In this two-part series, SearchWindowsSecurity.com contributor Serdar Yegulalp identifies tools and techniques for easing the pains of patch management. Part one discusses three different tools for automating processes and updating your systems. Part two will offer three techniques to simplify patching.
Keeping one system patched with the latest security updates and hotfixes is usually easy enough. Keeping 10, 100 or 1,000 machines up to date -- now that's agonizing. It's even worse if you inherited someone else's network, and have no idea what was patched and what wasn't, or how recently patches were made. The good news is you can approach this problem with a bevy of tools, which handle everything from auditing an existing group of systems for patch-readiness to automatically pushing patches to systems that need them.
Automate your auditing
Don't drive yourself crazy inspecting systems "by hand" to see what patches or service packs they need; use a program designed for exactly that function. One of the best third-party programs for doing this is Security Bastion's Service Pack Manager 2000, which audits for Windows service packs and patches, and looks for updates to Microsoft server products like ISA Server, SQL Server and Exchange Server. Any missing patches can be downloaded and rolled out to the target machines. A free five-computer version of the program is available for unlimited use.
Use Software Update Services to patch from within
Microsoft's Software Update Services (SUS) lets the Windows Automatic Updates client retrieve published updates from a local server rather than from Microsoft's servers. The administrator downloads the updates once, reviews them and approves the ones that should be rolled out to the organization; clients then pull only approved updates, which cuts the external bandwidth used and gives tighter control over what gets installed and when. SUS is now being revamped as Windows Update Services.
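The client side of that arrangement, as an added example that is not code from the article or from Microsoft: a batch script that points one machine's Automatic Updates at a local SUS server. The registry values are the ones the wuau.adm Group Policy template writes; the server name http://sus01 is an assumption, as is the choice of schedule.

```batch
@echo off
rem Added example, not from the article or from Microsoft: point a client's
rem Automatic Updates at a local SUS server instead of Windows Update.
rem Assumptions: the SUS server answers at http://sus01 and reg.exe is
rem available (built into Windows XP and Server 2003).
setlocal
set SUS=http://sus01
set WU=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

rem Where the client looks for approved updates, and where it reports status.
reg add %WU% /v WUServer /t REG_SZ /d %SUS% /f
reg add %WU% /v WUStatusServer /t REG_SZ /d %SUS% /f

rem UseWUServer=1 makes Automatic Updates honour WUServer at all.
reg add %WU%\AU /v UseWUServer /t REG_DWORD /d 1 /f
rem AUOptions: 2 = notify before download, 3 = download then notify before
rem install, 4 = download and install on the schedule below.
reg add %WU%\AU /v AUOptions /t REG_DWORD /d 4 /f
rem ScheduledInstallDay 0 = every day (1 = Sunday ... 7 = Saturday);
rem ScheduledInstallTime is the hour of the day, 0-23.
reg add %WU%\AU /v ScheduledInstallDay /t REG_DWORD /d 0 /f
reg add %WU%\AU /v ScheduledInstallTime /t REG_DWORD /d 3 /f
rem Make sure the policy that switches Automatic Updates off is not set.
reg add %WU%\AU /v NoAutoUpdate /t REG_DWORD /d 0 /f

rem Restart the Automatic Updates service so it reads the new values, then
rem ask it to check in with the SUS server now rather than at its next cycle.
net stop wuauserv
net start wuauserv
wuauclt /detectnow
endlocal
```

These are policy keys, so on a domain member a Group Policy object will overwrite whatever this script writes at the next refresh; use it on standalone machines or as a quick way to see what a machine is currently configured to do, and set the same values through the Windows Update policy (wuau.adm) for domain members. The client still verifies Microsoft's digital signature on every package it downloads, so a rogue SUS server can withhold updates but cannot push unsigned code; protect the server and the HTTP path to it with that in mind.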
Use PsExec for quick-and-easy remote command-line patching by hand
If you're trying to patch a system remotely from a command line and don't want the hassle of setting up remote access, consider PsExec, a freeware utility from Sysinternals (Sysinternals.com) that lets you run command-line (not GUI) programs interactively on a remote system. It works by copying a small service to the target's ADMIN$ share and starting it, so you need administrative rights on the target and its Server service reachable over SMB, but nothing has to be installed on the target in advance. It's also a good way to perform the auditing and inspection often needed to ensure that a patch installed correctly, for example checking that the files it replaced now carry the expected version and date/time stamps.
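Putting the two uses together, as an added example that is not a script from the article or from Sysinternals: a batch file that pushes one hotfix to every host in a list with PsExec, checks the installer's exit code, and then uses PsExec again for the audit step the paragraph describes. The host list, the hotfix name (hotfix.exe), the file it replaces (patched.dll) and the installer's /quiet /norestart switches are all assumptions; substitute the real ones.

```batch
@echo off
rem Added example, not a script from the article or from Sysinternals: install
rem one hotfix on every host listed in hosts.txt with PsExec, then use PsExec
rem again to verify the file it replaced. Assumptions: hosts.txt has one host
rem name per line (lines starting with # are skipped); the account running this
rem script is already an administrator on every target, so no -u/-p is passed;
rem hotfix.exe stands for the real hotfix and patched.dll for a file it updates.
setlocal
set HOTFIX=hotfix.exe
set CHECKFILE=system32\patched.dll
set LOG=patch.log

for /f "usebackq eol=# delims=" %%H in ("hosts.txt") do call :patch %%H
echo Done. Details are in %LOG%.
goto :eof

:patch
set TARGET=%1
echo === %TARGET% === >> "%LOG%"
rem -c copies the installer to the target, -f overwrites a stale copy there;
rem /quiet /norestart are the installer's own switches. PsExec returns the
rem remote process's exit code, so errorlevel is the hotfix's result
rem (or PsExec's own error if the host could not be reached).
psexec \\%TARGET% -c -f "%HOTFIX%" /quiet /norestart >> "%LOG%" 2>&1
set RC=%errorlevel%
if "%RC%"=="0" echo %TARGET%: installed
if "%RC%"=="3010" echo %TARGET%: installed, reboot required
if not "%RC%"=="0" if not "%RC%"=="3010" (
    echo %TARGET%: FAILED with exit code %RC%, see %LOG%
    goto :eof
)
rem Audit step: record the replaced file's date, time and size on the target
rem so it can be compared with the hotfix's release notes. The doubled
rem percent signs make %SystemRoot% expand on the target, not here.
psexec \\%TARGET% cmd /c dir %%SystemRoot%%\%CHECKFILE% >> "%LOG%" 2>&1
goto :eof
```

Exit code 3010 is the Windows installer convention for "succeeded, reboot required", which is why the script treats it as a success and still runs the audit step. Passing -u and -p to PsExec instead would put the password on the command line, where it is visible to every process on the administrator's workstation, so run the script from an account that already has administrative rights on the targets and leave them out.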
Part two of this series is "Quick tips for easier patching".
This was first published in November 2004