OT: Patch Management

Guest

I just took a network admin position for a company with about 30 servers and
250 desktops. We are a strict Microsoft shop -- all servers are running 2000,
as are most desktops, and we have a small sprinkling of XP in the IT
department and on laptops.

There is currently no patch management system in place.

I'm looking to evaluate some third party applications for patch management,
so I'd like to get everyone's suggestions. What do you (or don't you) use,
and why did you come to this conclusion?

Thanks!
 
As Danny referred to, Software Update Services is freely available and works
well. It installs on a server running IIS on your domain, preferably one
that is not using IIS for anything else. The nice thing about SUS is that
you can download the updates to your SUS server from Microsoft, approve the
ones you want to issue, and the domain computers will pull the updates from
your SUS server. It can also distribute Service Packs, and domain clients can
be configured via Group Policy to automate the whole patching process
without requiring the domain user to be a local administrator. When you
set up SUS, I suggest you use the manual/advanced option so you can specify
the drive to store the downloaded updates. --- Steve
 
Steven L Umbach said:
As Danny referred to, Software Update Services is freely available and works
well. It installs on a server running IIS on your domain, preferably one
that is not using IIS for anything else. The nice thing about SUS is that
you can download the updates to your SUS server from Microsoft, approve the
ones you want to issue, and the domain computers will pull the updates from
your SUS server. It can also distribute Service Packs, and domain clients can
be configured via Group Policy to automate the whole patching process
without requiring the domain user to be a local administrator. When you
set up SUS, I suggest you use the manual/advanced option so you can specify
the drive to store the downloaded updates. --- Steve

Thanks for the responses.

I've used SUS before, but not in an environment this large. The two problems
that we have with SUS are that it currently only supports OS patches (we'd
like something that does SQL, Office, etc. as well) and there's no method for
determining what workstations actually successfully download the updates (in
other words, reporting is nil).

Thanks again.
 
Molnir said:
I've used SUS before, but not in an environment this large. The two problems

It works nicely and depends a lot on how you intend to distribute the
load (with multiple SUS servers, e.g.). Various configuration options exist that
can help to address this issue.

that we have with SUS are that it currently only supports OS patches (we'd
like something that does SQL, Office, etc. as well) and there's no method for

True, but WUS should fix this and more. It is currently in BETA and looks
promising: http://www.microsoft.com/wus.

determining what workstations actually successfully download the updates (in
other words, reporting is nil).

Many excellent third party add-ons, mostly free, are available to help in
reporting under SUS SP1. Try SUS Reports
(http://www.lovas.info/susreporter/), SUS Log Reporting Utility
(http://www.susserver.com/) or http://sourceforge.net/projects/susrep/ just
to name a few.


Do let us know if this helps. Thanks!
 