Agentless Patch Management

The fastest way to get Security Controls configured and patching machines is to do so agentlessly, as described in Best Approach for Applying Patches in an Agentless Environment. Once the console is installed it can take as little as a few minutes to setup machine groups to scan an environment. The time to configure will be based on the complexity of the environment and the range of maintenance windows.

Example

An office that contains three floors, with approximately 500 end users per floor as well as a data center with 200 servers, could be broken out many ways. You might create a separate machine group for each floor based on the IP range of the workstations. Servers might be broken down into three more groups: Test, Development, and Production. You might consider breaking the Production department into separate groups such as domain controllers and Exchange / SQL Servers to allow flexibility in scheduling jobs.

Time to Implement

It will take approximately five minutes to create three groups covering the three floors of workstations. Plan on 10-30 minutes to create the server groups; they can be created by OU, by browsing and selecting machines, or by importing identities from a file. Plan on another 15 minutes to schedule the jobs that will scan and optionally auto deploy patches.

The overall time to configure the machine groups and to schedule the scans in this example environment is approximately 45 minutes. Once this is done we are configured and ready to go.

Port Requirements

For agentless scans you will need to be able to resolve the machine by the method you used to create the machine group. You must also be able to access TCP ports 137 - 139 or port 445 on the target machine. File and print sharing and remote registry must be enabled in order to perform the scan. For added security, firewall rules can be applied between vLANs or on the local machine firewall that restrict port access to all but the console’s IP. Depending on the environment, complexity, rules, and change control requirements, the amount of time this will add to the initial configuration may vary.

Related Topics

• Console Software and Hardware Recommendations
• Port Requirements and Firewall Configuration
• Distributed Environment Management
• Best Approach for Applying Patches in an Agentless Environment
• Automating Patch Management in an Agentless Environment
• Agent-Based Patch Management
• Agent Rollout Options
• Installing and Supporting Agents on Internet-Based Machines
• Agent-Based Product Level and Patch Deployment Process
• Guide to Surviving Patch Tuesday
• Microsoft SQL Server Database Maintenance
• Performing Patching in a Disconnected Environment