M$ update sans Internet


lewmur


How can I "update" a Windows 2003 Server that has *NO* Internet connection? Let's face it, the only *secure* machine is one that *doesn't* connect to the Internet.

I've designed a LAN system for small businesses that is 99% secure. It has its own e-mail server with all of the spam and virus protection done on it. None of the workstations in the system is allowed on the net except to access sites that are *TESTED* for security on a daily basis. Even their access to these sites is via Portable Firefox. For sites that *require* ActiveX, they connect to a "sacrificial box" via VNC, and that box alone, which is *NOT* part of the LAN, connects to the Internet. (That box can be wiped clean and restored from a "ghosted" drive in a matter of minutes.)

The sacrificial box is also used to "test" the sites that can be used directly by the workstations. If any changes have been made to the site since it was last deemed "safe," then access must be made through it until the site is rechecked by the "security administrator." (Usually, that means *MOI.*) BTW, I *don't* consider M$'s update site to be "trusted."

Now for the kicker. The 2003 machine can be used to promulgate Windows Updates to the rest of the LAN. But how can it do it if *IT* can't access the net? Is there a way to d/l updates in "file" form to the "sacrificial box," and then load them on the 2003 Server? The only reason for having this server is for promulgating new apps and updates. All of the data is kept on a Linux server. (Updates to it can only be done by the admin.)


How are you "promulgating" the Windows updates? SUS? From my experience you would need at least one SUS server connected to the Internet. One solution would be to only connect the SUS server on Microsoft's monthly Super Tuesday update day, have the server synchronise with Microsoft and then disconnect it from the Internet.

There is a Microsoft site called the Windows Update Catalog:

1. Go to the general Windows Update Web site.
2. Under Other Options, select Personalize Windows Update.
3. Select the "Display the link to the Windows Update Catalog under See Also" option.
4. Click Save Settings.
5. Under See Also, you will now have Windows Update Catalog.


99% effective is not good enough. Who or what "tests" sites on the net? Relying on definition files? Someone's judgement? Your system is so full of holes it borders on high comedy. Live your fantasy... Your systems are smarter than you give them credit for.


> 99% effective is not good enough. Who or what "tests" sites on the net? Relying on definition files? Someone's judgement? Your system is so full of holes it borders on high comedy. Live your fantasy... Your systems are smarter than you give them credit for.

Thank you for your helpful reply.

nlinecomputers

If I were to guess: not trusting the Windows Update site, for a start. If you don't trust Microsoft enough to trust the method of downloading updates, why do you trust any of the patches offered? Microsoft's FTP site is somehow going to be more secure?

I have a friendly banter with Marsden about whether or not one can keep a Windows box more secure than a Linux box, but this is just freaking paranoid. Don't want to keep the server connected 24/7? Overkill, but I can accept that. But you can connect up long enough to get updates, download them to a local SUS and then disconnect, as Peachy recommends.

The VNC thing is also strange. Why not use RDP? Whole lot faster. And if the VNC boxes can see each other, then both boxes are connected to the net.

Personally, if you're worried about bad websites, get a proxy server. If you use Linux running squid you can download block lists to keep the bad boys off your net quite well. I'm sure Marsden and Peachy know of Windows-based block lists for ISA Server.


A discussion of the issue without resorting to making personal comments about the poster would be deeply appreciated. There's no need for it, and the rules don't allow it.


Guest LilBambi

Yes, we all love a good discussion as much as the next person, but Jeber's right, let's keep it to the topic so we can actually help our fellow Highlander with his problem. The discussion topic is:

> How can I "update" a Windows 2003 Server that has *NO* Internet Connection.

Peachy has given one way (a sound recommendation) and Nathan has given some additional info on that possibility. Are there any other suggestions on how to do what lewmur wants to do?

Edited by LilBambi

Sure... let's throw the notion of "best practices" out the window. We have the manufacturer of the operating system and add-on applications offering what it believes are "best practices" for hardening a given product. This advice is not just based on its own internal use but also on that of its many partners and customers. That is a huge amount of usage data. This is also a huge difference between the Open Source design space and the rest of the world design space. Is there a tool for determining "best practices" for, let's say, Sendmail? None that I have ever seen. There is a tool for Exchange 2003. Again, based on Microsoft's internal use plus that of its partners and customers. If I want to find this same information regarding Sendmail, I have a full day of Google searches of applicable Sendmail forums to gather this data.

Back to my point... You want the benefits of WU without the connection. That approach would not be considered "best practices." You have chosen to disregard tons of usage data in favor of what you believe is a better solution. Where is the verifiable data you have based your decision on? Can't use "what ifs", "maybes", or "what might happens"... You don't trust the source for whatever reasons. Fine. Why are you using the product???

This is akin to driving a car with airbags. They are there for your safety in the event of an accident. But you don't trust them to operate properly, so you disconnect the airbag systems and pack your car with pillows every time you head to the store for a gallon of milk. Most would consider that action a bad practice because you have ignored the huge amount of data that shows that airbag systems do operate effectively...

Again, if you don't trust the best practice mechanism to keep your systems secure, then why are you using the product in the first place? It sounds more like a "make work" scenario than anything else...


I believe lewmur is asking for suggestions on how to do what he'd like to do, not a philosophical dressing down for wanting to do it. As long as what he wants to do is not illegal or immoral, we should be addressing "how", not "why".


That does not answer my question. If he does not trust the product, then why is he using it?

You say we should be offering help on how to. I disagree. Either use the product as it was intended or use another platform. I don't know about you, but I don't purchase software, I hire it to do a job, provide a solution or meet a business need.

If you want to limit posts here to just straight "help"... 75% of all posts here on this forum would be deleted...


Guest LilBambi

We appreciate your question, however, if you wish to ask that question, please start a thread about it. This thread is about helping a fellow Highlander get his updates without an Internet connection.


I've been asked...

> Just wondering, where would the holes be? and what would you recommend instead?

1. Not leveraging the data out there that shows the system and method works.
2. Who or what creates the safe list?
3. Who or what creates the bad list?
4. Who or what applies either list in a timely fashion?
5. Who or what had a bad hair day? Is sick, on holiday, missed an update, or any number of possibilities...
6. As an employee on your LAN, I don't like your notion of trusted sites. I bring in a CD or DVD of cached websites that I prefer to surf...
7. Not connected to the net does not work. Once a connection is made on any machine to do whatever, your idea of no connection is broken.
8. Sure you can go to the Update Catalog, but you still have to connect to your LAN via a single point. Either by CAT5, CD, or DVD. What is your procedure for verifying that the data that crosses either of those mediums is secure? If I can inject data into an IP stream and hijack a TCP/IP connection, then what prevents me from spoofing a checksum?
9. Who approves or disapproves the judgment of the tested sites' status?
10. Is it a single individual or a group?

The question really becomes, "how deep do you really want to go?"

> This thread is about helping a fellow Highlander get his updates without an Internet connection.

In the absolute context of his requirements, it can't be done without a "connection" of some type where the introduction of unwanted code can be prevented. Any method presented to help him is merely a kludge against his requirements of no connection...

> If you don't trust Microsoft enough to trust the method of downloading updates, why do you trust any of the patches offered? Microsoft's FTP site is somehow going to be more secure?

Good point.

> The VNC thing is also strange. Why not use RDP? Whole lot faster.

And more fun ;)

> Personally, if you're worried about bad websites, get

Mozilla Firefox?

Guest LilBambi

Well, lewmur, guess Peachy and Nathan have given a couple of solutions for your specific question about how to get the updates on a computer that is not connected to the Internet.

After getting them from the Windows Update Catalog on another computer, I would suggest checking the computer/files against updated antivirus, anti-trojan and anti-spyware scans, and then you could probably burn them to CD to use on the non-connected computer(s).

That will likely be as good as you can get. You'd have to religiously get updated virus sigs, etc. for the unconnected computer(s) burned in this way anyway, to mitigate possible issues of introducing virii through other disks that may be used on the systems (ie, CDs, floppies, USB, etc.).

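The check LilBambi describes above, done mechanically, as an added example that is not from this thread or from any poster: before the downloaded Catalog packages are burned to media for the disconnected server, verify that every package carries a valid Authenticode signature from Microsoft and write a SHA-256 manifest that the receiving side can recompute. It assumes the packages sit in C:\Staging\Updates and the manifest goes to C:\Staging\manifest.txt (both hypothetical paths), and that the download box runs PowerShell 3.0 or later.

```powershell
# Verify signatures on staged update packages and emit a hash manifest.
# Assumed (hypothetical) paths; adjust to the staging box in use.
param(
    [string]$StagingDir = 'C:\Staging\Updates',
    [string]$Manifest   = 'C:\Staging\manifest.txt'
)

# Collect one record per package: signature status, signer subject, SHA-256.
$results = Get-ChildItem -Path $StagingDir -File -Recurse |
    Where-Object { $_.Extension -in '.msu', '.exe', '.cab', '.msi' } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName
            Status = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
            Signer = $sig.SignerCertificate.Subject  # null when the file is unsigned
            Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

if (-not $results) {
    throw "No update packages found under $StagingDir."
}

# A bare checksum can be replaced along with the file; a signature chained to
# Microsoft's certificate cannot. Reject the whole batch on any failure.
$bad = $results | Where-Object {
    $_.Status -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation'
}

if ($bad) {
    $bad | Format-Table File, Status, Signer -AutoSize
    throw "$($bad.Count) file(s) failed signature verification; do not transfer this batch."
}

# Manifest lines are "<sha256>  <path>", recomputed and compared on the server.
$results | ForEach-Object { "$($_.Sha256)  $($_.File)" } |
    Set-Content -Path $Manifest -Encoding ASCII

Write-Host "All $($results.Count) package(s) carry a valid Microsoft signature; manifest written to $Manifest"
```

The manifest only detects corruption or substitution between the two boxes; the signature check is what ties each package to its publisher, so keep both and re-run the hash comparison on the server after copying from the CD.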

Actually, lewmur, if you really are that paranoid, you can always ask Microsoft to send you the updates on a CD-ROM. There's no way anyone could steal the CD in transit and replace it with a hacked copy. ;) Service Pack 2 is available on CD-ROM, as well as Security Roll-ups up to February 2004. It would be nice if Microsoft offered an updated Security Roll-up CD current to February 2005.


> Actually, lewmur, if you really are that paranoid, you can always ask Microsoft to send you the updates on a CD-ROM. There's no way anyone could steal the CD in transit and replace it with a hacked copy. ;) Service Pack 2 is available on CD-ROM, as well as Security Roll-ups up to February 2004. It would be nice if Microsoft offered an updated Security Roll-up CD current to February 2005.

What is paranoid about not wanting a server with confidential data on it to connect to the Internet, when the *ONLY* reason for that connection is to perform updates? If I can use a computer without anything sensitive on it, doesn't it make common sense to use that approach? Particularly when 99% of those updates deal with the *LACK* of Internet security? Actually, I'm finding all of the flack I've received about this to be offensive as well as a gross overreaction. You'd think I'd made a personal attack on Bill Gates and his family.

Edited by lewmur

nlinecomputers

Well, I'm confused. First you said:

> The only reason for having this server is for promulgating new apps and updates. All of the data is kept on a Linux server.

Now you say:

> What is paranoid about not wanting a server with confidential data on it

Does your 2k3 server have data on it or not? If not, why care what happens to it, besides the annoyance of rebuilding it? Certainly you can risk sacrificing it as well?

> Well, I'm confused. First you said: [...] Now you say: [...] Does your 2k3 server have data on it or not? If not, why care what happens to it, besides the annoyance of rebuilding it? Certainly you can risk sacrificing it as well?

Some of my clients' systems have Linux servers, but others insist on Windows. But why should I risk *ANY* system when there is no need to do so?

Edited by lewmur

There is nothing wrong with not connecting a file server directly to the Internet. In fact, that's a "best practice". But you're asking if you can do Windows Update without having to connect to Microsoft. Yes and no. You always need at least one of your servers to download the updates. That's why I suggested creating a SUS-only server to handle downloading updates. You can have secondary SUS servers that synchronise with the one that gets the official updates. The synchronisation can be manually done; it doesn't have to be scheduled, and in fact that's the default setting with SUS.

I would recommend that you just get a low-end notebook and use that as the up-to-date SUS server and carry it around with you to your clients to synchronise their SUS servers that are not connected to the Internet. Or, set up a SUS server at your office and have your clients synchronise with your SUS server over a VPN connection.


> There is nothing wrong with not connecting a file server directly to the Internet. In fact, that's a "best practice". But you're asking if you can do Windows Update without having to connect to Microsoft. Yes and no. You always need at least one of your servers to download the updates. That's why I suggested creating a SUS-only server to handle downloading updates. You can have secondary SUS servers that synchronise with the one that gets the official updates. The synchronisation can be manually done; it doesn't have to be scheduled, and in fact that's the default setting with SUS. I would recommend that you just get a low-end notebook and use that as the up-to-date SUS server and carry it around with you to your clients to synchronise their SUS servers that are not connected to the Internet. Or, set up a SUS server at your office and have your clients synchronise with your SUS server over a VPN connection.

Thank you. This is the type of suggestion I was looking for.