Friday, December 9, 2011

Giving the Gift of Updates

The holidays are a time for family and friends.  For many geeks that means a lot of pro bono computer repairs and this year has started no different for me.  I started thinking of ways to quickly fix and secure the endless stream of laptops heading my way and here are some methods that have proved helpful.

Although it seems people are keeping their Windows machines patched, the third-party applications are another issue.  My family members still aren't adhering to the safe-browsing advice that I gave them so each "repair" is normally a complete OS wipe and reload.

After being asked to "fix" two laptops in a row with physically damaged DVD drives, I went ahead and dedicated a thumb drive to the Windows 7 install media.  The process is simple and it actually speeds up the installation process.  You also aren't dependent on potentially broken hardware.

The first step is to download the tool from Microsoft and install it.  Next find a suitable USB drive that is  at least as large as the installation DVD.  Then, choose the source iso file and select USB device.  Once the process is started, you will be presented with:

Once it is done, you will have a USB drive that you can use to reinstall or repair broken Windows 7 installations.

Another trick to speed up post-installation tasks is to use Ninite to create a single installation executable.  If you haven't used Ninite before, its extremely easy.  Just browse to the website and select the software you want to install:

Once you are done, click the "Get Installer" button at the bottom of the page and you will have a single executable for downloading and installing all of the software.  I know Ninite has saved me hours this year alone, but remember that you will need internet access for it to work.

Also, you can use Ninite for another purpose as well.  Last year, I renamed the Ninite binary to updates.exe and left it on the user's desktop.  I asked  them to run it with admin credentials every few weeks.  Although Windows Update was working properly, no one was patching anything else.

This year, I took it a step forward and created a task to run the updates.exe for them.  Now they will be prompted for credentials every once in a while (possibly increasing social-engineering risks), but at least they will hopefully be better protected from client-side attacks.

First I copied to the updates.exe to the 'c:\Windows\Tasks' folder to secure its permissions.  Then I created a task to run it every two weeks named "updates" with Schtasks:

schtasks /create /sc weekly /mo 2 /tn updates /tr c:\windows\tasks\updates.exe /rl highest

To test that the task is working properly:

schtasks /run /tn updates

The Ninite exe will only download applications that are either not installed or out-of-date.

Finally, Secunia's Personal Software Inspector (PSI) supports auto-updates for many products as well.  You can get the install from here and just like Ninite, its free for personal use.  It is a great tool which can be used by your non-"computery" friends and family to see what software they need to update.  The dashboard is helpful and easy to understand. 

I hope these methods equate to less OS installations next year and possibly less infected machines.


No comments:

Post a Comment