Well just because windows tells you something, doesn't mean you have to trust it. I know that patches are probably not 100% installed if you don't reboot, but a lot of times microsoft likes you to reboot for no good reason. Simply because they don't 'trust' most windows users to follow directions properly. For example, if a patch updates something in IIS, it might be enough to just restart the WWW Publishing service, but the patch won't do that for you, and will instead ask you to reboot. If Apache needed to be updated, whether linux or windows, all that would be needed is to restart the apache service.
I know there are automated patching solutions, including the one straight from microsoft which lets you automatically install patches and reboot the pc at a certain time every night (if patches are available). I'm just not at a point where I trust microsoft enough not to mess up, to enable that on my server.

I'm not an expert to the point where I know exactly which services are needed and which ones are not. Perhaps it's because I never found a good reference for that. I have used the NSA templates in the past to lock down the servers, but so far I've found them to be a bit problematic from a compatibility standpoint. And since server management is only a small part of my current job, I don't have time to troubleshoot the problems it will cause. I would appreciate a good reference though to what services can be disabled while not affecting the accessibility of a web server machine.

I'm not saying that windows cannot be adequately secure. But windows, by design, does not encourage good security practices. You have to study security in some fashion to even know that the way services are installed on windows by default is not secure. You have to know that you need to create a user account for a program and then have that program's service set up to run under that account instead of local system. On linux, this is part of the core OS. There is no such thing as local system, and every program runs as some user. And most people know that you shouldn't run services as root, and instead create user accounts for it. So even if you're just poking around for the first time, it's more likely that you will set up a program more securely on linux than you would on windows.

Russ

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 24, 2005 9:07 PM
To: CF-Talk
Subject: RE: CF Hosting

> We do have an experienced windows sysadmin... Namely me...

OK.
Don't take this personally, but you're the same person who said you didn't know whether patches were applied, right? You don't know about automated patching solutions? You don't know what services can or can't be turned off on a production Windows web application server?

> The point is that Linux doesn't require a reboot when it gets updates,
> only windows does. This is due to the fact that windows updates patch
> core windows components, things that shouldn't have problems in the
> first place. Windows inherently has problems.

Every complex system inherently has problems. Again, most Windows patches do not require reboots. Windows patches sometimes affect core OS components, as do Linux patches. Of course, what's a core OS component anyway? On Windows, IIS is considered a "core OS component" and of course if you're using it, you'll be concerned that it's adequately secure. But many, many Windows patches affect end-user applications like IE. Are you using IE from your server console to browse the internet? Again, proper system configuration beforehand can help you avoid most of these problems. Most available Windows patches are not needed in a properly configured production web application server environment.

> Even a well configured Windows system can be taken down, due to the
> fact that a lot of problems exist in the core windows components,
> things that cannot be disabled.

A well-configured system, running any mainstream OS, on an untrusted network, can be "taken down" if it does anything useful on that network. But any competent Windows system administrator can reduce the probability of being vulnerable to automated attacks to near zero. Although it's a little dated, you might find the O'Reilly book "Securing Windows NT/2000 Servers for the Internet" (http://www.oreilly.com/catalog/securwinserv/) useful.

Again, I don't want you to take this as a personal attack, because it's not. But I'm a bit irked when people say over and over again that Windows servers can't be adequately secured, because they can. And it's just not that difficult to do, either.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:225217
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
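The two concrete points in this exchange, Russ's (a service should run under its own user account rather than LocalSystem, and restarting the affected service is usually enough instead of a reboot) and Dave's (a competent admin knows which services run and can check them), can be put into one script. The PowerShell below is an added example written for this page; it is not code from either poster. It audits which automatic-start, non-Windows services still run as LocalSystem, then moves one of them to a dedicated local account and restarts it. The service name `MyWebApp` and the account name `svc_mywebapp` are placeholders, and it assumes an elevated PowerShell 5.1 or later session on the server itself.

```powershell
# Added example (not from the thread): find third-party services running as
# LocalSystem, then re-home one of them to a dedicated least-privilege account.
# Assumptions: elevated PowerShell 5.1+ on the server; 'MyWebApp' and
# 'svc_mywebapp' are placeholder names, not real services or accounts.

# 1. Audit. Automatic-start services whose binary lives outside %SystemRoot%
#    and which still run as LocalSystem. Built-in Windows components are
#    filtered out so what remains is the third-party software worth re-homing.
function Get-LocalSystemThirdPartyServices {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartName -eq 'LocalSystem' -and
            $_.StartMode -eq 'Auto' -and
            $_.PathName -notlike "$env:SystemRoot\*" -and
            $_.PathName -notlike "`"$env:SystemRoot\*"   # quoted paths
        } |
        Select-Object Name, DisplayName, StartMode, State, StartName, PathName
}

Get-LocalSystemThirdPartyServices | Format-Table -AutoSize

# 2. Create a dedicated local account for one service. The password is
#    random, never expires, and is never typed by a person, so it does not
#    need to be memorable.
$svcName  = 'MyWebApp'        # placeholder service name
$userName = 'svc_mywebapp'    # placeholder account name

$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain  = [Convert]::ToBase64String($bytes)
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

if (-not (Get-LocalUser -Name $userName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $userName -Password $secure `
        -PasswordNeverExpires -UserMayNotChangePassword `
        -Description "Service account for $svcName" | Out-Null
}

# 3. Point the service at that account via the Win32_Service Change method
#    (the Service Control Manager grants the account the "Log on as a
#    service" right when the logon account is changed this way).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'"
if (-not $svc) { throw "Service '$svcName' not found" }

$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = ".\$userName"
    StartPassword = $plain
}
if ($result.ReturnValue -ne 0) {
    throw "Change failed, Win32_Service return code $($result.ReturnValue)"
}

# 4. A service restart, not a reboot, is what makes the new identity take
#    effect. (For Russ's IIS example the equivalent is Restart-Service W3SVC.)
Restart-Service -Name $svcName

# 5. Confirm the service now runs under the dedicated account.
Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'" |
    Select-Object Name, StartName, State
```

Before step 3 the new account needs read (and, where the application writes, modify) NTFS permissions on the program's own directory and any data it touches; a service that ran as LocalSystem never needed an ACL entry, so this is the step that usually breaks on the first try. Where the program does not need a full user, Windows also ships the lower-privilege built-in identities `NT AUTHORITY\LocalService` and `NT AUTHORITY\NetworkService`, which can be set with the same `Change` call and need no password.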

