Re: Is complete home security possible?

From: Leythos (void_at_nowhere.lan)
Date: 02/08/05


Date: Tue, 08 Feb 2005 01:32:39 GMT

On Mon, 07 Feb 2005 17:51:12 -0600, Moe Trin wrote:

> In article <pan.2005.02.06.18.28.12.595058@nowhere.lan>, Leythos wrote:
>
>>On Sun, 06 Feb 2005 12:15:16 -0600, Moe Trin wrote:
>
>>> Oh, I forgot - windoze doesn't have that command. Wonder why?
>>
>>Come on now, that's not quite fair - I have servers that have run for
>>more than 3 years without a restart/reboot. My exchange server ran for
>>over a year before I installed new AV software on it and the AV product
>>required a reboot....
>
> We take our systems down annually for cleaning. The dust bunnies may not
> like getting evicted, but the systems run cooler without them.
>
> Thing is, you are also not installing the patches either, and that means
> you had to work quite hard de-activating all of the "features" in order
> to prevent problems. I'm sure you've seen the joke that says

I didn't have to work quite hard, but I did and do have enough experience
to properly configure a stable platform and system running Windows NT 4,
2000, and now 2003.

[snip joke]
> Many people recommend installing all applicable patches/updates as soon as
> they are made available (I happen to be one of this group), while others
> say to wait $PERIOD to see if the patch/update is safe, and still others
> don't install them because it often breaks other stuff.
>
> You recommend up-thread configuring 'Windows Updates' to install at 3AM
> every day, and "Arthur Hagen" responded to recommend Tuesday afternoon
> PST, due to Microsoft only releasing security patches on Tuesday
> mornings. WTF? Do the people who 'sign off' the patches only work
> Mondays?

I actually recommend that PEOPLE, meaning home users and small shops,
install updates when they come out - as most of those places don't have an
IT staff and don't have a clue about what they are installing anyway.

For our group, where we manage workstations and servers and our own
systems, I still do Windows XP Updates nightly, but the servers, since
they are managed and BEHIND a firewall, we test and then update as needed.

>>It's not about Windows, it's about how well you know how to configure and
>>secure the machines.
>
> You'd think that the admins at Microsoft would know how to do that. Why
> then did the "Slammer" (aka Sapphire) worm go through the servers _AT_
> Microsoft last year like a dose of salts - the administrators at
> Microsoft didn't want to update because the patch that was available 5-6
> months earlier broke too many things. Hit groups.google.com if you don't
> believe that.

I've been all over the country and from what I've seen of development
shops I'm not surprised it hit MS or anyone else. There are still shops
that have their SQL servers attached directly to the Internet without any
firewall or other protection, same for other servers. I have not found any
valid business case to expose a server directly to the Internet, and I bet
I won't.

When Slammer hit, we had about 30 MS SQL Servers online, in addition to
30+ IIS 5 Web Servers and Exchange..... Nothing was compromised, but
that's because we isolate our services from the public and if a partner
needs access to the SQL ports then they have to VPN to them. If our
servers had been compromised it would have been localized as the firewall
would not have permitted the outbound attacks.

> I'm not saying that non-Microsoft O/S are perfect, nor am I suggesting
> that they might be for everyone. If you've been following the *nix news
> groups for any length of time, you may have noticed the lowering
> standard of users questions - especially since KDE and Gnome have become
> popular desktops in the various families of *nix. But even with the
> explosion of features (most of which I can somehow manage to live
> without), there aren't as many problems keeping the systems secure.

I'm not disagreeing with you, I'm typing this on a FC3 Box that I've been
using for almost a week now (not had to use my XP Box in my office except
for the Firewall management interface - my laptop is another story, use it
all day long)....

> Remember, the only anti-virus applications in *nix are meant to run on
> mail and Samba servers to protect the windoze clients.

I wish that MS did more to secure the OS, but, based on what I've seen, it
would break a LOT of apps and they are not ready to deal with that issue.

What we need to do is stop the marketing hype that allows vendors to
market NAT devices as Firewalls and just call them routers, owning up to
their mistake.

It would also be nice to see ISPs provide NAT at the Cable/DSL router as
the default mode of operation.

There are many ways to secure a Windows PC, but people have to want to
learn before it will make any difference - the ignorant will always
complain.

-- 
spam999free@rrohio.com
remove 999 in order to email me

