Five Great Patch Management Tools
New OS and software vulnerabilities are constantly being identified. Battles with bugs and defects are endless. New features and capabilities mean progress, and progress doesn’t stop. What does this all mean for the common IT Administrator? Patching, patching, patching.
With this onslaught of constant patch releases for Operating Systems and Applications, how can you protect your systems from security risks, win your battles against software defects, and keep current with advancements made in software development? One might say WSUS (Windows Server Update Services) by Microsoft can handle these hotfixes and patches. True, but if you’ve ever used WSUS, you know it’s overly cumbersome to use, riddled with pesky caveats, and most importantly, only works with Microsoft product updates. What about SCCM (System Center Configuration Manager) by Microsoft? SCCM is WSUS on steroids, built for the Enterprise. However, it’s no secret that SCCM is a beast to manage, with massive administrative overhead. This offering by Microsoft is robust, but typically only manageable by large organizations with teams dedicated to such a role.
Patch management solutions should be scalable, easy to use and cover a wide variety of vendor software. Below I’ll briefly review my top five favorite tools for patch management. Some are purely standalone systems, while others offer additional integration with WSUS or SCCM.
Recommended Tool: SolarWinds Patch Manager
SolarWinds’ award-winning solution, Patch Manager (PM), is well rounded and a breeze to work with. Alongside Microsoft patching, SolarWinds PM includes support for a wide variety of 3rd party applications, simplifying and centralizing the entire patch process, from download, to publish, to patch. Integrating with WSUS and the Microsoft update agent, SolarWinds PM can automatically patch systems based on custom schedules. Have SCCM deployed? No problem, as SolarWinds Patch Manager cleanly integrates with SCCM, supplementing your installation with value-adds such as on-demand patching, filtered views, notifications, and more. Create custom packages using a simple point-and-click wizard (no scripting knowledge required!).
The Patch status dashboard is consistent with what you’d expect from SolarWinds, providing familiarity, especially if you’re already using SolarWinds for Server or Active Directory monitoring. Built-in reports determine the status of patches and demonstrate to auditors that systems are patched and compliant. I’ve seen this solution implemented in countless environments. It’s absolutely outstanding and continues to be a top choice in my book.
LANDesk Patch Manager
LANDesk is well established amongst systems and asset management software vendors. LANDesk Patch Manager is one component in the suite of products offered by the company. Patch Manager is most effective as an agent-based install, giving you deep visibility into your network. Detect and remediate OS and third-party app vulnerabilities on systems running Windows, Red Hat, SUSE, and Mac OS X. The solution’s Wake-on-WAN feature eliminates any requirements for network configuration by implementing intelligence into an agent, increasing your patch success rates and reducing automated deployment times. Global scheduling ensures that devices are patched at the best possible time no matter where in the world, even over client VPN.
LANDesk Patch Manager can be deployed in a standalone mode or as an add-on to the LANDesk Management Suite, offering seamless integration for full systems and asset management, ticketing and more.
Shavlik has two offerings for Patch Management: Shavlik Protect+Empower and Shavlik Patch. Shavlik Protect is a complete patch management solution that offers agentless patching, OS and third-party application patching, inventory, and much more. Deploy patches to your physical or virtual assets, including Microsoft Windows, Mac OS X, and third-party applications, from a central, intuitive console. Like other patch management solutions, you can expect top-notch results when building comprehensive patch policies, detailed reports and intricate automation tasks. I’ve seen Shavlik perform very well in large environments with complex requirements. Remediation is often a team effort with large scale patching, but overall administration was fairly painless for a single FTE to manage.
Shavlik Patch maximizes your investment in SCCM by adding third-party patching with a native add-on solution to SCCM. It reduces risk from unpatched third-party applications.
ManageEngine Desktop Central
Managing software on your desktops and servers is a no-brainer. But why stop there? Wouldn’t it be nice to have a full picture of your environment to include desktops, laptops, servers, smartphones, tablets and phablets? This is exactly what ManageEngine is attempting to accomplish with its integrated desktop and mobile device management (MDM) solution called Desktop Central. The solution supports Windows, Mac and Linux, as well as mobile OSes like iOS and Android.
From a patch management perspective, Desktop Central automates patch deployments on Windows and Mac, including numerous third-party applications that run on top. Built-in templates for package creation make it easy to create your own software distributions and manage the install/uninstall process. Power management capabilities can not only save you money on utility costs, but can also ensure that your systems are online to be patched.
Desktop Central integrates with ManageEngine’s ServiceDesk Plus for contextual visibility, really bringing the entire solution together.
If I could give an award for best-looking UI, I’d give it to GFI LanGuard. Its clean and non-distracting interface makes it a pleasure to work with. This solution has been recognized in the industry for its specialized ability and commitment towards best-in-class solutions for SMBs. GFI LanGuard supports various operating systems, including Microsoft, Mac OS X, and Linux, and more than 60 third-party applications. Vulnerability assessments help in discovering risks and threats early on, enabling you to automate remediation upon detection. Built-in alerting keeps you up-to-speed with the dynamic environment.
Audits can be stressful, and GFI knows this. Advanced analysis reports detail installed applications, antivirus and other security application status, open firewall ports, file shares, and even application-specifics such as default configurations. Some additional bonuses I’d like to point out with GFI LanGuard are its change management component, asset inventory capabilities and mobile app. While not necessarily a requirement for patch management, these add-ons are handy and may be something worth checking out if you’re not already incorporating such tools in your environment.