Re: 3 new crucal updates today for Server 2003

  • From: Danny <nocmonkey@xxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 11 Jan 2005 21:25:35 -0500

On Tue, 11 Jan 2005 20:16:27 -0500, Andrew English
<andrew@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> Here the problem with your analogy.

We have a mis-understanding here; it was no analogy; I provided a way
to buy some time for small and large companies without extensive patch
testing environments by following simple best practices.

I promote patching. I also promote security through obscurity, best
practice compliance, default deny (only "allow" what is essential to
your business continuity) networks, and removing unessential services
and applications. My goal is to be as pro-active as possible, and by
simply patching windows vulnerabilities, you will never be ahead of
the game.
> Microsoft releases security updates for a reason. There has been many
> cases were production servers has fallen to attacks which resulted in
> Microsoft being blamed for unjustly because the server admins failed to
> apply the posted security patches from Microsoft.

Patches only protect against known vulnerabilities; you cannot rely on
them to protect your systems. You must implement other layers of

If you read the workarounds provided within the security bulletins,
you will notice a trend with often repeated workarounds one bulletin
after another.

In this case, I don't have to worry about patching my systems the
second the updates are released because:

1) You cannot view websites with Internet Explorer on my servers. No
web browsing is permitted. Servers are not web surfing machines.

2) My firewall does not allow communication from untrusted networks
(a.k.a the Internet) to the Microsoft friendly ports (including all
the ones listed in MS05-003) or any other unessential ports (Windows
services are only being provided to LAN clients) on my servers.

3) You cannot read/view email on my servers. There is no email client
software my servers.

4) My clients are forced to read email in plain text. HTML is for the
web IMO. If you want pretty formatting, create a word document.

5) ActiveX is disabled for untrusted sites for our users. Most of the
heavy web browsers are using Firefox anyway.

6) Our inexpensive firewall has a list of blocked websites and scans
all traffic for malware.

7) All unessential services are disabled on all workstations and servers.

8) IPSec is setup on all workstations to filter all unessential IP traffic.

The list goes on, but the fact remains that my systems were protected
from these recently disclosed vulnerabilities for over a year now --
without the patches. I am not going to wait for Microsoft. There are
soooo many known vulnerabilities with MS software that it would be
ludicrous for me to wait for them to release the patches. Not to
mention all the undisclosed vulnerabilities out there.


> I agree you should test the patches on non-production servers first,
> however I don't agree that you should never apply them at all.

Who said you should never apply patches? 

Anyway, my viewpoint should be much clearer now. Back on topic.


Other related posts: