2

We are hosting a few servers at a colo facility and we have arranged for another company to perform some monitoring and server maintenance work on our machines. This provider is suggesting that we "turn off" Windows Update on the Windows Server 2008 R2 servers and use some third-party tool to manage the updating of the machines. They claim that this offers a more granular approach to patch management and that it will be of value when we grow to a larger number of servers, since we will be able to easily apply the same patches to all the servers or perform bulk operations like that.

Edit. The third-party tool that they will use is Kaseya.

What do you think? Is disabling Windows Update something to frown upon? Or is it okay when a legit third-party tool is in place? Have you got any experiences (good or bad) with this kind of setup? Thanks.

CesarGon
  • What's the 3rd party tool? – Zypher Feb 17 '10 at 19:33
  • @Zypher: Adding an edit now. – CesarGon Feb 17 '10 at 19:38
  • Kaseya is the company. What is the product? What's wrong with using WSUS? – John Gardeniers Feb 18 '10 at 00:53
  • @John: I am not sure about the server-side product they will be using, but I don't think that will directly affect our machines. I only know that they require a Kaseya Agent 5.1.0.1 to be installed on our servers. Regarding what's wrong with using WSUS, well, I don't know. That's why I am asking this question here! :-) – CesarGon Feb 18 '10 at 23:44
  • WSUS will cost you nothing and works very well, using the update mechanism built into Windows. It can be administered remotely, either by yourself or a third party. Seems to me that it will meet your needs admirably. – John Gardeniers Feb 19 '10 at 01:09
  • @John: Thanks for the explanation. The company that we have hired apparently use Kaseya; they won't charge us for it. – CesarGon Feb 19 '10 at 23:55

3 Answers

5

There is nothing wrong with using a trusted 3rd party tool. In fact some of them are head and shoulders above Windows Update/WSUS. That particular tool seems to use an agent, and personally I'm very wary of putting agents onto servers; you have to do due diligence and have them prove to you it won't affect your performance.

However, in your situation I would want to get comfortable with the company you have contracted before making that kind of move. Have them take over admin first, using the tools you are using, then slowly integrate their processes as you get more trust in them. You don't want to find out 3 months from now that they just do a horrible job at administering your servers and have to go through the pain of removing the tools they like.

Zypher
  • +1 for getting to know the provider first - I know removing Hercules was a bit of a pain. Also make sure their patch software plays nice with machines that were patched using something else previously to avoid unpleasant surprises. – voretaq7 Feb 17 '10 at 20:07
  • And another +1 for your comments re: agents. – Maximus Minimus Feb 17 '10 at 23:13
1

The Windows folks at my last company did something similar (they used Hercules, since gobbled up by McAfee).

There's nothing inherently wrong with this approach and it worked very well for them (you had the ability to not install patches that were, for example, known to break MS Exchange, and if a patch failed to apply to a machine you got nice reports as to why). The real benefit was the ability to roll back patches and revert to the previous working system state, which worked fairly reliably the few times I saw it used.

I would note that this is best used in combination with a scanning/auditing tool like Nessus, which is a good idea anyway to be sure your machines are well-patched and reasonably well-secured.

voretaq7
0

I'm not familiar with the product so I can't comment on how good or bad it is. I would however be interested in knowing how many servers constitute "a few", as using a third party product may very well be overkill in your situation. I also harbour a deep suspicion of any external company recommending a specific product apparently out of the blue, mostly that their motives may not be entirely unselfish. Are they, for example, resellers for that product and therefore in for a cut of any potential profits (or a nice fat ongoing maintenance contract)?

I would say that you need to consider your situation carefully. If stock Windows Update is just fine for your requirements and if you have no issues with your current use of it, or if some simple reconfiguration is all you need, then do you really have any reason to go to the next level up? If you do need to step up, would WSUS be adequate or not? Only jump if you've established an actual real requirement and identified a genuine return on investment from using it.

Maximus Minimus