Does a virtualised Windows machine without internet access need (security) updates?

I recently saw a Windows 7 machine (running virtually in a Xen environment) that is used in a production network to perform certain automated tasks.

This system was missing over 100 Windows updates, including critical security updates. The explanation I got from the system administrator was that this system is only accessible in two cases:

  1. Over the Xen console, when connected to the management virtual private network (VPN).
  2. Over Windows Remote Desktop (RDP), when connected to the production VPN using two-factor authentication (2FA, Vasco tokens) that authenticates against Active Directory (AD).

All servers in the production network are behind a Barracuda NG Firewall.

In his opinion that should do the job, and updates are not required because the firewall blocks all incoming and outgoing internet traffic to and from that machine.

It feels unnatural not to update, even when the machine is "isolated". So, does a virtualised Windows machine without internet access need updates, and what are the potential risks when this machine isn't updated?

Note: I allowed the firewall to let this machine connect to the Microsoft update servers in order to fetch a list of the missing updates. All internet connections to this machine are now blocked again.
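The missing-update list mentioned in the note can be produced without opening the firewall at all. The Windows Update Agent (WUA) COM API can scan against Microsoft's offline catalogue file, wsusscn2.cab, which is downloaded on a connected machine and carried to the isolated guest. The script below is an added example, not code from the question or answer; the cab location `C:\Temp\wsusscn2.cab` is an assumption.

```powershell
# Added example (not part of the original question or answer).
# Offline scan for missing updates with the WUA COM API and the wsusscn2.cab
# catalogue, so the isolated guest is never allowed out to Microsoft Update.
# Assumption: the cab was downloaded on a connected machine and copied to
# $CabPath through the approved transfer channel.
param(
    [string]$CabPath = 'C:\Temp\wsusscn2.cab'   # assumed location of the offline catalogue
)

if (-not (Test-Path $CabPath)) {
    throw "Offline catalogue not found at $CabPath"
}

$session        = New-Object -ComObject Microsoft.Update.Session
$serviceManager = New-Object -ComObject Microsoft.Update.ServiceManager

# Register the cab as an "Offline Sync Service"; flag 1 = asfAllowPendingRegistration
$service = $serviceManager.AddScanPackageService('Offline Sync Service', $CabPath, 1)

try {
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 3          # ssOthers: use the ServiceID set below
    $searcher.ServiceID       = $service.ServiceID

    # Only updates that apply to this machine and are not yet installed
    $result = $searcher.Search('IsInstalled=0')

    $missing = foreach ($update in $result.Updates) {
        [pscustomobject]@{
            KB       = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = $update.MsrcSeverity      # Critical / Important / Moderate / Low, or empty
            Title    = $update.Title
        }
    }

    '{0} applicable updates are not installed' -f @($missing).Count
    $missing | Sort-Object Severity, KB | Format-Table -AutoSize
}
finally {
    # Unregister the temporary scan service so later scans use the normal source again
    $serviceManager.RemoveService($service.ServiceID)
}
```

Run it from an elevated PowerShell prompt on the guest. The same catalogue can be scanned on every isolated machine, so the firewall exception used to build the list in the note is not needed to repeat the exercise.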


You both have a point, so here are some questions to consider. My answers to those questions weigh on the side of patching.

When someone connects to it over either of those VPNs, what controls are there on what can be transferred? Any way of getting data onto a machine is a way of getting malicious code on there. This even includes typing (although I hope your admins are a bit more sophisticated than people tricked into typing "rm -rf /" on a Unix box).

Layered security would suggest that the machines have some basic ability to look after themselves, but is opening up a connection of some sort to the outside world worse than no connection at all? What about vulnerabilities in the tools you do use to connect?

Don't forget that updates are not just security updates. You may well want updates that affect stability to get installed (but as with any production system you should be testing them first).
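The answer's question about what an RDP session can carry onto the machine has a concrete check. RDP device redirection (clipboard, mapped drives, COM/LPT ports, Plug and Play devices) is allowed by default and is only blocked when the corresponding Terminal Services policy value is set. The script below is an added example, not the author's; it reads the standard Group Policy registry values under `HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` and reports which transfer paths into the guest are still open.

```powershell
# Added example (not part of the original answer). Reports the RDP redirection
# channels into this machine. A missing value means no policy is set, and
# Windows then allows that redirection by default.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Policy value name -> what it controls (1 = disabled/blocked, 0 or absent = allowed)
$redirections = [ordered]@{
    fDisableClip     = 'Clipboard redirection'
    fDisableCdm      = 'Drive redirection'
    fDisableCcm      = 'COM port redirection'
    fDisableLPT      = 'LPT port redirection'
    fDisablePNPRedir = 'Plug and Play device redirection'
}

# Key is absent entirely when no Terminal Services policy has ever been applied
$props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

$report = foreach ($name in $redirections.Keys) {
    $value = if ($props) { $props.$name } else { $null }

    if ($value -eq 1)     { $state = 'BLOCKED by policy' }
    elseif ($value -eq 0) { $state = 'ALLOWED (policy explicitly permits)' }
    else                  { $state = 'ALLOWED (no policy set; Windows default)' }

    [pscustomobject]@{
        Channel = $redirections[$name]
        Value   = $name
        State   = $state
    }
}

$report | Format-Table -AutoSize

# Summary line for the audit log: how many channels can still move data into the guest
$open = @($report | Where-Object { $_.State -like 'ALLOWED*' }).Count
'{0} of {1} RDP redirection channels are open on this machine' -f $open, $redirections.Count
```

Every channel reported as ALLOWED is a way for a file or clipboard content from the administrator's workstation to reach the "isolated" guest, which is exactly the path the answer points at when it says that any way of getting data onto a machine is a way of getting code onto it.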

