• United States



Contributing Writer

Time to check software and security settings for Windows network vulnerabilities

Oct 13, 20214 mins
Network SecurityWindows Security

October is Cybersecurity Awareness Month, and that's a good excuse to review what's running on your network to identify security risks.

network security / secure connections / integrated system of locks
Credit: Natali Mis / Getty Images

The US Cybersecurity and Infrastructure Security Agency (CISA) has designated October as Cybersecurity Awareness Month. In honor of this event, I urge you to take the month of October to become more aware of your computer and network assets.

Inventory and evaluate software for risks

One way to become more aware of your cybersecurity risks is to evaluate and inventory the software your firm uses. We tend to focus on Microsoft patching, but often we overlook actions we can take with third-party that can easily make our systems more secure. Review weaknesses in software and configurations. For this you typically need some sort of inventorying software that can analyze your network.

If your firm is in a traditional domain, you can use tools that rely on Active Directory to analyze what security weaknesses you have. If your firm has both cloud assets as well as traditional domain infrastructure and you have access to a Microsoft 365 E5 license, you can use tools such as Microsoft Defender Security Center to assess what software needs to be updated.

If your budget doesn’t allow for such licensing, alternatives such as SpiceWorks will allow you to inventory and analyze your network. For on-premises systems, you can use PowerShell to prepare an inventory report of the software on your network. It will review the installed software section on your computers and prepare a listing.

PowerShell has long been a means to inventory systems, but it depends on Active Directory access. As we move to disconnected networks, especially during the pandemic, ways to inventory systems that are not joined to the domain is a key need. Unconnected, unmanaged computers are often behind in updating and maintaining of software. A tool that gives you an overview of the security of all software can help keep your network secure.

I tend to forget lesser-known software such as 7-zip that has been installed, forgotten, and now no longer up to date. However, assign a realistic threat to any unpatched software situation. Are there active attacks using vulnerabilities in the software? The security recommendations dashboard in Microsoft Defender Security Center (exposed with an E5 license) suggests that the most pressing thing I should doing is updating 7-zip as it has the highest impact rating. Yet, when digging into the details it states that no exploit is available.  

Set attack surface reduction rules

Look for tools that recommend what security settings to deploy. Office software has long been an entry point for ransomware, and you should enable attack surface reduction (ASR) rules to better protect systems. Rather than patch 7-zip, I should deploy, test, and enforce ASR rules instead. Microsoft Defender for Endpoints console suggested I use these five ASR rules:

  • Block all Office applications from creating child processes
  • Block JavaScript or VBScript from launching downloaded executable content
  • Block executable files from running unless they meet a prevalence, age or trusted criterion
  • Block untrusted and unsigned processes that run from a USB
  • Block persistence through WMI event subscription

Every firm should test and deploy the first ASR rule in this listing, “Block all Office applications from creating child processes.” Microsoft often gives the impression ASR rules require an Enterprise license. Anyone with a Windows 10 Professional license can take advantage of these settings. If you don’t have Windows 10 Enterprise, you merely lose out on some of the reporting features.

Microsoft Defender Security Center Security Center’s threat insights showcase the risk of the vulnerability. Even a fully patched Office brings risk to your network. Attackers have used Office many times to deliver ransomware.  For example, attacks that have used child processes in Office include Qakbot, which provided access to ransomware affiliates; CVE-2021-40444 MSHTML remote code execution; GravityRAT; CHIMBORAZO; ZLoader; IcedID; Sysrv botnet; and BISMUTH, which was used in mining for intelligence and coins, among others.

Attackers have also recently used Excel 4.0 macros. You would think that we would no longer have a need for Excel 4.0, but some firms still rely on older macro processes to perform basic business functions. Often combined with phishing lures, Excel macros are used to gain a foothold into a workstation and from there launching larger attacks into the network. Once in the network, attackers can use LSASS memory dumps to harvest credentials from a workstation to gain more rights into a network.

For those of us in security, every month is Cybersecurity Awareness Month. Take this month of October to reflect on your network, both on-premises devices and those that you don’t have direct connection to. Review your options to ensure that you can know, and therefore control, all your technology assets.

Contributing Writer

Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for, is a moderator on the listserve, and writes a column of Windows security tips for In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.

More from this author