
  Security Tools and Checklists for Managing Microsoft Security
Time: 17:41 EST/22:41 GMT | News Source: ActiveWin.com | Posted By: Robert Stein

Thanks Chad. "Computer security over the Internet is a worldwide concern fundamental to the way we live and do business. To help ensure this security, Microsoft is mobilizing its people and resources in the Microsoft Strategic Technology Protection Program, which integrates products, services, and support."

  Displaying 1 through 25 of 161
#1 By 20 (24.243.41.64) at 1/25/2003 5:44:13 PM
You should download the Microsoft Baseline Security Adviser and/or the HFNetChk utility and schedule it to run once a day.

I've written a VBScript which you can schedule which will take the output of the utility and email it to you so you can see if any new patches have been posted.

I'll be posting the script here soon once I get it tweaked and the glitches removed.

If anyone else has a similar script or utility, please post it ASAP.

Thanks,
daz (Chad)

#2 By 7390 (63.211.44.114) at 1/25/2003 5:47:27 PM
Inept IT dept doesn't routinely check for fixes apply them = blame MS for everything

#3 By 20 (24.243.41.64) at 1/25/2003 5:49:42 PM
The patch for Code Red was out 3 MONTHS (!!) before Code Red first appeared.

What is MS supposed to do if people don't apply patches?

Not make bugs in the first place? LOL. Perhaps you should work for MS if you're so perfect.

#4 By 12071 (203.217.3.203) at 1/25/2003 8:20:33 PM
#3 Are people/businesses supposed to just blindly 'trust' Microsoft with their patches and apply them directly to their production environments? It is possible that the patch has a problem or indirectly causes a problem in another section of the original code.

On a home system you can apply patches the second they come out without too much worrying.
In a small/medium sized company you'd want to do a minimum bit of testing first.
In a large company you'll find that it actually takes quite a while for the patch to be thoroughly tested before they will be applied in production. This isn't their fault for not applying a patch straight away, they cannot take the risk of blindly applying a patch, these patches need to go through a proper test - the actual length of the test depends on the company obviously.

#5 By 2459 (24.170.151.14) at 1/25/2003 8:48:44 PM
#4 Is 6 months not long enough to test? That's how long the patch for the SQL vulnerability has been available.

With the integration and regression testing MS does, I'd be more willing to trust them than any other vendor. You either test the patch and take the risks involved in applying it, or you take the greater risk of having an unpatched system. If you don't want the patch, you shouldn't have a system open on the internet.
This is an Admin problem, not an MS problem.

This post was edited by n4cer on Saturday, January 25, 2003 at 21:03.

#6 By 20 (24.243.41.64) at 1/25/2003 9:29:19 PM
I really don't know how much more MS can do. They provide gobs and gobs of tools. They even have a tool that will detect new patches, download them and install them for you automatically (of course you can configure which patches, and approved lists and things like that).

They have detection tools, analysis tools, prevention tools, easy-to-follow checklists. I mean, short of having an MS employee standing next to every Windows 2000 install, I really don't know how much more they can do for security.

Writing fewer bugs and testing more doesn't seem to be possible. They test a ton and developers will never be perfect.

#7 By 20 (24.243.41.64) at 1/25/2003 9:33:34 PM
BTW, as promised. Here's the VBScript I wrote to automate the mailing.
[EDIT: Damn, all my tabification is lost. If anyone wants the actual file as an email attachment, let me know and I'll email it to you.]

This assumes:

- You have a batch file that runs that calls the HFNetChk or MS Baseline Security Analyzer and creates a file called c:\hfc\lastrun.txt (use the /f switch to output to a file)

- You have IIS installed with the SMTP services loaded (required for CDONTS) and you have it configured properly.

- You have the Windows Scripting Host 5.5 or later installed (comes with IE 5.x and later)

- You have the Scripting.FileSystemObject object available (scrrun.dll has not been disabled)

Please note that I haven't written VBScript in a year or so, so forgive me if my VBScript syntax sucks :)

----------START HERE--------------

Option Explicit

Const ForReading = 1
Const HighImportance = 2
Const FILE_PATH = "c:\hfc"
Const FROM_ADDRESS = "Your Server<Your@Email.com>"
Const TO_ADDRESS = "Email1@your.com; Email2@your.com"

Dim FSO
Dim cdoMail

Set FSO = WScript.CreateObject("Scripting.FileSystemObject")

' First, ensure that the HFNetChk file exists before we waste any more time
If FSO.FileExists(FILE_PATH & "\lastrun.txt") Then
    Dim file
    Dim fileContents

    ' Read the whole scan report into memory
    Set file = FSO.OpenTextFile(FILE_PATH & "\lastrun.txt", ForReading)
    fileContents = file.ReadAll()
    file.Close
    Set file = Nothing

    ' Mail the report through the local IIS SMTP service via CDONTS
    Set cdoMail = WScript.CreateObject("CDONTS.NewMail")
    cdoMail.From = FROM_ADDRESS
    cdoMail.To = TO_ADDRESS
    cdoMail.Subject = "Last HFNetChk Security Scan Results"
    cdoMail.Importance = HighImportance
    cdoMail.Body = fileContents
    cdoMail.Send
    Set cdoMail = Nothing
End If

Set FSO = Nothing

This post was edited by daz on Saturday, January 25, 2003 at 21:34.
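
The script in comment #7 mails the full report on every run. The variant below is an added example, not part of daz's post: it mails only the report lines that were absent from the previous run, then saves the current report as the new baseline. The baseline file name prevrun.txt and the line-by-line comparison are assumptions; the layout of the HFNetChk report is not parsed.

```vbscript
Option Explicit

' Added example, not from the original post. PREV_FILE is a hypothetical
' baseline file; report lines are compared as opaque text, not parsed.
Const ForReading = 1
Const HighImportance = 2
Const FILE_PATH = "c:\hfc"
Const CUR_FILE = "lastrun.txt"    ' written by the scheduled scan (as in the post)
Const PREV_FILE = "prevrun.txt"   ' assumption: copy of the previous report
Const FROM_ADDRESS = "Your Server<Your@Email.com>"
Const TO_ADDRESS = "Email1@your.com; Email2@your.com"

Dim FSO, curPath, prevPath, prevSet, curSet, line, newLines, cdoMail
Set FSO = WScript.CreateObject("Scripting.FileSystemObject")
curPath = FILE_PATH & "\" & CUR_FILE
prevPath = FILE_PATH & "\" & PREV_FILE

If FSO.FileExists(curPath) Then
    ' A missing baseline yields an empty set, so on the first run
    ' every line of the current report counts as new.
    Set prevSet = ReadLines(prevPath)
    Set curSet = ReadLines(curPath)

    newLines = ""
    For Each line In curSet.Keys
        If Not prevSet.Exists(line) Then newLines = newLines & line & vbCrLf
    Next

    ' Send mail only when the scan reported something it did not report before
    If Len(newLines) > 0 Then
        Set cdoMail = WScript.CreateObject("CDONTS.NewMail")
        cdoMail.From = FROM_ADDRESS
        cdoMail.To = TO_ADDRESS
        cdoMail.Subject = "HFNetChk: new lines since last scan"
        cdoMail.Importance = HighImportance
        cdoMail.Body = newLines
        cdoMail.Send
        Set cdoMail = Nothing
    End If

    ' Reached only if the mail step did not raise an error, so a failed
    ' send leaves the old baseline and the same lines are retried next run.
    FSO.CopyFile curPath, prevPath, True
End If

Set FSO = Nothing

' Returns a Dictionary keyed by each non-blank, trimmed line of the file
' (case-insensitive); returns an empty Dictionary if the file is absent.
Function ReadLines(path)
    Dim dict, f, text
    Set dict = CreateObject("Scripting.Dictionary")
    dict.CompareMode = vbTextCompare
    If FSO.FileExists(path) Then
        Set f = FSO.OpenTextFile(path, ForReading)
        Do Until f.AtEndOfStream
            text = Trim(f.ReadLine)
            If Len(text) > 0 Then dict(text) = True
        Loop
        f.Close
    End If
    Set ReadLines = dict
End Function
```

If the report contains a line that changes on every run, such as a scan timestamp, that line will always register as new and should be filtered out before the comparison.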

#8 By 135 (208.50.206.187) at 1/25/2003 11:38:03 PM
"I really don't know how much more MS can do."

Well in the case of SQL Server and MSDE they could do two things:

#1. Make these patches easier to install... rather than telling us to do everything manually.

#2. Start supplying MSDE with a GUI administrative interface. Ought to at least be able to change the password without going out to DOS, sheesh.

#9 By 20 (24.243.41.64) at 1/25/2003 11:57:44 PM
Yeah. They could do that. There is a tiny bit of room for improvement.

Step back and look at all the other patching mechanisms for a second.

MS could show up at your door, walk in, install the patch, configure and tweak your server to get 100% better performance, all for free. At the end, you guys would begin to complain about the cost of MS software.

This post was edited by daz on Saturday, January 25, 2003 at 23:58.

#10 By 135 (208.50.206.187) at 1/26/2003 2:07:13 AM
"MS could show up at your door, walk in, install the patch, configure and tweak your server to get 100% better performance, all for free. At the end, you guys would begin to complain about the cost of MS software."

Or we could not use hyperbole in discussions. At the end, people might actually consider this an intelligent conversation.

Think about it.

#11 By 12071 (203.217.0.139) at 1/26/2003 7:24:34 AM
#6 Completely depends on the organisation at hand. However I would say that just about all of them should have been able to test the patch within the 6 months. So in this case, there isn't a lot to be said for those organisations that did not apply the patch.

But what about the next time something like this happens and let's say the patch has only been out a couple of weeks? That is definitely not enough time to test out the patch!

The amount of integration and regression testing is nice to know but it in no way removes any potential risks from the patches they provide. i.e. It's great that they go to all the effort of testing that they do but no responsible company will simply apply a patch without testing it out properly on their own systems first. After all, if Microsoft thoroughly tested in the first place there may not have been a need for this patch!

But yes you're right, you shouldn't have your SQL server open to the internet, at the absolute minimum you should have it behind a firewall so that only trusted servers can access it, so this is very much an admin issue.

#12 By 2459 (24.170.151.14) at 1/26/2003 5:57:41 PM
After all, if Microsoft thoroughly tested in the first place there may not have been a need for this patch!

I have to disagree with this statement. MS isn't the only company to ship code with buffer overruns and other bugs. No amount of testing is going to find every bug in a large project such as SQL or Windows. Apple, and the OSS groups can't even claim to ship completely bug-free products. And, in the case of OSS, you don't even get integration/regression testing for patches. But, had this been a *n*x issue, the admin would have been blamed, end of story.

But what about the next time something like this happens and let's say the patch has only been out a couple of weeks? That is definitely not enough time to test out the patch!

True, but this is no different for any other piece of software. Plus, again, you have to weigh the risks based on the severity of the exploit the patch fixes. Most people can stay safe while taking the time needed to test the patch simply by using the most basic security measures of having a firewall with a minimal amount of open ports, and a virus scanner that is kept up to date. Most mission-critical systems really shouldn't be open to the internet in the first place. If there is a credible need for this, then there should be backup systems in place. Your data is only as secure as the box it's running on. Given the choice, I'd much rather risk a patch, than risk having my data/systems open to crackers or kiddies. What's worse, downtime from a patch, or downtime, bandwidth costs, possible data loss/theft, denial of service, and a larger number of affected systems due to an exploit? In this case, other actions besides patching could have helped, like closing the affected port.
