Fixes for Cracks in Windows

By Cameron Sturdevant  |  Posted 2002-01-07 Print this article Print

Configuresoft tool eases patching process—for relatively low cost.

It goes without saying that organizations with many Windows systems have been installing a lot of security patches lately. eWeek Labs tests show that harried managers can get some relief from this chore by using Configuresoft Inc.s Security Update Manager.

But there are catches. The first is that organizations must already have Configuresofts ECM (Enterprise Configuration Manager) monitoring application installed. (For eWeek Labs March 19, 2001, review of ECM, go to The other catch is that, unlike competitors such as PatchLink Corp.s namesake PatchLink Update, which can handle a mix of operating systems, Security Update Manager is a Windows-only tool.

Given that crackers focus mainly on Microsoft Corp.s operating system, that Windows-centric worldview isnt necessarily a weakness. Security Update Manager also adds a twist by linking with Microsofts patch Web site, which made it easy for us to get the information and the latest patches with almost no effort.

Security Update Manager is relatively easy on the wallet, running $25 per managed server and $5 per PC. The required ECM software puts a bigger load on the bottom line, running $775 per server and $30 per PC. In contrast, PatchLink requires a $995 console but costs only $12 per license for each managed server or PC. Security Update Manager started shipping at the end of November.

Pinpointing Problem PCs

Security Update Manager is best thought of as a labor-saving distribution tool and as a fault-reduction utility. During our tests, based on detailed software information already collected by ECM, Security Update Manager quickly reported which systems and PCs had known vulnerabilities based on security bulletins published by Microsoft.

The product does this by connecting to an XML database created by Microsoft and then comparing the configuration of the machines in the network with the information provided by the bulletins. Security Update Manager tracked which patches we applied to our systems, thereby eliminating time wasted on "just-in-case" installations of security patches.

Because Security Update Manager is so tightly coupled with Microsofts bulletin publishing system, we didnt need to visit the Web site to check for new patches. Security Update Manager notified us via e-mail when new patches became available.

We ran an assessment to see which of our machines, if any, had the weakness. Then we downloaded the patch and tested it on one system before using Security Update Manager to deploy the patch to other systems.

We could have accomplished some of these tasks using Windows built-in Windows Update tool. However, this would mean going to each system individually, manually running the check and downloading the patch from the Web site. Using Security Update Manager, we were able to assess machines for weaknesses, schedule update deployments for those machines and easily check the status of the job.

Failed deployments were noted on the console, so we could take further action.

Security Update Manager is also a fault-reduction utility, for lack of a better term, because it automatically checks for security updates, thereby eliminating the need for a system administrator to constantly check for new updates. This means system managers will be notified quickly when patches are available and will deploy patches more systematically.

The product made it easy for us to group machines however we wished—for example, by function or patch level—so we were able to ensure that critical patches were distributed to the most vulnerable machines first.

This, combined with Security Update Managers ability to handle deployment jobs with all the common command-line switches (such as using -z to prevent a reboot at the end of the process), meant that we were able to keep machines updated with little fuss.

The product also made it easy for us to determine which patches were necessary for previously patched machines. For example, it determined when a "rollup" patch for Windows 2000 Server already contained fixes for other vulnerabilities, thereby eliminating the need for a second patch to be deployed.

Senior Analyst Cameron Sturdevant can be reached at

Cameron Sturdevant Cameron Sturdevant is the executive editor of Enterprise Networking Planet. Prior to ENP, Cameron was technical analyst at PCWeek Labs, starting in 1997. Cameron finished up as the eWEEK Labs Technical Director in 2012. Before his extensive labs tenure Cameron paid his IT dues working in technical support and sales engineering at a software publishing firm . Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his analysis is grounded in real-world concern. Follow Cameron on Twitter at csturdevant, or reach him by email at

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel