DIY Service Pack For Windows 2000/XP/2003

Karsten Violka writes "Looking for manageable Windows updates even without an internet connection? Heise's script collection Offline Update 3.0 downloads the entire body of fresh updates for Windows 2000, XP, or Server 2003 from Microsoft's servers in one fell swoop and then uses them to create ISO-Images for CD or DVD. Included is an intelligent installer script that allows you to update as many PCs as desired." Sounds like a great idea, given the danger of putting an unpatched PC on the Internet to download security updates.

autopatcher has been doing this for a while now

[schnikies79]

i keep a up-to-date copy for my dialup friends, which most are.

Autopatcher!

nLite

[Nasarius]

I've been using nLite and RyanVM's update pack to do this for a while now. Great stuff, even works with my Dell OEM version of XP.

Re:Danger?

[LodCrappo]

A NAT in front of your windows box does do a lot to prevent trouble while you're patching up a new install. As long as you immediately get up to date (before using the machine for anything else) then I'd think this is fine. The problem is people who rely on a NAT device for some sort of security *in place of* security patching. Many exploits work just fine through NAT if you're actually using the machine to surf the web or read email, and way too many people seem to not understand this.

Already been done in a better form

[cHiphead]

Its called Autopatcher and its WAYYYY sexier. Lots of installable extras and sexy registry patches to make windows life easier.

http://www.autopatcher.com/

Re:Already been done in a better form

[MCraigW]

I've been using Autopatcher for quite some time now, and I'm quite happy with it. It also has some extra utilities that it will install if you select them, and the ability to make various UI tweaks. I find it is a nice way to install everything on a new PC. I download the latest version, write it to a CD and take it to the new PC. The new PC never has to be connected to the internet to get the latest MS updates.

Stop with the "unpatched PCs are insecure" rubbish

[pandrijeczko]

Anyone with any knowledge of security knows that if you deploy a NAT router/firewall between your unpatched PC and the Internet, whether a simple £50 box in a home environment or behind a DMZ in a corporate environment, then that PC, whether running Windows, Linux or any other OS, is pretty safe as long as you don't run any services out onto the Internet with it and don't do too much else with it. And if you run an Internet connection without one of these in place then more fool you...

On a Windows desktop PC behind a firewall, you are vulnerable to scripts and viruses that it come in from emails, documents & web pages but if you stick the PC on the network and don't use it for any of those things *until* you've put on all the updates, then nothing is going to happen to it. So let's get rid of this stupid notion that the moment you put an unpatched PC on a firewalled LAN, it's going to get swamped with viruses and rootkits - it just won't happen.

No, I'm no Microsoft fan but let's stick to facts rather than "science fiction" FUD stories...

Re:Stop with the "unpatched PCs are insecure" rubb

[pandrijeczko]

PCs behind a NAT router should be given "private" IP addresses - either fixed ones or DHCP assigned ones. These private addresses are in the ranges 10.x.x.x, 172.16.x.x to 172.31.x.x, and 192.168.x.x.

Since every directed IP packet on the Internet contains the sender and receiver IP address, any Internet router that sees a private address in either the source or destination address will drop the packet and not route it. Consequently, no-one on the Internet can get to a PC in the private address range - not only that but there are probably thousands of PCs using anyone of those private IP addresses at any moment in time.

The trick of a NAT router is that when one of your PCs connects through the router to the Internet, the NAT router substitutes the private source IP address in each packet coming from one of those PCs with the real IP address on the Internet side of the router. So when a response comes back from, say, a web server one of your PCs is accessing, the response hits the router's Internet IP and the router puts the private IP address back in to send it back to the right PC.

It is possible to forward incoming connections to the router onto a PC in the private address space but this feature has to be manually configured on the router and is turned off by default.

So, yes, you can still download a nasty email or script from a server on the Internet, even with a NAT router in place - but then you just don't use a PC for those purposes until you've fully patched them.

Re:encountered (again) another win box without NAT

[KillerBob]

With *BSD, it's entirely possible to set up a low-level firewall that offers just as much protection as NAT without actually doing any address translation. It does this by monitoring the traffic at the packet-level, and can be configured to block certain ports, to ignore all unrequested traffic, or any number of QoS-type monitoring/filtering features that are a royal pain in the ass to set up on a NAT box. Really, the biggest advantage of NAT is that the DHCP allows you to have more than one computer on the network. (granted, that's a pretty big advantage).

There's even a howto on NetBSD's website that explains exactly how to go about setting such a box up.

But you're right... generally, it's easier to go with NAT in the long run.