What Is WSUS and how does it work?

Microsoft Windows Server Update Services (WSUS) is an add-on Windows operating system product for installing Microsoft product updates. Typically, every corporate network has it by default.

However, relying on WSUS to protect your corporate network might not be a good idea. In this article, we will share the downsides of WSUS which make it an unreliable solution for protecting your organization from cyberattacks.

1. Set Up and Product Configuration

WSUS is difficult to set up and configure due to a long list of system requirements for both the Server and Client sides of the product. Additionally, it is time-consuming to configure the system, so that it both checks and automatically applies updates.

Even if you spend time modifying the settings, WSUS can still fail at synchronizing on particular devices. You will have to look for a problem manually if it occurs on an unsynchronized device.

What Syxsense offers instead:

Syxsense can be completely set up in under 5 minutes with a lightweight agent. After it is set up and configured, Syxsense provides 100% visibility into your corporate system. You will be able to see all the endpoints (servers, desktops, laptops, and more) that are based on Windows, Mac, and Linux.

Additionally, you’ll be able to check the device inventory and its history to make sure that there are no serious vulnerabilities and the results of the completion of your tasks are satisfying.

2. WSUS Isn’t Actually Free

Though WSUS is stated to be free, it is supported exceptionally on Windows Server, which requires an expensive license. Overall, WSUS’s hidden hardware, software, and operational expenditures can reach over $120,000/a year for a system with 500 devices.

What Syxsense offers instead:

Due to its cloud-native architecture, Syxsense requires neither on-premise servers nor maintenance by end-user, which makes it much less expensive while increasing the effectiveness of all IT security processes.

3. Lack of Reliable Automation

WSUS doesn’t allow to automate IT workflows with complex logic, so system administrators will have to complete more manual work to organize security processes properly. As threats continue to evolve, automation is becoming critical for IT departments.

What Syxsense offers instead:

Syxsense Cortex is a drag-and-drop visual interface that allows automating complex IT and security processes without creating a single line of code. It is possible to automate linear sequences of actions and even the sequences that have more than one possible further action.

4. Insufficient Reporting

WSUS doesn’t provide adequate reporting on network-wide vulnerabilities, and IT security specialists have to patch together reports from several sources and hope they have accounted for everything. Besides, WSUS offers no exportation of reports to different file formats. This lack of reporting can result in unpatched vulnerabilities going unnoticed and failed audits.

What Syxsense offers instead:

Syxsense reports give the proof of patched and secured devices necessary for compliance agencies like HIPPA, SOX, PCI, or documentation for executives.

5. Device Discovery

Device discovery with WSUS is a very time-consuming process, as discovery takes place once in a determined period, and can’t be done more often on-demand.

What Syxsense offers instead:

Due to a two-way open connection, Syxsense provides adaptive device discovery, which means that you can see every device on your network and its inventory in real-time.

It is possible as you get all the necessary fresh data directly from the device avoiding its storing in a database. Thus, you can discover any new device connected to your network on-demand. Also, automatic discovery takes place after the pre-identified periods.

6. Patch Inefficiency

WSUS doesn’t push a given patch instantly. All the agents have to check in and approve patch installation on the workstation, which could be days depending on the environment.

What Syxsense offers instead:

If any approvals are needed, Syxsense can be controlled remotely with micro-agent technology.

However, to install new patches, the software doesn’t require any approvals. Syxsense allows to schedule maintenance windows out of office hours and automatically pushes all the necessary patches within the scheduled time-lapse.

7. Compatibility & Third-Party Patch Management

Most companies include non-Windows operating systems into their infrastructures, and WSUS is designed to work with only Windows solutions.

WSUS also works inefficiently with third-party applications, like Oracle or Mozilla. To patch such software, you will have to design a complex workaround, and still, you won’t get an intuitive catalog that is easy to work with. Given that third-party applications increasingly serve as a backdoor for cybercriminals that let you into corporate systems, this is one of the biggest downsides of the WSUS.

What Syxsense offers instead:

Syxsense deals equally well with devices based on Windows, Mac, and Linux. Additionally, Syxsense has an industry-leading database of third-party application patches and the database is constantly updating.

8. Inability to Quarantine

Even if you detected an infected device, it is impossible to isolate it from the corporate network via WSUS to save other devices from infection until you fix the issue.

What Syxsense offers instead:

Syxsense software allows quarantining an infected device to protect the whole corporate network from malicious programs. And though the quarantined device is isolated and doesn’t threaten other endpoints, you still have full access to the device which allows you to remediate it from the same console.

9. Patch Status Updates

WSUS doesn’t update on patch status for all devices properly. Moreover, it doesn’t send notifications on the reason for the failed updates.

You may think that you patched your system, however there may still be critical vulnerabilities left unfixed. This leaves your organization vulnerable to cyberattacks.

What Syxsense offers instead:

All the patch statuses are updated in Syxsense in real time, so you can be sure that your network is 100% protected.

10. Inability to Distribute Software

It is impossible to distribute new software through WSUS, so in case you decide that your employees have to work with a new solution, you have to install it manually or buy another software to distribute the application automatically.

What Syxsense offers instead:

Syxsense can not only update existing software, but also automatically distribute new software from the cloud over all the devices in the corporate network.

Is WSUS Worth It?

Securing Remote Devices for COVID-19

As the COVID-19 pandemic continues to stretch across the globe, many organizations are protecting their employees and communities by maintaining a remote workforce, creating an entirely different health concern: keeping devices secure.

Connecting these large numbers of home users to corporate resources is pushing enterprise VPN’s to a breaking point. Imagine hundreds, if not thousands, of remote devices checking-in to the same corporate environment via VPN. These devices will require security updates at least monthly, and that can cause severe contention across that same connection.

For Windows devices, which many administrators patch using WSUS, the average combined Patch Tuesday of Windows and third-party updates from December 2019 to the present is 1.5GB – 1.6GB per device. An organization managing 500 remote devices alone may expect up to nearly a terabyte of outbound traffic to keep the devices patched and up-to-date.

If you’re still using WSUS for patch management, there’s a better strategy for managing and protecting your business.

WSUS Creates Massive Headaches for Remote Work

With or without VPN, WSUS alone can be a nightmare. First of all, it’s a Windows-only solution thus limiting its usefulness. Devices require direct access to the WSUS server (whether one or many WSUS servers which increase the headache) and sync failures are common. Administrators are forced to manually approve each and every update as well as there is no support for any third-party applications whatsoever.

There’s a massive dependency on Group Policy management, which limits the effectiveness for roaming devices, as well as the on-premise content repository that must be constantly maintained. Even if patching is successful, how do you know? Reporting is always limited and end-users are known to defer reboots indefinitely. It’s hardly an update service, and more of a burden.

What should organizations do?

The simple solution is to migrate all patching services, both operating system and third-party (which WSUS cannot provide), over to a cloud-based architecture. Forget managing Classifications on-premise with WSUS. Forget standing-up WSUS replica servers, which increase administration and storage costs. Forget relying on the work-from-home users to connect via VPN to manage them.

Syxsense is a fully cloud-based solution that helps organizations better secure their endpoints through software patching, deployment, remote assistance, and vulnerability scanning. By default, Syxsense provides auto-approval strategies to ensure the right updates are approved while leaving the optional and problematic updates to the side.

The solution follows the same security protocols as VPN to adhere to any industry: 2048-bit encryption, multi-factor authentication, and even location security so that only specified networks have access for management.