The lowdown: Patch management software

What is it? Patch management software helps systems administrators distribute fixes to operating system software, applications and, in some cases, to system settings without having to manually install them on each target system. While most patch management tools target Microsoft Windows systems, many now support Linux, Unix, Solaris and Mac OS X. They're often part of a configuration management system, designed to enforce specific security and configuration policies.

How do I decide which computers to patch and which patches to install? Make sure your patch management tool provides some way to audit networked systems to determine their patch levels, plus a way to group systems based on how they're used. Some tools provide policy-based management, allowing you to tie specific security or configuration profiles to a group of systems using a database or directory service. If you use directory services to manage other aspects of security and authentication, a directory-based patch system may be a better fit than a system that stores information in its own database.

Can't patches break my applications? It's important to study the effects of patches before you roll them out. Some tools include either a local database or a remote knowledge base to help determine which patches are important enough to deploy. Good services will also indicate any known conflicts between a patch and other software, plus any patch dependencies, i.e. what previous patches and other software need to be installed before the patch will work.
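The two questions above (auditing patch levels per system group, and honouring patch dependencies) can be combined into a small compliance check. The following is an added example, not code from the original article or any patch management product; the host names, patch IDs, groups and dependency table are constructed for illustration.

```python
"""Added example: audit a constructed host inventory against per-group
patch policies and order each host's missing patches so that every
prerequisite is installed first. All names and IDs are made up."""

# Constructed inventory: host -> (policy group, set of installed patch IDs)
INVENTORY = {
    "web01": ("web", {"KB-100"}),
    "db01": ("db", {"KB-100", "KB-200"}),
    "lap07": ("laptop", set()),
}

# Constructed policy: group -> patches that must be present on its members
POLICY = {
    "web": {"KB-100", "KB-101", "KB-300"},
    "db": {"KB-100", "KB-200", "KB-201"},
    "laptop": {"KB-100", "KB-300"},
}

# Constructed dependency knowledge base: patch -> patches it requires first
DEPENDS_ON = {
    "KB-101": {"KB-100"},
    "KB-201": {"KB-200"},
    "KB-300": {"KB-101"},  # KB-300 needs KB-101 even where the policy omits it
}

def install_plan(installed, required, depends_on=DEPENDS_ON):
    """Return the ordered list of patches a host still needs, with every
    prerequisite (transitively) placed before the patch that needs it.
    Raises ValueError if the dependency data contains a cycle."""
    order, done, visiting = [], set(installed), set()

    def visit(patch):
        if patch in done:
            return
        if patch in visiting:
            raise ValueError(f"dependency cycle at {patch}")
        visiting.add(patch)
        for prereq in sorted(depends_on.get(patch, ())):
            visit(prereq)
        visiting.discard(patch)
        done.add(patch)
        order.append(patch)

    for patch in sorted(required):
        visit(patch)
    return order

def audit(inventory=INVENTORY, policy=POLICY):
    """Map each host to the patches it must still receive, in install order."""
    return {host: install_plan(have, policy[group])
            for host, (group, have) in inventory.items()}
```

Running `audit()` shows lap07 picking up KB-101 as a prerequisite of KB-300 even though its group policy never lists it, which is exactly the dependency information a knowledge base should supply.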

Do I need 'agent-based' or 'agentless' patch management? Agentless patch management uses a combination of remote software calls and processes that run when a user logs in and scan systems for vulnerabilities. Agentless tools are fine for Windows-based networks without remote or occasionally connected users. But if you have remote or notebook PC users who need patches, want to quarantine unpatched systems, or want to push patches at will, you'll want an agent-based system, which installs a small software program on the client to communicate with the patch management server.
