Configuresoft eases patch headaches

Patching Microsoft Corp. software often is a labour-intensive task, but one that is essential to ensure enterprise networks are protected against known security vulnerabilities. ConfigureSoft Inc. aims to alleviate the task of tracking patches, which have totalled 26 in the past six months, and ensure software is locked up tight.

ConfigureSoft released Security Update Manager (SUM) last month, which lets network executives track Microsoft patches, and automate the discovery of network machines that need patches. The software also automates patch deployment.

“We are always having to check for hotfixes being a regulated government organization,” said Tim Seymour, network administrator in The Office of the Surgeon General, U.S. Army. “We are drawn to the auditing features of SUM because we have to audit our compliance to the regulations we work under.”

Seymour, who has yet to deploy SUM, says the software can eliminate “false positives,” such as reports that an individual hotfix is not installed when it is, but as part of a “rollup” patch, a collection of hotfixes.

SUM, a module for ConfigureSoft’s Enterprise Configuration Manager, works by comparing patches released by Microsoft with server and desktop configuration data collected by ECM. The ECM software can run an assessment on 2,000 machines in less than two hours, according to ConfigureSoft.

ConfigureSoft has linked SUM with Microsoft’s XML Security Database, which provides a knowledge base of new patches. When a new patch is released, SUM screens the patch to determine the products and current service packs that are affected to ensure only relevant patches are applied. The software also lets administrators search for machines to be patched by such criteria as application and registry entry.

SUM includes an automated deployment mechanism for centralized rollouts. Users can choose to modify automatically generated target lists, and specify additional patches to install and schedule deployment times and reboots.

The software also includes a Patch Monitor to ensure that patches are installed properly.

“Configuration data collected by ECM is key,” says Alex Goldstein, CEO of ConfigureSoft. “ECM knows the machines and which ones have patches and service packs. Marrying that data with Microsoft’s Security Database lets us create a list of target machines.”

ConfigureSoft isn’t the only vendor attacking the patching problem. Bindview with its bv-Control, Patchlink’s Patchlink Update, Ecora’s MyEcora and Shavlik’s Network Security HF Checker all track patches installed on networked computers. Microsoft also has two tools for checking patches HFNetChk and Personal Security Advisor for the desktop.

Pricing for SUM is US$25 per server and US$5 per workstation. ECM is priced at US$775 per server and US$30 per workstation. ECM supports Windows 2000 and NT servers, Windows NT 4.0 and Professional desktops, and Microsoft SQL Server 7.0 and higher. The company is on the Web at