Security Basics mailing list archives

Re: Patching internet facing MS systems


From: evilwon () yahoo com
Date: 11 Mar 2008 14:42:01 -0000

Dan,

IMO, I would not allow the machines to join the domain to utilize SMS.  This would just give attackers another 
potential avenue into your corporate network.

If you choose to allow outbound connections to Microsoft, I would still make sure that you manually patch the machines. I have had automatic updates bite me one too many times to allow it to automatically patch & reboot systems for me. I state this with the assumption that these servers are in the DMZ for a reason and you want them to have as much uptime as possible.

While sneaker-net stinks, there are worse possible outcomes.  If you wanted to open up access to Microsoft, what about working with the people who manage the firewalls and only open up outside access to Microsoft during scheduled periods when the patches will be applied?
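The time-boxed firewall opening suggested above, as an added example that is not part of the original post. It assumes a Linux packet filter in front of the DMZ segment, an `ipset` named `ms_update` holding the update endpoints, the DMZ subnet `10.0.1.0/24` and a 02:00 to 04:00 maintenance window; all of these are constructed values, and the script is meant to be run from cron once a minute so that the allow rule exists only inside the window and is torn down again afterwards.

```shell
#!/bin/sh
# Added example: keep an outbound allow rule for Windows Update present only during
# a scheduled patch window. Firewall tool, set name, subnet and window are assumptions.

PATCH_START="02:00"            # window start, local time (constructed)
PATCH_END="04:00"              # window end, exclusive (constructed)
DMZ_NET="10.0.1.0/24"          # DMZ servers being patched (constructed)
MS_SET="ms_update"             # ipset of update endpoints, maintained separately (assumed)

# Convert HH:MM to minutes since midnight; leading zeros are stripped so the
# shell does not treat "08" or "09" as octal.
to_minutes() {
    h=${1%%:*}; m=${1##*:}
    echo $(( ${h#0} * 60 + ${m#0} ))
}

# Return 0 (true) when HH:MM time $1 lies inside [PATCH_START, PATCH_END).
in_patch_window() {
    now=$(to_minutes "$1")
    start=$(to_minutes "$PATCH_START")
    end=$(to_minutes "$PATCH_END")
    [ "$now" -ge "$start" ] && [ "$now" -lt "$end" ]
}

# Decide what the firewall should do right now.
#   $1 = current time HH:MM, $2 = current rule state ("present" or "absent")
# Prints "open", "close" or "noop" so the decision can be tested without iptables.
decide_action() {
    if in_patch_window "$1"; then
        [ "$2" = "present" ] && echo noop || echo open
    else
        [ "$2" = "absent" ] && echo noop || echo close
    fi
}

# The rule itself: outbound HTTPS from the DMZ to the update endpoint set only.
RULE="FORWARD -s $DMZ_NET -m set --match-set $MS_SET dst -p tcp --dport 443 -j ACCEPT"

# Query whether the rule is currently loaded (iptables -C returns 0 if it exists).
rule_state() {
    if iptables -C $RULE 2>/dev/null; then echo present; else echo absent; fi
}

# Apply the decision; also opens/closes the window in the log for later audit.
apply_action() {
    case "$1" in
        open)  iptables -I $RULE && logger -t patchwindow "opened update access for $DMZ_NET" ;;
        close) iptables -D $RULE && logger -t patchwindow "closed update access for $DMZ_NET" ;;
        noop)  : ;;
    esac
}

# Only touch the firewall when explicitly asked (e.g. from the cron entry
#   * * * * * PATCH_WINDOW_APPLY=1 /usr/local/sbin/patchwindow.sh
# ) so sourcing the file for inspection or testing has no side effects.
if [ -n "${PATCH_WINDOW_APPLY:-}" ]; then
    apply_action "$(decide_action "$(date +%H:%M)" "$(rule_state)")"
fi
```

The rule is narrowed to the DMZ subnet and a named set of update endpoints rather than "any outbound to Microsoft", and the state check before each change keeps the cron job idempotent. Keeping the endpoint set current is the hard part in practice, since update hosts are served from CDNs and change over time, which is one reason the post's manual, scheduled approach keeps a human in the loop.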
