Although we are an SMS/SUS ITMU shop, we have had several problems/issues over the past 3 years with ensuring that a patch gets applied and stays applied. This is why I aggressively began looking at available Patch Management products 2 ½ years ago. Products evaluated include: BigFix, Ecora, Marimba, St. Bernard's updateEXPERT, GFI Languard and CA's Unicenter. I may have missed some that we did look at, but they fell off the list early. Our situation was we had 50,000+ workstations and servers, of which not all had SMS. We were using GPOs in some regions, logon scripts in others and manual in others. SMS was only on about 60% of these workstations, and in most cases, not on the servers. We started using in-house written utilities to validate patches and other tools like LanGuard, and it was apparent that for some reason, patches were missing or not completely installed. We worked with Microsoft on the ones that Microsoft's tools had said it was on, and when we drilled down, we found out it was not fully installed. Of course this became very frustrating, but it was apparent that we needed a faster and better way of checking.
Our baseline for the product was simple, as the product needed to be centrally managed and agent-based. For example, when you do a scan of your environment you are only getting a point-in-time snapshot, and this was not working for us. We also wanted and needed a very stealthy product, as we did not want to disrupt our users with pop-ups and other information in the initial install. We wanted to get the product installed, facilitate the training, and then turn on these other features. The other main requirement was it had to cover more than Microsoft, as we have hundreds of other products in-house, which also have security patches. Now let me comment on some of the results we uncovered during our evaluation, and this is by no means saying the other products are not very good. For us, they just did not work in our situation, and some of them just point you back to the Microsoft site to pull the patch in. This did not work for us, as I gold certify our patches before they move to QA or testing. Other products did not have the flexibility to turn off some of the pop-ups, and most of the products did not cover every software product we have installed. And on a side note, we wanted a better way of eradicating a virus if it did make it in, and we needed a tool that could look for payloads left behind. As you know, you can patch as fast as you can, but some still get in. And unless you are doing full scans once a week with your AV tool, you will never find the machines that may have gotten infected. We also had some very strict times when servers and some workstations could be patched, and SMS does not always provide the flexibility we need. Our servers can only be cycled on Sundays between 8 a.m. and 10 a.m. We also have roaming tablet PCs that need patches, but had a very small window and most of the time on slow links. Trying to set this up within SMS proved to be a challenge, as the server team was also looking to take some control back for this process.
Also, our maintenance window did not always meet the slow or down time. With the aforementioned, this is why PatchLink was selected. It gave us this and much more, beginning with the first installation of the agent. It helped identify problem areas within the company, as well as, for the first time, gave a single point of view of just what was on and what was missing. This product and new process gave us a better way to plan the remediation of machines that had fallen behind. The other very interesting thing is we found servers that had software on them that we were not aware of, and of course it was vulnerable. We were then able to work with the teams and remove software that should not have been on the server to begin with. Every day we find more uses for PatchLink, as it has been a great tool in our overall arsenal of tools used to protect our environment.
