Chat directly with me if you want. Go to my
Chat page to find a web messenger!
First of all, before I really start, I hope that you all had a great start in 2009. Mine was actually pretty mixed. The good side was, how my year really started and what I saw when I looked out the window at January 1st (yes, I was on vacation skiing and this was how the view was almost each and every morning):
But honestly, this is not the only reason, why I wrote this post. There is another one which is much, much more serious:
Unfortunately there are still plenty of customers playing Russian Roulette with their network. This term was actually used by one of our security engineers – who was kind of upset to say the least – who had to work December 31st and January 1st because of customers still not having rolled out MS08-067 – and not just one! We ran to our limits with regards to support capacity in EMEA.
Just to remind you: This is the Out of Band security update we released back on October 23rd and which then was pretty soon attacked by Conficker.A. But it seems that a lot of customer did not care back then – they were not attacked, so why bother? In the last days of 2008 Conficker.B broke out and even though it was not spread too widely, the customers who were hit (or still are hit) are hit very, very badly. Account Lockouts all over the place, admin passwords that were grabbed (often the Domain Admins) etc – and we had some really upset engineers as they had to work instead of having off because some customers were not up to their duty (and this is what it is for me!).
And this is not the end of the story:
Let me add a final comment: The story above is not a Microsoft-only story. The same processes and technologies around patch management have to be applied to each and every component of your environment. Back after the Blaster times, we start to tell the consumer to apply three things to their PC to protect it:
Guess what: If you would have applied 2 and 3 to your network, you would not have been hit by this problem.
The potential risk of Securitycritical Softwareupdate
on Mission Critical Systems is only a Question about how
carefully a Programmer has done its Job.
Honestly, Microsoft Developers are not intrested producing
robust Software, they are allways intrested to get the Job done,
verry quick, verry diry.
Use FreeBSD or Solaris if you want a solid and proven
Enterprise OS and you wil have seriously less Stress.
If you install Windows on your Hardware, then you playing Football with your Network Security!
Server 2008 is more secure. But i hate adding each feature i need afterwards like in stupid Tux. The Concept of MS and succcess was always 1) you install the software, 2) it runs and then you 3) modify to your need.
If people miss out Step 3) because they are too
- have no knowledge
- or some shitty manager want's to cut cost and personal
then well is it MS or the IT-managers?
If MS sells there products if they would need no step 3 (Which costs a lot of money and time) then that's just how it works. The customer wants to be fooled. If you tell them the truth he will buy somewhere else. That's just our stupid society.
Fact was always you run setup.exe and the system runs. You CAN modify it afterwards. That was the key point which made MS so big.
Use Windows Update Server 3.0 (Forget SMS/ENTEO/ALTIRIS/Wininstall for Patch managment). The only company who understands how to chain Hotfixes is MS. Windows Update Server is Free and perfect to 2000+ clients (So thats 80% of you). You need IQ to analyse and chain hotfixes otherwise you unpatch systems by patching them. (All you Logonscript patchers ;-)
Mca** did lousy work on Conficker
February Malware Hotfix from MS and Symant** free .EXE File where the only two products who could remove a Conficker variant end of Febraury 2009. Mcaf** 8.5/8.7 VSE could NOT remove the Virus NORE trace it coming to a client in realtime.
All you (I take a shower once a week) Linux Admins and black glasses MAC Designers:
Mac & Linux, take a look at Secunia at total Leaks per Year or per product and just silence please. If every destop OS would be TUX it would be just the same way.
Oh my Amiga was safe, yes there was a virus from SCA (Swiss cracking As. from Weber/ZH) for it. Oh we will use C64+Speedos in all offices. But every manager want's to use Poewerpoint so?