Patch management is an essential network administration task. This consists of scanning machines on the network for missing patches and deploying those patches as soon as they become available. Failure to do so makes a network doubly vulnerable, because not only is the vulnerability there, but it has now also been publicized, making it more likely to be exploited by malicious users, hackers and virus writers.
However, time and again, countless administrators fail to apply the right patches, as proven by worms such as Slammer, the January 2003 worm that spread by exploiting known vulnerabilities in unpatched Microsoft SQL Server 2000 servers. Until recently, the main reason for this was that installing patches was a cumbersome and daunting job. With the advent of sophisticated automatic patch management tools, this scenario can be eliminated.
This white paper provides an overview of how to use GFI LANguard Network Security Scanner (N.S.S.) and Microsoft Software Update Services (SUS) to keep your network updated.
About GFI LANguard Network Security Scanner (N.S.S.)
GFI LANguard N.S.S. is a leading security scanner that also offers patch management. Security scanning and patch management go hand in hand: Using one tool to do both makes the process more intuitive and more manageable for the administrator.
About Microsoft Software Update Services (SUS)
Microsoft SUS is a free patch management tool provided by Microsoft to help network administrators deploy security patches more easily. In simple terms, Microsoft SUS is a version of Windows Update that you can run on your network. Instead of each workstation having to connect to the Internet to update Windows, each workstation connects to the Microsoft SUS server and updates from there. Only the Microsoft SUS server needs access to the public Internet, since it is the machine that connects to Windows Update.
By connecting to Windows Update, Microsoft SUS Server provides notification of critical updates as well as performing automatic distribution of those updates to your workstations and servers. Microsoft SUS server gives the administrator control over updates: The administrator can test and approve updates from the public Windows Update site before deployment on the corporate intranet. Deployment takes place on a schedule created by the administrator.
Why use the combination of GFI LANguard N.S.S. and Microsoft SUS server?
Microsoft SUS server is a good solution for pushing out operating system patches. It supports all operating system patches, including patches for applications that are part of the operating system such as IIS and IE. However, Microsoft SUS does not offer the following features that are provided by GFI LANguard N.S.S.:
- Deployment of service packs
- Deployment of patches to machines running Windows NT
- Deployment of third party software patches and clients
- Deployment of Microsoft application patches and service packs for Microsoft Office, Microsoft SQL Server, Microsoft Exchange Server and Microsoft ISA Server
- Ability to check that all patches have been installed correctly.
Therefore, GFI LANguard N.S.S. and Microsoft SUS jointly make a perfect combination to keep Windows 2000/XP/.NET machines up-to-date, including service packs, Microsoft application patches and service packs, and third party software patches.
How to set up patch management on your network
Step 1: Installing Microsoft SUS server
Because Microsoft SUS server is not really a desktop-based scanning tool, but rather an automated server designed to work in the background, it is a little harder to set up than other patch management tools. However, once it is set up, the patch management process is automated, so it is well worth the extra effort.
Installing it is quite simple. You install the Microsoft SUS server (requires IIS), and configure it to check for updates. Then you must ensure that your workstations and servers have either Windows 2000 SP3, Windows XP SP1 or Windows .NET installed, or that they have the Microsoft SUS client installed. Note that Windows NT is not supported.
You can push out the SUS client using Group Policy quite easily, since the file is only 1 megabyte. After you have done this, you must use Group Policy again to configure the client workstations to get their automatic updates from your SUS server. All this is clearly described in the documents accompanying Microsoft SUS.
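As an added example that is not part of the white paper, the following Python audit reads an exported copy of a client's Automatic Updates policy key and checks that the client is pointed at the intranet SUS server, not the public Windows Update site, and has a scheduled install configured. The registry value names are assumed here to be the Automatic Updates policy values written by the Group Policy settings, and the .reg text is a constructed sample.

```python
# Added example, not code from the GFI white paper: audit an exported copy of a
# client's Automatic Updates policy key to confirm it points at the intranet SUS
# server and installs on a schedule. Assumption: WUServer, WUStatusServer, UseWUServer,
# AUOptions, ScheduledInstallDay and ScheduledInstallTime are the policy values written.
import re
from urllib.parse import urlparse
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
# Constructed sample of a "reg export" of that key taken on one workstation.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://susserver.corp.example"
"WUStatusServer"="http://susserver.corp.example"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"""
_KEY = re.compile(r"^\[(.+)\]$")
_VAL = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg(text):
    """Return {key_path: {value_name: str or int}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := _KEY.match(line):
            current = keys.setdefault(m.group(1), {})
        elif (m := _VAL.match(line)) and current is not None:
            name, s, d = m.groups()
            current[name] = s if d is None else int(d, 16)  # dword: values are hex
    return keys
def audit_sus_client(text, intranet_suffix):
    """Return a list of findings; an empty list means the client is configured."""
    keys = parse_reg(text)
    wu, au = keys.get(BASE, {}), keys.get(BASE + r"\AU", {})
    findings = []
    if au.get("UseWUServer") != 1:
        findings.append("UseWUServer != 1: client would use public Windows Update")
    for name in ("WUServer", "WUStatusServer"):
        if not (urlparse(wu.get(name, "")).hostname or "").endswith(intranet_suffix):
            findings.append(f"{name} does not point at the intranet SUS server")
    if (opt := au.get("AUOptions")) not in (2, 3, 4):
        findings.append("AUOptions missing or invalid (expected 2, 3 or 4)")
    elif opt == 4 and not (0 <= au.get("ScheduledInstallDay", -1) <= 7
                           and 0 <= au.get("ScheduledInstallTime", -1) <= 23):
        findings.append("AUOptions=4 but ScheduledInstallDay/Time are invalid")
    return findings
```

Run it against `reg export` output collected from each workstation to catch clients that Group Policy has not reached and that would otherwise silently keep updating from the public site or not at all.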
Administering the Microsoft SUS server
The administration of Microsoft SUS server is all web-based, allowing you to administer it remotely. The Microsoft SUS server downloads all available updates automatically and notifies you of new updates by email. New updates can be approved for deployment or rejected, ensuring that you still have full control over what gets installed on your network. The approval interface is very similar to updating a single machine using Windows Update.

Approving updates via the Microsoft SUS server administration interface
The Microsoft SUS Client
Once you have installed both Microsoft SUS server and the Microsoft SUS client, all updates are pushed out automatically. As an administrator you can configure how this should happen: you can set the schedule on which updates are installed and, if you wish, give the user some control over the process. The screenshot below shows the options available. Of course these options can be locked using Group Policy.

Automatic Updates control panel with options
After you have configured the Microsoft SUS client, patches are deployed automatically. The user is notified through a message in the task bar (see image).

User gets feedback that updates are about to be installed
Microsoft SUS Server limitations
Though very good at what it does, Microsoft's patch management tool does have a few limitations:
- It does not push out service packs; you need a separate solution for that
- It only handles patches at operating system level (including Internet Explorer and IIS), but not application patches such as those for Microsoft Office, Microsoft Exchange Server, Microsoft SQL Server, etc.
- It requires Windows 2000 and up, so it cannot patch Windows NT 4 systems
- It cannot deploy custom patches for third party software
- It does not allow you to scan your network for missing patches, so you cannot check if everything has been installed correctly. There is no easy reporting system for this.
This means that you still require a patch management solution to perform the above tasks. Microsoft does not plan to add the above features, since it promotes Microsoft SMS server as a tool for that. So, Microsoft SUS server is ideal for operating system patches if used in conjunction with a patch management tool.
Step 2: Patch management with GFI LANguard N.S.S.
Once Microsoft SUS server is operational on your network, you need to install GFI LANguard N.S.S. to perform the following patch management tasks:
- Deployment of service packs
- Deployment of patches to machines running Windows NT
- Deployment of third party software patches
- Deployment of Microsoft application patches and service packs for Microsoft Office, Microsoft SQL Server, Microsoft Exchange Server and Microsoft ISA server
- Checking that missing patches and service packs are installed and issuing an HTML report about this.

Scanning for missing patches with GFI LANguard N.S.S.
How it works: Checking if patches and service packs are installed
Once you have your patch management in place, it is important to regularly scan your network to check that all patches and service packs have been deployed by Microsoft SUS. GFI LANguard N.S.S. quickly scans your network and lists all missing patches and service packs under the Alerts node.
To scan your network, enter the IP range directly at the top of the scanner interface, or use the Scan Wizard (accessed from the File menu) to specify which computers to scan. You can scan domains, specific computers and an entire IP range. Click Finish to start the scanning process. You'll see each machine appear in the left-hand pane as it is found by GFI LANguard N.S.S. The right-hand pane provides detailed progress information.
Once the network scan is complete, missing patches and service packs are detailed under the Alerts node. If Microsoft SUS is updating all client machines correctly, you should only see missing application patches and service packs here.
Right-clicking on a patch or a service pack allows you to deploy the missing service pack or patch to that computer or all computers. The Deploy Patches dialog, shown in the screenshot, allows you to easily specify which patches to push out to which computers.

Deploying patches with GFI LANguard N.S.S.

Patches to be downloaded
After you specify which patches to push out, GFI LANguard N.S.S. gives you a list of the service packs and patches that need to be downloaded and copied to the GFI LANguard N.S.S. download directory.
Step 3: Reporting
Once you have scanned your network, you can also create a concise report that lists all missing patches and service packs. To generate the missing patches report, go to the File menu > Filters and select 'Missing patches'.

The GFI LANguard N.S.S. missing patches/service packs report
Conclusion
Microsoft SUS is a very good patch management tool. On top of that, it's free. However it does not deploy service packs, nor does it deploy patches to application software such as Office, Exchange or SQL Server. Furthermore, it has no scanning capability: you have to review the logs to check whether patches have been deployed successfully or not.
Microsoft SUS Server is perfect for operating system patch management. Although you can use a patch management product instead, using Microsoft SUS Server saves you time in the long run: Once set up, it is easy to keep your network up-to-date. Coupled with the fact that Microsoft SUS Server is free, this makes for an easy decision. However, Microsoft SUS Server does not perform all patch management. You must therefore use a patch management tool in addition to Microsoft SUS Server.
GFI LANguard N.S.S. in tandem with Microsoft SUS offers all the features found in more expensive patch management solutions at a minimal cost. Most patch management solutions range from $1,500 for a 100-machine license to $8,000 and more for a 500-machine license. The combination of GFI LANguard N.S.S. and Microsoft SUS allows you to update operating systems (Windows 2000, XP, .NET, IIS, IE, Windows Media) using Microsoft SUS, and service packs, Microsoft application patches, Windows NT patches and third party software using GFI LANguard N.S.S.
The combined solution of GFI LANguard N.S.S. and Microsoft SUS is not only more powerful and flexible, it is also much more cost-effective: Microsoft SUS is free and GFI LANguard N.S.S. licenses start from as little as $249 for 50 IPs.
About GFI
GFI is a leading provider of Windows-based messaging, content security and network security software. Key products include the GFI FAXmaker fax connector for Exchange and fax server for networks; GFI MailSecurity email content/exploit checking and anti-virus software; and the GFI LANguard family of network security products. Clients include Microsoft, Telstra, Time Warner Cable, Shell Oil Lubricants, NASA, DHL, Caterpillar, BMW, the US IRS, and the USAF. GFI has five offices in the US, UK, Germany, Australia and Malta, and has a worldwide network of distributors. GFI is a Microsoft Gold Certified Partner and has won the Microsoft Fusion 2000 (GEM) Packaged Application Partner of the Year award.
For more information
Please email sales@gfi.com or contact one of the GFI offices.
