Patching your Small Business Network – Part 2 – Deciding on your patching strategy

The key decisions you need to make in terms of patching your small business network are around how much you want to do, how much reporting/verification you want and how reliable the technology is.  In the small business space you’ve got a few options available to you, and as such you need to decide which one you wish to follow before implementing it.

1. Do nothing and let whatever the default settings for Windows Update are work as they are configured.
• The upside to this option is simple – you do nothing.  Windows Update should out of the box be configured to download and install patches on the workstations, or at the very least notify the user that there are patches to be deployed and request they then approve and deploy them.  This process occurs on each workstation in your network and depending on if the users have local administrator rights (and many small businesses they do because it’s just easier to do it that way) they can in fact change the settings to do whatever they want to do. 
• Whilst the upside here is there’s minimal administrative effort on behalf of the network administrator, the downsides here are not so good.  The negatives for this are that you have no control over what the users do, when they install patches that might be critical to the security of your environment and added to that, that each machine will individually download whatever patches are needed for it and it alone.  Lets do some math on that – say each machine in your 30 user network needs 1GB of patches, that’s 30GB of downloads that need to come down for them all.  Now if you are in the USA where bandwidth is cheap and fast, not a problem, but if you are here in Australia where it’s a little more costly, then sure – it’s a negative.
2. Implement central control over the settings for Windows Update and force them to pull updates directly from Microsoft
• Ok – so this is a little better than option 1 above – you would implement a Group Policy (assuming all machines are domain joined) to force all machines to have specific settings with respect to downloading and installing updates.  This would remove the users control over these settings and ensure with the right application of GPO that your machines would at least be looking to download and install the patches as you wanted them to.  You’d still be stuck with the download of patches for each individual machine, so the data usage could be quite high, but at least you’d have some assurance that things are being patched and controlled.
3. Implement WSUS and manually approve what patches to deploy and to which machine.
• WSUS is FREE with every single Windows Server out there, including Windows Server 2012 R2 Essentials.  WSUS is a centralised repository of patches that are downloaded ONCE from Microsoft to your server and then deployed to the machines that require them.  This requires some configuration initially to install and configure WSUS on your server.  It requires Group Policy configuration to then control the machines within your domain to report in to the WSUS server.  From there, the Windows Update client on the machines will talk to WSUS, find out what patches are available vs what the workstation needs and then install the patches, and report back to the WSUS server that the patch installed fine or not.  That gives you a central point of control over what works and what doesn’t.  You will need to manually approve the patches needed before they are downloaded and deployed  to the workstations but this is a pretty simple task overall. 
• The downside to WSUS is that the patches needed for each machine will reside on the servers hard drives, even after all the machines have been patched.  Therefore it takes up space.  How much space depends on if you do regular maintenance on the server which can then reduce the overall requirement for disk space.
4. Implement WSUS and automate it for patch deployment
• This is a natural progression on option 3 above – where you use WSUS to do the download and deployment of patches, Group Policy to control configuration and then automate the approval process.  If you do this then you can pretty much set and forget it and your machines will be patched AND you can see where things are at if you want to do anything specific yourself.  SBS 2003 R2, SBS 2008 and SBS 2011 all had this level of cool automation built into it that meant it was very simple to deploy and monitor the environment.
• Downside to this – is that the inbuilt WSUS auto approval rules are really silly and should never be used, but stay tuned because I’ve got ways to help with that.
5. Use some third party tools to do the patching for you.
• The options above all involve things you do, things you manage using your onpremise resources, such as your server etc.  This option involves using various cloud patching offerings such as Microsoft Intune, Kaseya and the like to patch your machines for you.  Typically they will involve doing a one time installation of a management agent from your service provider and then the process can be managed from a web console with various rules being applied to automate the patching.  These solutions are always subscription based where you will pay a set amount per machine, per month, so there is this cost to consider as well.

Ok – so these are pretty much the options you have in terms of patching your network.  The next article, I’ll show you how to implement option 2 so that you can start gaining control over your network.