igor - Fotolia
An effective software patching strategy is essential to enterprise desktop security, but the patch management process can be a complex and resource-intensive undertaking. That's why many organizations turn to third-party products to facilitate their administrative efforts.
A proper patch management system will identify, install and verify both operating system and application patches. Such a tool helps free up in-house resources while streamlining ongoing maintenance. Yet choosing the right patching product for your organization is no small task, especially given how widely products can vary. This is the first of two articles that will look at five top patch management tools and how they benefit IT.
Altiris Patch Management Solution
The Altiris Patch Management Solution is a component of the Altiris Client Management Suite from Symantec Corp. You can purchase the component separately or as part of the suite. Altiris enables desktop admins to centrally manage patches on Windows, Mac OS and Linux systems, whether running on standalone computers or as virtual desktops. In addition, IT can control patching operations on more than 150 Microsoft and third-party apps.
The Altiris software includes detailed analytic capabilities to help IT professionals model patching processes, determine overall risks and gather key performance metrics. Admins can analyze trends and track progress against these metrics as well as access predefined reports from a centralized dashboard. The utility is geared toward the large enterprise and includes workflow automation templates such as zero-day patching and patch change management.
Altiris Patch Management also supports asset discovery, multiple patch deployment and vulnerability scanning, among other features. However, it lacks capabilities you might find in some other products. For example, Altiris doesn't support patch removal, offline patching or enforcement of compliance with corporate policies.
Concerns have also been raised about the product misreading app version numbers and not being able to properly install patches if the target applications are running. In addition, product information can be difficult to find, and technical support resources such as FAQs or forums are not as robust as with other products. Even pricing can be difficult to pinpoint. That said, Symantec still covers the basics by providing webinars and white papers as well as email and phone support.
GFI LanGuard is an endpoint protection product that lets you manage, secure and troubleshoot your network as well as the systems and software running on that network. One of the main features of LanGuard is its patch management component, which lets admins manage OS and application patching in all supported languages. LanGuard provides the means to auto-download missing patches, roll back patches, and deploy custom software and scripts.
Unlike many products, LanGuard supports both agent-based and agentless implementations. It also includes features such as wake-on-LAN capabilities and the ability to group desktops and servers by attributes.
However, some users have reported reliability issues, such as patches being applied more than once or the inability to patch commonly used applications. Even so, LanGuard lets you manage both security and nonsecurity patches in addition to its other assessment and auditing features.
In 2013, LanGuard won the Windows IT Pro Community Choice Award for Best Security Product (bronze) and the Tech Awards Circle award (silver). It was also a runner-up in the Windows Security Readers' Choice Awards. Although the awards apply to the product as a whole, much of the credit undoubtedly goes to LanGuard's patching capabilities.
Lumension Endpoint Management and Security Suite
Lumension Endpoint Management and Security Suite is a comprehensive set of management tools that cover administrative tasks such as power and configuration management, device and application control, and, of course, the patch management process -- delivered via the Patch and Remediation component.
Like LanGuard, the Lumension suite has won several awards in the past year, but it is too comprehensive to directly give credit to the Patch and Remediation component. That said, the component offers a number of noteworthy features. One is its support for a wide range of operating systems, not just Windows, Mac OS and Linux, but also systems such as CentOS, IBM AIX and Solaris.
In addition, the Patch and Remediation component supports integrated asset discovery, automated policy baselines, enhanced wake-on-LAN and power management reporting. Plus, it includes a patented fingerprinting technology that can determine whether an endpoint is patched or unpatched across the various systems and applications.
Lumension supports additional capabilities such as distributed patch payload caching, vulnerability asset management, policy baselines for automated system management and custom scripting.
However, the Endpoint Management and Security Suite does not support patch removal or offline patching, nor does it support as many apps as other patch products, sticking mostly to Microsoft and Adobe products. For example, the component currently doesn't support Google Chrome or Mozilla Thunderbird.
Lastly, some critics have suggested that the product is slower than other systems when responding to published patches and is limited in its ability to recognize different languages. On the other hand, the Patch and Remediation component offers many important features, such as multipatch deployment, vulnerability scanning, patch prioritization and patch scheduling.
In my next article, we'll compare two more products and look at the entire patch management process.
Is Microsoft railroading enterprise IT with rapid Windows 8 updates?
Microsoft patches IE flaws and introduces whitelisting plugin
Updated patch management guide for Windows desktops
Top 10 desktop security and Windows articles of 2013
A Windows security checklist for IT