icetray - Fotolia

Tip

Get to know enterprise patch management tools

Unpatched software and OSes can create a huge security hole in any organization. IT should know what tools can fill in the gaps.

If IT professionals can master enterprise patch management -- a vital cog in any security strategy -- they can address many of their security challenges.

Enterprise patch management is certainly nothing new, and almost every business struggles with it in some way. Just look at any of the annual security surveys -- patching, or lack thereof, is at the root of many security challenges, including confirmed data breaches.

Windows desktops are at the heart of these problems. Both the operating system and third-party software updates are practically impossible to keep current. A simple security assessment can reveal that dozens or often hundreds of workstations are missing Windows updates and patches for common business software such as Java, Adobe Reader and Google Chrome.

What can IT do?

Many people keep chasing a magic security solution, and numerous vendors in the antimalware and endpoint security markets are trying to capitalize on it. The reality is, instead of adding a pricey product with a lot of bells and whistles, IT should focus on the basics to solve underlying patch management problems.

IT can turn to Windows Server Update Services or System Center Configuration Manager, but those tools aren't a cure-all and can leave many gaps in the system.

There are some other low-cost, feature-rich enterprise patch management tools IT can turn to for help. Not only do these tools patch Windows systems, they also address third-party software updates, which can pose the biggest security risk.

One such tool is called Ninite, a web-based patch management system from Secure by Design Inc. that doesn't have all the complexities associated with traditional enterprise patch management tools. It works as a nice alternative to address the patching challenges in small and medium-sized businesses, and even large enterprises.

Adding an agent that can truly improve endpoint security can reduce the number of vulnerable systems in an organization.

The free version of Ninite is a lightweight Windows application designed to install software on PCs with a single installer executable. Ninite can prevent third-party web browser toolbars and add-ons, as well as random software that's often bundled with program installations. IT pros do not need to do anything after they launch the program.

Secure by Design offers a Pro version of Ninite that allows Windows administrators to change update settings on a device-by-device basis. IT pros can establish update policies to refresh software as soon as it's available or to only allow specific versions to install.

Other patch management options

Other alternatives for installing software updates on enterprise desktops include PDQ Deploy and Chocolatey. GFI LanGuard is another popular option, especially given its third-party software patching capabilities. Some of these tools won't support all the software an organization runs, but that's probably not a deal breaker because these programs still update the majority of software.

Some people will argue that tools like these are not enterprise-worthy, but the supposedly enterprise-grade tools have their own issues, too.

With some of these enterprise patch management tools, IT must install agents on workstations, which a lot of IT administrators don't like. That's a somewhat dated mindset, however, because these tools won't slow any modern systems down.

Enterprise patch management may be old and boring, but adding an agent that can truly improve endpoint security can reduce the number of vulnerable systems in an organization. This is critical given the number of gullible and click-happy users out there who could open data up to a breach.

Dig Deeper on Windows OS and management