With this article, our Windows patch management series shifts its focus to products from third-party vendors. In general, these products fall into three categories: 1) free products with relatively limited capabilities, such as basic vulnerability detection and patch installation (akin to Microsoft Baseline Security Analyzer); 2) full-blown products with additional comprehensive reporting and deployment features (such as the soon-to-be-released Windows Update Services); and 3) patch management add-ons that integrate into current enterprise management systems (similar to the SMS Software Update Services Feature Pack).
We kick off our discussion with a look at Shavlik Technologies, which was one of the pioneers in this area. Its solutions fall into the first two of the aforementioned categories.
Shavlik is a privately owned security company founded in 1993. Its technological advancements have been significant enough to attract attention from Microsoft, resulting in cooperative efforts and the development of the Microsoft Baseline Security Analyzer (MBSA), which is based on Shavlik's HFNetChk (the acronym designating HotFix Network Checker) released in 2001. HFNetChk is a feature-limited version of Shavlik's flagship product HFNetChkPro. Both products are based on the same scanning technology, which relies on information stored in an XML file for verifying patch level. This file, called mssecure.xml and already discussed in our series, is available for download in a compressed and digitally signed version (the signature ensures its authenticity and integrity), mssecure.cab, from two Web sites: Microsoft's, at http://download.microsoft.com/download/xml/security/1.0/nt5/en-us/mssecure.cab, and Shavlik's, at http://xml.shavlik.com/mssecure.cab.
Both vendors currently use their own copies of the XML file for their tools. While Shavlik decided to make this switch starting with version 3.83 of HFNetChk, it still offers an option to override the default and point to the Microsoft Web site by applying the -ms switch (you can also point to an alternative location of mssecure.cab with the -x switch when running MBSA). When a scan is initiated, the tools check the version and locale of the operating system, the service pack level, and the components and applications installed. Based on this information, the applicable security patches are determined.
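To make the applicability logic concrete, here is an added example (not code from Shavlik, Microsoft or this article) of how a catalog-driven scanner narrows a patch list using OS version, service pack level, installed products and file versions. The XML schema, bulletin IDs, file names and version numbers below are constructed for illustration and are not the real mssecure.xml schema or real bulletin data.

```python
"""Added example: catalog-driven patch applicability, in the style of an
MBSA / HFNetChk scan. The catalog format here is a constructed,
simplified stand-in for mssecure.xml, not the real schema."""
import xml.etree.ElementTree as ET

# Constructed catalog. Each <Patch> says which product and OS version it
# targets, the service-pack range it applies to, and the file version
# that must be present once the fix is installed.
CATALOG_XML = """<Catalog>
  <Bulletin id="EXAMPLE-BULLETIN-1">
    <Patch product="Windows" os="5.0" sp_min="2" sp_max="4"
           file="ntoskrnl.exe" min_version="5.0.2195.6000"/>
  </Bulletin>
  <Bulletin id="EXAMPLE-BULLETIN-2">
    <Patch product="IIS" os="5.0" sp_min="0" sp_max="4"
           file="inetinfo.exe" min_version="5.0.2195.6500"/>
  </Bulletin>
  <Bulletin id="EXAMPLE-BULLETIN-3">
    <Patch product="Windows" os="5.1" sp_min="0" sp_max="1"
           file="ntoskrnl.exe" min_version="5.1.2600.1100"/>
  </Bulletin>
</Catalog>"""


def parse_version(version_text):
    """Turn '5.0.2195.6000' into a tuple so versions compare numerically."""
    return tuple(int(part) for part in version_text.split("."))


def parse_catalog(xml_text):
    """Flatten the catalog into one rule dict per <Patch> element."""
    root = ET.fromstring(xml_text)
    rules = []
    for bulletin in root.findall("Bulletin"):
        for patch in bulletin.findall("Patch"):
            rules.append({
                "bulletin": bulletin.get("id"),
                "product": patch.get("product"),
                "os": patch.get("os"),
                "sp_min": int(patch.get("sp_min")),
                "sp_max": int(patch.get("sp_max")),
                "file": patch.get("file"),
                "min_version": parse_version(patch.get("min_version")),
            })
    return rules


def missing_patches(inventory, rules):
    """Return the bulletin IDs that apply to this host and are not installed.

    inventory is what the scan gathered from the target, e.g.
    {"os": "5.0", "sp": 3, "products": {"Windows", "IIS"},
     "files": {"ntoskrnl.exe": "5.0.2195.5000"}}
    """
    missing = []
    for rule in rules:
        # Filter by OS version, then service-pack range, then product.
        if rule["os"] != inventory["os"]:
            continue
        if not rule["sp_min"] <= inventory["sp"] <= rule["sp_max"]:
            continue
        if rule["product"] not in inventory["products"]:
            continue
        # The patch applies; it is missing if the fixed file is absent or older.
        installed = inventory["files"].get(rule["file"])
        if installed is None or parse_version(installed) < rule["min_version"]:
            missing.append(rule["bulletin"])
    return missing


if __name__ == "__main__":
    host = {"os": "5.0", "sp": 3, "products": {"Windows", "IIS"},
            "files": {"ntoskrnl.exe": "5.0.2195.5000",
                      "inetinfo.exe": "5.0.2195.6600"}}
    print(missing_patches(host, parse_catalog(CATALOG_XML)))
```

The order of the filters mirrors the article's description: OS version and service pack first, then installed products, and only then the per-file version check that decides whether the fix is actually present. A host that reports no version for the fixed file is treated as unpatched, which is the conservative choice for a vulnerability scanner.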
Before we dive deeper into the functionality of Shavlik's patch management solutions, a quick skim of the available solutions is in order:
- HFNetChk.exe, which at press time is in version 3.86, is the most basic command line utility, available as a free download from the Shavlik Download Center at http://www.shavlik.com/downloads.aspx. Its /hf switch gives it a close resemblance to MBSA (not surprising, since both tools originate from the same team of developers). HFNetChk evaluates security patch levels on the target computer (or computers) running Windows NT 4.0, 2000, or XP for the base operating system as well as a number of Microsoft products and components, such as IIS 4.0 and 5.0, SQL and Exchange, MDAC, Microsoft Office, and Internet Explorer 5.01 or later. Although the most recent version (3.86) is a bit old (it was last updated November 20, 2002), the next release, v4.0, is currently in Beta and will be in production soon.
- HFNetChkPro Security Patch Management, in version 4.3 as of press time, is a GUI-based product (with an optional command line interface) that offers a comprehensive set of patch management features. HFNetChk serves as the scanning engine, but HFNetChkPro's feature set goes far beyond vulnerability detection, including flexible and dependable patch deployment functionality.
- Account Inspector 3.9a, Enterprise Inspector 2.2, and HFNetChk Admin Suite Security Patch Management (including a free version for a limited number of computers) are security analysis and configuration tools integrated with HFNetChk as the patch scanning engine and HFNetChkPro as the patch deployment mechanism.
MBSA and Shavlik's HFNetChk scanning engine have a number of similarities. Neither requires agents on client computers (the same applies to HFNetChkPro when it comes to patch installation). This not only eliminates the need for complex and time-consuming deployment (by allowing their immediate use), but it also fits well in the centralized administration scenario. On the other hand, some admins might consider this a drawback, as network utilization is increased by the management traffic generated when the tools run from an administrative workstation. The HFNetChkPro thread setting (the number of threads ranges from 1 to the default of 64; you can configure it through the graphical interface or with the -t command line switch) can mitigate this problem by controlling the number of target computers on which patches are simultaneously scanned or deployed. Configuring scanning on a per-IP-subnet basis further helps with bandwidth throttling.
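The following added example (not HFNetChkPro's code, and not an implementation of its -t switch) shows the two throttling ideas from the paragraph above working together: a global thread limit that caps how many targets are scanned at once, and a per-subnet limit that keeps any single network segment from being flooded. The per-subnet cap, the `scan_host` stand-in and the target addresses are assumptions made for illustration.

```python
"""Added example: agentless scan throttled by a global thread count and a
per-subnet concurrency cap. scan_host is a hypothetical stand-in for the
real remote scan; targets are constructed RFC 1918 addresses."""
import ipaddress
import threading
import time
from concurrent.futures import ThreadPoolExecutor


def scan_host(target):
    """Hypothetical remote scan: sleeps briefly to stand in for network I/O."""
    time.sleep(0.01)
    return (target, "ok")


class ThrottledScanner:
    """Runs scan_fn over many targets with two independent limits.

    threads     - total worker threads (the article's 1..64 thread setting)
    per_subnet  - max concurrent scans inside one subnet (an assumption here)
    prefix      - subnet size used to group targets (/24 by default)
    """

    def __init__(self, threads=64, per_subnet=4, prefix=24):
        self.threads = threads
        self.per_subnet = per_subnet
        self.prefix = prefix
        self._lock = threading.Lock()
        self._slots = {}     # subnet -> Semaphore limiting that subnet
        self._inflight = {}  # subnet -> scans currently running there
        self.peak = {}       # subnet -> highest concurrency observed

    def _subnet(self, ip):
        # strict=False lets a host address be normalised to its network.
        return str(ipaddress.ip_network(f"{ip}/{self.prefix}", strict=False))

    def _slot(self, subnet):
        with self._lock:
            if subnet not in self._slots:
                self._slots[subnet] = threading.Semaphore(self.per_subnet)
                self._inflight[subnet] = 0
                self.peak[subnet] = 0
            return self._slots[subnet]

    def _scan_one(self, target, scan_fn):
        subnet = self._subnet(target)
        semaphore = self._slot(subnet)
        with semaphore:  # blocks while the subnet is at its cap
            with self._lock:
                self._inflight[subnet] += 1
                self.peak[subnet] = max(self.peak[subnet], self._inflight[subnet])
            try:
                return scan_fn(target)
            finally:
                with self._lock:
                    self._inflight[subnet] -= 1

    def run(self, targets, scan_fn=scan_host):
        """Scan all targets; returns {target: result}."""
        with ThreadPoolExecutor(max_workers=self.threads) as pool:
            return dict(pool.map(lambda t: self._scan_one(t, scan_fn), targets))


def build_targets():
    """Constructed target list: 16 hosts in one /24 and 8 in another."""
    return ([f"10.0.1.{i}" for i in range(1, 17)]
            + [f"10.0.2.{i}" for i in range(1, 9)])


if __name__ == "__main__":
    scanner = ThrottledScanner(threads=64, per_subnet=4)
    results = scanner.run(build_targets())
    print(len(results), "hosts scanned; peak per subnet:", scanner.peak)
```

Even with 64 worker threads available, the semaphore keeps at most four scans in flight on each /24, so the busiest segment never sees more than four simultaneous management sessions. Lowering `threads` alone throttles everything uniformly; the per-subnet cap lets a well-connected core network proceed at full speed while a slow branch link is protected.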
The agentless nature of Shavlik's utilities has other implications. A user who initiates a scan must be a member of the local Administrators group on target computers. While this might be inconvenient in some scenarios (especially when it comes to vulnerability detection in a multidomain environment), it provides a level of security, preventing unauthorized information gathering. In addition, remote systems must be running the Server service, the Remote Registry service, File and Print Sharing, and the default administrative shares. They also require an XML parser, which is included with IE 5.0 or later and can be added to IE 4.0 by installing MSXML 4.0 SP1, downloadable from http://www.microsoft.com/xml. When scanning computers residing behind a firewall, TCP ports 139 and 445 and UDP ports 137 and 138 must be open. Finally, patching requires that Windows Task Scheduler be enabled on target computers.