Last month, i.e. on October 22nd 2009, a test was conducted at Sophos Labs on Microsoft’s new operating system – Windows 7. The test was carried out to check if Windows 7 really matched its claims about the OS being more secured for virus, spyware and malware. Sophos claimed that the User Account Control (UAC) feature of Windows 7 bypassed 8 viruses out of the 10 that were tested. Further, it claimed that Windows 7 UAC’s default configuration is not effective at protecting a PC from modern malwares. You still need to run an anti-virus on Windows 7.

I was just waiting for something to happen from Microsoft end and after a long wait, yes it did happen. In a blog posting recently, Paul Cooke, Director of Windows Enterprise Client Security at Microsoft stated that the Sophos claim was deceptive and bogus. Further he adds that, “This test shows that most people don’t knowingly have and run known malware on their system. Malware typically makes it onto a system through other avenues like the browser or email program. So while I absolutely agree that anti-virus software is essential to protecting your PC, there are other defenses as well.” “I do agree that you still need to run anti-virus software on Windows 7,” Cooke noted, “but it is equally important to keep all of your software up-to-date through automatic updates, such as through Windows Update service.”

Now to the main point – I absolutely agree with what Paul Cooke has to say in terms of securing your PC. Being in the IT industry since 20 years now and moreover having given consultancy in Infrastructure Security to number of organizations, I’ve only seen that 40% to 50% of the problems faced by an organization are due to un-patched system, pirated software and out-of-date anti-virus signatures. In fact, when we install Windows Vista or Windows 7 on a PC, the operating system keeps on alerting via its Windows Security system if Automatic Updates are not configured or if the PC is missing an anti-virus solution. If that is the case, the question is – when and where did Microsoft claim that the new version of their Operating System Windows 7 does not require an anti-virus? If you know the answer to this, I would like to hear back from you.

Patching the Windows Operating System in an organization with multiple desktops and many flavors of operating systems is a mammoth task. It is vital for any Systems Administrator to ensure all systems are properly patched and updated to safe guard against virus, worms, and Trojans. The biggest challenge in running Windows Update on individual machines is the inconvenience of visiting each desktop and approving the updates manually. Moreover, the amount of bandwidth used at each desktop to download the updates is huge not to forget the lack of centralized reporting.

So why do we need a centralized patch management policy? Well, the answer is simple – the systems are prone to risks and threats when exposed to the Internet or medias like USB pen drives, wireless networks and devices, etc. We all, at some point, might have experienced or read about the havoc caused by Blaster or the Sasser worms. Today software vendors have stepped up the releases of emergency and critical updates in a formalized manner to encounter these threats. Microsoft’s Patch Tuesday is a good example that highlights that. To learn more about this program, click here.

WSUS from Microsoft is a boon to Network and System Administrators in this scenario. WSUS (Windows Server Update Services) is basically designed to run on a company’s network and automate the process of patching. This free product from Microsoft does a fair job of streamlining the overall patch management process of an organization with centralized reporting. For a Network or System Administrator it is just a simple task of installing the WSUS server on a system and then configures all Desktops to use the WSUS server for software updates. This can be easily achieved by creating a group policy and linking the policy to the correct OU using Group Policy Editor. The Desktops would automatically announce their current status to the WSUS server with details like which patches are needed to be installed, which patches have failed to install, which patches have been successfully installed, etc.

In a nutshell, WSUS seems to be a good product especially when there is no price tag attached to it and starting with WSUS 3.0 the reports have also improved over its predecessor.