If your organization works on an image-based model, meaning a generation of machines is cloned from a master image, you want the master image to be perfect in order to implement a ‘best practice’ of System Administration. One important thing that helps with that is a consistent workflow.
I have established the following workflow, centered around Secunia PSI and Microsoft Baseline Security Analyzer, to ensure that applications are kept up to date and your machines are as secure as possible.
To be done monthly, after Patch Tuesday (the second Tuesday of the month).
- Load the latest image on that model computer, with a generic machine name and off the domain.
- Install known updates (Firefox, Thunderbird, Flash, Java, Adobe Reader, Windows Updates, Office Updates, Antivirus).
- Make known changes and corrections to the image, if any. (Check the To Do list for that model for software to be installed, uninstalled, and properties/permissions to be changed.)
- Install Secunia PSI.
- Configure Secunia. Switch to Advanced mode and under ‘Settings’ uncheck “Show only easy-to-patch programs”, “Start Secunia PSI on boot”, and “Enable program monitoring”.
- Run Secunia PSI and compile a list of Insecure and End-of-Life applications.
- Run through this list and decide on how to proceed (update, uninstall, or ignore).
- Update, uninstall, or ignore as decided and test the updated software.
- Run Secunia again and uninstall it if all programs check out. (It will likely be updated before the next image update.)
- Run Microsoft Baseline Security Analyzer to determine if any configurations need to be addressed or patches are missing.
- Gather the image, archive the older version, and use the current one in all future deployments.
- Publish the list of changes and version to the documentation for the appropriate threads (hardware model and audience).
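
The change list in the last step can be generated instead of written by hand. The following PowerShell script is an added example, not part of the original workflow or of either tool: it inventories the programs registered under the Uninstall registry keys on the master image and diffs them against the inventory saved from the previous image. The `C:\ImageDocs` folder and the file names are assumptions.

```powershell
# Added example. Requires PowerShell 3.0 or later. Folder and file names are assumptions.
param(
    [string]$DocDir = 'C:\ImageDocs'   # hypothetical documentation folder
)

function Get-InstalledSoftware {
    # Programs register under these Uninstall keys (64-bit and 32-bit views).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Group-Object { $_.DisplayName.Trim() } |
        ForEach-Object {
            # Side-by-side installs (e.g. two Java versions) share one name: keep all versions.
            $group = $_
            $versions = $group.Group | ForEach-Object { [string]$_.DisplayVersion } | Sort-Object -Unique
            [pscustomobject]@{ Name = $group.Name; Version = ($versions -join ', ') }
        } | Sort-Object Name
}

function Compare-Inventory {
    param([object[]]$Previous, [object[]]$Current)
    # Index both inventories by program name (hashtable keys are case-insensitive).
    $old = @{}; foreach ($p in $Previous) { $old[$p.Name] = $p.Version }
    $new = @{}; foreach ($c in $Current)  { $new[$c.Name] = $c.Version }
    foreach ($name in ($new.Keys | Sort-Object)) {
        if (-not $old.ContainsKey($name))    { "ADDED    $name $($new[$name])" }
        elseif ($old[$name] -ne $new[$name]) { "UPDATED  $name $($old[$name]) -> $($new[$name])" }
    }
    foreach ($name in ($old.Keys | Sort-Object)) {
        if (-not $new.ContainsKey($name))    { "REMOVED  $name $($old[$name])" }
    }
}

$currentFile  = Join-Path $DocDir 'inventory-current.csv'
$previousFile = Join-Path $DocDir 'inventory-previous.csv'   # saved from last month's image

$current = @(Get-InstalledSoftware)
$current | Export-Csv -Path $currentFile -NoTypeInformation

if (Test-Path $previousFile) {
    $previous = @(Import-Csv -Path $previousFile)
    Compare-Inventory -Previous $previous -Current $current |
        Set-Content -Path (Join-Path $DocDir 'changes.txt')
} else {
    Write-Warning "No previous inventory at $previousFile; nothing to compare."
}
```

Run it on the image machine after Secunia PSI has been uninstalled and before the image is captured. Once the new image is in use, copy `inventory-current.csv` over `inventory-previous.csv` so next month's run compares against it.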