GFI LANguard Network Security Scanner

GFI LANguard N.S.S. is a leading security scanner that also offers patch management. Security scanning and patch management go hand in hand: Using one tool to do both makes the process more intuitive and more manageable for the administrator.
GFI LANguard N.S.S. can use the Microsoft Software Update Services (SUS) tool to maintain a centralized database of patches and hotfixes.
Read more about SUS on the Software Update Services (SUS) page.

Why use the combination of GFI LANguard N.S.S. and Microsoft SUS server?

Microsoft SUS server is a good solution for pushing out operating system patches. It supports all operating system patches, including patches for applications that are part of the operating system such as IIS and IE. However, Microsoft SUS does not offer the following features that are provided by GFI LANguard N.S.S.:

  • Deployment of service packs
  • Deployment of patches to machines running Windows NT
  • Deployment of third party software patches and clients
  • Deployment of Microsoft application patches and service packs for Microsoft Office, Microsoft SQL Server, Microsoft Exchange Server & Microsoft ISA server.
  • Ability to check that all patches have been installed correctly.

Together, therefore, GFI LANguard N.S.S. and Microsoft SUS keep Windows 2000/XP/.NET machines up to date with operating system patches, service packs, Microsoft application patches and service packs, and third party software patches.

How to set up patch management on your network

Step 1: Installing Microsoft SUS server

Because Microsoft SUS server is not a desktop-based scanning tool but an automated server designed to work in the background, it takes more effort to set up than other patch management tools. Once it is set up, however, the patch management process is automated, so the extra effort is well worth it.
The installation itself is straightforward. You install the Microsoft SUS server (it requires IIS) and configure it to synchronize with Windows Update. Then you must ensure that your workstations and servers either run Windows 2000 SP3, Windows XP SP1 or Windows .NET, whose built-in Automatic Updates client already supports SUS, or have the Microsoft SUS client installed. Note that Windows NT is not supported.
You can push out the SUS client using Group Policy software installation quite easily, since the package is only about 1 megabyte. After you have done this, you must use Group Policy again (the wuau.adm template shipped with SUS) to configure the client workstations to get their automatic updates from your SUS server rather than from the public Windows Update site. All this is described in the documents accompanying Microsoft SUS.

Administering the Microsoft SUS server

The administration of Microsoft SUS server is all web-based, allowing you to administer it remotely. The Microsoft SUS server downloads all available updates automatically and notifies you of new updates by e-mail. New updates can be approved for deployment or rejected, ensuring that you still have full control over what gets installed on your network. The approval interface is very similar to updating a single machine using Windows Update.

The Microsoft SUS Client

Once you have installed both Microsoft SUS server and the Microsoft SUS client, all updates are pushed out automatically. As an administrator you can configure how this should happen. You can set the schedule when this should happen, and allow the user to have some sort of control over this process, if you wish. The screenshot below shows the options available. Of course these options can be locked using Group Policy.
After you have configured the Microsoft SUS client, patches are deployed automatically. The user is notified through a message in the task bar (see image).
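Pointing clients at the SUS server by Group Policy (Step 1) and locking the client options just described both come down to the same few registry values under the WindowsUpdate policy key. The following Python script is an added example, not Microsoft's or GFI's code: it writes those values as a .reg file and audits an exported policy for the misconfiguration that matters most, a client whose UseWUServer value is not 1, because such a client silently falls back to the public Windows Update site and bypasses your approval step. The server name sus01, the 3 a.m. daily schedule and the audit rules are assumptions for illustration; the key paths and value names are the ones the wuau.adm template writes.

```python
"""Generate and audit the Automatic Updates client policy that points machines at
an internal SUS server.  Added example, not Microsoft's or GFI's code.

The registry paths and value names are the ones the SUS wuau.adm template
writes (WSUS still uses them).  The server name sus01 and the install
schedule are assumed values for illustration.
"""
from __future__ import annotations
import re

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = POLICY_KEY + r"\AU"

# AUOptions values the SUS-era Automatic Updates client understands.
AU_OPTIONS = {
    2: "notify before download and before install",
    3: "download automatically, notify before install",
    4: "download automatically, install on the configured schedule",
}


def _dword(v: int) -> str:
    return f"dword:{v:08x}"


def sus_client_policy(server_url: str, au_option: int = 4,
                      install_day: int = 0, install_hour: int = 3) -> str:
    """Return a .reg file that points the client at server_url and locks its
    behaviour.  install_day: 0 = every day, 1..7 = Sunday..Saturday.
    install_hour: 0..23 local time (only honoured with AUOptions 4)."""
    if not re.fullmatch(r"https?://[A-Za-z0-9.\-]+(?::\d+)?", server_url):
        raise ValueError("server URL must be scheme://host[:port] with no path")
    if au_option not in AU_OPTIONS:
        raise ValueError(f"AUOptions must be one of {sorted(AU_OPTIONS)}")
    if not (0 <= install_day <= 7 and 0 <= install_hour <= 23):
        raise ValueError("schedule out of range")
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        f"[{POLICY_KEY}]",
        f'"WUServer"="{server_url}"',
        f'"WUStatusServer"="{server_url}"',
        "",
        f"[{AU_KEY}]",
        '"UseWUServer"=' + _dword(1),   # 1 = use WUServer, 0 = public Windows Update
        '"NoAutoUpdate"=' + _dword(0),  # 0 = Automatic Updates enabled
        '"AUOptions"=' + _dword(au_option),
        '"ScheduledInstallDay"=' + _dword(install_day),
        '"ScheduledInstallTime"=' + _dword(install_hour),
        "",
    ])


_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg(text: str) -> dict[str, dict[str, str | int]]:
    """Parse the subset of .reg syntax used above (string and dword values)."""
    # Input would typically be the file written by: reg export <POLICY_KEY> wu.reg
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if m := _KEY_LINE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif (m := _VALUE_LINE.match(line)) and current is not None:
            name, as_str, as_dword = m.groups()
            keys[current][name] = as_str if as_dword is None else int(as_dword, 16)
    return keys


def audit_policy(reg_text: str) -> list[str]:
    """Findings for an exported policy; an empty list means the client is
    enabled and pointed at the SUS server."""
    keys = parse_reg(reg_text)
    wu, au = keys.get(POLICY_KEY, {}), keys.get(AU_KEY, {})
    findings = []
    if au.get("UseWUServer") != 1:
        findings.append("UseWUServer is not 1: client fetches from public Windows Update "
                        "and ignores SUS approvals")
    elif not wu.get("WUServer"):
        findings.append("UseWUServer=1 but WUServer is empty: client has no update source")
    if au.get("NoAutoUpdate") == 1:
        findings.append("NoAutoUpdate=1: Automatic Updates is switched off")
    if au.get("AUOptions") not in AU_OPTIONS:
        findings.append("AUOptions missing or out of range: policy does not control "
                        "download/install behaviour")
    return findings


if __name__ == "__main__":
    policy = sus_client_policy("http://sus01")
    print(policy)
    print("findings:", audit_policy(policy) or "none")
```

Run it as-is to print the policy. To confirm Group Policy actually applied on a workstation, export HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate with reg export (XP and later) and feed the file to audit_policy. The same values cover the options the screenshot above shows: AUOptions selects notification versus scheduled install, and NoAutoUpdate switches the client off.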

Microsoft SUS Server limitations

Though very good at what it does, Microsoft's patch management tool does have a few limitations:

  • It does not push out service packs; you need a separate solution for that.
  • It only handles patches at operating system level (including Internet Explorer and IIS), but not application patches such as Microsoft Office, Microsoft Exchange Server, Microsoft SQL Server, etc.
  • It requires Windows 2000 and up, so it cannot patch Windows NT 4 systems.
  • It cannot deploy custom patches for third party software.
  • It does not allow you to scan your network for missing patches, so you cannot check if everything has been installed correctly. There is no easy reporting system for this.

This means that you still require a patch management solution to perform the above tasks. Microsoft does not plan to add the above features, since it promotes Microsoft SMS server as a tool for that. So, Microsoft SUS server is ideal for operating system patches if used in conjunction with a patch management tool.

Step 2: Patch management with GFI LANguard N.S.S.

Once Microsoft SUS server is operational on your network, you need to install GFI LANguard N.S.S. to perform the following patch management tasks:

  • Deployment of service packs.
  • Deployment of patches to machines running Windows NT.
  • Deployment of third party software patches.
  • Deployment of Microsoft application patches and service packs for Microsoft Office, Microsoft SQL Server, Microsoft Exchange Server and Microsoft ISA server.
  • Checking that missing patches and service packs are installed and issuing an HTML report about this.


Checking if patches and service packs are installed

Once you have your patch management in place, it is important to scan your network regularly to check that the patches approved in Microsoft SUS, and the service packs and application patches you deploy with GFI LANguard N.S.S., have actually been installed. GFI LANguard N.S.S. quickly scans your network and lists all missing patches and service packs under the Alerts node.
To scan your network, enter the IP range directly at the top of the scanner interface, or use the Scan Wizard (accessed from the File menu) to specify which computers to scan. You can scan domains, specific computers and an entire IP range. Click Finish to start the scanning process. You’ll see each machine appear in the left-hand pane as it is found by GFI LANguard N.S.S. The right-hand pane provides detailed progress information.
Once the network scan is complete, missing patches and service packs are detailed under the Alerts node. If Microsoft SUS is updating all client machines correctly, you should only see missing application patches and service packs here.
Right-clicking on a patch or a service pack allows you to deploy the missing service pack or patch to that computer or all computers. The Deploy Patches dialog, shown in the screenshot, allows you to easily specify which patches to push out to which computers.
(Deploying patches with GFI LANguard N.S.S.)
(Patches to be downloaded)
After you specify which patches to push out, GFI LANguard N.S.S. gives you a list of service packs and patches that need to be downloaded and copied to the GFI LANguard N.S.S. download directory.

Step 3: Reporting

Once you have scanned your network, you can also create a concise report that lists all missing patches and service packs. To generate the missing patches report, go to the File menu > Filters and select ‘Missing patches’.
(The GFI LANguard N.S.S. missing patches/service packs report)
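The check described under "Checking if patches and service packs are installed" and the report in Step 3 are, stripped of the scanner, a reconciliation of what was approved against what each host reports as installed. The following Python script is an added example, not GFI's or Microsoft's code, and goes slightly beyond the text in two ways a practitioner hits at once: it normalises the Q and KB article prefixes that coexisted in 2003, and it takes a supersedence map so a host carrying a newer replacement patch is not reported as missing the older one. All inputs (approved list, inventory, supersedence map) are constructed inline; the HTML report escapes host names because they come from the network.

```python
"""Check that the patches approved on the SUS server actually landed on each
host, and emit the result as an HTML report.  Added example, not GFI's or
Microsoft's code; it shows the reconciliation a scanner performs, not the
scanner itself.

All inputs are constructed inline: the approved list is what you would read off
the SUS approval page, the inventory is one line per host with the hotfix IDs
the host reports (in practice gathered from each machine, e.g. the Hotfix(s)
section of systeminfo on XP/.NET), and the supersedence map is assumed.
"""
from __future__ import annotations
import html
import re

# Constructed: article numbers approved for deployment on the SUS server.
APPROVED = ["Q323255", "Q328310", "KB329115", "Q810833"]

# Constructed: newer article that replaces an older one.  A host carrying the
# newer patch is not missing the older one even though the old ID is absent;
# without this, a naive check reports false positives.
SUPERSEDED_BY = {"Q323255": "Q810833"}

# Constructed inventory: 'host: ID ID ...'.  Note the mixed Q/KB prefixes and case.
INVENTORY = """\
fileserver01: Q323255 Q328310 KB329115 Q810833
ws-finance-07: Q328310 KB329115
ws-sales-12: Q810833 q328310
sqlserver02:
"""

_ARTICLE = re.compile(r"^(?:Q|KB)?(\d{6,7})$", re.IGNORECASE)


def article_number(token: str) -> str:
    """Normalise 'Q323255', 'KB323255' and 'kb323255' to the bare article number.
    Microsoft renamed the prefix from Q to KB in 2003, so both forms occur."""
    m = _ARTICLE.match(token.strip())
    if not m:
        raise ValueError(f"not a Knowledge Base article id: {token!r}")
    return m.group(1)


def parse_inventory(text: str) -> dict[str, set[str]]:
    """One host per line; an empty ID list is a host with nothing installed."""
    hosts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, _, ids = line.partition(":")
        hosts[host.strip()] = {article_number(t) for t in ids.split()}
    return hosts


def missing_patches(approved, inventory, superseded_by=None) -> dict[str, list[str]]:
    """Map each host to the sorted article numbers it should have but does not."""
    newer_of = {article_number(old): article_number(new)
                for old, new in (superseded_by or {}).items()}
    required = {article_number(a) for a in approved}
    result = {}
    for host, installed in inventory.items():
        missing = []
        for art in required:
            if art in installed:
                continue
            if newer_of.get(art) in installed:
                continue  # covered by the superseding patch
            missing.append(art)
        result[host] = sorted(missing)
    return result


def html_report(missing: dict[str, list[str]]) -> str:
    """Host names come from the network, so escape them before they reach HTML."""
    rows = []
    for host in sorted(missing):
        status = ", ".join("KB" + a for a in missing[host]) or "OK"
        rows.append(f"<tr><td>{html.escape(host)}</td><td>{html.escape(status)}</td></tr>")
    return ("<html><body><h1>Missing patches</h1>"
            "<table><tr><th>Host</th><th>Missing</th></tr>"
            + "".join(rows) + "</table></body></html>")


if __name__ == "__main__":
    gaps = missing_patches(APPROVED, parse_inventory(INVENTORY), SUPERSEDED_BY)
    print(html_report(gaps))
```

Replace INVENTORY with per-host output gathered from the network and APPROVED with the current SUS approval list; any host that still shows gaps after a scheduled install window is one where the client policy above, or the install itself, has failed.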

Conclusion

Microsoft SUS is a very good patch management tool. On top of that, it’s free. However it does not deploy service packs, nor does it deploy patches to application software such as Office, Exchange or SQL Server. Furthermore, it has no scanning capability: you have to review the logs to check whether patches have been deployed successfully or not.
Microsoft SUS Server is perfect for operating system patch management. Although you can use a patch management product instead, using Microsoft SUS Server saves you time in the long run: Once set up, it is easy to keep your network up-to-date. Coupled with the fact that Microsoft SUS Server is free, this makes for an easy decision. However, Microsoft SUS Server does not perform all patch management. You must therefore use a patch management tool in addition to Microsoft SUS Server.
GFI LANguard N.S.S. in tandem with Microsoft SUS offers the features found in more expensive patch management solutions at a minimal cost. Most patch management solutions range from $15,000 for a 100-machine license to $8,000 and more for a 500-machine license. The combination lets you update operating systems with Microsoft SUS (Windows 2000, XP and .NET, including IIS, IE and Windows Media) and deploy service packs, Microsoft application patches, Windows NT patches and third party software with GFI LANguard N.S.S.
The combined solution of GFI LANguard N.S.S. and Microsoft SUS is not only more powerful and flexible, it is also much more cost-effective: Microsoft SUS is free and GFI LANguard N.S.S. licenses start from as little as $249 for 50 IPs.

GFI

GFI (www.gfi.com) is a leading provider of Windows-based messaging, content security and network security software. Key products include the GFI FAXmaker fax connector for Exchange and fax server for networks; GFI MailSecurity e-mail content/exploit checking and anti-virus software; and the GFI LANguard family of network security products. Clients include Microsoft, Telstra, Time Warner Cable, Shell Oil Lubricants, NASA, DHL, Caterpillar, BMW, the US IRS, and the USAF. GFI has five offices in the US, UK, Germany, Australia and Malta, and has a worldwide network of distributors. GFI is a Microsoft Gold Certified Partner and has won the Microsoft Fusion 2000 (GEM) Packaged Application Partner of the Year award.

For more information

Please e-mail [email protected] or contact one of the GFI offices.
Free version available for download (v3.3, approx. 3.5 MB)
Product info – “Using GFI LANguard Network Security Scanner to secure your internal network”