This article can also be found in the Premium Editorial Download "Information Security magazine: Tips for navigating the maze of global security regulations."
PatchLink Update 6.3
REVIEWED BY MIKE CHAPPLE
Price: $1,495 per update server, plus annual subscription fee starting at $18
Keeping systems patched can be a nightmare for enterprises. Medium- and large-sized enterprises will find this automated patching tool from PatchLink an excellent, cost-effective solution.
PatchLink Update provides a Web-based manual installation process for one-off installs. It's also possible to automate installation by using a script or Group Policy Object with the standalone installer. Agents can be automatically deployed through the console using Active Directory/LDAP lookup or IP/DNS scanning.
One of the product's major shortcomings is weak integration with AD. Although you can deploy the agent through AD, it's not possible to manage devices through AD organizational units (OUs) or import OU membership information into PatchLink's group-based management structure.
PatchLink will enforce minimum baselines automatically according to standards you create for admin-defined or platform-based groups of devices. When a patch becomes available, you may create a rollout schedule based on your specific needs.
As noted above, tighter AD integration would allow enterprises to leverage the time they've already invested in creating an OU structure to apply policies to different parts of the organization.
We were impressed with PatchLink's ability to create custom patch packages and deploy them to the enterprise or specific groups on a scheduled basis. These packages can also be used to change configuration settings, install software and run automated scripts.
We also like the flexibility to grant end users varying degrees of control over the PatchLink agent. For example, administrators may choose to allow users to delay patch deployments and system reboots.
The Windows-centric product provides a baseline level of support for other OSes, including Mac OS X and several Unix/Linux variants. It also supports many Windows applications, but only a handful of Mac apps and none for *nix.
Determining which systems are unpatched and verifying successful deployments are major pain points for enterprises. PatchLink uses digital signatures for each patch and scans the host system to determine patch level. If the initial deployment of a patch fails, it attempts to redeploy the patch up to three times.
Report customization and filtering are limited. For example, you can filter a report by devices or device groups, but not by complex criteria, such as listing the devices that have been missing patches for a certain period of time.
Testing methodology: PatchLink Update was tested in a Windows Server 2003 and Windows XP environment within VMware Workstation. We ran the PatchLink Web server on IIS 6.0.
This was first published in February 2007