State and local facilities automate, too

To properly handle patch deployment, administrators need a system of checks and balances, said Dan Ruesch, information security manager for the South Dakota Air National Guard.

The organization began using Microsoft's Systems Management Server to send patches to the approximately 600 workstations at its air base. That approach worked fine, but administrators had no way of verifying that a patch had been correctly installed.

"We needed a real-time look at computers on the network," instead of sending employees to do it manually, Ruesch said.

For that real-time view, the Air National Guard brought in Shavlik's HFNetChkPro 4.0. "If [Systems Management Server] missed a machine, we can use Shavlik as a check-and-balance system," Ruesch said.

HFNetChkPro can be set to automatically scan a wide range of Microsoft platforms — including Windows NT, Windows XP, Windows Server, Exchange and Outlook — and update machines with the necessary security patches.

City officials in Sioux Falls, S.D., averted a major network infection from a laptop stricken with the Blaster worm because the city's network administrator had deployed the proper patch using St. Bernard Software's UpdateExpert patch management system.

UpdateExpert "was critical to keeping our network secure," said Monte Watembach, the city government's network administrator. "Even though we have [Microsoft's Systems Management Server], it was too cumbersome to use." With St. Bernard's software, "we actually had the Blaster patch on [desktop computers] before Blaster hit."

One feature UpdateExpert doesn't currently support, but that Watembach would like to see added, is a better way to track remote users who haven't logged on for months.

"When a [remote] user logs into my domain, I would like to deploy all the requisite updates," said Watembach, who is responsible for patching about 900 workstations and servers.

He said he tests patches by deploying them to a small number of users, usually in the IT department. To determine how well a patch will work, it must be tested on the machines on which people are actually doing their work, he added.

Several years ago, officials for the city of Boulder, Colo., didn't apply patches. But when they moved from Windows 98 to Windows NT, 2000 and XP, patch management became more critical, said Allyn McMullin, senior PC specialist with the city's information technology department.

"Vulnerabilities are cropping up more often," McMullin said. To cope with that reality, officials set up an internal server that downloads updates from Microsoft's patch server. IT staffers schedule patch deployments via LANDesk Software's Patch Manager, which is a component of the company's Management Suite.

When news began surfacing about the Blaster worm last summer, Boulder's IT staff used LANDesk's tools to see if all of the city government's desktop computers had the patch. Most of the 1,200 workstations had been patched, but 300 hadn't been. With LANDesk, the IT department was able to patch all of the systems in a matter of hours, McMullin said.

Because LANDesk's product is a suite of tools, IT employees can do more than just manage patches, McMullin said. They can also manage desktops remotely and perform other software upgrades.

