Patch management is one of the central tasks of endpoint administrators, so it's no surprise that there are many third-party patch management products to choose from. The available offerings vary widely in capabilities, so be sure to shop around before picking one for your organization.
We've already examined patching products from GFI Software, Symantec/Altiris and Lumension. Let's look at two more and compare how they all stack up for enterprise desktop security.
ManageEngine's Desktop Central
Desktop Central is a Web-based desktop and mobile device management product that automates administrative tasks such as distributing software, managing assets, monitoring software usage, tracking software licenses and managing patches.
Admins can use Desktop Central to deploy Microsoft and non-Microsoft patches, including hotfixes and security updates, on both Active Directory and workgroup-based networks. In addition, they can use the automated deployment features to scan systems, identify missing patches, download those patches and install them on specific systems.
Desktop Central provides patch management capabilities for both standalone and virtual desktops. Administrators can perform patch-based deployments to all systems or system-based deployments to specific systems.
Admins can also test and approve patches before performing a bulk deployment, as well as automate the handling of patch interdependencies and sequencing. The Desktop Central server is hosted on-premises and provides mechanisms to check for missing patches and download and deploy those patches.
In addition, Desktop Central lets desktop administrators configure severity levels for missing patches in order to control how those patches are deployed. Plus, admins can generate detailed reports about system vulnerability levels, missing patches, task status and other information.
However, Desktop Central is limited to Windows and Mac OS computers. Within these environments, the product is generally well regarded, as was demonstrated when it won the Windows IT Pro Community Choice Awards for Best Microsoft Windows Patch Management Product of 2013 (bronze).
Some features could have been more streamlined, but these issues have been relatively minor, and most ManageEngine users have expressed satisfaction.
SolarWinds Patch Manager
SolarWinds Patch Manager stands apart from GFI LanGuard and the other products we previously reviewed in that it is concerned only with Windows and fewer than 30 applications that run on that operating system. Despite the limited scope, SolarWinds still beat out Desktop Central by taking the silver in the Best Microsoft Windows Patch Management Product Awards.
Plus, Patch Manager offers some interesting extras you don't get with a lot of other products. For example, it includes patch catalogs from Adobe, Dell and Hewlett-Packard. In addition, it provides a wide range of technical support options, such as FAQs, blogs, forums, mailing lists and recorded demos, along with typical email and phone support.
With Patch Manager, IT staffers can use Microsoft's Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM) to manage thousands of Windows servers and desktops. Admins can choose which patches to implement based on release dates and other criteria, and they can schedule updates to occur at the most convenient times.
Patch Manager supports advanced shutdown, reboot and wake-on-LAN capabilities, in addition to approval delegation and acquisition processes. Patch Manager can also detect rogue, unauthorized or improperly configured computers, as well as trap frequent errors.
The biggest challenge with Patch Manager is its Windows-only support and limited number of applications. It is also missing features found in some of the other products, such as policy baselines, patch removal and compliance policy enforcement.
Still, SolarWinds has continually upgraded Patch Manager since its acquisition a few years ago, adding features and support for more applications. It's still a Windows-only solution, but perhaps even that will change in the not-too-distant future.
Choosing a patch management system
Selecting something as important as a patch management tool is never an easy choice. Not only must you consider licensing costs, you must also choose a product that meets the needs of your organization while facilitating secure and efficient patch management.
To this end, you must take into account which operating systems and applications are supported, as well as which features are included, such as asset discovery, patch prioritization, policy enforcement and the degree to which the product can be customized.
Don't limit your scrutiny to the five products we've reviewed. These are among the most popular patch management systems, but you should look at other products as well, such as LANDesk Patch Manager and Secunia Corporate Software Inspector.
Patch management should be part of a comprehensive configuration management strategy. The last thing you want is a patch management product that makes that process any more difficult than it already is.