[stuffoverflow]

I have yet to see concrete evidence that disabling Windows update and windows defender would elevate risk of having the system compromised in any meaningful way.

I installed Windows 10 2016 ltsc on a VM at the end of last year out of curiosity to test that. Disabled wupdate and defender before letting it access the internet so that it was basically 8 years behind on any updates. I tried browsing all kinds of sketchy sites with Firefox and chrome, clicking ads etc. but wasn't able to get the system infected.

I would guess that keeping your browser updated is more important.

[keepamovin]

Correct! The browser is now the key vector because it's the most promiscuous and lascivious-for-code-and-data software on most devices.

Browser-zero days are why I factored out a way to distribute "web RPA agent creation" on any device, with no download - into its own product layer for browser-isolation. It's a legitimate defense layer but main barriers to adoption are operating friction, even tho it makes the task of hackers who want to compromise your network with browser 0-days much harder.

Because of that the RBI aspect is not as popular as ways its being used where you need a really locked down browser, with policies for preventing upload/download, even copy and paste, etc - for DLP (data loss prevention), for regulated enterprises.

Even so I think the potential applications of this tech layer are just starting.

[amne]

Just the other day I went to a website to flash a new firmware on a zigbee dongle. Straight from a chrome tab. wild!

Then it hit me: the only thing keeping a rogue website from sweeping your entire life is a browser's permissions popup.

[keepamovin]

Crazy right? On the whole I think it’s great and wonderful that the web platform has grown into the gorgeous monster that it is. I mean what better than a unified technology to serve us all the worlds information from any device in a basically sandboxed environment. I’m even all for the beautiful way The platform has developed rapidly added capabilities on how the language JavaScript HTMLNCSS has evolved. I think all that is wonderful. And I really enjoyed the ride.

But all of that growth and integration comes with these vulnerabilities, and so the cyber and DLP control aspect of web browsers is a very important one.

If this resonates with you, i invite you to check out my company’s project BrowserBox on GitHub

[mr_toad]

> I have yet to see concrete evidence that disabling Windows update and windows defender would elevate risk of having the system compromised in any meaningful way.

It’s much less likely than it was 20 years ago. A lot of attack vectors have already been fixed. But hypothetically a bug in the network stack could still leave an internet connected machine vulnerable.

[tmcdos]

Do not connect it directly - use a dedicated router device.

[kenjackson]

You benefit from the fact that most machines are patched. If a lot more people used 2016 builds and didn’t patch you’d see a lot more exploits.

[tmcdos]

I use stock Win7 SP1 with just a couple updates (recently TLS and SHA-512, but only 27 hotfixes in total) and the only way to break something is if I deliberately run unverified executables that were manually downloaded from untrusted sources. And since I don't do this - my machine is still running the same installation that I did on December 24th 2014.

[pajko]

https://www.shodan.io/search/facet?query=windows&facet=vuln....

[e12e]

> browsing all kinds of sketchy sites with Firefox and chrome

How did you install those - downloaded via another system? Because with that old system, you are missing ssl certificates (Firefox and Chrome bring their own).

[smileybarry]

Maybe, but with good old Windows PKI you’re bound to still have a working chain of trust with Mozilla/Google.

…either that or the machine cheated and updated root CAs in the background (which isn’t Windows Update-controlled anymore).

[Yizahi]

How do you know your system weren't infected in that experiment?