How do you patch yours? (was: Monitor Services on Windows machines)
From: Avleen Vig (work@silverwraith.com)
Date: 02/26/03
Date: Wed, 26 Feb 2003 10:44:13 -0800
From: Avleen Vig <work@silverwraith.com>
To: J Norfleet <jnorfleet@picusnet.com>
On Wed, Feb 26, 2003 at 06:26:58AM -0500, J Norfleet wrote:
> > Ok, I accept that there are some situations where an automatic restart
> > may be an option. I still feel it's a bad idea. I mean, isn't it better
> > to find out *why* a production system just went offline, before blindly
> > bringing it back?
> > This partly assumes you have some form of redundancy.
>
> When a service is stopped, company production stops.. And so does the flow of
> money, can't have that at MS :)
I concede as long as you agree that it depends on the service :-)
You can have SMTP, DNS, POP, WWW, in fact almost anything that can sit
in a DNS round robin or behind an SLB and have the service go down and
production *not* go down.
> This is not always possible. The best an admin can do, as far as other
> employees are concerned, is to keep them informed.
> Admins are not programmers, where overflows and code injections are game to
> disgruntled employees, who btw, already have access.
Yes, agreed.
> > If you're a server admin you are the first person responsible for the
> > security on the server, and that means you shouldn't be doing anything
> > that you know could lead to a compromise!
>
> With new vulnerabilities coming out every day, *know* is a strong word.
If you start your security with the premise that "everything can be a
vulnerability", and then trim your systems to their minimum required to
ensure usability and functionality, you remove the vast majority of
vulnerabilities.
Take this as an example:
Windows 2000 gave us the 'indexing service'. a) this hurt performance,
and b) in the majority of situations it was completely unnecessary.
How many people here install a Windows server and leave the indexing
service turned on?
Now, how long after the release of Windows 2000 was the vulnerability in
the indexing service discovered? 9 months?
About enough time for a problem to be found in an obscure new service,
and enough time for admins to learn about the new service and turn it
off if they don't need it.
How many turned it off before and after the vulnerability, how many just
patched it blindly without caring, and how many didn't do anything?
I think you'll find the majority either turned it off AFTER the
vulnerability release, or patched it blindly and left it on.
The ultimate problem being it should have been turned off *BEFORE* the
vulnerability was found because it wasn't *needed*.
That's just one example which I think can be applied consistently
across the board with Windows. If more admins would think this way,
there wouldn't be as big of a problem with people moaning (incorrectly)
about Windows insecurity.
--
Avleen Vig            "Say no to cheese-eating surrender-monkeys"
Systems Admin         "Fast, Good, Cheap. Pick any two."
www.silverwraith.com  "Move BSD. For great justice!"
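
The practice argued for in the message above (turn off what the server does not need before a vulnerability is announced) can be checked with a baseline audit. The following PowerShell is an added example, not part of the original thread; the function name `Get-UnneededService`, the baseline list and the sample inventory are assumptions constructed for illustration.

```powershell
# Added example, not from the original thread. The baseline and the sample
# inventory below are constructed; replace them with your server's own.

function Get-UnneededService {
    param(
        # Service names this server's role actually requires (assumption: one
        # such list is maintained per role).
        [Parameter(Mandatory)] [string[]] $Baseline,
        # Defaults to the live service list; pass objects to run offline.
        [object[]] $Inventory = (Get-CimInstance -ClassName Win32_Service)
    )
    # Anything not disabled and not in the baseline is attack surface that
    # exists only because nobody turned it off.
    $Inventory |
        Where-Object { $_.StartMode -ne 'Disabled' -and $Baseline -notcontains $_.Name } |
        Select-Object Name, DisplayName, StartMode, State,
            @{ Name = 'Exposure'; Expression = {
                if ($_.State -eq 'Running') { 'running now' } else { 'can still be started' }
            } } |
        Sort-Object State, Name
}

# Constructed sample inventory shaped like Win32_Service objects.
$sample = @(
    [pscustomobject]@{ Name = 'W3SVC';     DisplayName = 'World Wide Web Publishing Service'; StartMode = 'Auto';     State = 'Running' }
    [pscustomobject]@{ Name = 'EventLog';  DisplayName = 'Event Log';                         StartMode = 'Auto';     State = 'Running' }
    [pscustomobject]@{ Name = 'cisvc';     DisplayName = 'Indexing Service';                  StartMode = 'Auto';     State = 'Running' }
    [pscustomobject]@{ Name = 'Spooler';   DisplayName = 'Print Spooler';                     StartMode = 'Manual';   State = 'Stopped' }
    [pscustomobject]@{ Name = 'Messenger'; DisplayName = 'Messenger';                         StartMode = 'Disabled'; State = 'Stopped' }
)

# Hypothetical baseline for a web server role.
$webBaseline = 'W3SVC', 'EventLog'

# Reports cisvc (running now) and Spooler (can still be started);
# Messenger is already disabled and the baseline services are expected.
Get-UnneededService -Baseline $webBaseline -Inventory $sample | Format-Table -AutoSize
```

On a live server, omit `-Inventory` to audit the real service list. After a finding has been reviewed, `Stop-Service` followed by `Set-Service -StartupType Disabled` turns it off, and both accept `-WhatIf` for a dry run.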