Patching Windows operating systems and applications is a monumental undertaking. More than 100 new vulnerabilities were recorded on average each day in 2004, making the task of acquiring, testing and deploying patches virtually a full-time job.
The patch management process has to account for how and when patches will be obtained and what sort of testing will be done prior to implementing them in your Windows environment. Once that bridge has been crossed, you have to determine how to most effectively and efficiently deploy and install the patches.
You have basically two choices for automating patch deployment. The patches can either be pushed from a central server out to the various client systems, or the client systems can contact the central server and pull the patches down. Which is better? Is pulling more efficient than pushing or vice versa? The answer depends on your environment.
You can benefit from the advantages of pushing patches depending on how your network is configured and the robustness of your patching server and network infrastructure.
Pros: Pushing patches from a central server provides more control in terms of scheduling the deployment. This way deployment won't impact the network during production hours or your ability to deploy the patch in segments or phases to different groups of machines or portions of the network, so the network bandwidth or server processor will not become saturated.
Cons: In order to push the patches out to client machines, the patch server must have an up-to-date inventory or client listing. Devices that are new or may be missing from the inventory listing will be skipped and remain vulnerable even after the patch deployment is completed. In order to effectively use a push deployment system like this, some process or procedure would need to be in place to ensure devices are added to the inventory as they are deployed to the network or to perform frequent periodic updates of the inventory listing.
For distributed environments, where the patch server may have to communicate across subnets and through firewalls to reach all of the client machines, establishing a deployment methodology where the clients pull from the server may be more effective. The patch server can be placed in a central location, possibly even in a DMZ where all of the client machines can reach it freely, and the clients can contact the patch server to get the patches they need.
Pros: Patch management software or a logon script can be used to initiate the communication from the client machines to the patch server. Registry entries or other keys can be used to identify the clients that need patching and those that don't. Configuring the network so clients automatically connect with the patch server to determine their need for patches -- and install the necessary ones -- can be more efficient and may provide a higher deployment success rate than pushing.
Cons: The down side is that using a logon script means somehow ensuring that users actually reboot or login on a regular basis to get new patches, and if all users login at the same time, the network bandwidth could be maxed out with patch installations.
Push and pull tools
Some patch management applications rely on one method or the other, while the better solutions, such as St. Bernard's UpdateExpert or Shavlik Technologies' HFNetChk are capable of doing either or both. You have to examine the patch deployment issue from the viewpoint of your unique network and assess the pros and cons of each deployment method to determine which one, or which combination of the two, will be most effective for your network. Networks with a lot of roaming users or computers that may be turned off may benefit more from a pull solution to ensure clients get the updates they need.
About the author: Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security, providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security.
More information from SearchWindowsSecurity.com
- Webcast: Testing patches for a speedy rollout
- Tip: Teach users how to patch their own systems
- Step-by-Step Guide: Patch management must-do list
This was first published in July 2005