
Five essentials of a patch management solution

Learn the key criteria you need to consider when purchasing a patch management solution to ensure it is effective.

What you will learn from this tip: The key criteria you need to consider when purchasing a patch management solution to ensure it is effective.

Patch management has matured significantly in recent years. It has catapulted from a minor, back-burner item, to a business imperative at the core of an effective network security plan. A new industry has grown out of the need to effectively manage and deploy patches, and the number of patch management tools available has proliferated. Not only have corporations developed more effective policies and processes for testing and deploying patches, but vendors have also responded to customer needs to create tools that work.

When deploying patches, you could opt to deploy all of them from a central location, but the server may not be able to handle the load and the network connections may not be able to handle the bandwidth. Therefore, consider the impact to production systems and network bandwidth when selecting between a centralized model, a distributed model with patch deployment servers strategically placed throughout the environment or a hybrid of both. Whether you create a solution in-house or purchase one of the many products available, there are key criteria you need to consider to ensure your patch management solution is effective.

1. Scanning flexibility
One of the most important functions of a patch management application is the ability to scan the network and identify missing patches. The more complex the network architecture is, the harder it can be to achieve this goal. You need to select a solution with the flexibility to handle collecting information and deploying patches across subnets and to remote sites as your environment dictates.

Some tools use agent software installed on client systems to collect and report information back to the patch management tool, while others scan the network with agent-less technology. Both methods have their pros and cons. With agent-less patch management systems, there is no need to deploy software or ensure that each new system gets the agent loaded in order to receive patch updates. However, agent-based systems typically use less bandwidth and enable secure communications between the client and server, as well as being more scalable and taking some of the processing load off the server. Some products allow for either agent-less or agent-based operation, or for mixing both in the same environment. Be sure to explore all the options and their impact on your network before making a choice.

2. Comprehensive scanning
The tool you use must be as comprehensive as possible in seeking out systems and identifying missing patches. However, it is a waste of time and resources if the patch scanning results in too many false positives. The scan should accurately identify devices that are missing patches, but also take into consideration when patches are updated or superseded. Otherwise, you will be inundated with outdated, useless information that just adds to the chaos and confusion.

The solution you choose should have some method of validating patches. Check with each vendor and do your homework. Find out how good each product is at accurately determining which patches are needed and which have already been applied. The solution should also have some level of intelligence to assess the software installed on the target system to determine the correct version of the patch or whether a patch was replaced or updated.

3. Efficient patch deployment
Arguably, the single greatest feature of a patch management solution is the ability to automate patch deployment. The product you use should efficiently install patches and updates across your network, taking into consideration bandwidth and other concerns such as spanning multiple domains or IP ranges. It should also be intelligent enough to determine if patches should be applied in a particular order to avoid conflicts and ensure that one patch does not overwrite or undo a previous patch.
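The two checks just described, collapsing superseded patches so a scan does not report stale items (point 2) and ordering deployment so prerequisites go first (point 3), can be modelled in a few lines. The following is an added example, not code from the article or from any patch management product; the patch ids, products, versions and catalog are constructed, and `supersedes`/`requires` are assumed relationships a vendor catalog would carry.

```python
"""Toy patch-catalog model: drop superseded patches from scan results and
order the remaining ones so prerequisites are installed first."""
from dataclasses import dataclass
from graphlib import TopologicalSorter


@dataclass(frozen=True)
class Patch:
    pid: str                 # constructed id, not a real KB/advisory number
    product: str             # product the patch applies to
    version: str             # product version the patch targets
    supersedes: tuple = ()   # older patch ids fully replaced by this one
    requires: tuple = ()     # patch ids that must already be installed


# Constructed sample catalog (hypothetical products and ids).
CATALOG = {
    "P-100": Patch("P-100", "widgetd", "2.1"),
    "P-101": Patch("P-101", "widgetd", "2.1", supersedes=("P-100",)),
    "P-102": Patch("P-102", "widgetd", "2.1", supersedes=("P-101",),
                   requires=("P-200",)),
    "P-200": Patch("P-200", "widgetd", "2.1"),    # prerequisite (servicing-stack style)
    "P-300": Patch("P-300", "widgetd", "3.0"),    # other version: never offered to a 2.1 host
    "P-400": Patch("P-400", "gadgetlib", "1.4"),
}


def superseders(catalog, pid):
    """Return every patch id that directly or transitively replaces `pid`."""
    found = set()
    frontier = [pid]
    while frontier:
        cur = frontier.pop()
        for p in catalog.values():
            if cur in p.supersedes and p.pid not in found:
                found.add(p.pid)
                frontier.append(p.pid)
    return found


def missing_patches(catalog, installed, products):
    """Patch ids a host still needs, with supersedence already resolved.

    installed: set of patch ids found on the host by the scan
    products:  {product: version} inventory of the host
    A patch is satisfied if it, or anything that supersedes it, is installed.
    A patch that is itself superseded by another applicable patch is not
    reported; its newest replacement is reported instead.
    """
    applicable = [p for p in catalog.values()
                  if products.get(p.product) == p.version]
    applicable_ids = {p.pid for p in applicable}
    needed = []
    for p in applicable:
        newer = superseders(catalog, p.pid)
        if newer & applicable_ids:
            continue  # stale: a newer applicable patch replaces it
        if p.pid in installed or newer & installed:
            continue  # already satisfied, directly or by a successor
        needed.append(p.pid)
    return sorted(needed)


def deployment_order(catalog, needed):
    """Order `needed` so each patch's prerequisites precede it.

    Raises graphlib.CycleError if the catalog contains a dependency loop,
    which is exactly the conflict a deployment engine must refuse to run.
    """
    ts = TopologicalSorter()
    for pid in needed:
        ts.add(pid, *(r for r in catalog[pid].requires if r in needed))
    return list(ts.static_order())


if __name__ == "__main__":
    host = {"widgetd": "2.1", "gadgetlib": "1.4"}
    need = missing_patches(CATALOG, {"P-100"}, host)
    print("missing:", need)                          # P-100/P-101 collapsed into P-102
    print("install order:", deployment_order(CATALOG, need))
```

A real scanner would populate `installed` and `products` from an agent or a remote inventory query; the logic that decides what to report and in what order is the part worth checking when evaluating a product.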

4. Current patch information
The ability to scan your network for missing patches and effectively automate the deployment of patches is limited by the information your patch management tool has at the time. You should update your patching tool frequently, so that scanning yields results that are relevant to the vulnerabilities and exploits facing your network today, not last month.

Once you select a tool that is flexible enough to accommodate your environment and effectively scan all of your client machines, you need to ensure that the vendor has a solid track record of producing timely updates for the software. Being able to scan your systems using outdated patch information makes the scan results meaningless.

5. Detailed reporting
Reporting is an important feature in virtually every enterprise network management product. Technicians who deal directly with the systems need information to work with. Network and security administrators need a broader view of the overall patch status, current deployment progress and issues that need to be addressed. Executive management needs higher-level reports that show the big picture of the state of patching in the enterprise. Consider the types of reports you might need and investigate the reporting capabilities of the tools available before making your selection.

Once you have selected a patch management tool, it should be tested to see how it will impact your computing environment. In small environments, you can test your patching tool by installing the software in a control group and running it for a few days. In large, more complex environments, you may need to test your product in a lab for a few weeks before deploying it on your network. While some vendors use testing programs to test their products in various environments and scenarios, it is always important to test any product before deploying it on your system.

These criteria are critical considerations when selecting a patch management tool. As you explore your options and choose the tool that is right for your network, keep in mind whether the tool is capable of scanning the complete range of operating systems and applications in use, as well as whether the product has the scalability to keep up as your needs expand.



About the author:
Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the Guide for Internet / Network Security, providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions, you can visit Essential Computer Security.

This was last published in June 2005
