On Tue, 11 Jan 2005 20:16:27 -0500, Andrew English <andrew@xxxxxxxxxxxxxxxxxxxxxx> wrote:

> http://www.MSExchange.org/
>
> Here's the problem with your analogy.

We have a misunderstanding here; it was no analogy. I provided a way to buy some time for small and large companies without extensive patch testing environments by following simple best practices. I promote patching. I also promote security through obscurity, best practice compliance, default deny (only "allow" what is essential to your business continuity) networks, and removing unessential services and applications. My goal is to be as proactive as possible, and by simply patching Windows vulnerabilities, you will never be ahead of the game.

> Microsoft releases security updates for a reason. There have been many
> cases where production servers have fallen to attacks, which resulted in
> Microsoft being blamed unjustly because the server admins failed to
> apply the posted security patches from Microsoft.

Patches only protect against known vulnerabilities; you cannot rely on them to protect your systems. You must implement other layers of protection. If you read the workarounds provided within the security bulletins, you will notice a trend, with the same workarounds repeated one bulletin after another. In this case, I don't have to worry about patching my systems the second the updates are released because:

1) You cannot view websites with Internet Explorer on my servers. No web browsing is permitted. Servers are not web surfing machines.
2) My firewall does not allow communication from untrusted networks (a.k.a. the Internet) to the Microsoft-friendly ports (including all the ones listed in MS05-003) or any other unessential ports (Windows services are only being provided to LAN clients) on my servers.
3) You cannot read/view email on my servers. There is no email client software on my servers.
4) My clients are forced to read email in plain text. HTML is for the web IMO. If you want pretty formatting, create a Word document.
5) ActiveX is disabled for untrusted sites for our users. Most of the heavy web browsers are using Firefox anyway.
6) Our inexpensive firewall has a list of blocked websites and scans all traffic for malware.
7) All unessential services are disabled on all workstations and servers.
8) IPSec is set up on all workstations to filter all unessential IP traffic.

The list goes on, but the fact remains that my systems were protected from these recently disclosed vulnerabilities for over a year now -- without the patches. I am not going to wait for Microsoft. There are soooo many known vulnerabilities with MS software that it would be ludicrous for me to wait for them to release the patches. Not to mention all the undisclosed vulnerabilities out there.

[...]

> I agree you should test the patches on non-production servers first,
> however I don't agree that you should never apply them at all.

Who said you should never apply patches? Anyway, my viewpoint should be much clearer now. Back on topic.

...D
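The measures in the numbered list above translate fairly directly into host configuration. The following PowerShell script is an added example, not code from D's message or from Microsoft; it implements items 1, 2, 4, 5, 7 and 8 with the NetSecurity and registry cmdlets available on Windows 8 / Server 2012 and later (D used IPSec filters, which predate these cmdlets, so the Windows Firewall stands in for them here). The LAN subnet, the Office version path and the list of disabled services are assumptions to adjust per environment; the IE zone value IDs (zone 3 = Internet, 1200 = "Run ActiveX controls and plug-ins", 3 = Disable) and the Outlook ReadAsPlain value are the standard ones.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumptions: $LanSubnet, $OfficeVer
# and $Unneeded below are placeholders; review them before running.

$LanSubnet = '192.168.1.0/24'                                   # assumed LAN range
$OfficeVer = '16.0'                                             # assumed Office version
$Unneeded  = 'RemoteRegistry','SSDPSRV','upnphost','Browser','Fax','WebClient'  # assumed per role
$IsServer  = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1           # 1 = workstation

# --- Items 2 and 8: default deny in both directions, then allow only LAN traffic.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# The RPC/NetBIOS/SMB ports that the MS05-003 workarounds tell you to filter
# are reachable from the LAN only; the default-deny policy drops everything else.
New-NetFirewallRule -DisplayName 'LAN-only: RPC/NetBIOS/SMB TCP' -Direction Inbound `
    -Protocol TCP -LocalPort 135,139,445 -RemoteAddress $LanSubnet -Action Allow
New-NetFirewallRule -DisplayName 'LAN-only: NetBIOS UDP' -Direction Inbound `
    -Protocol UDP -LocalPort 137,138 -RemoteAddress $LanSubnet -Action Allow

# Outbound: LAN always; web only from workstations.
New-NetFirewallRule -DisplayName 'Outbound: LAN' -Direction Outbound `
    -RemoteAddress $LanSubnet -Action Allow
if (-not $IsServer) {
    # Item 5 still applies to these clients; item 6 (the edge web filter) sits upstream.
    New-NetFirewallRule -DisplayName 'Outbound: web' -Direction Outbound `
        -Protocol TCP -RemotePort 80,443 -Action Allow
}
# --- Item 1: on servers no outbound web rule is created, so Internet Explorer
#     cannot reach the Internet even if someone launches it.

# --- Item 7: stop and disable services this role does not need.
foreach ($svc in $Unneeded) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc -StartupType Disabled
    }
}

# --- Item 5: disable "Run ActiveX controls and plug-ins" in the Internet zone
#     machine-wide (Security_HKLM_only makes the HKLM zone settings authoritative).
$zones = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
New-Item -Path "$zones\Zones\3" -Force | Out-Null
Set-ItemProperty -Path $zones            -Name 'Security_HKLM_only' -Type DWord -Value 1
Set-ItemProperty -Path "$zones\Zones\3"  -Name '1200'               -Type DWord -Value 3

# --- Item 4: force Outlook to render mail as plain text for the current user.
$mail = "HKCU:\Software\Microsoft\Office\$OfficeVer\Outlook\Options\Mail"
New-Item -Path $mail -Force | Out-Null
Set-ItemProperty -Path $mail -Name 'ReadAsPlain' -Type DWord -Value 1

# --- Check: a default-deny policy is only as good as the allow rules left behind.
#     List enabled inbound allow rules whose remote address is unrestricted.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object {
        (Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $_).RemoteAddress -contains 'Any'
    } |
    Select-Object DisplayName, Profile, Group
```

The final query is the part worth keeping even if you script nothing else: Windows ships with predefined inbound rules (file and printer sharing, remote administration, and so on) that are scoped to Any, and enabling one of them silently punches through the default-deny inbound policy that items 2 and 8 depend on. Run it after every role or feature install.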