
I am planning to do a clean Windows 7 OS installation.

Is it possible (and/or recommendable) to download all the Windows 7 Security Updates from Microsoft in advance and patch my fresh Windows 7 installation before I connect it to a network? If so, how?

Are the temporary risks of being online through my private broadband connection and reading data from http://windowsupdate.microsoft.com so small that I can safely use this strategy?

Simen S
  • Windows 7 has windows update standalone app which connects and downloads updates from windowsupdate.microsoft.com without you having to type it... windows updates are not the greatest protection though and it makes little difference whether you have them or not. You can install a firewall & antivirus prior to going on the net... – Sigtran Mar 23 '11 at 14:20
  • @Sigtran To be fair, no single mechanism is sufficient. Installing your updates (particularly security patches) is, however, a *very* important piece of your strategy. As are *properly configured* firewalls, updated and running anti-virus, etc, etc. – Scott Pack Mar 23 '11 at 14:28
  • @packs true, however I found myself downloading over 30 security patches with windows 7 the last time I've installed it (I did install SP1 prior to online patching)... Update obviously helps with the time you spend on the net, but imo the risks are negligible, provided everything else is up to date (AV, FW) – Sigtran Mar 23 '11 at 14:48
  • @Sigtran - the stats actually imply that patching is significantly more important than your AV. A large percentage of successful exploits are down to well known exploits finding a home in an unpatched box. It makes a HUGE difference! – Rory Alsop Mar 23 '11 at 15:14
  • @Rory yes, it makes a huge difference - for regular web usage. But in this case he's talking about just updating windows - IMO "passive" attacks would be mostly irrelevant (or nearly so, relatively speaking), whereas "active" attacks would be much more in his face - and those would be stopped more by a FW than patching (though I agree there are some cases where that is relevant too, if the FW is onbox and it is connected directly to the Internet). – AviD Mar 23 '11 at 19:17
  • @AviD - definitely didn't mean to not use AV and firewall - at home I have on platform AV and FW plus hardware firewalls on the inside and outside of my DMZs. FW is key, patching I would rate 2nd and AV 3rd, but all necessary. – Rory Alsop Mar 23 '11 at 19:24
  • @Rory ah, but you're still talking about general usage scenarios. What about the specific use case - connected to the Internet, but no outgoing connections except to Windows Update? – AviD Mar 23 '11 at 19:27
  • @AviD - absolutely. that specific case is why I voted @packs up :-) My comments in here were more in response to the discussion in this comment thread. – Rory Alsop Mar 23 '11 at 19:41
  • @Rory Alsop I wasn't clear - windows updates ON THEIR OWN (for the purpose of going online and updating further) are useless, as there are plenty of network worms. For the case of going online just to update, a FW should be sufficient enough - it should not allow "well known exploits to find a home in an unpatched box" – Sigtran Mar 24 '11 at 16:28

1 Answer


The easy answer is yes, it is possible. In fact, we have several servers that for various reasons are only patched in this manner. This does produce a bit of an annoyance for the admins; however, once you get into the swing of things it is not so difficult to do on a small scale.

Your situation sounds wonderfully easy, though. I would recommend installing Service Pack 1, then connecting to the network to pull down any additional updates. Since SP1 rolled up a large number of patches, this should

  1. Speed things up significantly
  2. Take care of any of the older vulnerabilities that may be frequently looked for

You can find the official instructions for installing the update here. That page contains the link for the actual download page as well as instructions on how to determine which file to use for your system.

Scott Pack
  • +1 So in consideration of Sigtran's comment above, the recommended procedure would be to: 1. Install the OS (SP 1) 2. Install AV and activate FW (is the software based FW strictly necessary when I have a FW embedded in my home network?) 3. Connect to network 4. Execute win 7 embedded security update mechanism. 5. Download and install latest patch of AV engine and signature files – Simen S Mar 23 '11 at 14:31
  • +1 to the steps. Firewall is not necessary, if you have a stateful firewall on your router. – Sigtran Mar 23 '11 at 14:44
  • The firewall has been on by default since XP SP2 anyway. – Scott Pack Mar 23 '11 at 14:49
  • The broadband provider ships all the broadband routers preconfigured to disallow all externally initiated traffic. You have to explicitly reconfigure the router if you e.g. want to run a web server or ftp server at home (which I'm not currently doing). The way I understand it, this means I'm really only susceptible to Trojans. If the only software I have on my hardware is a clean install of Windows 7 there shouldn't be too much risk of accidentally invoking a Trojan as I am patching my system. :-) – Simen S Mar 23 '11 at 14:54
  • @SimenS Sounds like this is turning into a more holistic configuration question. There are some others like it on the site, but might not be entirely relevant. I would encourage you to either update your question, or create a whole new one, with the additional concerns. – Scott Pack Mar 23 '11 at 14:56
  • I am therefore concluding that standard security update patching strategy is OK for my type of system, and that the offline patching strategy is best suited for secure servers that aren't linked to the internet and for the *tin foil hat* crowd. – Simen S Mar 23 '11 at 14:57
  • @packs I'm happy now. I got all the info I need. – Simen S Mar 23 '11 at 15:00
  • @packs I really tried looking for a previous "secure approach to install new OS" question without finding one. – Simen S Mar 23 '11 at 15:03
  • @Scott, This only applies to SP1. Is there a more general solution that can apply to further updates as well? – Synetech May 03 '11 at 20:26
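The sequence agreed in the thread (SP1 applied offline, host firewall confirmed on and blocking unsolicited inbound traffic, then and only then connect and let the built-in Windows Update mechanism fetch the remaining security updates) can be checked and driven from a script rather than by hand. The following is an added example written for this page; it is not code from the question, the answer, or Microsoft. It assumes an elevated Windows PowerShell 2.0 or later prompt on Windows 7, and the function names (`Test-ServicePack1`, `Test-FirewallBlocksInbound`, `Get-MissingSecurityUpdates`, `Install-UpdateSet`) are mine. The COM classes it uses (`HNetCfg.FwPolicy2` for the Windows Firewall policy and `Microsoft.Update.Session` for the Windows Update Agent) are the ones Windows 7 ships with.

```powershell
# Added example, not code from the question or the answer.
# Assumes: elevated Windows PowerShell 2.0+ on Windows 7, network attached only
# after the two pre-flight checks below pass.

function Test-ServicePack1 {
    # Win32_OperatingSystem reports the installed service pack level;
    # Windows 7 is NT version 6.1.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    return (($os.Version -like '6.1.*') -and ($os.ServicePackMajorVersion -ge 1))
}

function Test-FirewallBlocksInbound {
    # HNetCfg.FwPolicy2 is the Windows Firewall with Advanced Security COM API.
    # CurrentProfileTypes is a bitmask: 1 = Domain, 2 = Private, 4 = Public.
    # DefaultInboundAction: 0 = Allow, 1 = Block.
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    foreach ($profile in 1, 2, 4) {
        if (($fw.CurrentProfileTypes -band $profile) -eq 0) { continue }
        if (-not $fw.FirewallEnabled($profile)) { return $false }
        if ($fw.DefaultInboundAction($profile) -ne 1) { return $false }
    }
    return $true
}

function Get-MissingSecurityUpdates {
    # IUpdateSearcher.Search takes the documented WUA criteria string.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

    # Keep only updates Microsoft classifies under the 'Security Updates' category.
    $security = @()
    foreach ($update in $result.Updates) {
        foreach ($category in $update.Categories) {
            if ($category.Name -eq 'Security Updates') {
                $security += $update
                break
            }
        }
    }
    return ,$security
}

function Install-UpdateSet($updates) {
    # Download and install through WUA. Returns the IInstallationResult
    # (ResultCode 2 = Succeeded; RebootRequired says whether to restart).
    $session    = New-Object -ComObject Microsoft.Update.Session
    $collection = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($update in $updates) {
        if (-not $update.EulaAccepted) { $update.AcceptEula() }
        [void]$collection.Add($update)
    }
    if ($collection.Count -eq 0) { return $null }

    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $collection
    [void]$downloader.Download()

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $collection
    return $installer.Install()
}

# --- main flow: the order the thread settled on ---------------------------
if (-not (Test-ServicePack1)) {
    Write-Warning 'Service Pack 1 is not installed. Apply the SP1 standalone package offline first.'
    return
}
if (-not (Test-FirewallBlocksInbound)) {
    Write-Warning 'Windows Firewall is off, or an active profile allows unsolicited inbound traffic. Fix that before connecting.'
    return
}

$missing = Get-MissingSecurityUpdates
Write-Host ("{0} security update(s) outstanding" -f @($missing).Count)
foreach ($update in $missing) { Write-Host ("  " + $update.Title) }

$result = Install-UpdateSet $missing
if ($result -ne $null) {
    Write-Host ("Install result code: {0}; reboot required: {1}" -f $result.ResultCode, $result.RebootRequired)
}
```

Two points worth noting. `Test-FirewallBlocksInbound` checks the default inbound action as well as the on/off state, because a firewall that is enabled but defaults to allowing inbound connections gives none of the protection the thread relies on for the window between going online and finishing the patch run. The search filter also drops to the 'Security Updates' category only; widening it to everything Windows Update offers is a one-line change, but keeping the first online pass small is exactly the point Scott Pack makes about SP1: less time exposed before the well-known holes are closed.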