Re: Securing a Windows 2003 server
From: Leythos (void_at_nowhere.com)
Date: 05/17/04
- In reply to: chris_at_nospam.com: "Re: Securing a Windows 2003 server"
Date: Mon, 17 May 2004 11:02:58 GMT
In article <t09ga012hov0fc1up5svttu9n7t7lp41lo@4ax.com>,
chris@nospam.com says...
> On Sun, 16 May 2004 14:02:23 GMT, jcochran.nospam@naplesgov.com (Jeff
> Cochran) wrote:
>
> >On Sun, 16 May 2004 09:59:51 +0000 (UTC), david20@alpha2.mdx.ac.uk
> >wrote:
> >
> >>In article <#1rjsAtOEHA.3044@TK2MSFTNGP10.phx.gbl>, <Karl> writes:
> >>>In regards to the fact the windows takes forever for a patch to get
> >>>released, you are forgetting the trials and tests they have to perform to
> >>>make sure it works. Just cause it fixes the issue doesn't mean that it
> >>>won't break something else. They have to perform tests internally as well as
> >>>with other software companies to determine if they will have an issue. And
> >>>don't forget the 1 million lines of code that they have to work with :)
> >>>
> >>You are joking aren't you. The number of inadequately tested microsoft patches
> >>released is legendary - they either don't fix the problem or break something
> >>else. One of the main holdups for businesses is that they need to fully test
> >>all the patches on their systems before pushing them out having been bit in
> >>the past by patches which broke other applications. Microsoft's philosophy is
> >>the customer tests the products and the customer tests the patches.
> >>
> >>OK maybe I'm exaggerating a bit but putting all the delays down to testing isn't
> >>really credible.
> >
> >Well, actually, it is. There are actually very few Microsoft patches
> >released that cause issues in the field, and many of those are
> >attributable to oddball combinations of software, outdated hardware
> >drivers and third-party products.
>
> Bwahahahaha. You're joking right? Of all the systems I managed,
> Microsoft has the worst track record for compatibility problems,
> especially conflicts with their own software. A good example was the
> recent patch to a previous patch because it caused intermittent
> problems with http posts.

I have web servers across the country and not one of them was impacted
by the updates - we have 2000 and 2003 servers. I can honestly say that
in the last two years, not one patch I've applied from MS on the 2000 or
2003 platform has caused any problems for any of our servers.

In the old NT days I would have agreed with you, but since NT 4 SP 6a,
it's been very simple and easy and without problem.

> I thoroughly test all the MS patches before deploying and I frequently
> come up with issues. The support articles for the patches usually
> have at least one error (eg give wrong install switches). I normally
> don't bother testing the linux patches because I've yet to have an
> issue.

I don't test the patches on our development server networks, I've yet to
find a problem. If they run on the development networks I push them out
to production. Not a problem detected so far.

> >Keep in mind that thousands of systems that crash on a patch is a
> >minuscule percentage of the Microsoft operating systems in use. And
> >it really does take a long time to test these patches on as many
> >combinations as possible, plus make sure they integrate with code
> >that hasn't even been released yet so more patches don't need to be
> >done to undo previous patches.
>
> Averaging across the total number of patches, systems and problems
> I've had - I'd say I'm running 0.5% of the installs having a problem.
> The problems range from minor, such as refusing to do a silent install
> properly to blue screening the machine on reboot.

The only boot failures I've had are due to RAID controller card driver
problems during install. All scripted installs working fine on our
systems.

> >Most Microsoft patches are out before the exploit is tracked in the
> >wild, yet still many admins and most home users get compromised
> >because they haven't installed the patch. Even with all the
> >automation available for updating the systems.
>
> That's because the exploit is usually created using the documentation
> provided with the patch.

I disagree with both of you - most exploits are out before the patch is
available. Most people don't patch their machines, even now that there
is an automated windows update. It's too bad that people don't take the
time to at least check/question the availability of updates like they do
the level of gas in their cars.

I've run 2003 servers for quite a while, exposed WWW/FTP servers, and
have not had any problems with them.
-- -- spamfree999@rrohio.com (Remove 999 to reply to me)