Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: How would you secure windows 7 without windows updates patches?

15 Apr 2016   #1
groze

W7 32 bit, Linux Mint Xfce 18 64 bit
 
 
How would you secure windows 7 without windows updates patches?

How would you secure windows 7 without windows updates patches?

I notice a lot of people include me are not able to install the current updates. Some were able to install after waiting a very long time.

I just want some ideas on what protection software people can install on windows 7 to make it more secure, since people can't depend on Microsoft unless you upgrade to 10 or 8.x


My System SpecsSystem Spec
.
15 Apr 2016   #2
whs
Microsoft MVP

Vista, Windows7, Mint Mate, Zorin, Windows 8
 
 

Don't go on the internet with Windows. Do your internet work with a virtual Linux system - e.g. Zorin.

VMware Player - Install and Setup Zorin
My System SpecsSystem Spec
16 Apr 2016   #3
Alejandro85

Windows 7 Ultimate x64
 
 

A great misconception is that security comes from what software you install. That's completely false. Antiviruses exploit that and use fear to promote sales, but in fact deliver little real security, the same as most other similar tools.
Security is greatly influenced by your practices and discipline in following them. There are a number of widely known good practices to improve security (almost always ignored, and Windows disastrous defaults don't help at all). A few from memory:

- Always run without administrator access. Only elevate those processes that have a legitimate reason to have full control and that you really trust.
- Use separate user accounts for you daily activities and your administrative chores. UAC is a great help here. Additional accounts may help for further isolating troublesome programs (like browsers and torrent clients).
- Disable the known vulnerable services (WER, SSDP, UPNP, etc).
- Use a firewall with a fine grained access control. Windows includes one (of course disabled by default ), just configure it according to your particular usage. Don't allow anything strictly outside of what you know.
- While not always possible, only give permission to run to that software you know, and nothing else. AppLocker and Software Restriction policies are of great help here.
- It's far better to put your computer behind a NAT router for internet access. Having a Windows computer in the DMZ is a disaster waiting to happen, specially if its a clean install without any hardening.
- Software updates are certainly a somewhat important part of security, when those fix a vulnerability that affects you. If you can't patch, at least make sure to understand the risk and take other measures to mitigate it.
- Always have backups of your data and any software installers you use. In case of problems you can always reinstall everything then place your data where it was.
- Antiviruses and other similar things might help somewhat, but don't put too much faith into them. Some older viruses can be detected with them. But once you're infected, the only safe path is a clean install.
- Disable the known broken Windows functions, like administrative shares, show extensions for files, autorun and the like.

Sure I'm forgetting a lot of things, but that's a good place to start. Of course, nothing of those things and many others are mutually exclusive, you can do some steps and skip others if you understand the implications. In practice, most Windows updates, while mostly useful, rarely affect home users and those with a reasonable understanding of security (they're important in servers though). A good thing of avoiding updates is that you also avoid the Windows 10 adware that MS tries to sneak within updates
My System SpecsSystem Spec
.

16 Apr 2016   #4
groze

W7 32 bit, Linux Mint Xfce 18 64 bit
 
 

That is good advice Alejandro85.

Here is some of my opinions & comments though.

Quote:
A great misconception is that security comes from what software you install.
Actually it is a combo of software & configurations.

Quote:
It's far better to put your computer behind a NAT router for internet access. Having a Windows computer in the DMZ is a disaster waiting to happen, specially if its a clean install without any hardening.
Most cable companies have a combo router & modem and includes a firewall.

Quote:
Antiviruses and other similar things might help somewhat, but don't put too much faith into them. Some older viruses can be detected with them. But once you're infected, the only safe path is a clean install.
Or a good backup. A clean install may not even work in some cases.

Quote:
Use a firewall with a fine grained access control. Windows includes one (of course disabled by default ), just configure it according to your particular usage. Don't allow anything strictly outside of what you know.
My windows 7 sp1 firewall is enabled when I first did a clean install. Maybe some versions of Windows 7 don't enable the firewall.
My System SpecsSystem Spec
16 Apr 2016   #5
Alejandro85

Windows 7 Ultimate x64
 
 

A few more comments on yours, made me thinking and remembered some things I forgot

Quote   Quote: Originally Posted by groze View Post
Most cable companies have a combo router & modem and includes a firewall.
I still have to see a modem/router that includes a firewall. Almost none of them that are home-oriented for sure. NAT is a powerful protection indeed, but it's not a firewall at all. And even then, for those that do have a firewall, you need to configure them, just in the same way a software one. Typically it's left disabled.

Quote   Quote: Originally Posted by groze View Post
Or a good backup. A clean install may not even work in some cases.
Problem with backups is that you can't know for sure if the backup itself is also infected. Typically you notice the problem when an antivirus cries or when it creates severe problems, but you don't know when the infection was actually entered the system, for that reason I'm prudent in using some backups liberally and instead consider them "suspect" too if they're too recent.

In those cases that a clean install doesn't works is when the virus/attacker managed to infect the BIOS or some other firmware, so that the infection reappears from there after a reinstall. We're really screwed if that's the case, there is no other way but to replace the hardware altogether.


Quote   Quote: Originally Posted by groze View Post
My windows 7 sp1 firewall is enabled when I first did a clean install. Maybe some versions of Windows 7 don't enable the firewall.
Yes and no. Strictly speaking you're right, Windows firewall is enabled by default, as long as I know in every version since Vista at least, if not in XP too.
What I'm talking about is that its configuration makes it utterly useless. Outgoing connections are all allowed, and incoming are filtered, but the default rule set enables pretty much every Windows function to listen, effectively blocking nothing. To be more precise, it's enabled, but blocks nothing, with a useless net result.
My System SpecsSystem Spec
16 Apr 2016   #6
groze

W7 32 bit, Linux Mint Xfce 18 64 bit
 
 

Alejandro85

Remember, we are in different countries. I can't show you a pic of the modem/router combo because of its location. However, I can show you screenshots of my modem/router log-in showing the firewall settings. I haven't changed the settings or customize the settings, I think I might mess things up. I do have wifi disabled.


Attached Thumbnails
How would you secure windows 7 without windows updates patches?-firewall1.png   How would you secure windows 7 without windows updates patches?-firewall2.png  
My System SpecsSystem Spec
Reply

 How would you secure windows 7 without windows updates patches?




Thread Tools Search this Thread
Search this Thread:

Advanced Search




Similar help and support threads
Thread Forum
Windows 7 will be getting patches in Windows Update later today
Source: https://support.microsoft.com/en-us/kb/894199/
News
Windows 7 64 bit Home - Installer patches
Is it safe to remove some huge $installerpatche$ in the files $patchcache$ and how might I do it? Please Thanks Located on my machine at C:windows/installer Note: the 'patchcache' seem to be the hodling folder..double clicking om it show .msp amd .msi files..
General Discussion
Windows 7 Patches.
Hi Folks, Do Windows 7 service packs mean the same to the various flavours of the Win 7 OS? If let's say there is a Service pack 1, does it mean both the Ultimate and Enterprise would need it or will only certain flavours need certain service packs? Hope somone can advise. regards glisando.
Windows Updates & Activation
possible McAfee patches for windows 7?
On my windows 7 compatability advisor it said that McAfee is not supported with the that version, but I get McAfee for free from my university and I do not want to end up paying for a virus protection program or have to use trial versions or things of that nature. Does anybody know about patches...
System Security


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 03:59.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App