Re: Windows Server 2003

[Jimi Thompson <jimit () myrealbox com>]

The trick for Windows 2003 is that is there are already 5 updates.  4 
have to do with being able to run the code of the attackers choice 
and last one has to do with inadvertently releasing sensitive 
information.   I don't know if they are classified as "critical" by 
Microsoft, but I would certainly considering being able to execute 
arbitrary code as such.  I know that many of the "remote control" 
exploit patches are NOT classified as "critical" for Windows XP and 
2000.  I don't know about anyone else, but having someone seize 
control of my gear for their own nefarious purposes is pretty darn 
critical to me.   My point with this is that I would read the 
descriptions of the hot fixes carefully and determine if they are 
critical to YOU or not.   I don't think that you should depend on 
Microsoft's definition of "critical".

Automatic Update exists because people are ignorant. I work at a 
University in the business school.  We deal with PMBA's 
(professional) and EMBA's (executives who have to be sponsored by 
their employer), many of whom are studying to get an MIS degree.  I 
generally speak to the incoming classes in batches of about 200 
students.  Out of the 200 at each orientation, there are maybe 10 who 
know what Windows Update is.  Out of that 10, maybe 2 of them have 
actually run it within the last month.  The other 190 of them have 
never run Windows Update and have no idea that such a thing exists.

If, you as a skilled system administrator, want to turn Auto Update 
off, you can do so.  You have both the knowledge to do so as well as 
the experience to know what you are getting in to.   For the other 
99% of the population of Planet Earth, they need it because they 
don't have a clue about updates.  They aren't IT people.  I don't 
know much about what the rest of them do for a living, so I'm not 
slighting anyone merely pointing out an obvious and often overlooked 
fact.  I think that Microsoft is trying to make a difficult and 
complicated task as simple and transparent as possible for the 
average shmoe.

2 cents,

Jimi
At 9:16 PM +0700 9/11/03, Hendra Santosa wrote:
> For me, applying all of the patches automatically can sometimes make a new
> problem. Some machines with Windows XP and automatic updates turn the
> machines to be slower and fail on some applications. I have to uninstall the
> HotFixes, but it turns the machines to be unsecure again.
> That's why I only enforce to use critical patches only and turn off the
> automatic update on Windows 2003 server. Any problem on Windows 2003
> automatic update so far? If automatic update can create a problem, why
> should there still be? Or why the vendor doesn't just turn it off by
> default? :) (availability can't be separated from secure systems)
>
> regards,
>
> cyhss


---------------------------------------------------------------------------
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
- Precisely Define and Implement Network Security 
- Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------