate rages on about if and when to use third-party patching tools in lieu of waiting for Microsoft's Patch Tuesday. Here are some reasons to say yes to third-party patching tools.
Yes to third-party patching tools
- Additional features: Third-party patch management systems often have additional features that aren't present in the standard Microsoft way of doing things. For instance, Service Pack Manager 2000 allows the administrator to create multiple arbitrary groups of computers to better govern who gets what updates.
- Automation: Some third-party applications have automated functions that are above and beyond what's available by default, and they don't require scripting to be effective.
- Additional coverage and information: Many of these tools have detailed reporting and research functions -- for instance, the ability to automatically generate a summary of what's installed on a given machine and relevant details from Microsoft Knowledge Base articles that apply to each fix.
No to third-party patching tools
- Internal consistency: If you have one department that's using a third-party tool and another that's using the standard Microsoft patch deployment methods, it can become confusing for people trying to maintain standards across organizations -- and it might not be convenient or politically possible to get everyone to use the same tools. In such a case it might be best to fall back on Microsoft standards.
- Retraining: When people come in from another company or department where no such third-party tools are in use, you'll need to retrain them. If this happens often, it can be a drain on time and energy.
- Unneeded additional features: Not every organization needs the advanced features offered by third-party products. Sometimes the defaults work just fine.
These are not the only reasons to use or not use third-party tools for patching. If you need more convincing on either side of the topic, check out security expert Serdar Yegulalp's article on third-party patch management tools.
Free patch management tools!
Numara patch management
In any IT network, one vulnerable workstation is one too many. Numara™ Patch Manager is the complete patch management solution that scans, updates and downloads patches for Microsoft Operating Systems and applications across your entire network — directly from your desktop.
PatchLink Security Patch and Vulnerability Management Solution
PatchLink is a security patch and vulnerability management solution that combines vulnerability assessment, patch management, network access control and reporting to help organizations address the emerging security threats while minimizing costs and complexity.
UpdateEXPERT Premium is an advanced policy-based patch management solution that greatly speeds and simplifies the patching of systems whether your organization is an SME or large enterprise.
This was first published in October 2007