This article is part of an Essential Guide, our editor-selected collection of our best articles, videos and other content on this topic. Explore more in this guide:
2. - Windows 7 tips and tricks: Read more in this section
- Hype vs. reality: Windows 7 improvements
- Strategies for automating Windows 7 deployment
- Replicating SteadyState in Windows 7
- Five registry keys for Windows 7
- How users can troubleshoot Windows 7 on their own
- Using third-party patching tools to secure Windows 7
- Consider these third-party Windows desktop management tools
- Ten Windows 7 features you'll miss in Windows 8
Explore other sections in this guide:
Patching may be a mundane task, but the reality is we’ve yet to master it. Although we’re in an era of automatic software updates, you still need centralized visibility and control to keep everything in check.
In any network security assessment I do, I inevitably come across workstations running Windows Server Update Services and Windows Update that aren’t properly patched. Whether this is a Microsoft flaw or an internal misstep is unclear, but it’s a dilemma across every industry. A big part of the problem is that organizations rely on Microsoft to do all the work. After all, the flaws are in Microsoft’s software, so subsequent patches are its responsibility, right?
As with anti-malware, logging and monitoring, and network intrusion prevention systems (IPS), just because Microsoft offers a patching option doesn’t mean it’s a good fit for your business.
There are many third-party alternatives for keeping Windows 7-based systems up to snuff, including:
These vendors have lots of bells and whistles for enterprise patching, like patching third-party software, that Microsoft doesn’t. Based on new research on patching offline/dormant virtual machines, we can expect even more advances in desktop patching, especially from third-party vendors.
Another mistake that enterprises make is they assume that Microsoft's commitment to releasing security updates and the enhanced security features in Windows 7 will keep them safe. This isn’t necessarily the case.
Windows endpoints often serve as the path of least resistance in the enterprise. Although I've found Windows 7 to be secure, that goes for that operating system as well. You have to keep Windows 7 and any running third-party software well patched. This is especially important because tools such as Rapid7’s Metasploit and its easier-to-use commercial counterpart Metasploit Express can be used maliciously. They both serve a legitimate purpose, but they can easily be used against enterprises. One rogue user or piece of malware combined with a single unpatched Windows 7 system is all it takes to harm the enterprise network.
It’s important to take a close look at Microsoft’s products and see how they’re working. Maybe they are, maybe they aren’t. Your internal security assessments and audits should paint the most accurate picture. Odds are there are some weaknesses. It’s up to you to make some changes to get this beast under control once and for all.
ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, expert witness, and professional speaker at Atlanta-based Principle Logic LLC. He can be reached at www.principlelogic.com, and you can follow him on Twitter at @kevinbeaver.