It might be a banal subject for some network managers, but security update management is essential. With hundreds of workstations, scores of servers and almost as many operating systems making up the average corporate environment, making sure they all receive the required patches can be a headache-inducing task.
Enter St Bernard Software. Its UpdateEXPERT has long been seen as the market leader in update management software, and version 6.2 adds extra functionality to an already impressive product.
This release is aimed at enterprise functionality, so support for Active Directory features heavily, along with support for more complex network architectures, such as wide area networks (WANs) and demilitarized zones (DMZs).
Multiple machines can now be used as management consoles, which means that several administrators can manage the system and see the results of changes made on other consoles. This is useful due to the increasingly complex nature of patch management.
Support is included for Windows NT4, 2000 and XP, as well as IIS, SQL, Exchange, Internet Explorer, Media Player, Windows Media Services, NetMeeting, Office and Outlook 2000, XP and Microsoft Data Access Components.
The fact that it is aimed exclusively at the management of a Windows environment could be of concern. However, it is a fact of life that most of the patches issued come from Microsoft, so this could be less of a problem than first thought.
Other additions to 6.2 include support for disconnected machines, so that laptops can be managed while disconnected from the network – the updates are carried out as soon as a designated machine is reconnected.
The software operates through the management consoles and (optional) machine agents. Information on each workstation on the network is gathered through remote access or by the optional client agent and the inventory is fed back to the master agent machine to compare against a list of relevant updates from Microsoft. Required patches are then sent out to workstations and servers.
The main graphical user interface of the software is based on Windows Explorer and, as a result, is straightforward and familiar. It is split into three windows, and includes a browser to view the critical updates in circulation. The software supports a smart plug-in for HP OpenView.
The patches themselves are all independently assessed, tested and maintained by St Bernard Software in a database that it claims is updated as often as three to five times a week. There is also an online resource center which allows you to research problems you might come across, and the specific functions of individual Microsoft patches.
Among the newer additions to the UpdateEXPERT armoury are "leaf agents." These are installed on client machines that either have Microsoft Networking turned off (such as in a DMZ) or only have a very slow network connection.
The leaf agents allow for encryption and compression of data, resulting in quicker, more secure communications, but at the cost of having to visit each machine to install one. Machines with leaf agents installed can talk to the master agent via a dedicated TCP port number, negating the need for Microsoft Networking.
Following the straightforward installation process, you must download the latest version of the UpdateEXPERT patch database in order to determine what patches must be deployed, and where.
The patch update process is entirely configurable. After the network manager has determined which patches need to be installed across the network, those patches are downloaded to the specified directory on the master agent machine.
The patches are then pushed out to the machines in question either straightaway, or at a designated time. The latter might be the best option, except in the case of extremely critical updates, to save on both bandwidth and workstation resources during busy times.
You can also specify a "baseline" policy, where all machines on the network can be compared to make sure that the right level of patch security has been met.
You must make sure that target machines have enough free space for all the required data, including the patch itself, the installer service and the install wizard file. As some patches can be extremely large, this could create problems on networks made up of older workstations.
The software provides seven different report functions, so you can view the patch situation on a per-machine basis, as well as separate reports on error detection, validation, deployment status and errors, to name a few.
Overall, UpdateEXPERT offers an extremely intuitive, yet comprehensive, solution to managing the rollout of patches within the enterprise. Recent additions, including support for WANs and DMZs, have improved its appeal to the larger corporation. Its price is also reasonably competitive.
The fact that the software will only manage the deployment of patches to Windows products might put some people off, despite this being the main area of concern for such a product.