You can make any Operating system secure.

You can make any human being more security aware (truly.. a nice 2×4 upside the head works wonders)

But maintenance.. well…that’s another matter.

In the partner newsgroup was a poster who has installed SP2, hit the networking/VPN issues, uninstalled it, and because she wasn’t on R2, the removal of MMC 3.0 caused issues with the ISA console and just kept hitting one issue after another.  And at the end of the post she wrote “Sorry to be sarcastic but this gets old!”.

On another listserve I’m on, updates that were needing to be installed kept being installed over and over and over again..and one poster responded to the original poster the following…

> Microsoft is obviously fed up with your namby pamby ways and is
> determined to teach you a lesson. I have already had mine in that
> automatic updates keeps telling me about two “important security fixes” in
> particular. Of course, when I attempt to install them, they do not
> install, so I am in an endless loop with these irrittatingly silly daily
> notices. I finally turned it off. Now, of course, Symantec feels duty
> bound to remind me on a daily basis that I am “vulnerable” because
> Microsoft’s automatic updates are turned off. It’s a bloody conspiracy.
> Linux is looking better all the time. Regards,

Now the windows update gurus theorize it’s this: but the person needs practically a Masters or Doctorate degree if they want to truly understand what’s going on with the file at windowsupdate.log.  In fact try it out, I dare ya.   Click start, run, windowsupdate.log (all one word) and let that open in notepad.  Can you tell what that file is telling you?  Some folks can.  Most can’t.

So you know what?  Counting number of vulnerabilities and secure operating system stats don’t mean didly squat if people are still, even today, having a hard time getting their machines patched.

Sorry Ruth, I’m going to quote you here:

Sure we can improve and we are striving to do that every day. Keep criticizing us, keep giving us feedback, keep talking about what could be better. Let’s have constructive discussions that deal with facts and let’s make it easier and better to do business going forward.

No, you have to improve in this particular area.  We’re getting burnt out on dealing with these issues and needing to be rocket scientists to keep Windows update working, getting our boxes to reboot consistently, ensuring Terminal services is working and is bullet proof for remote management and Office patches from not flatlining our networks in the process.  KB927891 works but not always 100%.  Work on that.  Not on counting vulnerabilities.  Because we will have them.  Vista had them in the ANI bug.  We WILL need to patch.  So ensure that when we do, patches are tested for Gail, that the mechanism to debug what is failing is easy for John so he doesn’t have to have me look at his log file to help him, and ensure folks like my fellow SBS MVP Dave … who every time he has a server that won’t reboot properly after patching, tries to get it debugged, in general work on improving that side of the security issue.  Vista is still having issues getting it’s patches and offering up cryptic messages to posters.

Kudos on the numbers.  But don’t forget to ensure that when we need to patch… and we will..that that part works.

(just remember.. there will be a special patch tomorrow)

3 Thoughts on “"Sorry to be sarcastic but this gets old!"

  1. Chris Knight on April 3, 2007 at 8:51 am said:

    Amen! Thanks for writing that! Well balanced, with the point bit aimed at the right spot! 🙂
    I can generally make sense of most of the cryptic error logs that MS pump out to disk, but only if I’ve got the associated MSDN SDK pages open that detail the error messages as well as a good dose of patience and a tight rein on my supply of profanities. I had at one point created a nice macro system in Excel that enabled me to load in a log file and perform global search and replace for the common error mesages which made life simpler.
    I think that the prescriptive guidance approach that MS is taking with products such as Operations Manager and the various BPA utilities (Exchange, ISA, SharePoint, etc) is a step in the right direction. This does need to be pushed down to the Product Managers to ensure that this prescriptive guidance forms part of the design process of the product and also needs to be part of the education process for partners, rather than an afterthought and something a bored coder whips up in a spare hour or ten.
    I think the first and third point of the April Fools day entry for the Exchange blog should be the type of goals that MS aspires to, rather than be points of jest for April Fools.

  2. Lars Nelson on April 3, 2007 at 4:14 pm said:

    Please see my post under the SP2 SBS blog. Same concept and I didn’t even start discussing how many MS Update Clients out there fail.

    At least on the customers where I have WSUS installed I can see the ones that are failing and yes, go through a WORKAROUND to get it back.

    On a SBS2000 install here recently, 9 out of 10 clients who had AU enabled were not working. And the only way to determine this was to run MS Update and check to see the update status.

    Many of these clients wouldn’t even load Microsoft Update. Some would spike the CPU to 100% (svchost) — now there is a patch out that addresses this kb927891.

    Along with other MU oddities (MU won’t work, but I can uninstall it and run WU and OU and these work)

    Don’t get me going again!!! MS just needs to start making product that works darn it. Perhaps stop the new product gravy train for a minute and figure out how to make what you already have sucure and maintainable for crying out loud.


  3. Hi Susan,
    I totally agree that we (Microsoft) have to keep working on not only getting patches out there, but making sure they work and can be applied in an efficient manner. My posting from the Can IT Managers blog that you quote ( isn’t to downplay the importance of this or to trivialize the frustration of IT admins who have to apply patches and troubleshoot when things go wrong. It’s just to point out that we are makind progress on producing software that secure by design and when vulnerabilities are found, releasing patches as quickly as possible. Compared to other OS’s we’re not doing badly, although it seems that there are many people that would like nothing better than to convince the public otherwise.

    But the bottom line is that there is much work to be done going forward.


Post Navigation