Windows Security Strategy: introduces how to completely fix System Vulnerabilities

Comments: If WINDOWS is not set. vulnerabilities are often prone to violence. very insecure the virus groups on the Internet are becoming increasingly rampant, causing more and more harm to users. Everyone must know how to protect their computers from infringement and protect their privacy from theft. I remember a user asking me some time ago, complaining that I had installed the thunder software after I installed the patch. At this time, I am tired of reminding you that the system has not installed many patches, after research, many software on the market, such as Master Lu, Kingsoft, and kakaka, will give you an annoying reminder that the system has not been patched. For ordinary users, they are all dizzy. What should they do to listen to the software? Recall that Microsoft's vulnerability repair started from Windows 98 and went to Windows XP and subsequent operating systems, which became a default security setting, moreover, Microsoft also targets desktop and server MBSA, SUS, WSUS, and other software.
I. What is a Windows system vulnerability?
System Vulnerabilities refer to the defects in the logic design or programming of your Windows operating system. Such defects or errors can be exploited by attackers or computer hackers, attackers can implant Trojans and viruses to attack or control the entire computer, Steal important information and information from your computer, and damage your system. Windows system vulnerabilities are closely related to time.

From the day when a Windows system was released, with the in-depth use of users, vulnerabilities in the system will be constantly exposed, and these vulnerabilities discovered earlier will also be continuously exposed by system vendors: patches released by Microsoft may be corrected in the new version of the system.
While the system in the new version fixes vulnerabilities in the old version, it also introduces some new vulnerabilities and errors. For example, the previous popular mouse> vulnerability is caused by the defect in processing Mouse icons in Windows, and the trojan author creates malformed Icon files to overflow, A Trojan can execute malicious code without the user's knowledge.
2. Is there more patching, the better?
The more patches, the better? Ordinary users will think that the more patches they patch, the better. They put all the patches in one breath and think that their computers are less likely to be attacked by vulnerabilities. Otherwise, let's analyze them in detail, in the past, when there were no third-party patching software, we used Windows Update to fix the system, so there were very few problems because Microsoft had already sorted the patch order, and you should have a question, why is there order? This is because the previous important patch paves the way for the next patch. If it is reversed, it will not be able to be patched. If it is heavy, the system will fail to be shut down, the system will not be able to boot, or even crash, and you need to reinstall it! Like wearing clothes, you should wear underwear, coat, and patch first. This is not the case for a lot of third-party patching software (some individuals do batch Install patches). To save time, download several patches together, which of the following must be downloaded first, just like when you get your coat, you need to wear it first, and then put your underwear out. Your computer system is not "Superman". How can you wear it without any problems?

Now, the new system has UAC (User Account Control), and the third-party software permission cannot be higher than Windows Update. Even if it is fixed one by one, a patch cannot be fixed or cannot be completely repaired due to permission issues! The patch has two times: the release time and the last update time. If you install the patch Based on the release time, the patch is obviously the latest.
Urgent patches need to be repaired immediately. Functional updates are used to update system or software functions. For example, some updates of Office, such as Windows System Security Update Program, Outlook update Patch, can be suspended.
3. Why should I restart the computer after installing the patch?
During the patch installation process, files cannot be modified because the system is running. Therefore, you must update the patch before logging on to the system. In general, the Office patch can be installed directly. The vulnerability patch usually takes effect after being installed and restarted.
Some processes and files cannot be replaced during system running, so you need to restart the system.
Iv. Introduction to common vulnerability repair tools in Windows
1. Windows Update
It is an automatic update tool provided by Microsoft. It usually provides upgrades for vulnerabilities, drivers, and software. Windows Update is a component used to upgrade the system. It is used to Update our system. It can expand system functions, enable the system to support more software and hardware, and solve various compatibility problems, make the system safer and more stable. Windows updates are released every week or every month. However, if there are serious security threats (such as viruses that affect computers on Windows operating systems), Microsoft will immediately release the corresponding update program.


Security Update supports the following installation Switches

. Sus and Wsus
From the above Windows Update content, you can understand that the Windows Update automatic Update program can help users detect and install patches, but it is not conducive to the Administrator's centralized management of patches. At the same time, it also has a major defect. In the LAN with more than 50 machines, if the administrator assigns all clients to access Windows Update at the same time using group policies, to check for updates, the proxy server in this lan may be overwhelmed at this time. SUS can easily implement functions that cannot be implemented by these Windows updates. SUS is easy to use. It can automatically manage patches for administrators, but cannot provide service support for earlier versions such as Windows 9X.

Wsus is more powerful than sus. It must be connected to the Internet before it can be updated. It obtains updated data from Microsoft's official Update Server. Then, download the related update package based on the user's settings to distribute the patch. At the same time, make the settings on the internal machines. You can use the Policy Editor to direct the client updates to the server IP address. The update package downloaded by WSUS is different from the update package downloaded by software such as . It is also suitable for medium-sized enterprises to deploy patches. For security considerations, we recommend that you install the patch on a virtual machine before it can be used.
  Note:
1. Wsus requires that your LAN have an Enterprise Domain environment (AD ).
2. If you deploy a firewall on the edge of your network, open ports 80, 443, 445, and 8530 in time to avoid blocking.
3. if you deploy in a large enterprise network, it may not be updated for half a day. If you do not have any problems with the deployment and configuration, please wait patiently. Sometimes it may take the next day after one night.
3. MBSA
MBSA (download) can check the operating system and SQL Server updates. MBSA can also scan insecure configurations on the computer. When you check the Windows service package and patch, it includes Windows components (such as Internet Information Service (IIS) and COM +), you can also MBSA (currently there is no Chinese Version) tool to check whether your machine is secure. In a multi-domain environment (two independent Active Directory domains) where the firewall or router separates the two networks ), TCP port 139 and port 445, as well as UDP port 137 and port 138 must be open for MBSA to connect and verify the remote network host to be scanned.



4. Third-party tools, such as guard, Kingsoft guard, Master Lu, Kabbah, and rising
 
 
6. Zoho ManageEngine Security Manager Plus
Security Manager Plus is a network Security scanner that proactively Reports Network Vulnerabilities to help fix vulnerabilities and ensure compatibility. With the vulnerability scanning, open port detection, Patch Management, and vulnerability reporting functions, Security Manager Plus is a software that can fully protect your network from Security threats and malicious attacks.


Red indicates a warning with high risk:

A detailed report is generated. The vulnerability repair tools described above make it easy for common users to fix windows system vulnerabilities and ensure stable system operation.

(Suggestion: do not fix vulnerabilities in the Pirated Windows system, which may cause system faults, even blue screens or fail to be started)
 
 



5. GFI LANguard
GFI firewall ARD Network Security guard checks your Network in various ways that hackers may use. By analyzing your system and programs running on your network, it helps you identify possible security vulnerabilities, so that you can before a hacker discovers, to take effective actions to make up. You can check the entire network, each IP address, and provide relevant information (whether to install less files, which port is open, and so on) to generate HTML reports.