Secure A Clean Installation Of Windows 7/8.1/10

Some Windows vulnerabilities can be exploited without user interaction as soon as the computer is placed online. Therefore, after performing a clean installation of Windows, it is necessary to resolve the known examples of these vulnerabilities before placing the computer online, including before running Windows Update or Microsoft Update.

1.1.  Windows Vulnerabilities

Windows vulnerabilities are flaws in the Windows operating system code that render Windows susceptible to exploitation. The successful exploitation of a Windows vulnerability results in compromise. Toward securing Windows, it is instructive to divide Windows vulnerabilities into two groups: 1.) those that require user interaction to be exploited, and 2.) those that do not require user interaction to be exploited.

For the Windows vulnerabilities that require user interaction to be exploited, compromise requires user interaction on the computer besides placing the vulnerable computer online (i.e., connecting the computer to a network, be it an Intranet and/or the Internet). User interactions that can result in compromise, known as triggers, include attaching external/removable drives or network devices, visiting Web sites, accessing/receiving/opening emails, opening email attachments, creating/accessing/opening/installing/joining/connecting to network resources including but not limited to servers/domains/devices/shares/files/etc. In other words, for the Windows vulnerabilities that require user interaction to be exploited, in the absence of the appropriate user interaction required to trigger exploitation, compromise cannot occur simply by placing the vulnerable computer online.

For the Windows vulnerabilities that do not require user interaction to be exploited, compromise does not require any user interaction on the computer besides placing the vulnerable computer online. In other words, for the Windows vulnerabilities that do not require user interaction to be exploited, there is no trigger and compromise can occur simply by placing the vulnerable computer online.

After installing Windows, a common practice is to place the computer online and run Windows Update or Microsoft Update (Windows/Microsoft Update) to install the latest Windows Service Pack (Windows 7), Update (Windows 8.1), Security Monthly Quality Rollup (Windows 7/8.1), Cumulative Update (Windows 10), Security Updates (Windows 7/8.1/10), and non-security updates and fixes Windows (7/8.1/10). Although the intension (to secure Windows) is good, this practice is bad. Why? Because, for the Windows vulnerabilities that do not require user interaction to be exploited, compromise can occur simply by placing the vulnerable computer online, and this includes during the time that Windows/Microsoft Update is running.

Worms are the class of threat that automatically run themselves on, and automatically copy themselves from, computer to computer over a network without user interaction. To accomplishes this, worms exploit vulnerabilities that, themselves, do not require user interaction to be exploited and that allow remote code execution (RCE). First, the worm exploits the vulnerability, then it runs itself on the now compromised computer, including possibly delivering a destructive payload, and then it attempts to propagate itself to other vulnerable computers on the network, again without user interaction.

Worms are extremely dangerous because they can automatically infect a tremendous number of vulnerable networked computers seemingly simultaneously without any user interaction besides placing the vulnerable computers online. Infamous worms that exploit Windows vulnerabilities include W32.Blaster.Worm (symantec.com) (Discovered 11 Aug 2003 and resolved by MS03-026 (technet.microsoft.com) published 16 Jul 2003), W32.Welchia.Worm (a.k.a., Nachi) (symantec.com) (Discovered 18 Aug 2003 and resolved by MS03-007 (technet.microsoft.com) published 17 Mar 2003 and MS03-026 (technet.microsoft.com) published 16 Jul 2003), W32.Sasser.Worm (symantec.com) (Discovered 30 Apr 2004 and resolved by MS04-011 (technet.microsoft.com) published 13 Apr 2004), W32.Downadup (a.k.a., Conficker) (symantec.com) (Discovered 21 Aug 2008 and resolved by MS08-067 (technet.microsoft.com) published 23 Oct 2008), and Ransom.Wannacry (symantec.com) (Discovered 12 May 2017 and resolved by MS17-010 (technet.microsoft.com) published 14 Mar 2017). Moreover, Blaster, Welchia, Sasser, and Downadup remain so prevalent that even today - years after they have been discovered - vulnerable Windows computers are still being compromised by these worms as soon as they are placed online, including during the time that Windows/Microsoft Update is running.

Fortunately, most of the Windows vulnerabilities that do not require user interaction to be exploited are not wormable (i.e., do not allow RCE and, therefore, are not suitable for worms). Instead, the impact of most Windows vulnerabilities that do not require user interaction to be exploited is to allow either denial of service, elevation of privilege (EOP), information disclosure, security feature bypass, or spoofing.

In some environments, the exploitability (i.e., the likelihood that a vulnerability will be exploited) of a Windows vulnerability that does not require user interaction to be exploited is low. However, in some environments, the exploitability of a Windows vulnerability that does not require user interaction to be exploited is high. Rather than trying to take environment, exploitability, impact, and other factors into account, and unnecessarily driving oneself mad in the process, a simpler and safer policy has been adopted: to secure a clean installation of Windows per this web page, it is necessary to resolve all known examples of Windows vulnerabilities that do not require user interaction to be exploited before, not after, placing the computer online.

1.2.  Windows 7/8.1 Servicing Model Ending September 2016: Individual Security Updates

On the second Tuesday of each month (a.k.a., Patch Tuesday) through March 2017, Microsoft released a Microsoft Security Bulletin Summary consisting of one or more Microsoft Security Bulletins. A Microsoft Security Bulletin describes a single vulnerability, or group of related vulnerabilities, typically in a Microsoft product. Through September 2016, Microsoft Security Bulletins describing Windows vulnerabilities provided links to one or more Security Updates for Windows. A Security Update for Windows (a.k.a., a patch) is a single file. Upon installation, the Security Update(s) for a Microsoft Security Bulletin resolve (a.k.a, patch) the vulnerability(s) described in the Microsoft Security Bulletin.

Security Updates for Windows can be installed in an automated, batch-like fashion via Windows/Microsoft Update. Security Updates for Windows can also be downloaded via the links in the Microsoft Security Bulletins and installed manually. To secure a clean installation of Windows 7/8.1 per this web page, it is necessary to install some Security Updates for Windows 7/8.1 before placing the computer online. This requires downloading and copying the Security Updates for Windows 7/8.1 to removable media before performing the clean installation of Windows 7/8.1.

1.3.  Windows 7 SP1 And Windows 7 SP1 Convenience Rollup

Window 7 Service Pack 1 (Windows 7 SP1) is a single file that contains Updates for Windows 7, Security Updates for Windows 7, and new Windows 7 features.

Window 7 Service Pack 1 Convenience Rollup v4 May 2016 KB3125574 (Windows 7 SP1 Convenience Rollup) is a single file that contains Updates for Windows 7 and Security Updates for Windows 7.

Windows 7 SP1 Convenience Rollup requires Windows SP1. This means Window 7 SP1 must be installed before installing Windows 7 SP1 Convenience Rollup.

1.3.1.  Security Updates For Windows 7 From February 2011 Through April 2016 Not Included In Windows 7 SP1 Convenience Rollup

Microsoft has not provided a list of the Security Updates for Windows 7 included/not included in Windows 7 SP1 Convenience Rollup. Moreover, upon installing Windows 7 SP1 Convenience Rollup, Windows Update | View update history lists Update for Windows (KB3125574), which is the Windows 7 SP1 Convenience Rollup itself, not the individual Security Updates for Windows 7 included in Windows 7 SP1 Convenience Rollup.

As a result, it is easier to determine the Security Updates for Windows 7 SP1 not included in, rather than included in, Windows 7 SP1 Convenience Rollup. This can be accomplished by; 1.) installing Windows 7 Includes SP1, 2.) installing Servicing Stack Update, 3.) installing Windows 7 SP1 Convenience Rollup, 4.) connecting to Windows Update and installing Microsoft Update, 5.) running Microsoft Update to list the available Security Updates for Windows 7, and 6.) identifying the Security Updates for Windows 7 that were released from February 2011 through April 2016. The following is the Security Updates for Windows 7 from February 2011 through April 2016 not included in Windows 7 SP1 Convenience Rollup:

1.3.2.  Security Updates For Windows 7 Included In Windows 7 SP1 And Windows 7 SP1 Convenience Rollup

The release date of Windows 7 SP1 and Windows 7 SP1 Convenience Rollup does not indicate the cutoff date for the inclusion of Security Updates for Windows 7 in Windows 7 SP1 and Windows 7 SP1 Convenience Rollup.

Windows 7 SP1 was released to manufacturing (RTM) on February 9, 2011. Based on release date, one might assume that Windows 7 SP1 includes the Security Updates for Windows 7 through the Microsoft Security Bulletin Summary for February 2011, which was released on February 8, 2011 and includes through MS11-014. This assumption is wrong: Windows 7 SP1 includes the Security Update for Windows 7 for MS11-011, but does not include the Security Updates for Windows 7 for MS11-003, MS11-004, MS11-007, MS11-009, MS11-012, and MS11-013. Instead, Windows 7 SP1 only includes the Security Updates for Windows 7 through the Microsoft Security Bulletin Summary for January 2011, which was released on January 11, 2011 and includes through MS11-002.

Windows 7 SP1 Convenience Rollup was released on May 17, 2016. Based on release date, one might assume that Windows 7 SP1 Convenience Rollup includes the Security Updates for Windows 7 through the Microsoft Security Bulletin Summary for May 2016, which was released on May 10, 2016 and includes through MS16-067. This assumption is wrong: Windows 7 SP1 Convenience Rollup only includes most, not all (above), of the Security Updates for Windows 7 through the Microsoft Security Bulletin Summary for April 2016, which was released on April 12, 2016 and includes through MS16-050.

1.4.  Windows 8.1 Update

Windows 8.1 Update April 2014 KB2919355 (Windows 8.1 Update) is an update to Windows 8.1 that contains Updates for Windows 8.1, Security Updates for Windows 8.1, and new Windows 8.1 features.

1.4.1.  Security Updates For Windows 8.1 Included In Windows 8.1 Update

The release date of Windows 8.1 Update indicates the cutoff date for the inclusion of Security Updates for Windows 8.1 in Windows 8.1 Update.

1.5.  Windows 7/8.1 Servicing Model Starting October 2016: Bundled Updates And Update Rollups Including Security Fixes

Starting with the Microsoft Security Bulletin Summary For October 2016 (technet.microsoft.com), Microsoft replaced Security Updates for Windows 7/8.1 with bundled updates and update rollups including security fixes for Windows 7/8.1, of which there are three types:

The Windows 7/8.1 servicing model starting October 2016: bundled updates and update rollups including security fixes by diagram (Source: More On Windows 7 And Windows 8.1 Servicing Changes (blogs.technet.microsoft.com)):

In the Windows 7/8.1 servicing model starting October 2016: 1.) a Security Monthly Quality Rollup (Monthly Rollup) for Windows 7/8/1 is a single file that contains new security fixes, and all previous security and non-security fixes for Windows 7/8.1 back through October 2016; and 2.) a Preview Of Monthly Quality Rollup (Preview Rollup) for Windows 7/8.1 is a single file that contains new non-security fixes, and all previous security and non-security fixes for Windows 7/8.1 back through October 2016. In other words, in the Windows 7/8.1 servicing model starting October 2016, Security Monthly Quality Rollups for Windows 7/8.1 and Preview Of Monthly Quality Rollups for Windows 7/8.1 are cumulative back through October 2016. This means that to obtain the security fixes for Windows 7/8.1 from October 2016 through the present, it is only necessary to install the latest Security Monthly Quality Rollup for Windows 7/8.1 or subsequent, not previous, Preview Of Monthly Quality Rollup for Windows 7/8.1.

Compared to the previous Windows 7/8.1 servicing model of individual Security Updates, the new Windows 7/8/1 servicing model of Security Monthly Quality Rollups for Windows 7/8.1 and Preview Of Monthly Quality Rollups for Windows 7/8.1 are more similar to the Windows 10 servicing model of Cumulative Updates for Windows 10 in that the Security Monthly Quality Rollups for Windows 7/8.1 and Preview Of Monthly Quality Rollups for Windows 7/8.1 are cumulative in nature; however, unlike the Cumulative Updates for Windows 10, which are cumulative back through the initial release of the version of Windows 10, the Security Monthly Quality Rollups for Windows 7/8.1 and Preview Of Monthly Quality Rollups for Windows 7/8.1 are cumulative only back through October 2016.

1.6.  Windows 10 Servicing Model: Cumulative Updates

Microsoft intends to release a new version of Windows 10 (a.k.a., feature update) twice a year around March and September. On the second Tuesday of each month, Microsoft releases a Cumulative Update for Windows 10 (a.k.a., quality update) for the supported versions of Windows 10. Microsoft intends to support each version of Windows 10 Home and Pro with Cumulative Updates for at least 18 months:

In the Windows 10 servicing model, a Cumulative Update for Windows 10 is a single file that contains new security and non-security fixes, and all previous security and non-security fixes (if there are any), for a version of Windows 10. In other words, in the Windows 10 servicing model, Cumulative Updates for Windows 10 are cumulative back through the initial release of the version of Windows 10. This means that to obtain the security (and non-security) fixes for Windows 10 from the initial release of the version of Windows 10 through the present, it is only necessary to install the latest Cumulative Update for Windows 10 for the version of Windows 10.

1.7.  Servicing Stack Updates

Servicing is the process of installing a Windows Service Pack, Update, Security Monthly Quality Rollup, Cumulative Update, Security Update, non-security update, fix, component, role, etc. Depending on what is being installed, servicing is performed manually by the user and/or automatically by Windows/Microsoft Update. The Servicing Stack is the component of Windows that performs servicing. Like other Windows components, the Servicing Stack is periodically updated. A Servicing Stack Update improves the speed and reliability of servicing.

1.8.  Identifying The Security Update Holes In Securing A Clean Installation Of Windows 7/8.1/10

To secure a clean installation of Windows per this web page, it is necessary to resolve the known examples of Windows vulnerabilities that do not require user interaction to be exploited before placing the computer online. Therefore, to secure a clean installation of Windows 7, upon installing the Windows 7 operating system, Windows 7 SP1, Windows 7 SP1 Convenience Rollup, and the latest Security Monthly Quality Rollup for Windows 7 or subsequent, not previous, Preview Of Monthly Quality Rollup for Windows 7, it is necessary to identify any security update holes into which Security Updates for Windows 7 have not been installed. And to secure a clean installation of Windows 8.1, upon installing the Windows 8.1 operating system, Windows 8.1 Update, and the latest Security Monthly Quality Rollup for Windows 8.1 or subsequent, not previous, Preview Of Monthly Quality Rollup for Windows 8.1, it is necessary to identify any security update holes into which Security Updates for Windows 8.1 have not been installed. And to secure a clean installation of Windows 10, upon installing the Windows 10 operating system and the latest Cumulative Update for Windows 10, it is necessary to identify any security update holes into which Security Updates for Windows 10 have not been installed.

1.8.1.  The Security Update Holes In Securing A Clean Installation Of Windows 7

Windows 7 SP1 resolves all Windows 7 vulnerabilities (that do or do not require user interaction to be exploited) through January 2011, which is through MS11-002. Windows 7 SP1 Convenience Rollup resolves most, not all (above), Windows 7 vulnerabilities (that do or do not require user interaction to be exploited) from February 2011 through April 2016, which is from MS11-003 through MS16-050. The latest Security Monthly Quality Rollup for Windows 7 or subsequent, not previous, Preview Of Monthly Quality Rollup for Windows 7 resolves all Windows 7 vulnerabilities (that do or do not require user interaction to be exploited) from October 2016, which is from MS16-118, through the present. Therefore, after installing Windows 7 SP1 and the latest Security Monthly Quality Rollup for Windows 7 or subsequent, not previous, Preview Of Monthly Quality Rollup for Windows 7, there exists a security update hole: 1.) from February 2011 through April 2016, which if from MS11-003 through MS16-050, into which some Security Updates for Windows 7 have not been installed; and 2.) from May 2016 through April 2016, which if from MS16-051 through MS16-050, into which no Security Updates for Windows 7 have been installed.

1.8.2.  The Security Update Hole In Securing A Clean Installation Of Windows 8.1

Windows 8.1 Update resolves all Windows 8.1 vulnerabilities (that do or do not require user interaction to be exploited) through April 08, 2014, which is through MS14-019. The latest Security Monthly Quality Rollup for Windows 8.1 or subsequent, not previous, Preview Of Monthly Quality Rollup for Windows 8.1 resolves all Windows 8.1 vulnerabilities (that do or do not require user interaction to be exploited) from October 2016, which is from MS16-118, through the present. Therefore, after installing Windows 8.1 Update and the latest Security Monthly Quality Rollup for Windows 8.1 or subsequent, not previous, Preview Of Monthly Quality Rollup for Windows 8.1, there exists a security update hole from May 2014 through September 2016, which if from MS14-020 through MS16-117, into which no Security Updates for Windows 8.1 have been installed.

1.8.3.  No Security Update Hole In Securing A Clean Installation Of Windows 10

The latest Cumulative Update for a supported version of Windows 10 resolves all Windows 10 vulnerabilities (that do or do not require user interaction to be exploited) from the initial release of the version of Windows 10 through the present. Therefore, after installing the latest Cumulative Update for a supported version of Windows 10, there does not exist a security update hole into which no Security Updates for Windows 10 have been installed.

1.9.  Compiling The List Of Security Updates For Windows 7/8.1 That Resolve Vulnerabilities That Do Not Require User Interaction To Be Exploited

After identifying the security update holes in securing a clean installation of Windows 7/8.1, the next steps are to list the Microsoft Security Bulletins for Windows 7 SP1 and Windows 8.1 (Windows 7 SP1/8.1), read the Microsoft Security Bulletins for Windows 7 SP1/8.1 that fall into the date range/Microsoft Security Bulletin number range of the security update holes in securing a clean installation of Windows 7 (above) and Windows 8.1 (above), determine if a Security Update for Windows 7/8.1 resolves a vulnerability that requires, or does not require, user interaction to be exploited, and to make the list of Security Updates for Windows 7/8.1 that resolve vulnerabilities that do not require user interaction to be exploited:

1.9.1.  Listing And Reading The Microsoft Security Bulletins For Windows 7 SP1/8.1

To list the Microsoft Security Bulletins for Windows 7 SP1/8.1:

1. Visit the Microsoft Security Updates (technet.microsoft.com) web page.
2. In the Filter bulletins by product or component dropdown, if you intend to install:
   • Windows 7 32-bit (edition does not matter), select Windows 7 for 32-bit Systems Service Pack 1.
   • Windows 7 64-bit (edition does not matter), select Windows 7 for x64-based Systems Service Pack 1.
   • Windows 8.1 32-bit (edition does not matter), select Windows 8.1 for 32-bit systems.
   • Windows 8.1 64-bit (edition does not matter), select Windows 8.1 for x64-based systems.
3. The Microsoft Security Bulletins for Windows 7 SP1/8.1 (36/64-bit) are listed.

It is not necessary to read the entire list of Microsoft Security Bulletins for Windows 7 SP1/8.1. Instead, it is only necessary to read the Microsoft Security Bulletins for Windows 7 SP1/8.1 that fall into the date range/Microsoft Security Bulletin number range of the security update holes in securing a clean installation of Windows 7 (above) and Windows 8.1 (above).

1.9.2.  Determining That A Security Update For Windows Resolves A Vulnerability That Requires User Interaction To Be Exploited

The language in Microsoft Security Bulletins makes it easy to determine if a vulnerability does not require user interaction to be exploited. If language similar to the following appears in a Microsoft Security Bulletin, the Security Update for Windows resolves a vulnerability that requires user interaction to be exploited.

• "This vulnerability requires that a user be logged on and visiting a Web site for any malicious action to occur." - Microsoft Security Bulletin MS10-035.
• "An attacker could exploit the vulnerability by constructing a specially crafted Web page." - Microsoft Security Bulletin MS10-053.
• "This vulnerability requires that a user open a specially crafted media file or receive specially crafted streaming content from a Web site or any application that delivers Web content." - Microsoft Security Bulletin MS10-062.
• "An attacker could host a malicious Web site that hosts specially crafted media content that is designed to exploit this vulnerability through an internet browser and then convince a user to view the Web site and open the specially crafted media content." - Microsoft Security Bulletin MS10-062.
• "In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site." - Microsoft Security Bulletin MS10-053.
• "An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. The attacker could also take advantage of compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an e-mail message or in an Instant Messenger message that takes users to the attacker's Web site, or by opening an attachment sent through e-mail." - Microsoft Security Bulletin MS10-053.
• "In an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially crafted e-mail message to the user and convincing the user to preview or open the e-mail." - Microsoft Security Bulletin MS10-064.
• "The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must click a link listed within an e-mail message." - Microsoft Security Bulletin MS10-042.
• "If a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario." - Microsoft Security Bulletin MS10-053.
• "The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must open an attachment that is sent in an e-mail message." - Microsoft Security Bulletin MS10-052.
• "In an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially crafted e-mail message containing an attachment to the user and by convincing the user to open the attachment. When the user attempts to open the attachment, an attacker specified malicious executable file could be run." - Microsoft Security Bulletin MS10-045.
• "An attacker could exploit this vulnerability by setting up a malicious e-mail server and convincing the client to connect to this machine." - Microsoft Security Bulletin MS10-030.
• "An attacker could host a specially crafted server that is designed to exploit this vulnerability and then convince a user to initiate a connection with it." - Adapted from Microsoft Security Bulletins MS10-020.
• "This vulnerability requires that a user view a specially crafted file with an affected application." - Adapted from Microsoft Security Bulletin MS10-043.
• "This vulnerability requires a user to open a specially crafted file for any malicious action to occur." - Adapted from Microsoft Security Bulletin MS10-033.
• "Exploitation of this vulnerability requires that a user, Windows feature, or application run or install a specially crafted file." - Adapted from Microsoft Security Bulletin MS10-019.
• "An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users." - Microsoft Security Bulletin MS10-059.
• "An attacker must have valid logon credentials and be able to log on locally or remotely to exploit this vulnerability." - Microsoft Security Bulletin MS10-069.
• "To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take complete control over the affected system." - Microsoft Security Bulletin MS10-059.
• "By default, printers are not shared on any of the currently supported Windows operating systems. Systems are only vulnerable to remote attack when sharing a printer and the remote attacker can access the printer share." - Microsoft Security Bulletin MS10-061.

1.9.3.  Determining That A Security Update For Windows Resolves A Vulnerability That Does Not Require User Interaction To Be Exploited

The language in Microsoft Security Bulletins makes it difficult to determine if a vulnerability does not require user interaction to be exploited. If language similar to the following appears in a Microsoft Security Bulletin, the Security Update for Windows likely resolves a vulnerability that requires user interaction to be exploited.

• "Any Windows system connected to a network or the Internet would be at risk." - Microsoft Security Bulletin MS08-037.
• "On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit." - Microsoft Security Bulletin MS08-067.
• "On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, any anonymous user with access to the target network could deliver a specially crafted network packet to the affected system in order to exploit this vulnerability." - Microsoft Security Bulletin MS08-067.
• "An anonymous attacker could exploit the vulnerability by sending specially crafted TCP/IP packets to a computer that has a service listening over the network." - Microsoft Security Bulletin MS09-048.
• "Only attackers on the local subnet would be able to exploit this vulnerability without interaction." - Microsoft Security Bulletin MS09-063.
• "A remote unauthenticated attacker could exploit this vulnerability by creating a program to send a sequence of specially crafted packets to a target system." - Microsoft Security Bulletin MS14-031.
• "To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server." - Microsoft Security Bulletin MS17-010.

Final determination if a vulnerability does not require user interaction to be exploited often requires clicking the vulnerability's Common Vulnerabilities And Exposures (CVE) (cve.mitre.org) link, National Vulnerability Database (NVD) (nvd.nist.gov) link, and examining, for example, the Attack Vector (AV), Privileges Required (PR)/Authentication (AU), and User Interaction (UI) analysis data.

If it is still unclear if a vulnerability does not require user interaction to be exploited, to secure a clean installation of Windows per this web page, it is necessary to play it safe and to include the Security Update for Windows in the list of Security Updates for Windows 7/8.1 that resolve vulnerabilities that do not require user interaction to be exploited.

1.9.4.  Policy On Security Update For Windows Supersedence And On Adding All Of The Security Updates In A Microsoft Security Bulletin To The List

Sometimes a Microsoft Security Bulletin consists of one Security Update for Windows. Sometimes a Microsoft Security Bulletin consists of multiple Security Updates for Windows. Sometimes a new Security Update for Windows replaces an old Security Update for Windows. And sometimes when a Microsoft Security Bulletin consists of multiple Security Updates for Windows, only some of the Security Updates for Windows resolve Windows vulnerabilities that do not require user interaction to be exploited.

When a new Security Update for Windows replaces an old Security Update for Windows, it is said that the new Security Update for Windows supersedes (i.e., takes the place of/replaces) the old Security Update for Windows. Security Update for Windows supersedence information is presented in the Updates Replaced column of the Affected Software section of the Microsoft Security Bulletin.

When an old Security Update for Windows is superseded by a new Security Update for Windows, it is not necessary to install both the old superseded and the new superseding Security Updates for Windows. Instead, it is only necessary to install the new superseding Security Update for Windows. If the old superseded Security Update for Windows is already installed, it is not necessary to uninstall it. Instead, leave the old superseded Security Update for Windows installed and simply install the new superseding Security Update for Windows. When finished, both the old superseded and the new superseding Security Updates for Windows are listed as being installed. In other words, there is nothing wrong with installing both the old superseded and the new superseding Security Updates for Windows except that it is extra work.

Over time, the supersedence of Security Updates for Windows has become increasingly confounding. Moreover, there have been a couple of instances where the stated supersedence of Security Updates for Windows is questionable and/or appears to be incorrect. Rather than trying to decipher the correct supersedence of Security Updates for Windows, and unnecessarily driving oneself mad in the process, a simpler and safer policy has been adopted: ignore supersedence and list all of the Microsoft Security Bulletins that include Security Updates for Windows that resolve Windows vulnerabilities that do not require user interaction to be exploited.

Lastly, when a Microsoft Security Bulletin consists of multiple Security Updates for Windows, and some of the Security Updates for Windows resolve Windows vulnerabilities that do not require user interaction to be exploited, and some of the Security Updates for Windows resolve Windows vulnerabilities that require user interaction to be exploited; rather than omitting the Security Updates for Windows that resolve Windows vulnerabilities that require user interaction to be exploited, and possibly having someone wonder if a mistake was made, a simpler and less confusing policy has been adopted: list all of the Security Updates for Windows included in a Microsoft Security Bulletin, including those that resolve Windows vulnerabilities that require user interaction to be exploited.

1.10.  Overview: How To Secure A Clean Installation Of Windows 7/8.1/10

Toward securing Windows, it is instructive to divide Windows vulnerabilities into two groups: 1.) those that require user interaction to be exploited, and 2.) those that do not require user interaction to be exploited. The Windows vulnerabilities that do not require user interaction to be exploited must be resolved offline (i.e., before placing the computer online). For the Windows vulnerabilities that require user interaction to be exploited, provided the user has not interacted with the computer in any way that could result in compromise, they can be resolved by placing the computer online and running Windows/Microsoft Update. The following are overviews of how to secure a clean installation of Windows 7/8.1/10 per this web page.

1.10.1.  Overview: How To Secure A Clean Installation Of Windows 7

1. Do the following offline, and before interacting with the computer in any way that could result in compromise:
   1. Perform a default installation of Windows 7 onto a new or fully erased hard drive. The new or fully erased hard drive ensures the installation of Windows 7 is free from compromise (i.e., clean). The default installation of Windows 7 ensures a single, common baseline of started/stopped services from which the list of Security Updates for Windows 7 to install offline can be built. In other words, the default installation of Windows 7 ensures that no unexpected services are started/stopped as might influence the list of Security Updates for Windows 7 to install offline.
   2. Install Windows 7 SP1. This resolves all Windows 7 vulnerabilities (that do or do not require user interaction to be exploited) through January 2011, which is through MS11-002.
   3. Install the latest Servicing Stack Update for Windows 7.
   4. Install Windows 7 SP1 Convenience Rollup. This resolves most, not all (above), Windows 7 vulnerabilities (that do or do not require user interaction to be exploited) from February 2011 through April 2016, which is from MS11-003 through MS16-050.
   5. Install the Security Updates for Windows 7 from February 2011 through April 2016, which is from MS11-003 through MS16-050, not included in Windows 7 SP1 Convenience Rollup that resolve Windows 7 vulnerabilities that do not require user interaction to be exploited. Combined with the above, this resolves all Windows 7 vulnerabilities that do not require user interaction to be exploited through April 2016, which is through MS16-050.
   6. Install the Security Updates for Windows 7 from May 2016 through September 2016, which is from MS16-051 through MS16-117, that resolve Windows 7 vulnerabilities that do not require user interaction to be exploited. Combined with the above, this resolves all Windows 7 vulnerabilities that do not require user interaction to be exploited through September 2016, which is through MS16-117.
   7. Install the latest Security Monthly Quality Rollup for Windows 7. This resolves all Windows 7 vulnerabilities (that do or do not require user interaction to be exploited) from October 2016, which is from MS16-118, through the present. And, combined with the above, this resolves all Windows 7 vulnerabilities that do not require user interaction to be exploited through the present.
2. Do the following online, and before interacting with the computer in any way that could result in compromise:
   • Run Windows/Microsoft Update and install any Security Updates for Windows 7. Combined with the above, this resolves all Windows 7 vulnerabilities that require user interaction to be exploited through the present.

1.10.2.  Overview: How To Secure A Clean Installation Of Windows 8.1

1. Do the following offline, and before interacting with the computer in any way that could result in compromise:
   1. Perform a default installation of Windows 8.1 onto a new or fully erased hard drive. The new or fully erased hard drive ensures the installation of Windows 8.1 is free from compromise (i.e., clean). The default installation of Windows 8.1 ensures a single, common baseline of started/stopped services from which the list of Security Updates for Windows 8.1 to install offline can be built. In other words, the default installation of Windows 8.1 ensures that no unexpected services are started/stopped as might influence the list of Security Updates for Windows 8.1 to install offline.
   2. Install Windows 8.1 Update. This resolves all Windows 8.1 vulnerabilities (that do or do not require user interaction to be exploited) through April 2014, which is through MS14-019.
   3. Install the latest Servicing Stack Update for Windows 8.1.
   4. Install the Security Updates for Windows 8.1 from May 2014 through September 2016, which is from MS14-020 through MS16-117, that resolve Windows 8.1 vulnerabilities that do not require user interaction to be exploited. Combined with the above, this resolves all Windows 8.1 vulnerabilities that do not require user interaction to be exploited through September 2016, which is through MS16-117.
   5. Install the latest Security Monthly Quality Rollup for Windows 8.1. This resolves all Windows 8.1 vulnerabilities (that do or do not require user interaction to be exploited) from October 2016, which is from MS16-118, through the present. And, combined with the above, this resolves all Windows 8.1 vulnerabilities that do not require user interaction to be exploited through the present.
2. Do the following online, and before interacting with the computer in any way that could result in compromise:
   • Run Windows/Microsoft Update and install any Security Updates for Windows 8.1. Combined with the above, this resolves all Windows 8.1 vulnerabilities that require user interaction to be exploited through the present.

1.10.3.  Overview: How To Secure A Clean Installation Of Windows 10

1. Do the following offline, and before interacting with the computer in any way that could result in compromise:
   1. Perform a default installation of Windows 10 onto a new or fully erased hard drive. The new or fully erased hard drive ensures the installation of Windows 10 is free from compromise (i.e., clean).
   2. Install the latest Servicing Stack Update for the version of Windows 10.
   3. Install the latest Cumulative Update for the version of Windows 10. This resolves all Windows 10 vulnerabilities (that do or do not require user interaction to be exploited) through the present.

1.11.  Abbreviations

• Gen = general availability.
• RTM = release to manufacturing.
• SP = Service Pack.

To secure a clean installation of Windows per this web page, it is necessary to resolve the known examples of Windows vulnerabilities that do not require user interaction to be exploited before placing the computer online. This requires downloading and copying one or more files to removable media before performing the clean installation of Windows 7/8.1/10. Because files on CDs/DVDs are far more difficult manipulate by malicious software/users than files on external hard disk drives and flash memory drives, CDs/DVDs are the removable media of choice.

2.1.  Files To Download And Copy To CD/DVD Before Performing The Clean Installation Of Windows 7

Using a computer that is not compromised, download and copy the following files to CD/DVD before performing the clean installation of Windows 7:

1. Windows 7 SP1:
   • If the Windows product DVD is Windows 7 Initial Release:
     • Windows 7 SP1:
       • 32-bit: The windows6.1-KB976932-X86.exe file: Windows 7 And Windows Server 2008 R2 Service Pack 1 (KB976932) (microsoft.com).
       • 64-bit: The windows6.1-KB976932-X64.exe file: Windows 7 And Windows Server 2008 R2 Service Pack 1 (KB976932) (microsoft.com).
   • If the Windows product DVD is Windows 7 With SP1:
     • The Windows product DVD includes Windows 7 SP1. Skip this step and go to the next step.
2. Latest Servicing Stack Update for Windows 7:
   • Servicing Stack Update For Windows 7 SP1 And Server 2008 R2 SP1: September 10, 2019 (support.microsoft.com):
     • 32-bit: 2019-09 Servicing Stack Update For Windows 7 For x86-Based Systems (KB4516655) (catalog.update.microsoft.com).
     • 64-bit: 2019-09 Servicing Stack Update For Windows 7 For x64-Based Systems (KB4516655) (catalog.update.microsoft.com).
3. Windows 7 SP1 Convenience Rollup:
   • Convenience Rollup Update For Windows 7 SP1 And Windows Server 2008 R2 SP1 (support.microsoft.com):
     • 32-bit: Update For Windows 7 (KB3125574) (catalog.update.microsoft.com).
     • 64-bit: Update For Windows 7 For x64-Based Systems (KB3125574) (catalog.update.microsoft.com).
4. Security Updates for Windows 7 from February 2011 through April 2016, which is from MS11-003 through MS16-050, not included in Windows 7 SP1 Convenience Rollup that resolve Windows 7 vulnerabilities that do not require user interaction to be exploited.
   • None. All of the Security Updates for Windows 7 from February 2011 through April 2016, which is from MS11-003 through MS16-050, not included in Windows 7 SP1 Convenience Rollup require user interaction to be exploited.
5. Security Updates for Windows 7 from May 2016 through September 2016, which is from MS16-051 through MS16-117, that resolve Windows 7 vulnerabilities that do not require user interaction to be exploited:
   1. Microsoft Security Bulletin MS16-072 - Important: Security Update For Group Policy (3163622) (technet.microsoft.com):
      • 32-bit: Security Update For Windows 7 (KB3159398) (microsoft.com).
      • 64-bit: Security Update For Windows 7 For x64-Based Systems (KB3159398) (microsoft.com).
   2. Microsoft Security Bulletin MS16-077 - Important: Security Update For WPAD (3165191) (technet.microsoft.com):
      i

      The MS16-077 vulnerability that does not require user interaction to be exploited is CVE-2016-3236, not CVE-2016-3213. Therefore, it is not necessary to also install the MS16-063 Security Update For Windows 7 (KB3160005) per the MS16-077 Update FAQ.
      • 32-bit: Security Update For Windows 7 (KB3161949) (microsoft.com).
      • 64-bit: Security Update For Windows 7 For x64-Based Systems (KB3161949) (microsoft.com).
6. Latest Security Monthly Quality Rollup for Windows 7:
   1. Security Monthly Quality Rollup for Windows 7 prerequisite:
      • SHA-2 Code Signing Support Update For Windows Server 2008 R2, Windows 7, And Windows Server 2008: September 23, 2019 (support.microsoft.com):
        • 32-bit: 2019-09 Security Update For Windows 7 For x86-Based Systems (KB4474419) (catalog.update.microsoft.com).
        • 64-bit: 2019-09 Security Update For Windows 7 For x64-Based Systems (KB4474419) (catalog.update.microsoft.com).
   2. Latest Security Monthly Quality Rollup for Windows 7:
      • September 10, 2019 - KB4516065 (Monthly Rollup) (support.microsoft.com):
        • 32-bit: 2019-09 Security Monthly Quality Rollup For Windows 7 For x86-Based Systems (KB4516065) (catalog.update.microsoft.com).
        • 64-bit: 2019-09 Security Monthly Quality Rollup For Windows 7 For x64-Based Systems (KB4516065) (catalog.update.microsoft.com).
7. If not located on a disc included with your computer and not installed by Windows 7, the driver for your network connection device (i.e., dial-up modem, ethernet adapter, or Wi-Fi adapter).

2.2.  Files To Download And Copy To CD/DVD Before Performing The Clean Installation Of Windows 8.1

Using a computer that is not compromised, download and copy the following files to CD/DVD before performing the clean installation of Windows 8.1:

1. Windows 8.1 Update:
   • If the Windows product DVD is Windows 8.1 Initial Release:
     1. Windows 8.1 Update prerequisite:
        • March 2014 Servicing Stack Update For Windows 8.1 And Windows Server 2012 R2 (support.microsoft.com):
          • 32-bit: Update For Windows 8.1 (KB2919442) (microsoft.com).
          • 64-bit: Update For Windows 8.1 For x64-Based Systems (KB2919442) (microsoft.com).
     2. Windows 8.1 Update:
        • Windows RT 8.1, Windows 8.1, And Windows Server 2012 R2 Update: April 2014 (support.microsoft.com):
          • 32-bit: All seven files: Windows 8.1 Update (KB2919355) (microsoft.com).
          • 64-bit: All seven files: Windows 8.1 Update For x64-Based Systems (KB2919355) (microsoft.com).
   • If the Windows product DVD is Windows 8.1 With Update:
     i

     There are two Windows 8.1 product DVDs known as Windows 8.1 With Update: one that includes Update Rollup November 2014 KB3000850, and one that does not include Update Rollup November 2014 KB3000850. Both, however, include Windows 8.1 Update April 2014 KB2919355, which is what the With Update in Windows 8.1 With Update means. Toward securing a clean installation of Windows 8.1 per this web page, Windows 8.1 With Update refers to the Windows 8.1 With Update product DVD that includes Update Rollup November 2014 KB3000850 and/or the Windows 8.1 With Update product DVD that does not include Update Rollup November 2014 KB3000850. For additional information on Windows 8.1 Update April 2014 KB2919355 and Windows 8.1 Update Rollup November 2014 KB3000850, see Windows 8.1 Update (above).
     • The Windows product DVD includes Windows 8.1 Update. Skip this step and go to the next step.
2. Latest Servicing Stack Update for Windows 8.1:
   • Servicing Stack Update For Windows 8.1, RT 8.1, And Server 2012 R2: September 10, 2019 (support.microsoft.com):
     • 32-bit: 2019-09 Servicing Stack Update For Windows 8.1 For x86-Based Systems (KB4512938) (microsoft.com).
     • 64-bit: 2019-09 Servicing Stack Update For Windows 8.1 For x64-Based Systems (KB4512938) (microsoft.com).
3. Security Updates for Windows 8.1 from May 2014 through September 2016, which is from MS14-020 through MS16-117, that resolve Windows 8.1 vulnerabilities that do not require user interaction to be exploited:
   1. Microsoft Security Bulletin MS14-031 - Important: Vulnerability In TCP Protocol Could Allow Denial of Service (2962478) (technet.microsoft.com):
      • 32-bit: Security Update For Windows 8.1 (KB2957189) (microsoft.com).
      • 64-bit: Security Update For Windows 8.1 For x64-Based Systems (KB2957189) (microsoft.com).
   2. Microsoft Security Bulletin MS14-066 - Critical: Vulnerability In Schannel Could Allow Remote Code Execution (2992611) (technet.microsoft.com):
      • 32-bit: Security Update For Windows 8.1 (KB2992611) (microsoft.com).
      • 64-bit: Security Update For Windows 8.1 For x64-Based Systems (KB2992611) (microsoft.com).
   3. Microsoft Security Bulletin MS15-005 - Important: Vulnerability In Network Location Awareness Service Could Allow Security Feature Bypass (3022777) (technet.microsoft.com):
      • 32-bit: Security Update For Windows 8.1 (KB3022777) (microsoft.com).
      • 64-bit: Security Update For Windows 8.1 For x64-Based Systems (KB3022777) (microsoft.com).
   4. Microsoft Security Bulletin MS16-072 - Important: Security Update For Group Policy (3163622) (technet.microsoft.com):
      • 32-bit: Security Update For Windows 8.1 (KB3159398) (microsoft.com).
      • 64-bit: Security Update For Windows 8.1 For x64-Based Systems (KB3159398) (microsoft.com).
   5. Microsoft Security Bulletin MS16-077 - Important: Security Update For WPAD (3165191) (technet.microsoft.com):
      i

      The MS16-077 vulnerability that does not require user interaction to be exploited is CVE-2016-3236, not CVE-2016-3213. Therefore, it is not necessary to also install the MS16-063 Security Update For Windows 8.1 (KB3160005) per the MS16-077 Update FAQ.
      • 32-bit: Security Update For Windows 8.1 (KB3161949) (microsoft.com).
      • 64-bit: Security Update For Windows 8.1 For x64-Based Systems (KB3161949) (microsoft.com).
4. Latest Security Monthly Quality Rollup for Windows 8.1:
   • September 10, 2019 - KB4516067 (Monthly Rollup) (support.microsoft.com):
     • 32-bit: 2019-09 Security Monthly Quality Rollup For Windows 8.1 For x86-Based Systems (KB4516067) (catalog.update.microsoft.com).
     • 64-bit: 2019-09 Security Monthly Quality Rollup For Windows 8.1 For x64-Based Systems (KB4516067) (catalog.update.microsoft.com).
5. If not located on a disc included with your computer and not installed by Windows 8.1, the driver for your network connection device (i.e., dial-up modem, ethernet adapter, or Wi-Fi adapter).

2.3.  Files To Download And Copy To CD/DVD Before Performing The Clean Installation Of Windows 10

Using a computer that is not compromised, download and copy the following files to CD/DVD before performing the clean installation of Windows 10:

1. Latest Servicing Stack Update for Windows 10:
   • If the Windows product DVD is Windows 10 Version 1507, 1511, 1607, 1703, or 1709:
     • Windows 10 Version 1507, 1511, 1607, 1703, and 1709 are out of support (above). Do not install an out of support version of Windows 10. Instead, run the media creation tool (microsoft.com) to create a Windows product DVD containing the latest version of Windows 10.
       i

       The Windows product DVD created by the media creation tool automatically contains the latest version of Windows 10.
   • If the Windows product DVD is Windows 10 Version 1803:
     • Servicing Stack Update For Windows 10 Version 1803: September 10, 2019 (support.microsoft.com):
       • 32-bit: 2019-09 Servicing Stack Update For Windows 10 Version 1803 For x86-Based Systems (KB4512576) (catalog.update.microsoft.com).
       • 64-bit: 2019-09 Servicing Stack Update For Windows 10 Version 1803 For x64-Based Systems (KB4512576) (catalog.update.microsoft.com).
   • If the Windows product DVD is Windows 10 Version 1809:
     i

     There are two official releases of Windows 10 Version 1809; 1.) Build 10.0.17763.1 released 02 Oct 2018, and 2.) Build 10.0.17763.107 released 13 Nov 2018. With respect to the latest Servicing Stack Update for Windows 10 Version 1809, it does not matter if the Windows product DVD is Windows 10 Version 1809 Build 10.0.17763.1 released 02 Oct 2018 or Build 10.0.17763.107 released 13 Nov 2018.
     • Servicing Stack Update For Windows 10 Version 1809: September 10, 2019 (support.microsoft.com):
       • 32-bit: 2019-09 Servicing Stack Update For Windows 10 Version 1809 For x86-Based Systems (KB4512577) (catalog.update.microsoft.com).
       • 64-bit: 2019-09 Servicing Stack Update For Windows 10 Version 1809 For x64-Based Systems (KB4512577) (catalog.update.microsoft.com).
   • If the Windows product DVD is Windows 10 Version 1903:
     • Servicing Stack Update For Windows 10 Version 1903: September 10, 2019 (support.microsoft.com):
       • 32-bit: 2019-09 Servicing Stack Update For Windows 10 Version 1903 For x86-Based Systems (KB4515383) (catalog.update.microsoft.com).
       • 64-bit: 2019-09 Servicing Stack Update For Windows 10 Version 1903 For x64-Based Systems (KB4515383) (catalog.update.microsoft.com).
2. Latest Cumulative Update for Windows 10:
   • If the Windows product DVD is Windows 10 Version 1507, 1511, 1607, 1703, or 1709:
     • Windows 10 Version 1507, 1511, 1607, 1703, and 1709 are out of support (above). Do not install an out of support version of Windows 10. Instead, run the media creation tool (microsoft.com) to create a Windows product DVD containing the latest version of Windows 10.
       i

       The Windows product DVD created by the media creation tool automatically contains the latest version of Windows 10.
   • If the Windows product DVD is Windows 10 Version 1803:
     • September 10, 2019 - KB4516058 (OS Build 17134.1006) (support.microsoft.com):
       • 32-bit: 2019-09 Cumulative Update For Windows 10 Version 1803 For x86-Based Systems (KB4516058) (catalog.update.microsoft.com).
       • 64-bit: 2019-09 Cumulative Update For Windows 10 Version 1803 For x64-Based Systems (KB4516058) (catalog.update.microsoft.com).
   • If the Windows product DVD is Windows 10 Version 1809:
     i

     There are two official releases of Windows 10 Version 1809; 1.) Build 10.0.17763.1 released 02 Oct 2018, and 2.) Build 10.0.17763.107 released 13 Nov 2018. With respect to the latest Cumulative Update for Windows 10 Version 1809, it does not matter if the Windows product DVD is Windows 10 Version 1809 Build 10.0.17763.1 released 02 Oct 2018 or Build 10.0.17763.107 released 13 Nov 2018.
     • September 10, 2019 - KB4512578 (OS Build 17763.737) (support.microsoft.com):
       • 32-bit: 2019-09 Cumulative Update For Windows 10 Version 1809 For x86-Based Systems (KB4512578) (catalog.update.microsoft.com).
       • 64-bit: 2019-09 Cumulative Update For Windows 10 Version 1809 For x64-Based Systems (KB4512578) (catalog.update.microsoft.com).
   • If the Windows product DVD is Windows 10 Version 1903:
     • September 10, 2019 - KB4515384 (OS Build 18362.356) (support.microsoft.com):
       • 32-bit: 2019-09 Cumulative Update For Windows 10 Version 1903 For x86-Based Systems (KB4515384) (catalog.update.microsoft.com).
       • 64-bit: 2019-09 Cumulative Update For Windows 10 Version 1903 For x64-Based Systems (KB4515384) (catalog.update.microsoft.com).
3. If not located on a disc included with your computer and not installed by Windows 10, the driver for your network connection device (i.e., dial-up modem, ethernet adapter, or Wi-Fi adapter).

3.1.  Secure A Clean Installation Of Windows 7

1. Do the following offline, and before interacting with the computer in any way that could result in compromise:
   1. Perform a default installation of Windows 7 onto a new or fully erased hard drive:
      1. Boot the computer from the Windows 7 product DVD and proceed with the installation.
      2. Eventually the Install Windows: Which type of installation do you want? dialog appears. Click Custom (advanced).
      3. The Install Windows: Where do you want to install Windows? dialog appears. Either accept the default and click Next, or click Drive options (advanced) | New, create one or more drives, select a drive for the installation of Windows 7, and click Next.
      4. Otherwise, select the default/typical/recommended option throughout the installation.
   2. From CD/DVD, install Windows 7 SP1:
      • If Windows 7 Initial Release was installed:
        • Install the Windows 7 SP1 KB976932 file.
      • If Windows 7 With SP1 was installed:
        • The installation of Windows 7 includes Windows 7 SP1. Skip this step and go to the next step.
   3. From CD/DVD, install the latest Servicing Stack Update for Windows 7:
      • Install the 2019-09 Servicing Stack Update For Windows 7 KB4516655 file.
   4. From CD/DVD, install Windows 7 SP1 Convenience Rollup:
      • Install the Update For Windows 7 KB3125574 file.
   5. From CD/DVD, install the Security Updates for Windows 7 from February 2011 through April 2016, which is from MS11-003 through MS16-050, not included in Windows 7 SP1 Convenience Rollup that resolve Windows 7 vulnerabilities that do not require user interaction to be exploited:
      • None. All of the Security Updates for Windows 7 from February 2011 through April 2016, which is from MS11-003 through MS16-050, not included in Windows 7 SP1 Convenience Rollup require user interaction to be exploited.
   6. From CD/DVD, install the Security Updates for Windows 7 from May 2016 through September 2016, which is from MS16-051 through MS16-117, that resolve Windows 7 vulnerabilities that do not require user interaction to be exploited:
      i

      It is not necessary to restart the computer after installing each Security Update for Windows. Therefore, if prompted to restart the computer after installing a Security Update for Windows, do not restart the computer until after installing the last Security Update for Windows.
      1. Install the MS16-072 (KB3163622) Security Update For Windows 7 KB3159398 file.
      2. Install the MS16-077 (KB3165191) Security Update For Windows 7 KB3161949 file.
   7. From CD/DVD, install the latest Security Monthly Quality Rollup for Windows 7:
      1. Install the Security Monthly Quality Rollup for Windows 7 prerequisite:
         • Install the 2019-09 Security Update For Windows 7 KB4474419 file.
      2. Install the latest Security Monthly Quality Rollup for Windows 7:
         • Install the 2019-09 Security Monthly Quality Rollup For Windows 7 KB4516065 file.
   8. If not installed by Windows 7, from CD/DVD install the driver for your network connection device (i.e., dial-up modem, ethernet adapter, or Wi-Fi adapter).
2. Do the following online, and before interacting with the computer in any way that could result in compromise:
   • Run Windows/Microsoft Update and install:
     • The Security Updates and any security fixes for Windows 7.
     • Any non-security updates and fixes for Windows 7. If a Preview Of Monthly Quality Rollup for Windows 7 is listed, and if it resolves an issue affecting your computer, install it. Otherwise, it is recommended that you do not install Preview Of Monthly Quality Rollups for Windows 7. Instead, it is recommended that you only install Security Monthly Quality Rollups for Windows 7.
3. You have secured the clean installation of Windows 7. If you use imaging software to back up your system, this is an excellent time to use it. Otherwise, proceed to use the computer as normal.

3.2.  Secure A Clean Installation Of Windows 8.1

1. Do the following offline, and before interacting with the computer in any way that could result in compromise:
   1. Perform a default installation of Windows 8.1 onto a new or fully erased hard drive:
      1. Boot the computer from the Windows 8.1 product DVD and proceed with the installation.
      2. Eventually the Windows Setup: Which type of installation do you want? dialog appears. Click Custom: Install Windows only (advanced).
      3. The Windows Setup: Where do you want to install Windows? dialog appears. Either accept the default and click Next, or click New, create one or more drives, select a drive for the installation of Windows 8.1, and click Next.
      4. Otherwise, select the default/typical/recommended option throughout the installation.
   2. From CD/DVD, install the files to bring the installation of Windows 8.1 to Windows 8.1 Update:
      • If Windows 8.1 Initial Release was installed:
        1. Install the Windows 8.1 Update prerequisite:
           • Install the Update For Windows 8.1 KB2919442 file.
        2. Install the Windows 8.1 Update:
           • Install the seven Windows 8.1 Update KB2919355 files in the following order:
             i

             • The clearcompressionflag.exe file simply runs and does not indicate "completed." Therefore, after double clicking clearcompressionflag.exe, wait 30 seconds, and then install the next file.
             • If prompted to restart the computer, restart the computer.
             1. The clearcompressionflag.exe file.
             2. The KB2919355 file.
             3. The KB2932046 file.
             4. The KB2959977 file.
             5. The KB2937592 file.
             6. The KB2938439 file.
             7. The KB2934018 file.
      • If Windows 8.1 With Update was installed:
        i

        There are two Windows 8.1 product DVDs known as Windows 8.1 With Update: one that includes Update Rollup November 2014 KB3000850, and one that does not include Update Rollup November 2014 KB3000850. Both, however, include Windows 8.1 Update April 2014 KB2919355, which is what the With Update in Windows 8.1 With Update means. Toward securing a clean installation of Windows 8.1 per this web page, Windows 8.1 With Update refers to the Windows 8.1 With Update product DVD that includes Update Rollup November 2014 KB3000850 and/or the Windows 8.1 With Update product DVD that does not include Update Rollup November 2014 KB3000850. For additional information on Windows 8.1 Update April 2014 KB2919355 and Windows 8.1 Update Rollup November 2014 KB3000850, see Windows 8.1 Update (above).
        • The installation of Windows 8.1 includes Windows 8.1 Update. Skip this step and go to the next step.
   3. From CD/DVD, install the latest Servicing Stack Update for Windows 8.1:
      • Install the 2019-09 Servicing Stack Update For Windows 8.1 KB4512938 file.
   4. From CD/DVD, install the Security Updates for Windows 8.1 from May 2014 through September 2016, which is from MS14-020 through MS16-117, that resolve Windows 8.1 vulnerabilities that do not require user interaction to be exploited.
      i

      It is not necessary to restart the computer after installing each Security Update for Windows. Therefore, if prompted to restart the computer after installing a Security Update for Windows, do not restart the computer until after installing the last Security Update for Windows.
      1. Install the MS14-031 (KB2962478) Security Update For Windows 8.1 KB2957189 file.
      2. Install the MS14-066 (KB2992611) Security Update For Windows 8.1 KB2992611 file.
      3. Install the MS15-005 (KB3022777) Security Update For Windows 8.1 KB3022777 file.
      4. Install the MS16-072 (KB3163622) Security Update For Windows 8.1 KB3159398 file.
      5. Install the MS16-077 (KB3165191) Security Update For Windows 8.1 KB3161949 file.
   5. From CD/DVD, install the latest Security Monthly Quality Rollup for Windows 8.1:
      • Install the 2019-09 Security Monthly Quality Rollup For Windows 8.1 KB4516067 file.
   6. If not installed by Windows 8.1, from CD/DVD install the driver for your network connection device (i.e., dial-up modem, ethernet adapter, or Wi-Fi adapter).
2. Do the following online, and before interacting with the computer in any way that could result in compromise:
   • Run Windows/Microsoft Update and install:
     • The Security Updates and any security fixes for Windows 8.1.
     • Any non-security updates and fixes for Windows 8.1. If a Preview Of Monthly Quality Rollup for Windows 8.1 is listed, and if it resolves an issue affecting your computer, install it. Otherwise, it is recommended that you do not install Preview Of Monthly Quality Rollups for Windows 8.1. Instead, it is recommended that you only install Security Monthly Quality Rollups for Windows 8.1.
3. You have secured the clean installation of Windows 8.1. If you use imaging software to back up your system, this is an excellent time to use it. Otherwise, proceed to use the computer as normal.

3.3.  Secure A Clean Installation Of Windows 10

1. Do the following offline, and before interacting with the computer in any way that could result in compromise:
   1. Perform a default installation of Windows 10 onto a new or fully erased hard drive:
      1. Boot the computer from the Windows 10 product DVD and proceed with the installation.
      2. Eventually the Windows Setup: Which type of installation do you want? dialog appears. Click Custom: Install Windows only (advanced).
      3. The Windows Setup: Where do you want to install Windows? dialog appears. Either accept the default and click Next, or click New, create one or more drives, select a drive for the installation of Windows 10, and click Next.
      4. Otherwise, select the default/typical/recommended option throughout the installation.
   2. From CD/DVD, install the latest Servicing Stack Update for Windows 10:
      • If Windows 10 Version 1803 was installed:
        • Install the 2019-09 Servicing Stack Update For Windows 10 Version 1803 KB4512576 file.
      • If Windows 10 Version 1809 was installed:
        • Install the 2019-09 Servicing Stack Update For Windows 10 Version 1809 KB4512577 file.
      • If Windows 10 Version 1903 was installed:
        • Install the 2019-09 Servicing Stack Update For Windows 10 Version 1903 KB4515383 file.
   3. From CD/DVD, install the latest Cumulative Update for Windows 10:
      • If Windows 10 Version 1803 was installed:
        • Install the 2019-09 Cumulative Update For Windows 10 Version 1803 KB4516058 file.
      • If Windows 10 Version 1809 was installed:
        • Install the 2019-09 Cumulative Update For Windows 10 Version 1809 KB4512578 file.
      • If Windows 10 Version 1903 was installed:
        • Install the 2019-09 Cumulative Update For Windows 10 Version 1903 KB4515384 file.
   4. If not installed by Windows 10, from CD/DVD install the driver for your network connection device (i.e., dial-up modem, ethernet adapter, or Wi-Fi adapter).
2. Do the following online, and before interacting with the computer in any way that could result in compromise:
   • Run Windows/Microsoft Update and install:
     • Any Security Updates and any security fixes for Windows 10.
     • Any non-security updates and fixes for Windows 10.
3. You have secured the clean installation of Windows 10. If you use imaging software to back up your system, this is an excellent time to use it. Otherwise, proceed to use the computer as normal.

• Description Of The Standard Terminology That Is Used To Describe Microsoft Software Updates (824684) (support.microsoft.com)
• Update Management Process (technet.microsoft.com)
• Microsoft Security Bulletin Data (microsoft.com)
• Common Vulnerabilities And Exposures (CVE) (cve.mitre.org)
• National Vulnerability Database (NVD) (nvd.nist.gov)
• W32.Blaster.Worm (symantec.com)
• Virus Alert About The Blaster Worm And Its Variants (support.microsoft.com)
• W32.Welchia.Worm (a.k.a., Nachi) (symantec.com)
• Virus Alert About The Nachi Worm (support.microsoft.com)
• W32.Sasser.Worm (symantec.com)
• Win32/Sasser (microsoft.com)
• W32.Downadup (a.k.a., Conficker) (symantec.com)
• Win32/Conficker (microsoft.com)
• Ransom.Wannacry (symantec.com)
• Ransom: Win32/WannaCrypt (microsoft.com)
• Documentation For Windows 7 And Windows Server 2008 R2 Service Pack 1 (KB976932) (microsoft.com)
• Download Windows 7 SP1 And Server 2008 R2 SP1 Convenience Roll-up Now Available At A Download Location Near You! (KB3125574) (blogs.technet.microsoft.com)
• Convenience Rollup Update For Windows 7 SP1 And Windows Server 2008 R2 SP1 (support.microsoft.com)
• Files Included In Windows 7 SP1 Convenience Rollup (.csv) (download.microsoft.com)
• Windows 7 Servicing Stack Updates: Managing Change And Appreciating Cumulative Updates (techcommunity.microsoft.com)
• Windows 7 Refreshed Media Creation (blogs.technet.microsoft.com)
• Simplifying Updates For Windows 7 And 8.1 (blogs.technet.microsoft.com)
• Further Simplifying Servicing Models For Windows 7 And Windows 8.1 (blogs.technet.microsoft.com)
• More On Windows 7 And Windows 8.1 Servicing Changes (blogs.technet.microsoft.com)
• Furthering Our Commitment To Security Updates (blogs.technet.microsoft.com)
• Install The Windows 8.1 Update (KB 2919355) (windows.microsoft.com)
• Windows RT 8.1, Windows 8.1, And Windows Server 2012 R2 Update: April 2014 (support.microsoft.com)
• Updated Version Of Windows 10 October 2018 Update Released To Windows Insiders (blogs.windows.com)
• Resuming The Rollout Of The Windows 10 October 2018 Update (blogs.windows.com)
• Windows 10 Release Information (technet.microsoft.com)
• Quick Guide To Windows As A Service (docs.microsoft.com)
• Overview Of Windows As A Service (docs.microsoft.com)
• Windows 10 Update History (support.microsoft.com)
• Servicing Stack Updates (docs.microsoft.com)
• ADV990001 | Latest Servicing Stack Updates (portal.msrc.microsoft.com)
• 2019 SHA-2 Code Signing Support Requirement For Windows And WSUS (support.microsoft.com)
• Windows Lifecycle Fact Sheet (support.microsoft.com)
• Windows Update: FAQ (support.microsoft.com)
• Servicing Windows: Part One (blogs.technet.microsoft.com)
• Security Bulletin Summaries (technet.microsoft.com)
• Security Bulletins (technet.microsoft.com)
• Microsoft Security Updates (technet.microsoft.com)
• Security Update Guide (portal.msrc.microsoft.com)
• Microsoft Update Catalog (catalog.update.microsoft.com)