
We have a small "secured network" in our office. And by small I mean it's a Windows 7 PC connected to a firewall which connects to an internet connection. It's for processing card transactions in compliance with PCI DSS.

One of the requirements of PCI DSS is that any machines in the secure network are regularly patched and kept up to date. Another is that the firewall must be locked down to only allow outbound connections to authorised servers. The firewall only makes outbound exceptions by IP Address.

From this we can derive the facts:

  • The server must be up to date with patches
  • The server must be allowed to connect to Windows Update
  • The firewall can only allow it to do this by IP
  • Windows Update appears to have no consistent IP range
  • The Win 7 box does not have Small Business Server on it
  • Therefore the box will not run WSUS

Is there really no way that we can allow the box to receive updates? Or is there something we are missing?

One Monkey

3 Answers


Or you might put a WSUS server on the internet (and "authorize" it) and solve the problem of the ever-changing IP address.

                                    The Internet (tm)
                                   \------------------------/
                                   |                        |
                                   |                        |
O---------------O     +------+     |       O-----------O    |
|Secured Machine+---->+Router+-----+------>|WSUS Server|    |
O---------------O     +------+     |       O-----------O    |
                                   |                        |
                                   |                        |
                                   /------------------------\
pacey
  • +1 And "authorize" it – Oskar Duveborn Nov 25 '10 at 13:38
  • Hi, yes, I wondered why this got no votes. I think this one's a goer. Well it would be if the company's solution wasn't: buy a different firewall. – One Monkey Nov 25 '10 at 13:43
  • I was under the impression that a machine running WSUS wasn't available. If it is, could you not have it in another firewall zone and allow your secure network to connect to it by IP address? That's slightly better than "having it on the Internet". – Keith Stokes Nov 25 '10 at 14:01
  • I just thought another machine on the same net wouldn't be an option. But you are right, that's the nicer solution. – pacey Nov 25 '10 at 14:02
  • On the other side of the firewall, as far as PCI is concerned, isn't on the network. We do have an "unsecure" (by PCI standards) network that has many boxes available. The wonder of PCI. – One Monkey Nov 25 '10 at 16:06
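The client side of the setup pacey sketches above, as an added example that is not part of the original answer: point the Windows 7 box at the dedicated WSUS server through the Windows Update policy keys, so the only outbound exception the firewall needs is that server's IP. The WSUS address, port and the use of an elevated PowerShell session on the client are assumptions; the registry paths and value names are the standard Windows Update policy settings.

```powershell
# Added example (not from the original answer): point a Windows 7 client at a
# dedicated WSUS server so the firewall only needs one outbound IP exception.
# Assumptions: WSUS listens at http://198.51.100.10:8530 (placeholder address
# and port) and this runs in an elevated PowerShell session on the client.
$WsusUrl = 'http://198.51.100.10:8530'   # placeholder; use your WSUS server's IP:port

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au     = Join-Path $policy 'AU'
New-Item -Path $au -Force | Out-Null

# Intranet update server and statistics server (the same host here).
Set-ItemProperty -Path $policy -Name 'WUServer'       -Value $WsusUrl
Set-ItemProperty -Path $policy -Name 'WUStatusServer' -Value $WsusUrl

# Tell the Automatic Updates client to use the server above instead of
# Microsoft's public Windows Update hosts, whose IPs change.
Set-ItemProperty -Path $au -Name 'UseWUServer' -Value 1 -Type DWord
# 4 = auto download and schedule the install.
Set-ItemProperty -Path $au -Name 'AUOptions'   -Value 4 -Type DWord

# Restart the Windows Update service so it reads the new policy, then
# make it re-register with WSUS and run a detection cycle right away.
Restart-Service -Name wuauserv
& wuauclt.exe /resetauthorization /detectnow

# Check: the only update endpoint the client is configured for is the WSUS server.
Get-ItemProperty -Path $policy | Select-Object WUServer, WUStatusServer
```

The firewall rule itself then only has to permit outbound TCP to that one IP and port from the secured machine; if the WSUS server later changes address, this script and the firewall exception are the two places to update.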

If you don't want to apply patches manually and don't want to set up a WSUS server (IIRC it requires Windows Server), I can highly recommend WSUSOfflineUpdate, which allows you to download any Microsoft update to a USB stick and later apply this semi-automatically to the Win7 machine (semi-automatic means you have to start this by hand, but it identifies and installs all updates automatically, as Windows Update does). If updates depend on each other and need reboot cycles, it can even do this by itself.

Sven

You can manually download the patches on a machine outside of the secure network and manually apply them to the machines inside the secure network.

Keith Stokes
  • +1. The Microsoft solution is WSUS, so if you don't want this you will have to roll out a WSUS server. – pehrs Nov 25 '10 at 13:11