Windows Patch Management, St. Bernard's UpdateEXPERT

by Marcin Policht

We conclude our overview of Windows patch management solutions with a look at UpdateEXPERT, a unique offering that allows agent-based and agentless implementations, as well as implementations with a mix of both.

Unlike the vendors whose products we looked at earlier in this series, St. Bernard Software did not start off in the patch management market. Its initial customer base was built around its Open File Manager program, middleware that solves the problem of backing up files that are open for use. That success was followed by the introduction of the UpdateEXPERT patch management solution, which is currently in version 6.3 and is the subject of this article. Other St. Bernard products are the iPrism and ePrism product lines, which monitor and filter Web browsing and e-mail traffic, respectively.

Like the products from PatchLink and Bigfix that we recently covered, UpdateEXPERT supports multiple operating systems: Windows (NT, 2000, XP, and 2003), Red Hat Linux (versions 7.3, 8, and 9), and Solaris (versions 8 and 9), as well as a wide range of Microsoft applications and services, including Exchange and SQL Server, Terminal Services, Windows Media Services, and Microsoft Office.

As we discussed throughout our series, patch management products generally belong to one of two categories, depending on whether they rely exclusively on centrally operated systems for software deployment and inventory or whether this functionality is supplemented with client-resident agent software. Although a majority of vendors favor an agent-based philosophy in their solutions, since its benefits considerably outweigh its drawbacks (for a more detailed discussion on this subject refer to one of our earlier articles), St. Bernard took a unique approach to this issue: It allows both agent-based and agentless implementations, as well as implementations with a mix of both.

This flexibility has implications for the way UpdateEXPERT operates that must be recognized and considered at the design stage. As with the other products presented earlier, UpdateEXPERT's architecture is multilayered, which helps make it scalable (although its scalability is more limited than that of BigFix's or PatchLink's products because it lacks an intermediate distribution layer). At the top of the hierarchy, the vendor manages a central database, which continuously checks for updates to all supported products, downloads newly released patches, and tests them independently using its own processes. Following this comprehensive testing, which includes cross-referencing new and existing patches, each new patch, along with its associated metadata (such as checksums used to preserve integrity and identity, the designation of its intended targets, and its dependencies on and conflicts with other patches), is distributed to management servers (the second layer of the hierarchy) residing on customers' premises.

Management servers running "Master Agent" software are the entry point for regular updates from St. Bernard and the central point for the customer's internal patch management (including deployment and inventory collection). The Master Agent's features are accessed via one or more management consoles (a console can be installed on any Windows NT or later system with reliable network connectivity to the system running the Master Agent). The console serves as the interface for tasks such as initiating scans (of both agent-based and agentless target systems), defining policies (UpdateEXPERT relies on policy-based management, which categorizes target systems according to their characteristics and specifies a set of actions to be applied to them), and generating patch inventory reports.

Targets can be discovered through a network-based scan (using specific IP ranges or subnets), by collecting computer information stored in Active Directory, or manually (either one-by-one or en masse by importing specially formatted text files). It is also possible to leverage existing Active Directory groups when setting the scope for deployment or policy definition (administrator-defined groups can also be created directly in the management console). Policies automate patch deployment by triggering installation whenever the criteria defined within them match a target computer. You can, for example, define a patch baseline applicable to all clients that satisfy a specific set of conditions (such as an operating system version or the software installed on them) and deploy the missing patches to all of them in one step (UpdateEXPERT will report missing prerequisites or potential issues, where applicable). Reporting reflects patch installation results, which are determined by an exhaustive examination of the relevant file characteristics (such as checksum, size, or version information), in the form of Conformance Reports summarizing the discrepancies between the patch level of each computer and its corresponding baseline.

Operations performed by the Master Agent can be supplemented by optional "Leaf Agents" running on target systems (forming the base level of the hierarchy). Leaf Agents are installed either with the Agent Install Wizard from a management console or locally by executing the Agent Installer program included with the product's main installation program. Which targets should receive Leaf Agents is a design decision that varies from one environment to another, depending on the requirements. In particular, client agents are intended for situations where machines are locked down (via restricted administrative access or through the use of encryption), reside behind firewalls (in environments such as a DMZ), operate disconnected from the corporate network for extended periods (a common situation with laptops and other computers used for remote access), or are located on remote network segments (where agents make more efficient use of bandwidth and can offload some patch-related tasks from the Master Agent). They are also more secure, since they communicate with the Master Agent over a PKI-encrypted TCP/IP connection.

>> Deploying UpdateEXPERT

When client agents are not installed, UpdateEXPERT uses Remote Procedure Calls to access remote machines (which typically implies a need for reliable networks), requires administrative rights on them, and is inherently less secure, since, unlike communication with Leaf Agents, no additional encryption is involved.

Administrative rights can be handled by specifying alternate credentials for a specific scope of managed computers, by running the Master Agent in the security context of a domain user account with a sufficient level of privileges, or by granting elevated rights to the computer account when the Master Agent runs as the Local System account. This last option applies only to an Active Directory environment, where computer accounts function as security principals.

In addition, target computers must be able to accept RPC connections, which requires services such as RPC, Remote Registry, and Netlogon to be operational. File and Print Sharing must also be enabled (with the default administrative shares present).
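The agentless prerequisites described above (RPC reachability, the RPC, Remote Registry and Netlogon services, and the default administrative shares) can be verified from the console host before a scan is attempted. The following readiness check is an added example, not code from the article or from St. Bernard; it assumes Windows PowerShell 5.1 on a domain-joined host with administrative rights on the targets, and the service and share names it checks (RpcSs, RemoteRegistry, Netlogon, ADMIN$, C$, IPC$) are the standard Windows names rather than anything UpdateEXPERT specifies.

```powershell
# Added example (not from the article or St. Bernard): verifies the agentless
# prerequisites for each target and returns one object per computer.
function Test-AgentlessReadiness {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string[]]$RequiredService = @('RpcSs', 'RemoteRegistry', 'Netlogon'),
        [string[]]$RequiredShare   = @('ADMIN$', 'C$', 'IPC$')
    )
    foreach ($target in $ComputerName) {
        $result = [ordered]@{ Computer = $target }

        # RPC endpoint mapper (TCP 135) and SMB (TCP 445) must be reachable
        foreach ($port in 135, 445) {
            $tnc = Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue
            $result["Port$port"] = [bool]$tnc.TcpTestSucceeded
        }

        # Each required service must exist on the target and be running
        foreach ($name in $RequiredService) {
            $svc = Get-Service -ComputerName $target -Name $name -ErrorAction SilentlyContinue
            $result[$name] = ($null -ne $svc -and $svc.Status -eq 'Running')
        }

        # Default administrative shares must be present (File and Print Sharing enabled)
        try {
            $shares = Get-WmiObject -Class Win32_Share -ComputerName $target -ErrorAction Stop |
                      Select-Object -ExpandProperty Name
        } catch {
            $shares = @()   # WMI unreachable: treat every share as missing
        }
        foreach ($share in $RequiredShare) {
            $result[$share] = ($shares -contains $share)
        }

        # Ready only when every individual check passed
        $checks = @($result.Keys | Where-Object { $_ -ne 'Computer' })
        $result['Ready'] = (@($checks | Where-Object { -not $result[$_] }).Count -eq 0)
        [pscustomobject]$result
    }
}

# Usage (constructed host names): list targets that are not ready for an agentless scan
Test-AgentlessReadiness -ComputerName 'srv01', 'wks-lab-07' |
    Where-Object { -not $_.Ready } | Format-Table -AutoSize
```

A target that fails this check is a candidate for a Leaf Agent rather than for troubleshooting the RPC path, particularly when it sits behind a firewall or is intentionally locked down.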

The capability to operate with both agent-based and agentless clients provides the best of both worlds, letting you select the preferred approach for each situation. You can arrange immediate deployment to a group of clients with no agents installed on them; avoiding client agents may be preferable where system stability is the highest priority and introducing another piece of software is viewed as a potential risk. At the same time, you can make distribution more efficient or more secure by taking advantage of the enhancements that the agent-based technology provides, which in some scenarios is the more appropriate option.

Several additional features distinguish UpdateEXPERT from its competitors. It is possible to distribute patches by storing them on portable media (with the "Packaged Updates" feature), which resolves the problem of updating stand-alone clients or those residing on isolated networks. Integration with HP OpenView (via Smart Plug-in programs) offers some interesting possibilities: patch management features become accessible from the single interface of the HP OpenView network management console. The plug-in also allows control over the operational status of UpdateEXPERT agents, monitoring of the events they generate on target systems, and responding to those events in a prescribed manner.

Like other solutions, UpdateEXPERT features a remote rollback capability (introduced in version 6.3), simplified through the use of the Uninstall Wizard. Besides interactive, immediate uninstallation, the procedure can be scheduled and performed simultaneously for several patches. Reboot notification informs users of a pending restart of their computers, and reboots are minimized through "Smart Reboot Elimination."

St. Bernard boasts of providing its UpdateEXPERT patch management solution to an impressive list of clients, including the U.S. Department of Justice, the Federal Aviation Administration, and sectors of the Army. The mix of standard and unique features makes it an interesting offering worth considering. For more information, refer to the section of St. Bernard's Web site dedicated to UpdateEXPERT.

This article was originally published on Thursday Dec 16th 2004