Straight from the source - Russ's response on the Windows Update thread. To be fair, I would suggest CC'ing him on any responses.

To sum up, Russ recommends the same practices my organization follows: "given today's choices from Microsoft, I would continue to argue that using their tools is the least favorable or reliable mechanism for managing your security patches. 3rd party products do a far better job than anything Microsoft provides, and most are more reliable."

Ed Sullivan
Director of Information Services
esullivan@xxxxxxx <mailto:esullivan@xxxxxxx>
KMA Direct Communications
Confidential and Proprietary

-----Original Message-----
From: Russ [mailto:Russ.Cooper@xxxxxxxx]
Sent: Friday, December 20, 2002 1:27 PM
To: Edward Sullivan
Subject: RE: Your thoughts on WU?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Feel free to pass along to lists I'm not present on (such as the ISA List).

While my comments about Windows Update were made back in April, little has changed since then. WU has not been "improved" in any noticeable way. Everything I faulted in WU at that time is still present, unchanged, and not improved. I'd sure like to know why Paul Robichaux says it's been "improved".

Software Update Services is also no answer. Firstly, you're stuck with one SUS server per IIS machine. What if you want to make updates available to two or more distinct groups? You may not want to make an update available to one that you want to make available to another. SUS doesn't let you do that; it's an all-or-nothing approach. There are other issues with SUS, like when you modify a package and then download new packages your old modifications get reset. Basically, all SUS lets you do is save bandwidth and control access to Microsoft's WU. SUS should've given us greater control over which patches were made available (granular to the extent we need it to be), and most importantly, the ability to verify whether or not our systems have applied the patches.

MBSA, while an improvement over HFNetchk, doesn't interact with WU. WU patches are named differently than they're defined in MBSA, so correlating the information from the two is difficult.

So in the end I'd argue that things still have not changed. Of course I agree that they are changing, but as WU and AutoUpdates showed, these future changes may not be applicable to the majority of deployed systems. My understanding of the coming changes is that they rely upon some features in the OS which are not yet deployed, things which may be in .Net and other future MS OSes. This was demonstrated when WU/AutoUpdates wouldn't work with NT 4.0, which, at the time WU was deployed, represented the largest segment of the OS market.

I'm very unaware of "heavy" spending on "fixing this and other security management problems"; I'm sure I'm not alone in wondering what Mr. Robichaux knows about that represents this to him. I'm aware of product groups being established to sell more security products from Microsoft, so we may be able to purchase things which fix our security management problems from Microsoft in the future...but I'd argue we shouldn't have to spend to manage problems associated with bugs which cause security problems.

However, given today's choices from Microsoft, I would continue to argue that using their tools is the least favorable or reliable mechanism for managing your security patches. 3rd party products do a far better job than anything Microsoft provides, and most are more reliable. If you're going to spend time and bandwidth, do so effectively even if that means having to spend some money on a product to do that...at least until Microsoft provide a better mechanism for free.

Finally, I'd just like to comment about me being "contrary". I made my reputation by being accused of being Microsoft's biggest fan, so it's funny to see me now accused of being against them.

Over the years I've expended a great deal of effort towards getting a better patch management regimen out of Microsoft. When they didn't do it themselves, I built something which would help people. When they did build WU, I provided feedback and suggestions as to how it could be made better (long before calling it a dog). But when they failed to improve it, failed to pay enough attention to its importance, and failed to make it available for internal use, I finally had to speak out against it. So I don't think it's reasonable to simply say I'm contrary. I think I demonstrated a fervent desire to see MS improve this area by my second article, which articulated numerous problems and some suggestions as to how to fix them. MS may be doing some of that, and they may be doing other things I'm completely unaware of. Either way I know they are doing something, and that's good. I also know, however, they're not doing it fast enough and do not give it as high a priority as they should, IMO. Ergo, today we are no better off than we were in April, and I stand by my observations.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPgNu/8+Ua7J6A+woEQJTiQCgpZDwuNX+fc7udjUFiqXGMIB0zhMAoLWA
iL+eOJFIP1bnmscimrrtQ875
=fbgS
-----END PGP SIGNATURE-----

-----Original Message-----
From: Edward Sullivan
Sent: Friday, December 20, 2002 11:09 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Windows Update

http://www.ISAserver.org

UpdateEXPERT v5.1 is my tool of choice for managing updates. I have learned from experience that the slow, steady road is the path to reduced downtime and headaches when it comes to Microsoft products. From a security perspective, MSFT misses the boat A LOT of the time, and I do not trust them to manage hotfixes for my servers (Windows Update). However, if that is the path you choose, then that is your valid preference.

Even if UpdateEXPERT was not available to me, I would STILL take the manual approach over WU - that's me. It is critical in my environment to take the tried, true, and tested approach to minimize downtime.

I have emailed Russ to see what his current thoughts on WU are; we'll see what he responds with...

Ed Sullivan
Director of Information Services
esullivan@xxxxxxx <mailto:esullivan@xxxxxxx>
KMA Direct Communications
Confidential and Proprietary

-----Original Message-----
From: Paul E. Robichaux [mailto:paul@xxxxxxxxxxxxx]
Sent: Friday, December 20, 2002 10:45 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Windows Update

http://www.ISAserver.org

This article is from April of this year, which means it totally misses the improvements in WU, the release of the Software Update Service, and the new version (1.1) of MBSA -- which does in fact check Exchange and WMP. Russ gets a lot of play out of being contrarian, and most of his arguments were true at the time. Things have changed, though, and they'll be changing again. MS is spending heavily on fixing this and other security management problems, and if you choose not to use the tools they make available, you're only hurting your own security (or spending a lot of needless time doing stuff manually).

> -----Original Message-----
> From: Edward Sullivan [mailto:esullivan@xxxxxxx]
> Sent: Friday, December 20, 2002 11:18 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Windows Update
>
> http://www.ISAserver.org
>
> This article addresses more of the concerns. Windows Update is intended
> for use for consumer products, and not for production data center
> environments. To quote an industry expert:
>
> http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0053.html
>
> "So in the end, I have to agree with Susan Bradley's basic premise,
> don't use Windows Update. I vehemently disagree with her that we should
> treat it as v1.0; it's been around long enough and MS have had ample
> opportunities to fix it, it should be robust, accurate, and incredibly
> reliable given how important it is. I also wouldn't agree that it can
> be used on systems other than servers; it's as unreliable on
> workstations as it is on anything else."
>
> Cheers,
> Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
>
> -----Original Message-----
> From: Rupert Wood [mailto:me@xxxxxxxxx]
> Sent: Friday, December 20, 2002 10:05 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Windows Update
>
> http://www.ISAserver.org
>
> Edward Sullivan wrote:
>
> > There are big problems using Windows Update on production servers. I
> > would recommend that you instead download the appropriate hotfixes and
> > service packs individually, and apply them.
> >
> > Reference this thread for more info on why Windows Update on servers
> > is bad news.
> >
> > http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0054.html
>
> I only have time to skim that, but I read it as
>
> "Windows Update isn't good enough - MS should provide us with something
> better."
>
> and his only criticism was that you have to manually check that the
> patches it applies cover all the security bulletins. There were no
> follow-ups to it.
>
> Is that it, or have I missed something? He didn't convince me of any
> reason not to use WU or MS's other free tools - you just have to be
> aware of their limits.
>
> Rup.
>
> List Sponsored by Aspelle
> Aspelle's Microsoft-centric, Aspelle Everywhere, leverages ISA server
> and the Internet to quickly and cost-effectively manage and deliver
> secure, client-less access to all corporate applications (Web, Unix,
> Windows and legacy systems), for all users. More info at
> http://www.aspelle.com/info
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Exchange Server Resource Site: http://www.msexchange.org/
> Windows Security Resource Site: http://www.windowsecurity.com/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> esullivan@xxxxxxx To unsubscribe send a blank email to
> $subst('Email.Unsub')