RE: Windows Update

  • From: "Edward Sullivan" <esullivan@xxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 20 Dec 2002 14:45:54 -0600

Straight from the source - Russ's response on the Windows Update thread. To be 
fair, I would suggest CC'ing him on any responses.

To sum up, Russ recommends the same practices my organization follows:

"given today's choices from Microsoft, I would continue to argue
that using their tools is the least favorable or reliable mechanism for
managing your security patches. 3rd party products do a far better job
than anything Microsoft provides, and most are more reliable."

Ed Sullivan
Director of Information Services
esullivan@xxxxxxx

KMA Direct Communications
Confidential and Proprietary 


 
-----Original Message-----
From: Russ [mailto:Russ.Cooper@xxxxxxxx]
Sent: Friday, December 20, 2002 1:27 PM
To: Edward Sullivan
Subject: RE: Your thoughts on WU?


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Feel free to pass along to lists I'm not present on (such as the ISA
List).

While my comments about Windows Update were made back in April, little
has changed since then. WU has not been "improved" in any noticeable
way. Everything I faulted in WU at that time is still present,
unchanged, and not improved. I'd sure like to know why Paul Robichaux
says it's been "improved".

Software Update Services is also no answer. Firstly, you're stuck with
one SUS server per IIS machine. What if you want to make updates
available to two or more distinct groups? You may not want to make an
update available to one that you want to make available to another. SUS
doesn't let you do that; it's an all-or-nothing approach. There are other
issues with SUS, like when you modify a package and then download new
packages your old modifications get reset. Basically, all SUS lets you
do is save bandwidth and control access to Microsoft's WU. SUS should've
given us greater control over which patches were made available
(granular to the extent we need it to be), and most importantly, the
ability to verify whether or not our systems have applied the patches.

MBSA, while an improvement over HFNetChk, doesn't interact with WU. WU
patches are named differently than they're defined in MBSA, so
correlating the information from the two is difficult.

So in the end I'd argue that things still have not changed. Of course I
agree that they are changing, but as WU and AutoUpdates showed, these
future changes may not be applicable to the majority of deployed
systems. My understanding of the coming changes is that they rely upon
some features in the OS which are not yet deployed, things which may be
in .Net and other future MS OSes. This was demonstrated when
WU/AutoUpdates wouldn't work with NT 4.0, which at the time WU was
deployed, represented the largest segment of the OS market.

I'm very unaware of "heavy" spending on "fixing this and other security
management problems", I'm sure I'm not alone in wondering what Mr.
Robichaux knows about that represents this to him. I'm aware of product
groups being established to sell more security products from Microsoft,
so we may be able to purchase things which fix our security management
problems from Microsoft in the future...but I'd argue we shouldn't have
to spend to manage problems associated with bugs which cause security
problems.

However, given today's choices from Microsoft, I would continue to argue
that using their tools is the least favorable or reliable mechanism for
managing your security patches. 3rd party products do a far better job
than anything Microsoft provides, and most are more reliable. If you're
going to spend time and bandwidth, do so effectively even if that means
having to spend some money on a product to do that...at least until
Microsoft provide a better mechanism for free.

Finally, I'd just like to comment about me being "contrary". I made my
reputation by being accused of being Microsoft's biggest fan, so it's
funny to see me now accused of being against them. Over the years I've
expended a great deal of effort towards getting a better patch
management regimen out of Microsoft. When they didn't do it themselves,
I built something which would help people. When they did build WU, I
provided feedback and suggestions as to how it could be made better
(long before calling it a dog). But when they failed to improve it,
failed to pay enough attention to its importance, and failed to make it
available for internal use, I finally had to speak out against it. So I
don't think it's reasonable to simply say I'm contrary.

I think I demonstrated a fervent desire to see MS improve this area by
my second article which articulated numerous problems and some
suggestions as to how to fix them. MS may be doing some of that, and
they may be doing other things I'm completely unaware of. Either way I
know they are doing something, and that's good. I also know, however,
they're not doing it fast enough and do not give it as high a priority
as they should, IMO.

Ergo, today we are no better off than we were in April, and I stand by
my observations.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPgNu/8+Ua7J6A+woEQJTiQCgpZDwuNX+fc7udjUFiqXGMIB0zhMAoLWA
iL+eOJFIP1bnmscimrrtQ875
=fbgS
-----END PGP SIGNATURE-----


-----Original Message-----
From: Edward Sullivan 
Sent: Friday, December 20, 2002 11:09 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Windows Update


http://www.ISAserver.org


UpdateEXPERT v5.1 is my tool of choice for managing updates. I have learned 
from experience that the slow, steady road is the path to reduced downtime and 
headaches when it comes to Microsoft products. From a security perspective, 
MSFT misses the boat a lot of the time, and I do not trust them to manage 
hotfixes for my servers (Windows Update). However, if that is the path you 
choose, then that is your valid preference.

Even if UpdateEXPERT was not available to me, I would STILL take the manual 
approach over WU - that's me. It is critical in my environment to take the 
tried, true, and tested approach to minimize downtime. 

I have emailed Russ to see what his current thoughts on WU are, we'll see what 
he responds with...

Ed Sullivan
Director of Information Services
esullivan@xxxxxxx

KMA Direct Communications
Confidential and Proprietary 



-----Original Message-----
From: Paul E. Robichaux [mailto:paul@xxxxxxxxxxxxx]
Sent: Friday, December 20, 2002 10:45 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Windows Update


This article is from April of this year, which means it totally misses the
improvements in WU, the release of the Software Update Service, and the new
version (1.1) of MBSA-- which does in fact check Exchange and WMP. Russ gets
a lot of play out of being contrarian, and most of his arguments were true at
the time. Things have changed, though, and they'll be changing again. MS is
spending heavily on fixing this and other security management problems, and
if you choose not to use the tools they make available, you're only hurting
your own security (or spending a lot of needless time doing stuff manually). 

> -----Original Message-----
> From: Edward Sullivan [mailto:esullivan@xxxxxxx] 
> Sent: Friday, December 20, 2002 11:18 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Windows Update
> 
> 
> This article addresses more of the concerns. Windows Update 
> is intended for use for consumer products, and not for 
> production data center environments. To quote an industry expert:
> 
> http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0053.html
> 
> "So in the end, I have to agree with Susan Bradley's basic 
> premise, don't use Windows Update. I vehemently disagree with 
> her that we should treat it as v1.0, it's been around long 
> enough and MS have had ample opportunities to fix it, it 
> should be robust, accurate, and incredibly reliable given how 
> important it is. I also wouldn't agree that it can be used on 
> systems other than servers, it's as unreliable on workstations 
> as it is on anything else."
> 
> Cheers, 
> Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor 
> 
> -----Original Message-----
> From: Rupert Wood [mailto:me@xxxxxxxxx]
> Sent: Friday, December 20, 2002 10:05 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Windows Update
> 
> 
> Edward Sullivan wrote:
> 
> > There are big problems using Windows Update on production
> > servers. I would recommend that you instead download the 
> > appropriate hotfixes and service packs individually, and apply them.
> > 
> > Reference this thread for more info on why Windows Update on
> > servers is bad news.
> > 
> > http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0054.html
> 
> I only have time to skim that, but I read it as
> 
>     "Windows Update isn't good enough - MS should provide us
>      with something better."
> 
> and his only criticism was that you have to manually check 
> that the patches it applies cover all the security bulletins. 
> There were no follow-ups to it.
> 
> Is that it, or have I missed something? He didn't convince me 
> of any reason not to use WU or MS's other free tools - you 
> just have to be aware of their limits.
> 
> Rup.
> 
> 
> List Sponsored by Aspelle
> Aspelle's Microsoft-centric, Aspelle Everywhere, leverages 
> ISA server and the Internet to quickly and cost-effectively 
> manage and deliver secure, client-less access to all 
> corporate applications (Web, Unix, Windows and legacy 
> systems), for all users. More info at http://www.aspelle.com/info
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Exchange Server Resource Site: http://www.msexchange.org/ 
> Windows Security Resource Site: 
> http://www.windowsecurity.com/ Windows 2000/NT > Fax Solutions: 
> http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion 
> List as: esullivan@xxxxxxx To unsubscribe send a blank email 
> to $subst('Email.Unsub')
> 
> 

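Russ's central complaint in the forwarded message is that WU and SUS give the administrator no way to verify whether systems have actually applied the patches, and that MBSA names patches differently from WU, so the two cannot easily be correlated. The following is an added example, not code from anyone in this thread, of a verification step that does not depend on the deployment mechanism: it asks each server which hotfixes are registered and reports the required ones that are missing or the hosts that could not be queried. It uses PowerShell's Get-HotFix, which postdates this 2002 thread (it reads the same Win32_QuickFixEngineering WMI data an era-appropriate script or HFNetChk would have used); the server names and KB identifiers below are constructed placeholders.

```powershell
# Added example: verify required hotfixes are present on each server,
# independently of whether WU, SUS, a third-party tool or a manual install put them there.
# Assumptions: $RequiredKBs and $Servers are constructed placeholders; the account
# running this has remote WMI access to the listed hosts.

$RequiredKBs = @('KB000001', 'KB000002')   # placeholder IDs, replace with the KBs your bulletins require
$Servers     = @('SRV01', 'SRV02')          # placeholder host names

$report = foreach ($server in $Servers) {
    try {
        # Get-HotFix queries Win32_QuickFixEngineering on the remote host.
        $installed = Get-HotFix -ComputerName $server -ErrorAction Stop |
                     Select-Object -ExpandProperty HotFixID
    } catch {
        # A host that cannot be queried is a finding, not a pass.
        [pscustomobject]@{
            Server  = $server
            Status  = 'UNREACHABLE'
            Missing = ''
            Error   = $_.Exception.Message
        }
        continue
    }

    # Required IDs that do not appear in the host's registered hotfix list.
    $missing = @($RequiredKBs | Where-Object { $installed -notcontains $_ })

    [pscustomobject]@{
        Server  = $server
        Status  = if ($missing.Count -gt 0) { 'MISSING' } else { 'OK' }
        Missing = ($missing -join ',')
        Error   = ''
    }
}

$report | Format-Table -AutoSize

# Exit non-zero if any host is missing a patch or was unreachable,
# so the check can gate a change window or a scheduled job.
if (@($report | Where-Object { $_.Status -ne 'OK' }).Count -gt 0) { exit 1 }
```

Two caveats apply when reading the output. A hotfix that has been superseded by a later rollup or service pack may not be registered under the original KB ID, so the required list has to be kept current against the bulletins rather than frozen. And this only proves the update registered itself; it does not prove the patched binaries are the ones running, so a reboot-pending check or a file-version comparison is still needed for anything that replaces in-use system files.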