Patch Management: The Enterprise Advantage

 
 
By Larry Seltzer  |  Posted 2003-06-04 Print this article Print
 
 
 
 
 
 
 

Modern patch management systems for the enterprise make it practical to keep systems up to date and protected, but the poor consumer still has to trust Microsoft.



Sorry for the broken record treatment to all my regular readers, but I think its perhaps the most important security point in real world IT: Too many vulnerable systems are left in exposed situations, even when patches have been made available. For large networks that require active management, the answer is a patch management system like the one described in this eWEEK review.

The vendors in this category of administrative tool have made a lot of progress. And yet there is a recurring tension in patch management between the inherent sense in patching against known vulnerabilities and the desire to not disturb a system that is functioning correctly. The proper answer (here comes another lecture) is that you should test patches on a test bed of representative systems, or at least on a non-critical set of guinea pig systems on your network, as the eWEEK review suggests. These patch management systems make it easier to implement those best practices, but that doesnt answer every concern, and it still amounts to work for you to do.

So what do you do if there is a problem? Most, if not all of the systems allow you to roll the patch back. There are two problems with this approach: it can be time-consuming and complicated to determine there is a problem and to remediate it by unpatching the system; and if the problem causes the system to blue-screen, or be otherwise unstable enough that the patch management system cannot function, youll need a plan B.

Standard Plan B, of course, is to restore the pre-patch backup you certainly made. You dont need to backup the whole system. On Windows (the NT derivatives: Windows NT4, 2000, XP and 2003) you can backup "system state," which saves all the registry and critical system files likely to have been patched. If something totally murders your system you can then manually boot into the Windows Recovery Console and restore the system state backup (there is no such console on NT4 - yet another reason to upgrade from it - but you can make a recovery floppy). Its a heavyweight operation, but it should always work and it will be necessary only on rare occasions. I have a scheduled script that runs every night to backup system state and critical data files to a second hard drive in my most critical systems. Knowing I have this, and therefore knowing I can lose only at most a days work, gives me the confidence to install any patch.

I hear people complain sometimes that patches (they usually mean Microsoft patches, but other operating systems have at least as many) are more trouble than theyre worth. This is the kind of thinking that brought us the Slammer incident. Its a bad idea to apply patches blindly and without a plan, but its an even worse idea to dismiss patches for critical problems and leave your systems exposed.

As with so many other software fields, these vendors will need to keep ahead of what Microsoft itself offers. This week at TechEd in Dallas, Microsoft pledged to improve their patch distribution process, both to unify the installers for the patches and to cut the distribution channels to a minimum. For larger networks there is now Microsoft Software Update Services (SUS), which basically lets you set up your own in-house Windows Update server. Its not in the class of any of the products eWEEK reviewed, and its not supposed to be. But Microsoft needs to continue to improve the baseline of services included with Windows, and SUS is an improvement.

You enterprise types think you have it rough? Pity the poor consumer or small business users who doesnt have your experience and resources. There are no modern patch management systems for your dentist and his Windows Me system, just Windows Update, assuming he has the initiative to go there regularly. Microsofts approach over the last few years has been to make it easier for consumers to automatically apply patches; apart from allowing them to be uninstalled through the normal Add/Remove facilities, the assumption is that consumers arent going to test patches before applying them, and how could they? Its hard to know how this part of the system can improve. The enterprise can protect itself, but we still have the network equivalent of a public health problem.

 
 
 
 
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel