RE: Users slam Microsoft Security Analyser

From: Schwartz, Stanley (sschwartz@stlo.smhs.com)
Date: 04/15/02


From: "Schwartz, Stanley" <sschwartz@stlo.smhs.com>
To: focus-ms@securityfocus.com
Date: Mon, 15 Apr 2002 14:39:04 -0500


</EndLurk>

Sorry. I'm disagreeing again.

Even if you patched your servers up to the most current level, there WILL be
another "discovery" (which somehow made it by Microsoft's extensive
testing)... which means you'll (once again) have to evaluate the hotfix's
necessity for being introduced into your environment, then find, download,
and test it. All of which takes time that most of us don't have in the first
place.

Thanks again,
Stan :)

<BeginLurk>

-----Original Message-----
From: Randy Williams [mailto:randyw@techsource.com]
Sent: Monday, April 15, 2002 12:49 PM
To: focus-ms@securityfocus.com
Subject: Re: Users slam Microsoft Security Analyser

Greetings all,

I'd like to agree with Peter on this one, although I qualify as an
'uneducated' SysAdmin due to a lack of formalized training. When I arrived
at my current duties, the state of the network (both UNIX and MS) was a
wreck and security/patch levels were completely out of line.

I'm sure that we all have run into that a lot in past times as well. Our NT
4.0 network now performs well, and supports our company nicely. As a matter
of fact, it is so unsophisticated that it isn't plagued by some of the newer
Win2k-type security concerns. This is a nice place to be. Although I am not
happy about the workload that accompanies NT4.0, nor am I happy about its
lack of functionality (from a network point of view), it does do the job.

Have I had to patch it more often than our Solaris 8 network?? Absolutely.
Is the NT4.0 network less capable and less secure?? Absolutely, but it DOES
do the job as long as it's correctly maintained.

As much as I detest M$ for their approaches, with enough diligence their
systems can be made secure enough. I've heard it said: "You don't need the
biggest dog on the block, you just need one bigger than the one next door."

Some military experiences I've had have shown that there is no way to keep
someone out that is determined to get in. I am not protecting against those
people, just everyone else.

Thank you for your patience,

RandyW

Randy Williams
Systems Support Analyst
Tech Source Inc.
407.262.7100
----- Original Message -----
From: "Peter" <list@easynix.com>
To: "Wim Remes" <wim.remes@skynet.be>; <Thor@HammerofGod.com>;
<focus-ms@securityfocus.com>
Sent: Monday, April 15, 2002 11:38 AM
Subject: Re: Users slam Microsoft Security Analyser

> Security doesn't start with the OS, it starts with the System Admin.
> Most hackers are successful because of lazy Sys Admins, uneducated Sys
> Admins or no Sys Admins at all. Many hackers use security holes
> which are 6 months and older. The OS actually doesn't matter; this is
> true of any OS. I have seen servers in companies with NO password for the
> Admin account. These things are sad but the reality.......
> Just my $0.02
> Best Regards
> Peter
>
>
>
> > When JM writes "...The company's security focus mailing list..."
> > which company does he mean ?
> >
> > I've personally downloaded MBSA for testing and it does quite a nice
> > job. I am not a fan of the "X-mas on the desktop"-XP-style interface,
> > but hey, who am I? Maybe I'm that 0.001% of the MS customer base that
> > doesn't fall for intuitive menus and easy access to the functionality ???
> > One half of me can understand that this tool is good. It does a good
> > job and may be handy for (a) admins that don't have the knowledge
> > required to handle _any_ network (b) quick assessing of vulns after a
> > fresh install.
> >
> > In short I like the tool and it is a good step towards a
> > security-minded Microsoft (which is currently on holiday somewhere
> > between Utopia and Israel). For all the peeps quoted in the article of
> > JM, I have one remark : "security is NOT craving for tools that will do
> > the work for you, it is neither bashing on the peeps that try to make
> > your life easier but in the end don't. Security is a state-of-mind, an
> > attitude that brings with it a certain responsibility to be aware of
> > security 24/7. Following all the possible channels, learning all you
> > can to be that one step ahead of the bad guys. Security is suffering,
> > Security is a hell of a job (and I like it ;-) ). Patching & hotfixing
> > any system, be it *nix, Win or something else will never cease,
> > whichever GUI or command-line tools there will be released.
> >
> > Bashing is easy (look at Sharon, or Arafat for whatever it matters).
> > Working together for a better and safer world is difficult but in the
> > long run, the latter option is more rewarding than the 30-second
> > bashing rush...
> >
> > C ya ...
> >
> > Wim
> >
> > ----- Original Message -----
> > From: <Thor@HammerofGod.com>
> > To: <focus-ms@securityfocus.com>
> > Sent: Friday, April 12, 2002 7:39 PM
> > Subject: Users slam Microsoft Security Analyser
> >
> >
> > >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > >
> > > James Middleton of vnunet.com (UK) has taken the SF posts from HC and
> > > Damien and turned it into an article:
> > >
> > > Users slam Microsoft Security Analyser
> > > http://www.vnunet.com/News/1130844
> > >
> > > (I guess in the UK they spell it with an "s" instead of a "z")
> > >
> > > James' email was not on the article, but since I know he is reading
> > > these posts, I would like to make some comments:
> > >
> > >
> > > First, shouldn't the main title be changed from "Users slam Microsoft
> > > Security Analyser" to "Three Users slam Microsoft Security Analyser?"
> > >
> > > I am amazed that someone could take the comments of 2 or 3 people and
> > > turn it into an article. Obviously, James did not do his homework... I
> > > would have hoped that he would have downloaded and tested the tool
> > > before giving credence to someone who thinks it is "just a GUI version
> > > of the software giant's HfNetChk."
> > >
> > > It does FAR more than just check for missing patches, and he would know
> > > that if he looked at it. And before you people go on record with a
> > > publication, you too should do your homework before your words are
> > > quoted to live forever in error.
> > >
> > > I was going to comment on different excerpts from the article, but I
> > > would end up quoting the whole thing... Jeeze.
> > >
> > > AD
> > >
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: PGP 7.1
> > >
> > > iQA/AwUBPLcb3IhsmyD15h5gEQI0HACfQ/yttOQpG+/5i5Bzft/XQUaxLK8AnjBk
> > > n1OZPTh5mKwEyV3dAXJ3XGPR
> > > =L33g
> > > -----END PGP SIGNATURE-----