WSUS vs. SCCM: Which is the best way to go for security patching?

Webinar Registration

Thou shalt patch.


But we need patching to be as fast, efficient, and stable as possible. While there’s no substitute for patching, we still need to limit how much time we spend on it, because patching is just the first step in defending our networks. There are so many higher-value security tasks to work on.


Microsoft® provides three ways to update Windows® systems:
   • Windows Update – Basically for consumers.
   • Windows Server Update Services (WSUS) – Centralized patch management application built in to Windows Server.
   • System Center Configuration Manager (SCCM) aka “ConfigMgr” – Includes patching along with everything else ConfigMgr does. Interestingly, SCCM uses WSUS.


Many of you already own a license to System Center Configuration Manager as part of Software Assurance and other licensing packages. But don’t immediately assume you should be using SCCM instead of WSUS for patching. SCCM is a much heavier-weight technology than WSUS, and unless you are going to use its added features, it might be wise to stick with WSUS.


In this real-training-for-free event, I’ll show you what SCCM offers beyond WSUS and help you determine which is right for you. And we’ll give particular attention to third-party patch management, which is an important gap in both WSUS and SCCM, despite what you might have read.


Outside of patching, SCCM provides:
   - Operating system deployment
   - Application installation
   - Hardware/software inventory
   - Configuration management


Within the bounds of patch management, SCCM provides:
   - More control over patch deployment in terms of which systems are patched and on what schedule
   - More detailed reporting
   - Limited third-party patching support


Notice the emphasis on “limited”—this is probably the most important thing to understand when deciding whether you need SCCM. SCCM provides a utility called System Center Update Manager (SCUP), which helps you package up third-party updates so that you can deploy them through SCCM. As with most things security-related, the devil is in the details. We’ll dive into what you can do with SCUP and alternatives.


Third-party patching is important. In fact, third-party application vulnerabilities surpassed Microsoft (MS) product vulnerabilities several years ago in terms of quantity and threat. Right now, we might be seeing a temporary swing back to MS vulnerabilities with these NSA-related hacks, but I don’t think it will last.


The interesting thing about SCCM is that it still uses WSUS. And using either SCCM or WSUS to manage third-party patches can create a lot of work. I’ll discuss ways you can avoid re-inventing the wheel on each third-party patch that comes along.


In fact, that’s what SolarWinds, my sponsor, will briefly show you: their third-party patch support that integrates with both WSUS and SCCM. This means that no matter which one you use, you get easy third-party patch management seamlessly integrated.

 
 

Your information will be shared with the sponsor.


 

 
