> Well, just because Windows tells you something doesn't mean
> you have to trust it. I know that patches are probably not 100%
> installed if you don't reboot, but a lot of times Microsoft
> likes you to reboot for no good reason. Simply because they
> don't 'trust' most Windows users to follow directions properly.
> For example, if a patch updates something in IIS, it might be
> enough to just restart the WWW Publishing service, but the
> patch won't do that for you, and will instead ask you to reboot.

Well, actually, no - when a patch requires a reboot, it's almost always for
a very specific reason. It's because files are locked by the OS, and can't
be replaced until the system reboots. There's a nifty utility on
sysinternals.com that will show you when files are marked for rewriting
after a reboot. Microsoft doesn't "like" you to do anything - they've
received enough complaints from sysadmins that they've gone to pretty decent
lengths to avoid reboots after patches when they can.

> If Apache needed to be updated, whether Linux or Windows, all
> that would be needed is to restart the Apache service.

Unlike IIS, Apache is completely separate from the OS. IIS is integrated
pretty tightly into the OS, especially in Windows Server 2003.

> I know there are automated patching solutions, including the
> one straight from Microsoft which lets you automatically install
> patches and reboot the PC at a certain time every night (if
> patches are available). I'm just not to a point where I trust
> Microsoft enough not to mess up to enable that on my server.

Good for you! Neither am I. However, again, I don't care for automatic
installation of patches anyway, since I'd rather not install patches I don't
need. Again, with proper initial configuration, you can often avoid
installing Windows patches, because they patch things you've already
disabled or removed.

> I'm not an expert to the point where I know exactly which services
> are needed and which ones are not. Perhaps it's because I never 
> found a good reference for that.

Perhaps, but you claimed to be an experienced Windows sysadmin. Knowing what
services do, and which you need and don't need, is part of being a competent
Windows sysadmin.

> But Windows, by design, does not encourage good security practices.

I think you're right, there, but it's not that difficult to adopt good
security practices for Windows if you care to.

> You have to study security in some fashion to even know that
> the way services are installed on Windows by default is not
> secure. You have to know that you need to create a user account
> for a program and then have that program's service set up to
> run under that account instead of Local System. On Linux,
> this is part of the core OS. There is no such thing as Local
> System, and every program runs as some user. And most people
> know that you shouldn't run services as root, and instead
> create user accounts for it. So even if you're just poking
> around for the first time, it's more likely that you will set
> up a program more securely on Linux than you would on Windows.

All of this is common knowledge to any competent sysadmin. If you're just
poking around for the first time, you probably shouldn't be configuring
servers for an untrusted network.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized 
instruction at our training centers in Washington DC, Atlanta, 
Chicago, Baltimore, Northern Virginia, or on-site at your location. 
Visit http://training.figleaf.com/ for more information!
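The two mechanisms argued about in this exchange can both be inspected directly on a Windows host. The following is an added example, not code from the thread or from Dave Watts, written in modern PowerShell (which did not exist when this message was posted; on Windows Server 2003 the same registry values could be read with regedit or reg.exe). It assumes the documented registry locations: PendingFileRenameOperations under Session Manager, which is the list of in-use files an installer has queued for replacement at next boot (the same data the Sysinternals tool mentioned above reads), and the Windows Update RebootRequired key. The third function lists automatic-start services still running as LocalSystem, the default the quoted poster complains about; the fourth shows how to move one onto a dedicated account. Service and account names in the usage lines are placeholders.

```powershell
# Added example (not part of the original message). Requires PowerShell 3+;
# read the registry/WMI as administrator to see every service.

# 1. Files Windows cannot replace while running. An installer that hits a
#    locked binary calls MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT), which
#    appends a source/destination pair to this REG_MULTI_SZ value. Non-empty
#    output here means the reboot request is for a concrete reason.
function Get-PendingFileRenames {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $value = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
                -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $value) { return @() }
    # Entries alternate source, destination; an empty destination means delete.
    for ($i = 0; $i -lt $value.Count; $i += 2) {
        [pscustomobject]@{
            Source      = $value[$i] -replace '^\\\?\?\\', ''
            Destination = if ($value[$i + 1]) {
                              $value[$i + 1] -replace '^\\\?\?\\', ''
                          } else { '<delete>' }
        }
    }
}

# 2. Windows Update's own "restart needed" marker, set by patches that could
#    not finish in place.
function Test-WindowsUpdateRebootPending {
    Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
}

# 3. Auto-start services still running as LocalSystem. Review this list the
#    way the thread suggests: disable what you do not need, and move
#    third-party services (web apps, agents) onto their own low-privilege
#    accounts. Win32_Service exposes StartName (account) and StartMode.
function Get-LocalSystemAutoServices {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.StartMode -eq 'Auto' } |
        Select-Object Name, DisplayName, State, PathName
}

# 4. Re-point a service at a dedicated local account. sc.exe needs the
#    space after "obj=" and "password="; the account must hold the
#    "Log on as a service" right, and the new account needs NTFS access to
#    the service binary and its data, which LocalSystem never had to be
#    granted explicitly. Restart the service afterwards to pick it up.
function Set-ServiceLogonAccount {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,
        [Parameter(Mandatory)] [string] $Account,     # e.g. '.\svc_myapp'
        [Parameter(Mandatory)] [securestring] $Password
    )
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    & sc.exe config $ServiceName obj= $Account password= $plain | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with $LASTEXITCODE" }
    Restart-Service -Name $ServiceName
}

# Usage (placeholder names):
Get-PendingFileRenames | Format-Table -AutoSize
Test-WindowsUpdateRebootPending
Get-LocalSystemAutoServices | Format-Table -AutoSize
# Set-ServiceLogonAccount -ServiceName 'MyAppSvc' -Account '.\svc_myapp' `
#     -Password (Read-Host -AsSecureString 'Service account password')
```

If Get-PendingFileRenames returns nothing and the RebootRequired key is absent, a lingering "restart required" prompt is not backed by a locked file and the service-restart approach the quoted poster describes is worth trying; if it returns entries under the IIS or system directories, the reboot is doing real work. Note that step 4 still passes the password to sc.exe on its command line, which can be captured by process auditing; on a hardened host prefer a managed service account so no password is handled at all.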


Message: http://www.houseoffusion.com/lists.cfm/link=i:4:225224
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4