Re: Securing a Windows 2003 server

chris_at_nospam.com
Date: 05/17/04


Date: Mon, 17 May 2004 02:39:39 GMT

On Sun, 16 May 2004 14:02:23 GMT, jcochran.nospam@naplesgov.com (Jeff
Cochran) wrote:

>On Sun, 16 May 2004 09:59:51 +0000 (UTC), david20@alpha2.mdx.ac.uk
>wrote:
>
>>In article <#1rjsAtOEHA.3044@TK2MSFTNGP10.phx.gbl>, <Karl> writes:
>>>In regards to the fact the windows takes forever for a patch to get
>>>released, you are forgetting the trials and tests they have to perform to
>>>make sure it works. Just cause it fixes the issue doesn't mean that it
>>>won't break something else. They have to perform tests internally as well as
>>>with other software companies to determine if they will have an issue. And
>>>don't forget the 1 million lines of code that they have to work with :)
>>>
>>You are joking aren't you. The number of inadequately tested microsoft patches
>>released is legendary - they either don't fix the problem or break something
>>else. One of the main holdups for businesses is that they need to fully test
>>all the patches on their systems before pushing them out having been bit in
>>the past by patches which broke other applications. Microsoft's philosophy is
>>the customer tests the products and the customer tests the patches.
>>
>>OK, maybe I'm exaggerating a bit, but putting all the delays down to testing isn't
>>really credible.
>
>Well, actually, it is. There are actually very few Microsoft patches
>released that cause issues in the field, and many of those are
>attributable to oddball combinations of software, outdated hardware
>drivers and third-party products.

Bwahahahaha. You're joking, right? Of all the systems I managed,
Microsoft has the worst track record for compatibility problems,
especially conflicts with their own software. A good example was the
recent patch to a previous patch, because it caused intermittent
problems with HTTP posts.

I thoroughly test all the MS patches before deploying and I frequently
come up with issues. The support articles for the patches usually
have at least one error (e.g. giving wrong install switches). I normally
don't bother testing the Linux patches because I've yet to have an
issue.

>Keep in mind that thousands of systems that crash on a patch is a
>minuscule percentage of the Microsoft operating systems in use. And
>it really does take a long time to test these patches on as many
>combinations as possible, plus make sure they integrate with code
>that hasn't even been released yet so more patches don't need to be
>done to undo previous patches.

Averaging across the total number of patches, systems and problems
I've had, I'd say I'm running at 0.5% of the installs having a problem.
The problems range from minor, such as refusing to do a silent install
properly, to blue-screening the machine on reboot.

>Most Microsoft patches are out before the exploit is tracked in the
>wild, yet still many admins and most home users get compromised
>because they haven't installed the patch. Even with all the
>automation available for updating the systems.

That's because the exploit is usually created using the documentation
provided with the patch.

>In comparison, many other OS patches take as long or longer. Just
>count the number of Linux distros for which patches are unavailable
>even after they appear for other distros. Sun is notorious for slowly
>patching their operating systems, and most OS/400 and SystemXXX
>patches from IBM never go to end users, they go to vendors who may or
>may not release them.

>There is no perfect method yet, and it's doubtful there ever can be
>for patching and updating systems. Just the fact that the millions of
>pirated Windows systems can't be patched leaves plenty of compromised
>systems out there to attack the rest of us.
