> Well just because windows tells you something, doesn't mean
> you have to trust it. I know that patches are probably not 100%
> installed if you don't reboot, but a lot of times microsoft
> likes you to reboot for no good reason. Simply because they
> don't 'trust' most windows users to follow directions properly.
> For example, if a patch updates something in IIS, it might be
> enough to just restart the WWW Publishing service, but the
> patch won't do that for you, and will instead ask you to reboot.

Well, actually, no - when a patch requires a reboot, it's almost always for a very specific reason. It's because files are locked by the OS, and can't be replaced until the system reboots. There's a nifty utility on sysinternals.com that will show you when files are marked for rewriting after a reboot. Microsoft doesn't "like" you to do anything - they've received enough complaints from sysadmins that they've gone to pretty decent lengths to avoid reboots after patches when they can.

> If Apache needed to be updated, whether linux or windows, all
> that would be needed is to restart the apache service.

Unlike IIS, Apache is completely separate from the OS. IIS is integrated pretty tightly into the OS, especially in Windows Server 2003.

> I know there are automated patching solutions, including the
> one straight from microsoft which lets you automatically install
> patches and reboot the pc at a certain time every night (if
> patches are available). I'm just not to a point where I trust
> microsoft enough not to mess up to enable that on my server.

Good for you! Neither am I. However, again, I don't care for automatic installation of patches anyway, since I'd rather not install patches I don't need. Again, with proper initial configuration, you can often avoid installing Windows patches, because they patch things you've already disabled or removed.

> I'm not an expert to the point where I know exactly which services
> are needed and which ones are not. Perhaps it's because I never
> found a good reference for that.

Perhaps, but you claimed to be an experienced Windows sysadmin. Knowing what services do, and which you need and don't need, is part of being a competent Windows sysadmin.

> But windows, by design, does not encourage good security practices.

I think you're right, there, but it's not that difficult to adopt good security practices for Windows if you care to.
> You have to study security in some fashion to even know that
> the way services are installed on windows by default is not
> secure. You have to know that you need to create a user account
> for a program and then have that program's service set up to
> run under that account instead of local system. On linux,
> this is part of the core OS. There is no such thing as local
> system, and every program runs as some user. And most people
> know that you shouldn't run services as root, and instead
> create user accounts for it. So even if you're just poking
> around for the first time, it's more likely that you will set
> up a program more securely on linux than you would on windows.

All of this is common knowledge to any competent sysadmin. If you're just poking around for the first time, you probably shouldn't be configuring servers for an untrusted network.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!
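
Added example, not part of the original message: a PowerShell check for the file replacements that a patch has queued for the next reboot, which is the condition the reply describes. It assumes the queue is the `PendingFileRenameOperations` value under the Session Manager registry key (not named in the message); the function names and sample paths are constructed for illustration.

```powershell
# Entries in the queue come in pairs: a source path, then a destination.
# An empty destination means "delete the source at boot"; a leading '!'
# on the destination means "replace an existing file".
function ConvertFrom-PendingRename {
    param([string[]]$Entries = @())
    for ($i = 0; $i -lt $Entries.Count; $i += 2) {
        $src = $Entries[$i]
        if ([string]::IsNullOrEmpty($src)) { continue }   # skip padding
        $dst = if ($i + 1 -lt $Entries.Count) { $Entries[$i + 1] } else { '' }
        $action = if ($dst -eq '') { 'Delete' }
                  elseif ($dst.StartsWith('!')) { 'Replace' }
                  else { 'Rename' }
        [pscustomobject]@{
            Action      = $action
            # Strip the NT object-namespace prefix \??\ for readability.
            Source      = $src -replace '^\\\?\?\\', ''
            Destination = $dst.TrimStart('!') -replace '^\\\?\?\\', ''
        }
    }
}

# Read the live queue (assumed registry location, see lead-in).
function Get-PendingRename {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $item = Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
                -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }   # value absent: nothing is queued
    ConvertFrom-PendingRename -Entries $item.PendingFileRenameOperations
}

# Constructed sample data, so the parser can be tried on any machine.
$sample = @(
    '\??\C:\Windows\Temp\upd1234.tmp', '!\??\C:\Windows\System32\example.dll',
    '\??\C:\Windows\Temp\old5678.tmp', ''
)
ConvertFrom-PendingRename -Entries $sample | Format-Table -AutoSize

# On a patched server, an empty result here means no replacement is waiting.
Get-PendingRename | Format-Table -AutoSize
```

A non-empty result after patching means the old binaries are still the ones loaded in memory, so restarting a single service does not complete the update.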

