Fixes for Cracks in Windows

Configuresoft tool eases patching process-for relatively low cost.

It goes without saying that organizations with many Windows systems have been installing a lot of security patches lately. eWeek Labs tests show that harried managers can get some relief from this chore by using Configuresoft Inc.s Security Update Manager.

But there are catches. The first is that organizations must already have Configuresofts ECM (Enterprise Configuration Manager) monitoring application installed. (For eWeek Labs March 19, 2001, review of ECM, go to The other catch is that, unlike competitors such as PatchLink Corp.s namesake PatchLink Update, which can handle a mix of operating systems, Security Update Manager is a Windows-only tool.

Given that crackers focus mainly on Microsoft Corp.s operating system, that Windows-centric worldview isnt necessarily a weakness. Security Update Manager also adds a twist by linking with Microsofts patch Web site, which made it easy for us to get the information and the latest patches with almost no effort.

Security Update Manager is relatively easy on the wallet, running $25 per managed server and $5 per PC. The required ECM software puts a bigger load on the bottom line, running $775 per server and $30 per PC. In contrast, PatchLink requires a $995 console but costs only $12 per license for each managed server or PC. Security Update Manager started shipping at the end of November.

Pinpointing Problem PCs

Security Update Manager is best thought of as a labor-saving distribution tool and as a fault-reduction utility. During our tests, based on detailed software information already collected by ECM, Security Update Manager quickly reported which systems and PCs had known vulnerabilities based on security bulletins published by Microsoft.

The product does this by connecting to an XML database created by Microsoft and then comparing the configuration of the machines in the network with the information provided by the bulletins. Security Update Manager tracked which patches we applied to our systems, thereby eliminating time wasted on "just-in-case" installations of security patches.

Because Security Update Manager is so tightly coupled with Microsofts bulletin publishing system, we didnt need to visit the Web site to check for new patches. Security Update Manager notified us via e-mail when new patches became available.

We ran an assessment to see which of our machines, if any, had the weakness. Then we downloaded the patch and tested it on one system before using Security Update Manager to deploy the patch to other systems.

We could have accomplished some of these tasks using Windows built-in Windows Update tool. However, this would mean going to each system individually, manually running the check and downloading the patch from the Web site. Using Security Update Manager, we were able to assess machines for weaknesses, schedule update deployments for those machines and easily check the status of the job.

Failed deployments were noted on the console, so we could take further action.

Security Update Manager is also a fault-reduction utility, for lack of a better term, because it automatically checks for security updates, thereby eliminating the need for a system administrator to constantly check for new updates. This means system managers will be notified quickly when patches are available and will deploy patches more systematically.

The product made it easy for us to group machines however we wished—for example, by function or patch level—so we were able to ensure that critical patches were distributed to the most vulnerable machines first.

This, combined with Security Update Managers ability to handle deployment jobs with all the common command-line switches (such as using -z to prevent a reboot at the end of the process), meant that we were able to keep machines updated with little fuss.

The product also made it easy for us to determine which patches were necessary for previously patched machines. For example, it determined when a "rollup" patch for Windows 2000 Server already contained fixes for other vulnerabilities, thereby eliminating the need for a second patch to be deployed.

Senior Analyst Cameron Sturdevant can be reached at [email protected]