How to patch a new system without getting infected

With Sasser and friends out there, it seems like a chicken and egg scenario when trying to download patches for a vulnerable new system, if you're unlucky as Loren Heiny explains you'll be infected before you can even download and install the updates. A similar question was asked on an internal Microsoft forum a while back and so here's how to bring a new system online and patch it without being exposed:

1. Disconnect machine from network
2. Install the new system (if not installed)
3. Enable firewall and do not allow inbound exceptions
4. Connect machine to network
5. Download and install required service packs and updates
6. Download and install antivirus software
7. Join machine to domain (if applicable)

Comments

• Anonymous
  June 14, 2004
  "
  3. Enable firewall and do not allow inbound exceptions
  4. Connect machine to network
  "
  
  It's worth clarifying that pre-XPSP2 does not provide boot-time firewall protection, which is why users should not connect to the network until they have logged into a windows session and confirmed the firewall service is running.