Hi all – Welcome to my channel, I’m Alex Hubbard, I’m a Senior System Administrator and Cybersecurity Engineer. If you’re new to the channel, please subscribe below. If you’ve been here before, welcome back. Be sure to check out my Instagram @ach_sysadmin.
Today we are going to discuss patching. Patching is very important in today’s ever-changing threat landscape. However, for a small business admin, the budget may not be there to implement a robust program. So what are some options for tackling this problem?
Something to keep in mind: this article (and the associated video) reflects my own personal opinions after over 15 years in the industry. I am not affiliated with any of the companies I speak about in this video; I have merely been an admin for a couple of them and researched the rest. Determining whether any of these solutions are a fit for your environment is solely up to you.
Option 1 – Legacy Solutions
Allow Host(s) to Self-Update
This is not a good practice in today’s vast threat landscape. Numerous vulnerabilities come out daily, and not just for the Windows, Mac or Linux operating systems, but for any of the third-party applications that run on these platforms. Operating this way gives you, as the administrator, no visibility into what patches a system has or is missing. Additionally, users (even I am guilty) will put off rebooting to apply an update for as long as feasibly possible. When systems self-update, you have no control over when the system reboots for an applied patch to actually take effect. It could be days, weeks or, in some cases, months before a system is rebooted. While this option does not cost anything, I don’t view it as an option for any business, big or small. It leaves your systems highly vulnerable.
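The visibility gap described above can at least be measured per host. The following PowerShell script is an added example, not from the article or any of the products it discusses: run on a Windows host, it reports uptime, whether a reboot is pending, the last installed hotfix, and which applicable updates are still missing, using the built-in Windows Update Agent COM API.

```powershell
# Added example: surfaces the patch-state facts a self-updating host never reports centrally.
# Run in an elevated PowerShell session on a Windows host with the built-in Windows Update Agent.
# The Search() call contacts Windows Update (or the configured WSUS server) and can take a few minutes.

function Get-PatchVisibilityReport {
    # Uptime: a host that has not rebooted in weeks may be sitting on applied-but-inactive patches
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $uptime = (Get-Date) - $os.LastBootUpTime

    # Pending-reboot markers written by Windows Update and Component Based Servicing
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    $rebootPending = ($rebootKeys | Where-Object { Test-Path $_ }).Count -gt 0

    # Ask the Windows Update Agent which applicable updates are not yet installed
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    $missing  = foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity   # empty for non-security updates
        }
    }

    # Most recent hotfix that was actually installed (Get-HotFix reads Win32_QuickFixEngineering)
    $lastHotfix = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        UptimeDays      = [math]::Round($uptime.TotalDays, 1)
        RebootPending   = $rebootPending
        MissingCount    = @($missing).Count
        MissingCritical = @($missing | Where-Object Severity -eq 'Critical').Count
        LastHotfix      = $lastHotfix.HotFixID
        LastHotfixDate  = $lastHotfix.InstalledOn
        MissingUpdates  = $missing
    }
}

$report = Get-PatchVisibilityReport
$report | Select-Object ComputerName, UptimeDays, RebootPending, MissingCount,
    MissingCritical, LastHotfix, LastHotfixDate | Format-List
$report.MissingUpdates | Format-Table -AutoSize
```

Scheduling this on each host and shipping the output to a central share or log collector gives a rough fleet inventory; it does not enforce install or reboot windows the way the tools below do.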
Windows Server Update Services (WSUS)
WSUS, or Windows Server Update Services, used to be the go-to for many businesses, and you’re likely to find it still in production today. This is what I would consider a legacy approach. Given the proliferation of users who work remotely, a cloud-based solution is the best option. WSUS is an on-prem service that, in most cases, requires your users to be connected to the corporate network either directly or via VPN. You are likely to have remote users who rarely connect to the corporate network and will therefore be delayed in receiving approved patches. WSUS may be a good option if you are a Windows administrator with a fleet of desktops and servers that don’t go anywhere. The upside to WSUS is that it is built into Windows Server as a role, so there is no cost associated directly with the product. This is a slightly better option than allowing your hosts to self-update. Windows Server Update Services is also limited to Microsoft products natively.
PDQ Inventory/Deploy, BatchPatch and Other Standalone Tools
There are plenty of standalone tools out there that will help you patch systems. PDQ Inventory/Deploy and BatchPatch are just two that come to mind. Both are fantastic tools that are cost effective, coming in at a base price of around $500-$1000. Both are still what I would consider a legacy approach. They still require the system to be connected to the corporate network, and while you can automate them to some extent, you cannot get the real-time response you would with a product like Automox or Patch Manager. These options do give you the ability to patch third-party applications. BatchPatch and PDQ are valid solutions if you’re working in a location without the budget for a cloud-based tool. In my opinion, they still leave room for security holes.
Option 2 – Cloud Based Patching Solutions
Cloud-based patching solutions are, and should be, the go-to. They are reliable, fast and give you the most up-to-date reporting and metrics on your fleet. Leveraging a cloud solution will allow you to patch a vulnerable system in minutes, regardless of whether the system is connected to your corporate network.
Automox
Automox is what I would call a premium product. It comes at a cost of $3-5 per endpoint per month, so it could get expensive if you have a large fleet. Automox allows the admin to set up and configure various groups and patching schedules across all three major platforms: Windows, Linux and macOS. Leveraging Automox, administrators are also able to patch and deploy third-party applications. I’ve had the pleasure of administering Automox for a few employers over the last several years and it has been a solid product. It is my go-to recommendation for patch management.
ManageEngine Patch Manager Plus
ManageEngine’s Patch Manager Plus is another good solution for a small business that is looking to implement a patching solution. They even have a free offering good for 20 computers and 5 servers! If you need a plan with more clients, their starting price comes in at $245/yr for 50 computers. Not a bad price to get started. They offer both on-prem and cloud solutions; I would obviously encourage you to go with the cloud solution. Patch Manager does come with a bit of a learning curve. As someone who has administered this platform, it is not quite as easy to get the hang of as Automox. All in all, it is a great solution if you’re a small business admin on a tight budget. Patch Manager supports all the major operating systems, Windows, Linux and macOS, along with third-party patching.
Option 3 – RMM Tools
The two options below are geared more toward a Managed Service Provider. They do more than just patch management, but I am only looking at them from a patch management standpoint for the purpose of this video. While they are geared more toward an MSP, they may be options for a small business given their free or inexpensive offerings. They do come with their limitations. I have not worked with either product extensively, although I have tested them in the lab for a short period of time.
Itarian
Itarian is an RMM tool with a decent offering: you get 50 endpoints free of charge. All you have to do is sign up. They have agents that support all major operating systems, Windows, Linux and macOS. While they have agents for these systems, they only support patching on Windows-based systems. I spent time looking through their documentation and could find no reference on how to patch a macOS or Linux based system. Given that they have agents that run on macOS and Linux, I would say you’d likely see Itarian support patching them at some point down the line. This is a decent option if you have a small fleet of Windows systems that you want some visibility into.
Action1
Action1 is another RMM tool that will handle patch management for up to 100 endpoints for free. However, the caveat is that they do not support macOS or Linux; they do not seem to have an agent available for those operating systems. Action1 may be a good solution if you have a slightly bigger Windows-based fleet.
One can surmise from reading through this article (or watching my associated video) that legacy options are no longer the best play here. You really need a cloud-based solution to keep your systems up to date with minimal hassle.