Categories
Admin Tips Work

Security Tip: Automatic application updates with Ninite

NiniteThis isn’t a free tip, but works well for the networks I manage. One of the challenges for any Systems Administrator is keeping software up to date. I’m not so concerned about actually having the latest version of software so much as making sure if there are any security updates these are taken care of in a low effort way.

In your network documentation you should consider every application you have installed on your workstations and determine a software update strategy for each. Our Microsoft products are taken care of by Server Update Services, our Antivirus looks after itself and now we have Ninite for the rest.

If you haven’t come across Ninite before, it is a neat wee tool to install your favourite applications with a couple of clicks.

Ninite Pro adds some awesome features which allow this, such as a command line/silent mode, one touch software updates and caching software downloads. I subscribed to the $20/month plan for up to 100 computers.

There are lots of cool things you can do with the command line reference etc, but all I need is the update mode (which updates any of the Ninite supported software which you have installed on your computer), and to set it up to run on a regular basis. In my case, every time a computer is turned on.

Here is my standard configuration for Ninite

  1. Setup a service account with a secure password for Ninite in Active Directory and document the password in LastPass. It will require permissions to install software on your workstations.
  2. Setup a network share for Ninite and add permissions for the Ninite service account.
  3. Put your copy of NiniteOne.exe in the share and create a Logs folder
  4. Setup a Scheduled Task in Group Policy > Control Panel Settings > Scheduled Tasks
    1. Run whether the user is logged on or not, run tasks as your service account. Configure for Windows 7.
      Currently investigating a better option for this. That would require storing the user credentials for Ninite service account in Group Policy which is actually easily accessible by malicious users.
    2. Triggers – At system startup. You may wish to delay task for 10 minutes, I have it running immediately.
    3. Actions – Start a program
      \fileserverNinite$NiniteOne.exe /silent \fileserverNinite$Logs%ComputerName%.txt /updateonly /disableshortcuts
    4. Conditions – Start only if the computer is on AC power
  5. Test it out, when you restart your test workstation a log file should be created for the workstation in the Logs folder, and any software supported by Ninite should be updated and cached in the network folder for a quick install on other machines.

 

Categories
Admin Tips

Security Tip: Block Internet Explorer invocation of Java with Group Policy

Given the non-stop barrage of security vulnerabilities being found and exploited in Java, every Systems Administrator should disable Java for Internet Explorer or have a really good reason not to. (Don’t worry, we can still cater for you if you have specific sites that require Java!)

Unfortunately it is notoriously hard to do. Microsoft had a go but US CERT found Microsoft’s method didn’t block it completely. US CERT’s KB article provides a registry file which blocks the invocation of Java Web Start for non-trusted sites.

I’ve converted the registry file into xml files ready for importing into Group Policy registry preferences. You’ll need two, one in a user policy and one in a computer policy.
For your convenience you can download them below.

Please test before using at your own risk!

https://dl.dropbox.com/u/1683671/Group%20Policy/DisableJava_ComputerRegistry.xml

https://dl.dropbox.com/u/1683671/Group%20Policy/DisableJava_UserRegistry.xml

Then just add any business sites that require Java to your trusted sites list. If you want to do it through Group Policy check out Alan Burchill’s article on IE Site Zone mapping but in my experiences only a couple of people have needed sites with Java and I add them on a per-user basis.

This is a low effort, maximum gain security tip for your organisation (just make sure you test that it actually is disabling it as it should!)