
Taking Patch Management to the Next Level
By Brien M. Posey
June 21, 2004

Without a doubt, one of the most tedious chores that network administrators must routinely perform is patch management. Hardly a week goes by that Microsoft doesn't release some sort of patch. It is the network administrator's responsibility to download the latest patches and apply them to all of the organization's computers. As tedious as patch management is, though, it is one chore that really shouldn't be neglected. Not only do the various patches resolve security vulnerabilities, but once a patch is released the specific vulnerability it addresses is made public, which makes that vulnerability much more likely to be exploited on unpatched machines.

Figure 1: GFI LANguard Interface

Available Patch Management Solutions
There are many patch management tools available from Microsoft and from third-party software vendors. Microsoft's two primary patch management solutions are SMS Server and the Software Update Service (SUS). Both are good solutions, but each has its limitations. SMS Server is a comprehensive patch management solution, but it has a hefty price tag and a steep learning curve. SUS is a free patch management utility that is easy to use, but it has some major limitations. SUS cannot deploy patches for Microsoft SQL Server, Microsoft Exchange Server, or Microsoft Office. Furthermore, SUS cannot deploy patches to machines that are running Windows NT.

These various limitations mean that SUS and SMS Server simply aren't good fits for many organizations. As an alternative to these two products, many companies are turning to third party patch management solutions. One particular patch management solution that I really like is GFI's LANguard Network Security Scanner. Although GFI's LANguard has been around for a while, GFI has recently released version 5.

Security Scanning
GFI LANguard is much more than a patch management product though. Any patch management solution will scan your network for missing patches. GFI LANguard raises the bar by also scanning the network for other types of potential security vulnerabilities.

The nice part about this feature is that you don't have to do any extra work to perform a full-blown security scan of your network. When you scan your network for missing patches, GFI LANguard will also check for things like open shares, open ports, and unused user accounts. The software also checks for security vulnerabilities related to audit policies, password policies, user accounts, groups, and computers.

When the scan is complete, GFI LANguard offers a dozen different reports that you can view. Many of these reports pertain specifically to security vulnerabilities that have been detected. Best of all, reports exist that focus solely on specific types of vulnerabilities. For example, you can choose to look at only the most serious security vulnerabilities, or to look only at vulnerabilities pertaining to your password policies.

Scanning A Network
Although LANguard offers a lot of features, the user interface is surprisingly simple. To get things started, you must first choose which credentials you would like to use for the scan. You can choose between the currently logged-on user, an alternate set of credentials, or a null session. From there you simply enter the IP address range that you wish to scan and click the Scan button. Because of the amount of time it takes to scan all TCP and UDP ports, the software scans only well-known ports by default, but you can perform a full TCP/UDP scan if necessary.

When the scan completes, a number of different reports are compiled. These reports are viewable directly through the user interface in the Scan Filters section. Reports cover a variety of topics such as missing patches and security vulnerabilities (sorted by severity and type). In addition to the basic missing patch and security vulnerability reports, you can also view security information on a per computer basis or look at the entire network as a whole.

Patch Deployment
Once the initial scan is complete, you will probably want to deploy any missing patches or service packs. To do so, go to the Security Scanner container at the top of the user interface and then right click on the computer that you want to update. You will have the option of deploying the patches onto the selected computer or onto all computers. LANguard will send the users a message before the deployment process begins and will stop any necessary services on the user's machines.

Earlier I mentioned that one of the big drawbacks to Microsoft's SUS is the limited number of Microsoft products for which it can manage patches. This is not the case with GFI LANguard. GFI LANguard can handle patch management for all Microsoft server products, operating systems, and even Microsoft Office. It even has the ability to deploy patches for non-Microsoft products (although the need for such patches is not automatically detected). Although GFI LANguard is clearly superior to SUS, GFI recommends using GFI LANguard as a complement to SUS rather than as an alternative to it. In fact, GFI has published a whitepaper that details the specifics of using SUS and GFI LANguard together. You can read this whitepaper at:

Another reason why using GFI LANguard in conjunction with SUS is an ideal patch management solution is the timeliness of patch deployment. You probably remember the SQL Slammer virus, which exploited a hole in SQL Server. A patch was available from Microsoft very soon after the virus first appeared, and yet millions were infected because they did not patch SQL Server quickly enough. GFI LANguard allows you to deploy patches immediately to all of your computers. You also have the option of scheduling both scans and patch deployments. Additionally, you have the option of setting up various types of alerts. That way, if a security scan detects a critical vulnerability you can be notified immediately so that you can take action.

Pricing and Availability
GFI LANguard Network Security Scanner is available from The software's license fee is based on the number of IP addresses on your network. The pricing structure starts at $315 and allows you to scan up to 25 IP addresses. There are several pricing structures available for various numbers of IP addresses. A package that allows you to scan an unlimited number of IP addresses costs $995.

I really like GFI LANguard, but like any software package, there are pros and cons associated with using it. The following list outlines some of the things that I did and didn't like about LANguard:

Pros
  • The interface is very easy to use.
  • A very good collection of reports that you can use to assess the security of your network.
  • Scanning results can be saved in XML format and later compared against previous scans.
  • I really liked the fact that you could schedule security scans and automatically deploy any newly available patches.
  • The alerting feature can notify you by e-mail of serious security issues.
  • The information that is collected during the scans is well organized.
  • The software greatly reduces the time commitment involved in keeping patches up to date.
  • The software can distribute patches to non-Microsoft products.
  • The software can detect the need for patches to Microsoft products not covered by SUS and can automatically deploy such patches.
  • Works as a perfect complement to SUS.

Cons
  • I would like to have seen better integration with other GFI products.
  • I would like to see the alerter expanded to allow alerts to be sent to instant message clients, phones, and pagers.

On a scale of 1 to 5 with 1 being the worst and 5 being the best, I give GFI LANguard a 4.7. GFI LANguard is an excellent product. The only reason why I didn't give it a 5 is because I would like to have seen integration with some of GFI's other products. For example, GFI's ServerMonitor is designed to monitor servers, send alerts, and take corrective action. GFI LANguard also has an alert feature that will allow you to take corrective action against security issues. It would be nice to have a central console that would allow you to configure alerting and responses across all GFI products that offer alerting capabilities. I would like to see the alerter expanded as well so that alerts could be sent to pagers, cell phones, and instant message clients.

Of course all of these are really trivial issues. Although it would be nice to see such features appear in the next version, the current version does an excellent job of detecting security vulnerabilities and of deploying patches.
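Two of the features praised above, saving scan results as XML for comparison against earlier scans and alerting when a scan finds a critical vulnerability, are easy to reason about with a small script. The example below is added here and is not GFI's code, nor does it use LANguard's real export format; it assumes a simple constructed XML layout (hosts with missing_patch and open_port children) and constructed sample data (RFC 5737 test addresses, placeholder patch identifiers). It diffs a baseline export against a newer one, reporting new hosts, newly missing and newly fixed patches, and newly opened or closed ports, and it separately lists the findings that would trigger an alert at a chosen severity threshold.

```python
"""Compare two scan exports and flag what changed between them.

Assumed XML layout (constructed for this example; the real LANguard
export schema is not shown in the article):

<scan date="...">
  <host ip="...">
    <missing_patch id="..." severity="critical|high|medium|low"/>
    <open_port number="..." proto="tcp|udp"/>
  </host>
</scan>
"""
import xml.etree.ElementTree as ET

# Constructed sample exports: a baseline scan and a scan taken a week later.
BASELINE_XML = """<scan date="2004-06-14">
  <host ip="192.0.2.10">
    <missing_patch id="PATCH-A" severity="critical"/>
    <open_port number="135" proto="tcp"/>
    <open_port number="445" proto="tcp"/>
  </host>
  <host ip="192.0.2.11">
    <open_port number="80" proto="tcp"/>
  </host>
</scan>"""

# PATCH-A was applied to .10; .11 now lacks PATCH-B and exposes UDP 1434
# (the SQL Server resolution service port that Slammer spread over); .12 is new.
CURRENT_XML = """<scan date="2004-06-21">
  <host ip="192.0.2.10">
    <open_port number="135" proto="tcp"/>
    <open_port number="445" proto="tcp"/>
  </host>
  <host ip="192.0.2.11">
    <missing_patch id="PATCH-B" severity="critical"/>
    <open_port number="80" proto="tcp"/>
    <open_port number="1434" proto="udp"/>
  </host>
  <host ip="192.0.2.12">
    <missing_patch id="PATCH-C" severity="high"/>
  </host>
</scan>"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_scan(xml_text):
    """Return {ip: {"patches": {id: severity}, "ports": {(proto, number)}}}."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        patches = {p.get("id"): p.get("severity", "low").lower()
                   for p in host.findall("missing_patch")}
        ports = {(o.get("proto", "tcp").lower(), int(o.get("number")))
                 for o in host.findall("open_port")}
        hosts[host.get("ip")] = {"patches": patches, "ports": ports}
    return hosts


def diff_scans(baseline, current):
    """Report hosts and findings that appeared or disappeared since the baseline."""
    empty = {"patches": {}, "ports": set()}
    result = {"new_hosts": [], "new_patches": [], "fixed_patches": [],
              "new_ports": [], "closed_ports": []}
    for ip in sorted(set(baseline) | set(current)):
        before = baseline.get(ip, empty)
        after = current.get(ip, empty)
        if ip not in baseline:
            result["new_hosts"].append(ip)
        for pid in sorted(set(after["patches"]) - set(before["patches"])):
            result["new_patches"].append((ip, pid, after["patches"][pid]))
        for pid in sorted(set(before["patches"]) - set(after["patches"])):
            result["fixed_patches"].append((ip, pid))
        for port in sorted(after["ports"] - before["ports"]):
            result["new_ports"].append((ip,) + port)
        for port in sorted(before["ports"] - after["ports"]):
            result["closed_ports"].append((ip,) + port)
    return result


def critical_alerts(current, min_severity="critical"):
    """List (ip, patch id, severity) at or above min_severity: the alert trigger."""
    threshold = SEVERITY_RANK[min_severity]
    alerts = []
    for ip, data in sorted(current.items()):
        for pid, sev in sorted(data["patches"].items()):
            if SEVERITY_RANK.get(sev, 0) >= threshold:
                alerts.append((ip, pid, sev))
    return alerts


if __name__ == "__main__":
    base = parse_scan(BASELINE_XML)
    cur = parse_scan(CURRENT_XML)
    for key, items in diff_scans(base, cur).items():
        for item in items:
            print("%-14s %s" % (key, item))
    for ip, pid, sev in critical_alerts(cur):
        print("ALERT %s is missing %s (%s)" % (ip, pid, sev))
```

The diff keeps a newly discovered host separate from changes on known hosts, because a machine that was not in last week's inventory is itself worth a look regardless of what it is missing. The severity threshold is a parameter so the same export can drive an immediate page for critical findings and a weekly digest for everything else.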

More info on GFI LANguard 5.0:
Download a free 30-day trial:
