End User Security Consulting Bootcamp

Laugh all you want but there are a ton of folks out there who as either a hobby or the part time job go around and help small businesses or small-office, home-office (SOHO) users that just do not have the same computing priorities us geeks do. Most of those show up at the local Microsoft Connections and TS2 events since that is their only interaction with Microsoft and by far the only way for them to get some IT training on their level (where no TechNet has gone before). So guys, this one is for you. This week Microsoft started doing something interesting with their security patches. They started offering ISO images with the latest security bulletins mainly geared at the enterprise computing environments without SUS, WSUS or SMS. This CD is jam packed with the security fixes in every architecture and language supported by Microsoft and its a great tool. But how does that help you? Well, it gives you a single CD you can take to the client and install the update. I know there are many people looking at this post now and just scratching their head, "Why not just go to Windows Update?" SOHO usually doesn't have broadband. So you can burn about 12 CD's a year and carry them around with you but that sounds like a bit too much of a hassle. You have to document which fix is on which CD, carry around a package of CD's and this doesn't even help you with the stuff outside of Windows because these ISO images do not have anything to update Office. So what is a smallbiz guy to do? First of all, get very very comfortable with Technet Security Center. This is where you can go every second Tuesday of the month (the Microsoft Patchday) and download the latest security updates in terms of bulletins that are named MS06-001 (06 for 2006, 001 for first update) and burn them on a CD yourself. Just create little folders named after the bulletin and save it for the common platforms you support (for example, lets say all your clients used XP Home, Pro and 64 bit edition. You save those). Save them in a directory and just drag them to a new CD every month. This way you have a single CD to carry around and you have all your security patches neatly organized and mobile. You don't need any extra software, XP will burn these files to your CD like a champ. Now you're at the clients site. They have a 56k modem and things are going slow. How do you quickly find out which patches to deploy? Enter Microsoft Baseline Security Analyzer — Install MBSA from your CD, click on Scan and let it update itself and scan the system for missing security patches. Look at the MBSA list of missing security patches (they will be identified with a red X) and navigate to your patch CD to install it — this is why you named folders according to the security bulletin number, so you can easilly track them down. Reboot if neccessary and re-run the MBSA to make sure you took care of everything. Other ideas Most important thing is that you can do this with other applications you support, like Office or Adobe products. You can bring any machine up to date through this process. Another idea is to use a USB thumb-drive. Look at dealnews.com for a deal, you can get a gig for under $50 on a good day and not have to put up with scratched CD's or burning. I'm sure there are many other ways to skin this cat so please drop a comment if you have a practice that you are particularly successful with in SOHO or low-bandwidth environment.