Security Basics mailing list archives

Re: Best practice for security implementation


From: Jan Reilink <digiover () dsinet org>
Date: Tue, 05 Aug 2003 07:37:21 +0200

[CC's removed]

Jeff wrote:
On Mon, Aug 04, 2003 at 11:44:43PM +0530, D N Vaidya wrote:

[...]
Which tool is best for vulnerability assessment?


See <http://www.insecure.org/tools.html> for Fyodor's/Insecure.org's 'Top 75 Security Tools'.

[...]
I do not use Microsoft, so I cannot comment on their update policy, but
basically anytime a vendor releases a patch you will need to evaluate it
carefully based on what it "fixes" given your computing environment.


We use Windows 2000 Advanced Server as a hosting platform at $WORK and every time a patch is released by Microsoft, we read the security bulletin(s) to see what the patch is for. If it's for something we have installed, we install the patch, but we will never install a patch for (e.g.) Office. Simply because it's not available on our servers.

All patches can be installed remotely, using TSC (Terminal Services Client).

On my own network, I pretty much update immediately whenever Red Hat
releases a patch-- I use 'up2date -u' and it all just works, and I've never
had a problem with their patches.


My home systems are all Debian installs and I read debian-security-announce to keep track of bugs and I install them using dselect and/or apt-get.

Regards, Jan

--
/"\  ASCII Ribbon Campaign
\ /  No HTML in mail or news!
 X
/ \             DSINet: http://www.dsinet.org

