Full Disclosure mailing list archives

Re: SQL Server patch - why doesn't Windows update help?


From: Darren Reed <avalon () coombs anu edu au>
Date: Fri, 31 Jan 2003 09:22:40 +1100 (Australia/ACT)

Windows Update does not cover SQL Server. You need to use the Microsoft
Baseline Security Analyzer if you are looking for an automated method
in this case. MBSA handles a few things that WU does not, for instance
SQL Server, and Exchange. Admins sometimes become complacent, thinking
that "I run Windows Update and so now I'm secure". WU helps, but is only
a piece of the Windows patching pie. MBSA is useful, although I've found
that it misreports a variety of items, so you still have to be vigilant.

Well, I downloaded MBSA and from the start it did not make a good
impression.  I asked the installer not to put an icon on the desktop
and what does it do?  Put an icon on the desktop.

As for running it, did it help?  No.

I got "Could not perform the security update scan." as a result for the
"Security Update Scan Results" for "Windows Security Updates",
"SQL Server Security Updates", "Windows Media Player Security Updates"
and "Exchange Server Security Updates".  IIS it realised wasn't installed
but why wasn't it intelligent enough to work out Exchange wasn't either?

Having said that, it did do an SQL server scan but failed to say that
the patch was missing, only that a bunch of SQL server settings were
problematic.  Does this mean I have installed the patch but in stealth
mode where "Add/Remove Programs" doesn't show it?

It also didn't like the idea of me defining my own security zones and
using them (Custom) in preference to High, etc. mmm, Higher security.

Darren
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

