Re: 3 new crucial updates today for Server 2003

  • From: "Steve Moffat" <steve@xxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 11 Jan 2005 22:34:44 -0400

I hope you've patched your Firefox installs....:)


-----Original Message-----
From: Danny [mailto:nocmonkey@xxxxxxxxx] 
Sent: Tuesday, January 11, 2005 10:26 PM
To: [ExchangeList]
Subject: [exchangelist] Re: 3 new crucial updates today for Server 2003

On Tue, 11 Jan 2005 20:16:27 -0500, Andrew English
<andrew@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> Here's the problem with your analogy.

We have a misunderstanding here; it was no analogy. I provided a way to
buy some time for small and large companies without extensive patch
testing environments by following simple best practices.

I promote patching. I also promote security through obscurity, best
practice compliance, default deny (only "allow" what is essential to
your business continuity) networks, and removing unessential services
and applications. My goal is to be as proactive as possible, and by
simply patching Windows vulnerabilities, you will never be ahead of the
> Microsoft releases security updates for a reason. There have been many 
> cases where production servers have fallen to attacks, which resulted in 
> Microsoft being blamed unjustly because the server admins failed 
> to apply the posted security patches from Microsoft.

Patches only protect against known vulnerabilities; you cannot rely on
them to protect your systems. You must implement other layers of

If you read the workarounds provided within the security bulletins, you
will notice a trend with often repeated workarounds one bulletin after

In this case, I don't have to worry about patching my systems the second
the updates are released because:

1) You cannot view websites with Internet Explorer on my servers. No web
browsing is permitted. Servers are not web surfing machines.

2) My firewall does not allow communication from untrusted networks
(a.k.a. the Internet) to the Microsoft-friendly ports (including all the
ones listed in MS05-003) or any other unessential ports (Windows
services are only being provided to LAN clients) on my servers.

3) You cannot read/view email on my servers. There is no email client
software on my servers.

4) My clients are forced to read email in plain text. HTML is for the
web IMO. If you want pretty formatting, create a Word document.

5) ActiveX is disabled for untrusted sites for our users. Most of the
heavy web browsers are using Firefox anyway.

6) Our inexpensive firewall has a list of blocked websites and scans all
traffic for malware.

7) All unessential services are disabled on all workstations and

8) IPSec is setup on all workstations to filter all unessential IP

The list goes on, but the fact remains that my systems were protected
from these recently disclosed vulnerabilities for over a year now --
without the patches. I am not going to wait for Microsoft. There are
soooo many known vulnerabilities with MS software that it would be
ludicrous for me to wait for them to release the patches. Not to mention
all the undisclosed vulnerabilities out there.


> I agree you should test the patches on non-production servers first, 
> however I don't agree that you should never apply them at all.

Who said you should never apply patches? 

Anyway, my viewpoint should be much clearer now. Back on topic.
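The default-deny stance above (only "allow" what the business needs, disable or filter every other service) is easy to state and easy to drift away from. The following script is an added example, not code from either poster or the mailing list: it parses the text format of Windows `netstat -ano` output and reports every network-reachable listener that is not on an explicit allowlist, which is the check you would run on a server before deciding which ports the firewall and IPSec filters must cover. The netstat sample and the allowlist of "essential" ports are constructed assumptions for illustration, not a recommendation of which ports a real Exchange server needs.

```python
"""Audit a Windows host's listening sockets against a default-deny allowlist.

Added example (not from the mailing-list thread). It parses the text
format of `netstat -ano` on Windows and reports every listener that is
not on an explicit allowlist of essential services. The allowlist and
the sample netstat output below are constructed assumptions.
"""
import re
from typing import NamedTuple


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    pid: int


# Constructed sample of `netstat -ano` output (Windows). Not captured
# from a real host; the PIDs and addresses are made up.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       2204
  TCP    192.168.1.10:445       192.168.1.20:3210      ESTABLISHED     4
  UDP    0.0.0.0:161            *:*                                    1688
  UDP    0.0.0.0:1434           *:*                                    1900
"""

# Hypothetical allowlist for a LAN-only mail server: (proto, port) pairs
# the business actually needs. Anything else listening is a finding.
ESSENTIAL = {("TCP", 25), ("TCP", 135), ("TCP", 445)}

# Matches TCP lines in LISTENING state and UDP lines (UDP has no state
# column). TCP lines in other states (ESTABLISHED, TIME_WAIT) do not
# match because a state word sits where the PID is expected.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:LISTENING\s+)?(\d+)\s*$"
)


def parse_listeners(netstat_text: str) -> list[Listener]:
    """Return every listening TCP socket and every UDP socket."""
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, pid = m.groups()
        found.append(Listener(proto, addr, int(port), int(pid)))
    return found


def is_exposed(addr: str) -> bool:
    """A socket bound only to loopback cannot be reached from the network."""
    return not (addr.startswith("127.") or addr in ("::1", "[::1]"))


def audit(netstat_text: str, allowlist: set[tuple[str, int]]) -> list[dict]:
    """Default-deny check: each network-reachable listener that is not on
    the allowlist is something to disable, firewall, or IPSec-filter."""
    findings = []
    for lst in parse_listeners(netstat_text):
        if not is_exposed(lst.addr):
            continue
        if (lst.proto, lst.port) in allowlist:
            continue
        findings.append(
            {"proto": lst.proto, "port": lst.port, "addr": lst.addr, "pid": lst.pid}
        )
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT, ESSENTIAL):
        print(f"NOT ALLOWLISTED: {f['proto']} {f['addr']}:{f['port']} (PID {f['pid']})")
```

On a real host you would pipe `netstat -ano` into this instead of the constructed sample and keep one allowlist per server role; the loopback-bound 8080 listener in the sample is deliberately skipped because it is not reachable from the LAN, while the RDP, SNMP and SQL browser ports are reported so you can decide whether to stop the service or filter the port.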



This E-Mail is confidential. It is not intended to be read, copied, disclosed 
or used by any person other than the recipient named above.

Unauthorised use, disclosure, or copying is strictly prohibited and may be 
unlawful. Optimum IT Solutions Ltd disclaims any liability for any action taken 
in connection of this E-Mail. The comments or statements expressed in this 
E-Mail are not necessarily those of Optimum IT Solutions Ltd or its 
subsidiaries or affiliates.
