DRAFT

Windows systems are only as secure as their weakest link. Often, this is unpatched security holes in the OS or installed applications. These can usually be quickly patched with security updates.

Antivirus software or firewalls can't prevent the exploitation of a security flaw, since they use a system's core function to gain elevated access or cause it to malfunction. An unpatched system with a good antivirus and behind a good firewall is like a house with a very good anti-intrusion system, but the windows have been left open. This is useless and offers no protection against attacks.

There are three kinds of updates that must be installed.

1. Windows Updates

Cybercriminals are constantly on the lookout for any system vulnerabilities in software, so it’s  essential you have your Windows updated regularly. You should install all application updates and OS updates offered to you, because updates ensure that your computer is continuously kept up to date with new innovations and security updates. This will also protect you against loss of data and information theft, among many other potential problems.

Wait for Windows to roll out the patches and updates to you. Don’t manually check Microsoft’s website for and install Windows OS updates, because you will install optional updates that are primarily for advanced users and testers. If you do manually check for updates, you may be offered Windows Updates that are not fully ready to be used.

The Windows operating system checks for updates once a day. 

But there is also a special month each month, on the second Tuesday of every month. It is called "Patch Tuesday". On Patch Tuesday Microsoft rolls out new patches, including cumulative updates (which are bundles of all the most recent fixes).

It is one of your most important responsibilities to regularly go on each computer of your entity to check that all available updates are installed and that Windows update is really up to date. This basic maintenance task should be part of your monthly routine. That would be good to use your computer inventory to confirm which computers have been checked and which remain.

You might be in a situation where you need to uninstall a patch that you think is causing problems. To manually uninstall a patch you can use the command: “wusa /uninstall /kb:patchnumber”.

If you do not enforce computer policies, users can change the way Windows update installs or do not install patches. To prevent users from changing settings you can define the Windows Update behavior using Group Policies (even if you are not using Active Directory). To do so, open Gpedit, browse to Computer Configuration, Administrative templates, Windows components, Windows Update, Manage End-user experience. The most important GPO is “Configure Automatic Updates”. Read the help to know how to configure the settings.

2. Software Updates

Windows Update cannot install updates for third party apps. 

Therefore it is important not only to install Windows updates but also Software updates.

This is important as installing software updates means patching security flaws and getting new features.

Patch My PC or Ninite are good automatic software updaters. They handle hundreds of popular applications. It will also do bulk installs and uninstalls.

Notice that some software, installed per-user and not for all-users may need manual check. This is the case for Zoom and Synology Drive. It’s good to manually check for Eset, Acrobat reader or Java updates. Notice that Microsoft Office uses a separate update program. Ensure automatic Office updates are enabled in any Office app, under File, Account, Update Options.

Running such a tool is important, and needs to be done on a monthly basis, when you check for Windows Updates. Again, use your computer inventory to keep track of what has been done, to avoid missing any computer.

3. Manufacturer Updates

It is important to ensure manufacturer updates are installed. The main manufacturers, Dell (Dell Command Update), HP (HP Support Assistant), Lenovo (Lenovo Vantage) all provide software to check that their latest updates, including security related, are installed.

These updates also include security patches that might be critical. Lack of manufacturer’s update installation puts your systems at risk.

Third-party software such as Miradore, can help you deploy Windows Update, Software updated and, to a certain extent, Manufacturer updates. The advantage of these systems is that they provide you with a centralized console, allow you to activate a testing environment for patches and to black list patches that cause issues. 

SIL Information Security Training for End Users:  Secure Your Devices