Full Disclosure mailing list archives

RE: Re: Microsoft Security, baby steps ?


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 18 Mar 2004 12:40:08 +1300

"Geo." <geoincidents () getinfo org> wrote:

> It doesn't address the issue. The requirement is that some MS customers need
> to patch without putting the machine on the internet. For whatever reasons.

Absolutely.

Much _worse_ though, is that _FAR TOO FEW_ MS customers actually seem 
to practice something like that.  In a corporate environment I would 
expect to see that as a very widespread requirement (though maybe those 
who do it have most of the small-ish pool of really clueful Windows 
techs who know what a slipstreamed install point is and so on, so 
_they_ do not see any major problems there...).

> Is that such an unreasonable request?

No, it's not, but it may be the case that MS thinks it has such 
requirements pretty well covered.  Perhaps MS should be doing a lot 
more/better work educating its (medium to large) customers how to do 
system design, testing and rollout?  Focussing on patch management (as 
it is somewhat at the moment) kinda assumes that there is a "system" 
worth patching, but if that has not been well-designed from the outset, 
in most cases you are better off re-doing the base OS implementation, 
rolling that out _then_ dealing with patching, which will be much 
better designed into a system spec'ed and implemented today than the 
existing one from several years back (assuming it was ever actually 
"designed" -- Ghost, et al. are cool, but they aren't much as system 
management tools _per se_).


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

