With regards to Windows Updates, just how screwed are we?

We have a small "secured network" in our office. And by small I mean it's a Windows 7 PC connected to a firewall which connects to an internet connection. It's for processing card transactions in compliance with PCI DSS.

One of the requirements of PCI DSS is that any machines in the secure network are regularly patched and kept up to date. Another is that the firewall must be locked down to only allow outbound connections to authorised servers. The firewall only makes outbound exceptions by IP Address.

From this we can derive the facts:

  • The server must be up to date with patches
  • The server must be allowed to connect to Windows Update
  • The firewall can only allow it to do this by IP
  • Windows Update appears to have no consistent IP range
  • The Win 7 box does not have Small Business Server on it
  • Therefore the box will not run WSUS

Is there really no way that we can allow the box to receive updates? Or is there something we are missing?


Or you might put a WSUS Server on the internet (and "authorize" it) and solve the problem of the ever-changing IP address.

                                    The Internet (tm)
                                   \------------------------/
                                   |                        |
                                   |                        |
O---------------O     +------+     |       O-----------O    |
|Secured Machine+---->+Router+-----+------>|WSUS Server|    |
O---------------O     +------+     |       O-----------O    |
                                   |                        |
                                   |                        |
                                   /------------------------\

If you don't want to apply patches manually and don't want to set up a WSUS server (IIRC it requires Windows Server) I can highly recommend WSUSOfflineUpdate, which allows you to download any Microsoft update to a USB stick and later apply this semi-automatically to the Win7 machine (semi-automatic means you have to start this by hand, but it identifies and installs all updates automatically, as Windows Update does). If updates depend on each other and need reboot cycles, it can even do this by itself.
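The client side of the WSUS approach above, as an added example (not code from the answer's author): the Windows 7 box is told, via the same registry values Group Policy would write, to fetch updates from and report status to a single WSUS host, so the firewall exception becomes one IP address and one port instead of Microsoft's changing ranges. The host name `wsus.example.invalid` and port 8531 (the default WSUS SSL port) are placeholders; use HTTPS so the client can authenticate the server it is pulling executables from. Run it from an elevated PowerShell prompt; it uses only cmdlets available in the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: point a Windows 7 client at one WSUS server so the firewall
# only needs an outbound rule for that server's IP and port.
# 'https://wsus.example.invalid:8531' is a placeholder URL, not a real host.

$WsusUrl   = 'https://wsus.example.invalid:8531'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

function Set-WsusClientPolicy {
    param([string]$Url)

    foreach ($key in @($PolicyKey, $AuKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }

    # Download source and status-reporting target both go to the WSUS server.
    New-ItemProperty -Path $PolicyKey -Name 'WUServer'       -Value $Url -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'WUStatusServer' -Value $Url -PropertyType String -Force | Out-Null

    # Make Automatic Updates use the configured server instead of Microsoft's.
    New-ItemProperty -Path $AuKey -Name 'UseWUServer'  -Value 1 -PropertyType DWord -Force | Out-Null
    # AUOptions 4 = auto download and schedule the install; NoAutoUpdate 0 = enabled.
    New-ItemProperty -Path $AuKey -Name 'AUOptions'    -Value 4 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $AuKey -Name 'NoAutoUpdate' -Value 0 -PropertyType DWord -Force | Out-Null
}

function Test-WsusClientPolicy {
    # Read the values back and return $true only if every one is as expected.
    param([string]$Url)

    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey     -ErrorAction SilentlyContinue
    if ($wu -eq $null -or $au -eq $null) { return $false }

    return ($wu.WUServer -eq $Url) -and
           ($wu.WUStatusServer -eq $Url) -and
           ($au.UseWUServer -eq 1) -and
           ($au.NoAutoUpdate -eq 0) -and
           ($Url.StartsWith('https://'))   # refuse a plain-HTTP update source
}

Set-WsusClientPolicy -Url $WsusUrl

if (Test-WsusClientPolicy -Url $WsusUrl) {
    # Make the Windows Update service re-read policy and check in with the new server now.
    Restart-Service -Name wuauserv
    wuauclt.exe /resetauthorization /detectnow
    Write-Host "Client now targets $WsusUrl; allow outbound TCP to that host's IP on its port only."
} else {
    Write-Warning 'WSUS client policy not applied as expected; check the registry values above.'
}
```

The matching firewall rule is then a single outbound allow for the WSUS server's IP on 8531, and the client's check-in history in the WSUS console gives the PCI DSS auditor evidence that the box is actually receiving patches rather than merely being allowed to.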


You can manually download the patches on a machine outside of the secure network and manually apply them to the machines inside the secure network.