In-Depth

A Patchwork Quilt

Patch management is no longer a luxury to have a secure network—it’s a necessity. We test six solutions to the problem of knowing whether or not your servers and desktops are up to date.

• By David W. Tschanz
• 08/01/2003

Effective patching has become a national priority with the country’s cybersecurity plan now urging that the patch management process become simpler. Most administrators are unable to keep pace with the barrage of security alerts coming out at the pace of about one every two to three days. Hence, automation is the only effective solution. But which product should you use to automate patch management?

This review looks at six patch management products for Windows networks. All six programs have the same basic characteristics—they’re designed to scan network clients for their patch status, assess them against an ideal list and deploy patches. All six have access to a database of patches to call upon, a system of obtaining the latest patches and a means of providing administrators with reports about what’s going on. If a patch management product can’t handle these essential functions, steer clear.

BigFix Patch Manager 3.0
Patch Manager 3.0 is part of the BigFix Enterprise Suite of products that includes BigFix Enterprise Server, BigFix Enterprise Console, BigFix Enterprise Client and the BigFix Patch Manager Library, as well as the heart of the process—Patch Manager 3.0.

System requirements for BigFix include Windows 2000 Server and IIS. The BigFix Enterprise Client can be installed on any Windows 95 or later client as well as Linux, Mac OS9 or OSX and Sun Solaris.

I found installation smooth except for a few stops and starts. I felt that the troubleshooting aids were limited, but the tech support people were prompt in their response and the suggested fix worked.

BigFix has an agent-based architecture that uses the agent-side intelligence for patch-configuration scanning of the end-user host and for pulling down the patches pushed out by the BigFix administrator. Agent installation is easy and the footprint small. The administrator can create "Fixlet" messages, in which a group of patches are packaged by BigFix, and then push them out to hosts that meet the requirements for the patch. These requirements are stored in the Fixlet messages and include parameters such as registry keys, application-build levels and OS platform.

Fixlets are central to BigFix’s technology. These are intelligent messages that can detect a problem, proactively alert users or administrators to the problem before failure occurs and deploy a one-click solution. (See Figure 1). Administrators have the ability to write customized Fixlets, making BigFix more than just a patch management tool; it can be a customizable network security system that allows creation and enforcement of policies across the enterprise.

Figure 1. Fixlets—part of the BixFix suite—alert you to potential holes in your security and how they could be exploited. (Click image to view larger version.)

The user interface emulates an e-mail inbox for patches, continually receiving new Fixlet messages. The machine’s administrator monitors the inbox and can ignore patches that are irrelevant to the environment and start processes to apply those that are important.

As an agent-based solution, Patch Manager distributes intelligence to every node in a network, creating a two-way dialog between the server and an individual machine or groups of machines. This distributed structure takes advantage of local processing capabilities to improve performance, enable real-time assessment and streamline the overall patch management process throughout large networks. The actual work is done on the client side—a significant advantage in terms of server load balancing and network traffic.

Using agents means minimal impact on bandwidth; Patch Manager can support up to 15,000 machines per server. It also means the system can be left in a permanent “on” state. Scanning and updating can be done continuously, without causing network congestion. Agentless and less robust agent-based solutions normally get around the traffic problem by scheduling scanning and deployment at very long intervals, but this can leave network computers unpatched for appreciable lengths of time.

Patch Manager provides numerous deployment capabilities, such as the ability to schedule the exact deployment date and time, to deploy multiple patches with a single action and to create policies to deploy a fix automatically to any computers that experience a specified future problem. Administrators can control download restart and bandwidth throttling for remote and dial-up connections. BigFix offers the ability to target fixes to specific computers, groups of computers or to Active Directory domains or organizational units.

Other nice features of Patch Manager are the ability to sort patches based on download size, release date, severity and product type and to create hierarchical machine groups to ease management and deployment. Additionally, Patch Manger provides multi-level administrator privileges and relevance evaluation of patches and affected machines.

The program continuously monitors patches until every machine is fixed.

BigFix mirrors all downloads to clients from a central mirror server, thus limiting external communication to the Internet and reducing the load on valuable external access while facilitating the enforcement of network restrictions.

On the client, Patch Manager requires no user input. The BigFix Enterprise Client has virtually no impact on system performance while it checks for new relevant Fixlet messages or applies actions to client computers. In most cases, patches and updates are applied without user knowledge or intervention. In rare cases, where user input is necessary or desirable, the IT administrator can post a message to inform the user of a pending action and request assistance. Thus, the administrator has control over user involvement.

The Fixlet writing function allows you to create and enforce policies across the enterprise, with the same ease and relentlessness as patching. Let’s say you don’t want your users to install Kazaa and tie up company bandwidth downloading mp3 files. You can write a simple Fixlet that will go out and hunt it down and remove it. And it will keep on doing this until the employee with Kazaa fixation either gives up or gets fired.

BigFix Patch Manager 3.0 is an excellent product with an elegant and extensive architecture and richness to its design. At the same time, it’s the most expensive of all the solutions in this roundup. In a vast enterprise with a substantial IT budget, this is not a real problem, and the expense is easily justified. In a small enterprise, the extra cost may be hard to justify, making it necessary to turn elsewhere.

Ecora Patch Manager 2.0
Yes, you read right. There are two Patch Managers being reviewed. Life got more complicated when Ecora’s PatchMeister became Patch Manager 2.0 (reviewed here); and by the time you read this, it will have morphed into Patch Manager 3.0, further confusing it with BigFix’s Patch Manager 3.0.

Patch Manager is the evolution of Ecora’s free patch management tool released last year. Patch Manager is part of Ecora’s Total Configuration Management platform, which includes Enterprise Auditor 3.0. The platform, which uses an agentless architecture, includes features such as cross-platform configuration reporting in Enterprise Auditor, support in Patch Manager for Microsoft Terminal Services and the ability to push patches to SQL and Exchange servers.

Patch Manager 2.0 requires NT 4.0 with SP4 (either Workstation or Server), Windows 2000 or XP. The Remote Registry Service must be enabled. The machine should have at least a 500MHz CPU, 256MB of RAM , Internet Explorer 5.01 SP2 or higher, 35MB of free disk space available for software, as well as sufficient disk space for the patch repository.

Obtaining and installing an evaluation copy of Ecora’s Patch Manager isn’t straightforward. First, I downloaded the product from the Ecora Web site, then I started the installation process. In the midst of that I had to stop and go online again to “create an Ecora account.” OK, why not? Creating an Ecora account appears to be primarily aimed at providing a lot of demographic information (which you can’t not provide), including your e-mail address. But that’s not all. I had to go to my e-mail account and get my super-secret user ID and password. My classified ID is my e-mail account and my password, a randomly generated series of letters that can be changed. Armed with that I could finally finish installing the product, a good 10 to 15 minutes after starting—content in the knowledge that Ecora has lots of marketing related information about me.

After that 15 minute demonstration of why process improvement gurus have jobs, I was expecting installation to be a tedious and laborious process with lots of fits and starts. It wasn’t.

The program is user-friendly and intuitive. The company has reason to be proud of its patent-pending 3-D Patch Views, which allows an administrator to quickly see all missing patches in the environment by machine, application or a particular patch. You can also view the scan analysis by host, application or patch for a quick snapshot of what needs to be resolved.

Patch Manager 2.0 allows user-defined grouping of servers and workstations so analysis or installation can be done by departments, machine types, time zones and so on, as shown in Figure 2. Service packs and hotfixes can be deployed interactively or on a scheduled basis. Either way, the admin simply has to identify groups or individual machines and select one or more patches; Patch Manager automatically installs patches on the specified machines.

Patch Manager uses both registry checks and file integrity checks to validate if service packs or hotfixes are installed, not just remote registry checks. This eliminates guesswork and helps ensure the accuracy of the patch status analysis.

Figure 2. With Ecora’s Patch Manager, you can define groupings of servers or workstations, tailoring a solution to your particular situation. (Click image to view larger version.)

Patch Manager can be configured to send an alert via e-mail, SNMP or event log when new patches come out. It also provides automatic information regarding all critical events such as patch push failures, security lapses, and so on. It dynamically updates its database of patches, meaning that subsequent analyses of the environment are performed with the most current patch information.

Patch Manager creates HTML reports for easy printing. The reports can also be exported into a CSV file for further manipulation in Microsoft Excel and other tools.

Patch Manager 2.0 does everything it says it will, but the agentless architecture makes it best suited for smaller networks. Deploying clients may not be an administrator’s favorite job, but the payoff is well worth it in scalability and overcoming excess network traffic.

Patch Manager 2.0 is an adequate product, but its rough edges gave me pause. The release I evaluated included a reporting tool that felt tacked on. There was no policy manager function to allow the setting and enforcement of patch policies or the designation of machines to which to apply the appropriate patches. Patch Manager 3.0, which came out as I was wrapping this review, appears to address some of these issues, if the press releases are accurate.

Version 3.0 will include a reporting center, where admins can run reports to better manage on-going enterprise-wide patch activities. Additionally, you can create reports for management to demonstrate what systems have been patched, where missing patches may exist and whether systems are in compliance with corporate standards.

A Policy Manager feature allows you to set and enforce patch policies that describe what systems to scan and patch, how to scan and apply the appropriate patches, and when to scan and patch each system. Once policies are defined, you can automate the patch analysis and remediation process and schedule patching to occur at the optimal time.

GFI NSS 3.2
GFI’s LANguard Network Security Scanner (NSS) is a leading security scanner that incorporates patch management. Security scanning and patch management fit well together; using one tool to do both makes the process more intuitive and manageable. NSS works in conjunction with Microsoft’s Software Update Services (SUS).

SUS is a free patch management tool that’s essentially a version of Windows Update intended to run on a network, with each workstation connecting to the SUS Server instead of Windows Update. It’s the marriage of the two products that provides NSS with much of its patch management capability.

NSS requires Windows NT 4.0 SP 6, Windows 2000 or Windows XP Professional and Internet Explorer 5.1 or higher. A well constructed wizard walks you through the installation process, and in no time you’re up and running. However, if you want to use NSS for patch management, GFI strongly recommends that you install Microsoft Software Update Service Server first.

NSS can deploy service packs, third-party software patches and clients, and Microsoft application patches and service packs for Office, SQL Server, Exchange Server and ISA Server. It can also deploy third-party software patches and clients and check that all patches have been installed correctly. SUS alone does none of these things.

Scanning the network requires that the user either enter the IP range directly at the top of the scanner interface or use the Scan Wizard to specify which computers to scan. You can scan domains, specific computers or an entire IP range. One of the nice features of NSS is that it groups all vulnerabilities into separate nodes, allowing users to expand only the information they wish to view.

Once the network scan is complete, missing patches and service packs are detailed under the Alerts node. Right clicking on a patch or a service pack allows you to deploy the missing service pack or patch to a particular computer or all computers. A “deploy patches” dialog allows you to specify what patches to push out to what computers.

After you specify what patches to push out, NSS creates a list of service packs and patches that need to be downloaded to the NSS download directory. You can also create a report listing all missing patches and service packs.

Other nodes include Netbios names; trusted domains; shares; local users and local groups, services, password policy, registry, hot fixes and open ports. This variety of nodes underscores NSS’ principal roots as a security scanner with patch management capabilities added in.

Using NSS is easy and the documentation is excellent. NSS was slower than the other products at scanning and patch deployment, but it’s unclear whether the cause was SUS or NSS. Reports were clear and easy to use. (Figure 3 shows the product in action.)

Figure 3. LANguard Network Security Scanner combines a network scanner with patch management. (Click image to view larger version.)

While NSS excels at security scanning, it seems to lack the same zip for patch management. In fact, I had a vague sense throughout that patch management was sort of an afterthought tacked on to the product. The security reports could be better looking, and there’s currently no way to store past scans in a database. Still, this is an adequate product for a small network with limited resources and a desire to combine security scanning and patch management.

PatchLink Update 4.0
A year ago, I reviewed PatchLink Update 3.0 and gave it good marks for being a high quality patch management program. So when I received Patchlink Update 4.0 to review, I met it with mixed emotions: It was like greeting an old friend, but with a bit of trepidation as to whether she had changed. And then while I was in the midst of the review of Patchlink Update 4.0, the Scottsdale, Arizona-based company announced PatchLink Update 5’s imminent release and sent along a beta.

Patchlink Update requires Windows 2000 Server (with Service Pack 2 or higher), plus 256MB RAM, 5GB disk space and a 500MHz processor. Software requirements include IIS and an Internet connection. PatchLink recommends running it on a dedicated computer. In addition, the system can’t have SQL Server running, nor can it be a domain controller. The software does work on a member server. During the process the installer moved quickly and smoothly, even doing a system check to ensure minimum requirements have been met.

Upon completion, the system needs to be locked down, and PatchLink is quite serious about assessing the entire system for security and patch status, strongly urging disabling or turning off unnecessary Windows and network services (such as Remote Registry and Microsoft File and Print Sharing, closing unnecessary TCP/UDP ports and so forth. The installation process sets up a Microsoft Data Engine (MSDE) database, which can be upgraded to a full SQL Server after installation—strongly recommended for large networks.

PatchLink Update 4.0 uses a pure agent architecture. Installation was smooth for both the server and agents, with three methods to choose from: single agent install, multiple agent rollout and a network login scripts distribution. Clients need to have an OS at least as recent as Windows 95 OSR2 with Internet Explorer 4.01. Update Agents are available for NetWare as well as Win2K, NT, Windows 95/98/Me/XP, Unix/Linux, and Java environments.

PatchLink includes an inventory system and subscription service to keep an organization’s patches up to date. It does for Novell Directory Services and Active Directory what Windows Update does for the Windows desktop: It detects software product versions on all networked systems and provides the means to correct them (Figure 4).

Figure 4. PatchLink update tracks patches from Microsoft as well as non-Microsoft vendors. (Click image to view larger version.)

The patented Discovery Agent can detect patch fingerprints across different types of computers connected by nothing more than your existing extranet. PatchLink, the company, monitors Microsoft and other vendors, such as Citrix Systems and Adobe, for newly released patches. It then tests the patches, places them in its proprietary package format and deploys them to customers’ local PatchLink servers over a Secure Sockets Layer at an administrator-set time.

PatchLink automatically caches critical patches on the update server, a marked advantage over agentless products. Non-critical patches are downloaded at the administrator's request. Patches are rolled out using a Web-based distribution system. The Update Agent communicates exclusively via Web protocols, even through a proxy server, if necessary. This means you won’t need to open additional holes in your firewall to update computers scattered around your company’s extranet.

Administrators connect to the PatchLink server through a Web interface—a management method that lets them view reports, deploy packages, create packages and view system inventory. Administrators also have the ability to configure groups of machines with baseline patch settings. If a computer in the group is missing any patches defined in the baseline set, they’re automatically installed on the computer. PatchLink also allows administrators to create their own patches out of the box, enabling them to issue registry changes or distribute software.

In addition to deploying patches, PatchLink also inventories the hardware and software installed on a system and can aid in monitoring licensing levels. If a patch is removed from a machine because of a new application installation or because the operating system was reinstalled to an older configuration, the agent will alert the management console about the missing patches. Conversely, if a patch is found to be defective, the admin can uninstall it.

In terms of disaster recovery, if something happens to the system, you can build a new machine with the same name and reinstall PatchLink Update on it. All the agents will report in as if nothing happened. Administrators will lose historical deployment data, but they won’t have to reinstall all the agents.

PatchLink notes that it’s imperative to test all patches before rolling them out and that the company will only guarantee what the manufacturer says about the patch. Once a patch is tested, it can be sent automatically with a single click.

PatchLink Update 4.0 proved to be every bit as good or even better than its noteworthy predecessor, and still remains a solid, reliable product that has a deserved reputation as a leader in the field.

PatchLink Update 5.0 adds Windows Server 2003 compatibility and also provides user management functionality defined as "role-based administration"; fully customizable graphical reporting; and the ability to assess patch compliancy by groups of computers, application or severity. Role-based administration gives you the ability to designate who is permitted to release patches and updates throughout an entire organization—and how. Fully customizable graphical reporting based on the Microsoft .NET framework and powered by Crystal Reports facilitates an IT administrator's responsibility for justifying patch compliance and provides an effective method for briefing management on an organization's current patch status and/or network vulnerability.

PatchLink Update 6.0, planned for an end-of-year release, is targeted at providing security and reducing vulnerabilities on hubs, routers, switches and PDAs, as well as “obsolete” firmware.

St. Bernard UpdateEXPERT 6.0
St. Bernard’s UpdateEXPERT 6.0 (Figure 5) addresses the issue of patch management architecture in an interesting way. It’s the only product that addresses the problem of choosing between agent-based and agentless architectures by allowing the user to select the method.

The rationale is that this hybridization (or duality) provides support in situations where there’s a need to manage servers and workstations that are isolated or otherwise locked down but still require an agent. In these situations, an agentless solution can be deployed for most workstations, with the optional client agent deployed on the locked down machines. UpdateEXPERT uses Remote Procedure Calls (RPC) to manage machines for systems not using client agents. With the agent, it’s possible to throttle bandwidth and distribute the workload back to the managed machines.

Figure 5. St. Bernard’s UpdateEXPERT is the only pro-duct in this roundup that gives admins the choice of agent-based or agentless configurations. (Click image to view larger version.)

UpdateEXPERT requires NT 4.0, Windows 2000, or XP Professional on a Pentium Class machine with a meager 32MB of RAM. The Console and the Agent Installer require that Internet Explorer 5.x or higher be installed. When the Console or Agent Installer runs on NT 4.0 systems, Service Pack 4 or higher must be installed. Disk space requirements vary depending on which components of UpdateEXPERT are installed. But you can generally get away with a paltry 25MB on the machine that is doing all the work and maintaining the local patch repository.

The components of the product that can be installed are the Console, the Master Agent, the Leaf Agent and the Agent installer. Installation is straightforward with the usual options, including whether to perform a typical install or a custom install. The latter allows you to install the Console and Master Agent independently, but will always put the Agent installer on your machine.

During my testing, installation was smooth and without incident.

As with all the other products I evaluated, UpdateEXPERT enables the identification of patches and available fixes, scanning workstations and servers and deploying them to any number of networked machines, validating the process. Essentially UpdateEXPERT determines what software patches are applicable and which ones can be safely implemented for each system and then “pushes” the remediation process by deploying updates out to individual workstations.

The process is fairly straightforward. The system administrator chooses what machines to manage. UpdateEXPERT discovers the patch levels for the machines’ OSs and applications. Using a user-defined list of required patches, UpdateEXPERT compares the individual system’s software patches against this baseline of required patches and produces a conformance report. Then it accesses the patch management database maintained in support of the product, identifies what updates are applicable and which ones can be safely implemented given the configuration of the total system and the repairs being considered.

The program offers recommendations on how to update the machines with patches and warns/prevents “impending doom” due to mismatches, missing prerequisites and the like. UpdateEXPERT automates the patch management process of managing and deploying updates out to individual workstations and servers. Remediation can be customized by department or by individual workstation or server or configured to begin after hours.

After all this is completed, UpdateEXPERT, validates the process and delivers “executive” and conformance reports based on a user-defined set of required patches (baseline) and a summary of action taken during and after remediation.

St. Bernard engineers maintain an Internet-accessible “metadatabase” of patch information and instructions. The database is sophisticated enough to build tailored scripts and an update itinerary for each software location.

There’s a clever integration of a Web site into UpdateEXPERT so that its own expertise (and knowledge of the location of reliable fix resources) is kept up to date. This helps the product organize and streamline the job to avoid errors and omissions. It also keeps the administrator aware of time-critical changes, emergencies and vulnerabilities that may have been missed or require significant research. It presents the status of each station and each server (in terms of updates and vulnerabilities) in a clear format. It notes exceptions, creates relevant scripts and where possible actually installs fixes through the network, tests and validates them, and records the results in its database (which can be interrogated by the administrator at any time).

St. Bernard also deserves an extra- large 24-carat gold star for its excellent documentation. It’s well-written, clear, concise and extremely useful. The online help is also clear and well-organized.

UpdateEXPERT has a few flaws. First is its limited scope—it’s Microsoft-centric and doesn’t support other platforms. Also, while combining agentless- and agent-based architectures in the same product sounds like the best of both worlds, it really doesn’t solve the inherent flaws in agentless architecture vis-à-vis large networks. Trying to keep track of which system is using which methods is an extra administrative task that doesn’t add much value.

For UpdateEXPERT to establish itself as a major player in the field, it needs to go beyond Microsoft and come to a decision about architecture. Having said that, I would strongly urge anyone responsible for choosing a patch management product for a small Windows network hosting only Microsoft applications to thoroughly evaluate this product. There’s a depth and richness here waiting to be discovered.

Shavlik HFNetChkPro Enterprise 4.0
HFNetChkPro 4.0 is the enterprise version of the HFNetChk utility provided free by Microsoft. The enterprise edition adds a management GUI and the ability to push patches out to systems. The architecture is agentless. Installation takes only minutes, with minimal difficulty. System requirements include Microsoft Data Access Components (MDAC) 2.6 SP2 or later, Windows Installer Version 2.0, XML Parser 3.0 SP2 and Jet 4.0 SP3. If any of these components are missing, the installer informs you and provides a link to the Microsoft site to access them.

HFNetChk Pro uses the base HFNetChk engine, which is based on the XML and cabinet (CAB) files Microsoft maintains, to determine which patches are installed and which are missing from the system. Shavlik also has added its own information to the XML file, such as information pertaining to patches and vulnerabilities in MDAC and Java Virtual Machines. When checking for missing patches, HFNetChk Pro uses a combination of checks, including file versions, checksums and registry keys. HFNetChk advises you in its reports of any errors.

As Figure 6 shows, the GUI is spectacular, as is the scan configuration wizard. You have the option to scan one machine, one domain, multiple machines, multiple domains, IP address ranges or variations thereof. You can create a text file listing what should be scanned and import that data into HFNetChk. Scans can be named and listed in the favorites section of the program, which is used to store frequently used scans, for easy launching. Scans also can be scheduled to run periodically.

HFNetChkPro reports on necessary (or required) patches and/or explicitly installed patches. You also can customize thread settings that control how much network traffic the product creates.

There are also automated find-and-fix features that control what machines are scanned and how patches are deployed. In addition, the success of patch installation for each server is tracked. After deploying patches, HFNetChkPro rescans the network to ensure they’re installed correctly. The new PushPatch Tracker shows in real time what’s happening on each server being scanned. This is a major improvement over the previous version’s static console that only showed final results.

Figure 6. Shavlik’s HFNetChkPro has a great-looking, highly informative GUI. (Click image to view larger version.)

Newly added templates let you customize scans by groups of servers or products. The program includes tools that permit you to assess the vulnerabilities addressed by new patches.

After HFNetChkPro deploys patches, it rescans the network to ensure the patches installed correctly. Servers that accepted the patch without problems are displayed in green, while servers that experienced problems are displayed in red.

Guarding against information overload, HFNetChkPro allows administrators to display patch data and advisories based on their severity rating and criticality. Even with this filter on, the system will issue reminders about low-priority patches and routine maintenance updates.

HFNetChkPro also adds a new feature that collects security bulletins and advisories from primary and third-party sources. It's an interesting feature, but it's unclear if it adds value since providing a plethora of opinions doesn’t really help a user sort through the noise—which will only grow in volume as Shavlik adds more contributors to the system.

Patch management takes place through a drag-and-drop method whereby administrators can select a group of computers or IP addresses, drop them on an icon that represents a rule, such as search for a particular patch, and install it if it is missing. The tool works in conjunction with Shavlik's new PushPatch Tracker, which shows in real time what’s happening on each server being scanned. This is a major improvement over the previous version’s static console that only showed final results.

Patch deployment can be performed with a mouse click. One patch can be shuttled out to all necessary systems, or all patches required on a single system can be deployed. The software downloads the patches from Microsoft and stores them in a selected location. The patch to be installed is copied to the target machine and installed at the scheduled time. You can control system reboots and shut down SQL or IIS servers, backing up files for uninstall or using quiet mode for installation. When deploying multiple patches to a single machine, HFNetChkPro creates a batch file for deployment and uses the Microsoft-supplied utility Qchain.exe to install all patches at once with only one reboot.

You can generate reports by machine, patch, operating system, machine detail or missing service packs. Documentation was adequate, though occasionally I found some of the help functions a bit obscure.

HFNetChkPro 4.0 is a good product but it doesn’t belong in the upper tier of solution options. One reason is the agentless architecture, and the other is that it’s built for Microsoft-centric environments and seems designed only for security patches. If you’re looking for a simple patch management application that’s fairly sophisticated for a small network, this is definitely a product you should look at; but if you have more, you’ll need to look elsewhere.

Making the Choice
So, which product should you select for your own patch management needs? If you’re working with a dynamic network containing hundreds or thousands of nodes and a constantly-changing architecture, you should look at the agent-based products, BigFix Enterprise and PatchLink Update. Of the two, BigFix is best for the larger environment (>10,000 nodes) but has the largest price tag. Patchlink Update has an excellent interface and a long history of incremental improvements that keep it at the forefront, which is why I’m partial to it. Smaller networks may benefit from the relative simplicity and central management of agentless products. St. Bernard’s UpdateEXPERT and Shavlik’s HFNetChkPro are the leaders here, though there are other worthy contenders.

The bottom line, though, is that if you’re responsible for protecting a network of any size from the thousand perils on the Internet, you need to get a patching strategy in place. Using any of the products in this roundup is much better than just hiding and trying to pretend the problem doesn’t exist. Not doing something about patching is tantamount to criminal neglect.