Roger Mills said:
Not unless it's *never* been connected to the internet - in which case
activation is pretty difficult.
Replace "difficult" with "easy." Several systems at my POE are on isolated
networks with no access to the Internet; all that's needed to activate them
is to put in the product key, then in the activation dialog select the link
that reads something like "show me other ways to activate" to get the phone
number to call. None of the users have reported having problems with
activating by telephone.
Ignoring demo/evaluation distributions (which are time limited) and OEM
Windows environments from major manufacturers like Dell or HP (which are
activated by a magic data block in BIOS), retail systems activated via the
Internet or by telephone have no expiration date and will remain activated
unless there is a major hardware change (or a lot of minor ones).
The exception to this involves volume-license distributions that are
activated by either KMS or smartcard; both require re-activation at least
every 180 days.
you can forget all the security updates if
it's not vulnerable to on-line attack.
That's a bit too absolute a statement unless you can guarantee the system to
be clean, and never, never make any changes to the software...but even then,
what about vulnerabilities in the Windows system that haven't yet been
found? Could they be exploited via video you're passing through the
computer? Vulnerabilities have been found in codecs.
I'll agree that the Internet is the most common mechanism by which
infections occur, but infected storage media are hardly unknown. Think
Stuxnet (reportedly introduced into the Iranian nuclear facility by a USB
key) as the poster child for this.
USB keys as an infection vector are so common that penetration testers will
frequently "salt" the parking lot of their clients with USB keys containing
"infections" that report back to a monitor when they are plugged into a
machine on the client's network.
Installing software? Even if it's obtained directly from a big-name
manufacturer there's no guarantee that it's free of malware. Now that
researchers know what to look for, Stuxnet turns out to have been "in the
wild" for a significant amount of time before it was discovered.
It boils down to your risk evaluation. I'll agree that a machine that never
connects to any network interface represents a far, far lower lower risk
than one that is on the Internet, but it's not zero. You're probably safe
without patching - but you could still be hit.
Joe
