In the first of this two-part series, I compared WSUS (Windows Server Update Services) with its predecessor, SUS (Server Update Services).
WSUS boasts a variety of new features, better administration and a broader
One aspect of WSUS may be seen as either a pro or a con, depending on the situation. WSUS uses Group Policy within a Windows domain to manage and distribute patches. Managing the WSUS patch environment therefore requires access to both the WSUS policy management interface and the Group Policy snap-in. In some organizations, the person tasked with managing patches does not necessarily have the administrative authority needed to administer the Group Policy snap-in as well.
Another consideration is that because WSUS relies on a machine-based GPO, configuration changes can take some time to propagate. The default timeframe for Group Policy refresh is 90 minutes. Forcing a configuration update sooner requires a reboot of each machine for the change to take effect. Immediately pushing out patches on an urgent basis is much more complicated with WSUS than it is with most third-party patch management tools.
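Because the WSUS client settings arrive through a machine GPO, the practical way to confirm what a given machine is actually doing is to read the policy values the GPO writes under the Windows Update policy registry keys. The following PowerShell audit script is an added example, not code from the original article or from Microsoft; the registry paths and value names are the documented Windows Update policy locations, while the expected WSUS URL (`$ExpectedWsus`) is an assumption you would replace with your own server.

```powershell
# Added example (not from the original article): report the WSUS-related
# Windows Update policy that Group Policy has applied to this machine and
# flag settings a patch administrator would want to know about.
# $ExpectedWsus is an assumption; the registry paths and value names are the
# documented Windows Update policy locations.

$ExpectedWsus = 'https://wsus.example.internal:8531'   # assumption: your WSUS server URL

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuRoot     = Join-Path $PolicyRoot 'AU'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing,
    # so a machine with no WSUS policy at all still produces a report.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-WsusPolicyReport {
    $useWu   = Get-RegValue $AuRoot     'UseWUServer'        # 1 = use the intranet WSUS server
    $server  = Get-RegValue $PolicyRoot 'WUServer'           # WSUS URL the client downloads from
    $status  = Get-RegValue $PolicyRoot 'WUStatusServer'     # WSUS URL the client reports status to
    $auOpt   = Get-RegValue $AuRoot     'AUOptions'          # 2..5: how Automatic Updates behaves
    $noAuto  = Get-RegValue $AuRoot     'NoAutoUpdate'       # 1 = Automatic Updates disabled
    $detFreq = Get-RegValue $AuRoot     'DetectionFrequency' # hours between detection cycles

    $findings = @()
    if ($useWu -ne 1 -or -not $server) {
        $findings += 'Machine is not pointed at an intranet WSUS server (policy missing or UseWUServer <> 1).'
    } elseif ($server -ne $ExpectedWsus) {
        $findings += "WUServer is '$server', expected '$ExpectedWsus'."
    }
    if ($server -and $server -notmatch '^https://') {
        $findings += 'WSUS URL is not HTTPS; update metadata is fetched without transport protection.'
    }
    if ($noAuto -eq 1) {
        $findings += 'NoAutoUpdate = 1: Automatic Updates is disabled by policy.'
    }
    if ($auOpt -eq 2) {
        $findings += 'AUOptions = 2: downloads wait for user consent, so installs will lag the approval.'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        UseWUServer        = $useWu
        WUServer           = $server
        WUStatusServer     = $status
        AUOptions          = $auOpt
        NoAutoUpdate       = $noAuto
        DetectionFrequency = $detFreq
        Findings           = $findings
    }
}

# Group Policy refreshes on its own schedule (90 minutes by default); asking
# the client to re-read computer policy first makes the report reflect the
# current GPO rather than the last refresh.
gpupdate /target:computer /force | Out-Null
Get-WsusPolicyReport | Format-List
```

Run it in an elevated session on a domain-joined client; an empty `Findings` list means the machine is using the expected WSUS server over HTTPS with Automatic Updates enabled. Running the same function remotely across a set of machines (for example via `Invoke-Command`) turns it into a quick check that a policy change has actually propagated.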
Arguably, the single biggest feature of commercial, third-party patch management applications in comparison to WSUS is that they are not limited in scope to only assessing and patching Microsoft operating systems and products. Even the most Microsoft-centric businesses still typically have a variety of non-Microsoft applications and operating systems running in some capacity. Relying on WSUS for patch management means manually assessing and patching these other products.
Products such as Patchlink's PatchLink or UpdateExpert from St. Bernard are capable of scanning systems across the network to discover vulnerabilities in both Microsoft and non-Microsoft products and manage the scheduling and deployment of any necessary patches. Products such as these generally provide more functionality and some extra bells and whistles, but they come at a price, particularly when compared with a free product such as Microsoft's WSUS.
If you are operating an entirely, or at least predominantly, Microsoft-centric network, WSUS is definitely worth taking a close look at. But, to do your due diligence and make sure you are choosing the best product for your needs, you should also examine some of the commercial patch management products available.
Tony Bradley, a consultant and writer, focuses on network security, antivirus and incident response. He is the author of the About.com guide for Internet/Network Security, which offers a broad range of security tips, advice, reviews and
This was first published in October 2005