Neal Weinberg
Contributing writer, Foundry


Mar 11, 2003

The Reviewmeister takes a look at patch management tool PatchLink

Here’s the Reviewmeister’s position on installing security patches for Windows servers: It’s a job that’s too important to neglect and too tedious to have to keep track of yourself. So, we looked at a bunch of tools that automate the distribution and management of security patches.

Patch management tools should accurately identify which patches are missing on each system, provide an easy means to deploy patches, and provide administrative reports tracking patch status across multiple machines.

The products we tested attack the problem in two ways – with or without agent software. Agent-based products – such as those from PatchLink and BigFix – can greatly reduce network traffic by offloading processing and analysis to the target system, saving data until it needs to report to the central server. But they also force an administrator to manage software on all systems the product analyzes.

Today, we’ll provide the lowdown on PatchLink and we’ll cover BigFix later this week.

PatchLink has two components – PatchLink Update Server and the agent. The Update Server is installed on a Windows 2000 Server with SP2 and Internet Information Server (IIS). The installation process sets up a Microsoft Data Engine (MSDE) database, which can be upgraded to a full SQL Server after installation. This upgrade is recommended for large organizations.

You can easily push the agents to targeted machines using the Agent Install Wizard, or agents can be installed during the logon process.

For management purposes, administrators connect to the PatchLink server through a Web interface, which lets you view reports, deploy packages, create packages and view system inventory.

PatchLink, the company, monitors Microsoft and other vendors, such as Citrix Systems and Adobe, for newly released patches. PatchLink engineers test the patches, put them into PatchLink’s proprietary package format and deploy them to customers’ local PatchLink servers through a periodic subscription-checking process, which occurs over Secure Sockets Layer at a time the administrator configures.

Administrators receive e-mail informing them of a new patch on the PatchLink server. If it is a critical patch, it is also downloaded to the Update Server on the customer’s network. Noncritical patches are downloaded only at the administrator’s request.

PatchLink automatically caches critical patches on the Update Server, a marked difference from BigFix and the agentless products. Caching patches is useful and the recent Sapphire/Slammer SQL Server worm proves the point. If a worm or other malicious act is taking place that slows down the Internet, how will administrators download patches to their critical servers? With cached patches, you already have the files at your location.

On the other hand, cached patches must be stored somewhere, so your system needs to include adequate disk space.

We very easily deployed all necessary patches to one machine and deployed a single patch to multiple machines with PatchLink Update Server. We controlled whether the system rebooted automatically and could set our own deployment flags, providing detailed control not found in the other products.

One of the best administrative features PatchLink offers is its ability to let administrators configure groups of machines with baseline patch settings. If a computer in the group is missing any patches defined in the baseline set, they are automatically installed on the computer. For the full report, go to
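To make the baseline-group behaviour and the critical-versus-noncritical caching rule concrete, here is a small added model of that logic. It is constructed for this article and is not PatchLink code; the patch IDs, group names and hostnames are hypothetical, and the inventory of installed patches is assumed to come from the agents.

```python
from dataclasses import dataclass, field

@dataclass
class Machine:
    name: str
    group: str
    installed: set = field(default_factory=set)

# Constructed data with hypothetical patch IDs: criticality of each known patch,
# and the baseline set every member of a group must have installed.
CRITICAL = {"KB-0001": True, "KB-0002": False, "KB-0003": True}
BASELINES = {
    "web-servers": {"KB-0001", "KB-0002", "KB-0003"},
    "file-servers": {"KB-0001"},
}

def missing_patches(machine):
    """Baseline patches the machine lacks (empty set when it is compliant)."""
    return BASELINES.get(machine.group, set()) - machine.installed

def compliance_report(machines):
    """Per-host status, split by whether a missing patch is already cached."""
    report = {}
    for m in machines:
        missing = missing_patches(m)
        report[m.name] = {
            "compliant": not missing,
            "missing": sorted(missing),
            # critical patches are already on the local Update Server;
            # noncritical ones must be requested before they can be deployed
            "cached_locally": sorted(p for p in missing if CRITICAL.get(p, False)),
            "needs_download": sorted(p for p in missing if not CRITICAL.get(p, False)),
        }
    return report

def deployment_plan(machines):
    """Invert the view: patch -> hosts, so one patch can be pushed to many machines."""
    plan = {}
    for m in machines:
        for p in missing_patches(m):
            plan.setdefault(p, []).append(m.name)
    return {p: sorted(hosts) for p, hosts in sorted(plan.items())}

SAMPLE = [  # constructed inventory with hypothetical hostnames
    Machine("web01", "web-servers", {"KB-0001", "KB-0002"}),
    Machine("web02", "web-servers", {"KB-0001", "KB-0002", "KB-0003"}),
    Machine("fs01", "file-servers", set()),
]
```

Running `compliance_report(SAMPLE)` flags web01 and fs01 as non-compliant with their missing patches already cached, and `deployment_plan(SAMPLE)` gives the per-patch host list for a multi-machine push.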