The following patch management questions were recently posed to site expert Jason Chan. Check out his responses for help choosing the best patching tools for your environment.
Question: If I'm primarily supporting Windows systems (2003, XP, 2000), should I choose Microsoft or a third-party vendor for patching tools?
Jason: Microsoft Systems Management Server (SMS) will certainly do the trick, but it is not free. It also does much more than patch management (i.e., systems management support, inventory, etc.). Windows Update Services (WUS), soon to be Windows Server Update Services (WSUS), will do a decent job with OS patches, but it cannot do third-party patching (i.e., Acrobat Reader, Firefox, etc.). It is not really a full-fledged patch management system.
Assuming you want to buy a patch management tool, I would say there are a number of viable options for Windows environments -- and I wouldn't necessarily recommend sticking with a Microsoft product. On the free side, though, combining Microsoft Baseline Security Analyzer (MBSA) with WUS would be one of the better free solutions.
Question: Will a tool dedicated to scanning find more holes than a complete patch management tool?
Jason: Vulnerability scanning tools tend to find more overall security issues than patch management tools. The scanners look for problems with the password policy, enabled services, file permissions, etc. -- basically all vulnerabilities unrelated to patching. On the other hand, patch management tools (as you would expect) will typically focus on missing patches.