Firewall Wizards mailing list archives

System Patches, keeping current (was: NT vs Unix on the Internet)


From: Roger Marquis <marquis () roble com>
Date: Wed, 13 May 1998 20:26:14 -0700 (PDT)

On Fri, 8 May 1998, Russ Cooper (Russ.Cooper () rc on ca) wrote:
> The vast majority (say roughly 90%) of all "hacks" of NT that have been
> reported have come about as a result of lack of knowledge on the part of
> the installer/administrator.

This is also due to the security of NT's default configuration.
Certain Unix vendors such as SGI also have this problem.  Whether the
glass is half empty (admins not performing a secure installation and
applying patches) or half full (the OS not implementing security by
default) is perhaps a matter of perspective.

> 3. The number of people who "know" how to secure an NT box against
> "known" exploits are far fewer than their Unix brethren (that's why we
> get paid so much...;-])

This is at least partly due to the closed nature of the NT operating
system itself.  Not only are the administrative resources necessary to
secure an NT box hard to find but the tools and documentation simply
don't exist in many cases.  An example of one such critical tool, one
we rely on, is Sun's patchdiag.  This is a subscription service which
allows sysadmins to download the patch database for their Solaris
version.  The database is updated several times a week and lists the
current revision of all recommended and security patches.  The
patchdiag script flags any patch that's out of date or not installed on
a particular system.  With this information an admin can keep his or
her critical boxes patched with as little effort as running
'installpatch' a few times each month.

Roger Marquis
Roble Systems Consulting
http://www.roble.com/consulting
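
Added example, not part of the original post and not Sun's patchdiag: a sketch of the comparison the message describes, flagging recommended or security patches that are missing or below the current revision. The database layout, the patch IDs and synopses, and the `showrev -p`-style inventory are all constructed for illustration.

```python
import re

# Constructed database (assumed layout, not Sun's format): id|rev|flags|synopsis
PATCH_DB = """\
900001|07|RS|kernel update (constructed)
900002|03|S|sendmail security fix (constructed)
900003|12|R|libc recommended patch (constructed)
900004|02||optional driver patch (constructed)
"""

# Constructed inventory in the style of Solaris `showrev -p` output.
INSTALLED = """\
Patch: 900001-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 900001-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 900003-09 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 900004-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
"""

PATCH_RE = re.compile(r"^Patch:\s+(\d{6})-(\d{2})\b", re.M)

def parse_installed(text):
    """Return {base_id: highest installed revision}."""
    installed = {}
    for m in PATCH_RE.finditer(text):
        base, rev = m.group(1), int(m.group(2))
        installed[base] = max(rev, installed.get(base, -1))
    return installed

def audit(db_text, installed_text):
    """Flag recommended (R) or security (S) patches that are missing or stale."""
    installed = parse_installed(installed_text)
    findings = []
    for line in db_text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue  # skip malformed database lines
        base, current, flags, synopsis = parts[0], int(parts[1]), parts[2], parts[3]
        if not set(flags) & {"R", "S"}:
            continue  # neither recommended nor security: out of scope
        have = installed.get(base)
        if have is None:
            findings.append((base, "NOT INSTALLED", None, current, synopsis))
        elif have < current:
            findings.append((base, "OUT OF DATE", have, current, synopsis))
    return findings

if __name__ == "__main__":
    for finding in audit(PATCH_DB, INSTALLED):
        print(*finding, sep="  ")
```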



