Related link: http://isc.sans.org/survivalhistory.php

Ahh security patches. With more and more desktop computers connected to the Internet 24 hours a day, even the home user has grown accustomed to running the various update programs for Windows to make sure that his software is patched (or at least he should!). Even with Microsoft’s increased focus on security, it seems that new critical vulnerabilities, the kind that let remote users gain Administrative privileges on your machine, come out every few weeks.

For a corporate desktop, you generally have an IT department and hopefully firewalls to limit a worm’s ability to scan for machines to infect. With a firewall, when the latest security vulnerability is announced you can safely download and install the patch from behind the firewall (or your IT department can do it for you). As new machines are installed (or imaged), the systems administrator can follow through with the latest updates, again behind the safety of the firewall.

For the home desktop, it isn’t necessarily that easy. Some home users have software firewalls now, but many don’t. And even if you had a firewall, it may not be configured and running when you first connect that new machine to the Internet. The home user is left with the risky proposition of exposing the machine to attack during the potentially long download of patches. As the SANS study shows, it can take as little as 20 minutes for an attack to be attempted on a new machine on the Internet, so you are left running across the battlefield to get your bulletproof vest, hoping nothing hits you on the way.

I’ve already talked about how to scan for viruses with Knoppix, and many of the advantages to using Knoppix for virus scanning hold equally true for grabbing Windows patches. Since Knoppix isn’t vulnerable to Windows worms, you can keep the computer connected to the network and download the patches you need when Knoppix is running.

Microsoft offers standalone patches (including service packs) for Windows on their TechNet site in the form of individual .exe files so system administrators can download the patch once, and then apply it on all the machines on a network that need it.

So, say you have a new Windows XP machine on the network, and it has a number of vulnerabilities that need to be patched with Service Pack 2. Boot into Knoppix with the network cable attached. Then go to TechNet. Since Service Pack 2 is a hot item right now, you can find it linked to directly off of the main TechNet page, but if it weren’t, you could simply use their search to find it (for other standalone patches you can search by the Knowledge Base or Security Bulletin ID as well). In this case the download page is here.

If you are offered a choice between a large "network version" of a patch and a smaller one, download the larger version: it contains everything the installer needs, so you won't have to be connected to the Internet when you apply the patch.

Under Knoppix, mount your Windows partition with read/write permissions (right click the partition’s icon on your desktop and click Actions->Change Read/Write Mode) and then download the patch and save it into your Windows partition. If you have NTFS, you will have to go through the Captive NTFS wizard (K menu->KNOPPIX->Utilities->Captive NTFS) to write to the partition.

Once the download has finished, reboot into Windows with the network cable unplugged. Then you can install the patch without exposing your system. Once the patch is finished, you can then plug the network cable back in and get back to business.

Since Knoppix can mount even brand new Windows images, you could potentially boot Knoppix before your new machine has booted Windows at all, download the patches you need directly to the machine, and then install them with the system disconnected from the network. The result is a fully patched system that was never once exposed to the Internet while running Windows.

What’s your favorite method for safely rolling out patches in Windows?