Vulnerability management and patch management are close relatives. In most companies, though, they behave like siblings who hate each other. That’s usually how it plays out. It doesn’t always have to be that way, but it takes some thought and strategy from both sides. Here are some ideas for patch management strategy.
I spent some time exploring HP Compaq 6910p upgrades because used HP Compaq 6910p laptops are dirt cheap these days. I picked one up for $75 as an alternative to a Black Friday cheapie.
If you look for one yourself, either look for one with a valid Windows 7 or Windows 10 license on it, or get one at a deep enough discount to make it worth your while.
Here’s what I did to turn an outmoded laptop from 2008 into something better than what I could have bought on Black Friday.
Sometimes rebuilding a PC is faster than trying to fix it, and if you’re dealing with a virus infection, it’s better to rebuild than try to clean. It’s impossible to know if the system is 100% clean after infection–unless you rebuild.
If you’re the family CIO, here’s how you can go about rebuilding a Windows PC in a hurry.
If you need to patch a small quantity of Windows servers or desktop PCs and don’t want to download four gigabytes of updates, or, worse yet, can’t download updates, WSUS Offline Update is your buddy. Don’t let its name fool you–it doesn’t require a Microsoft WSUS server in order to operate. But if you have a local WSUS server, you can point it at that to download updates, which is faster than downloading from Microsoft.
It’s a script that can download all existing updates for a given operating system, and then, you can run it off a network drive or removable media on individual systems to install missing patches and service packs. It’s a reliable way to quickly patch a small number of systems. I’ve had to use it a few times in my career and it’s worked well for me.
Patching hundreds of systems with it isn’t something I recommend–if you have a lot of machines, you need to stand up an enterprise patching solution–but this tool definitely has its uses, especially in small environments, or even for one-offs in large environments.
I can think of another good use for it: If you have a development network that doesn’t have an Internet connection, this will let you download and apply updates to it so your development network matches production, which is critical for a properly-working environment.
In the bad old days I used to use batch files to apply updates. This is better, because it will apply only the missing updates, and it does a reasonably good job of applying the updates in the proper order. Using batch files, sometimes I would have to run the file, reboot, and repeat a half dozen times to end up with a clean system, which didn’t make the security team happy. When I started using the predecessor to this tool, my security team and boss were a lot happier.
In my younger days, I administered WSUS on a small (300 servers or so) network. Every once in a while, I ran into an issue where a server just didn’t want to talk to WSUS. These days, some companies prefer to push patches with SCCM but it uses the same mechanism to push patches.
Apparently my old problem still happens from time to time. So I did some research to come up with a solution. This mechanism is still largely a black box, but it’s a lot better documented now than it was in my day. Here’s what I came up with for troubleshooting WSUS or SCCM.
Some revolutionary advice surfaced this past week–stop patching everything. And while I understand the argument that people need to stop letting the difficulty of patching everything paralyze them and cause them to do nothing–as I’ve seen some organizations do–and I agree that some patches are more critical than others, as someone who once had to prioritize patches, I can assure you that prioritizing the patches was more work than deploying them and recovering from the fallout was. We eventually found it was much less work just to install all the missing patches every month.
And guess what? Nothing bad happened from doing that.
I was actually surprised at who the top three were. They weren’t the three usual suspects. But in the case of the top two, they did, to their credit, roll out fixes within 30 days of disclosure.
So now that I’m killing you with suspense….
A very good question came in as a comment to my earlier post, the benefits of practicing IT at home. What do I mean by putting some Windows 7 machines on a domain? It’s one of several good home network projects.
I mean standing up a server with centralized user accounts and shares, running on Windows Server or Samba, whichever you can afford. Make it a print server too, and print from it, just like you would from an office. Then extend it, and extend your sysadmin skills. Here are several ideas for projects of varying length, difficulty, and expense.
There are only six patches in this month’s edition of Patch Tuesday, and only one of them is critical, but it’s a big one.
The critical patch fixes a flaw in Remote Desktop Protocol, something typically only present in the business-oriented flavors of Windows. But if you don’t know whether you’re affected, it behooves you to let Windows update whatever it wants to update.
Sometimes you like to use backdated software, perhaps to avoid bloatware. But perhaps you have some old software you’ve forgotten about. If you want to know, Secunia has a free product called PSI that will scan your system and alert you to any outdated software you may have. Then you can either update it, if it’s something you use and want to keep up to date, or uninstall it.