Patch Management In The Enterprise, Part I

Agent Vs. Agentless

When it comes time to decide what patch management solution is best for your organization, the question of "agent vs. agentless" will be one you will need to answer. Solutions using an agent require that a piece of software be installed on every managed workstation and server. This software communicates back to a central server at regular intervals to provide information about the machine in question, and to look for new tasks, such as a patches ready for deployment. Agentless solutions don't require this client-side software; they target workstations and servers by scanning the network using standard Windows protocols.

There are pros and cons to each solution. The classic argument for the agentless solution is that it does not require another application running in the background gobbling up resources (memory and processor time). As hardware prices have decreased over time and computers have started shipping with more memory, this has become less of an issue. Another issue with agent-based solutions is that it is more difficult than one would think to get the agent software installed on thousands of workstations across a large geographical area. That's especially true when you have a large percentage of remote clients using dial-up or VPN services to connect to the network. If this is the case, IT support staff may need to resort to sneakernet installations of the agent software.

Agentless solutions have inherent issues as well. Given the fact that they often scan the network using standard Windows protocols, such as NetBIOS, there is a chance that they will be unable to locate every workstation and server that needs to be managed. There also may be issues with credentials, as certain organizations will not want to be logged into the scanning console using an account with a high privilege level, for fear of a potential compromise. Organizations sensitive to the costs associated with bandwidth consumption may opt to avoid agentless solutions, as they generally will consume more bandwidth than an agent-based product.

When making such a decision, be sure to factor in the specifics of your environment. If you have a widely dispersed infrastructure with a large percentage of remote clients needing to be patched, an agent-based solution might be a better fit. If your organization is specific to one physical location and LAN, an agentless solution might be a better match.


The downtime associated with a worm infection can cost an organization millions of dollars. As such, having an effective patch management strategy in place is critical. Given the increase in worm and virus activity over the last couple of years, it is clear that security patches must be tested and applied in a timely fashion. Regardless of how secure the perimeter of your network is, malicious code can still find its way onto your network.

The next instalment of our patch management series will be available shortly. It will cover specific solutions that are available for the purpose of providing vulnerability analysis and deploying security patches.