You can make any Operating system secure.
You can make any human being more security aware (truly.. a nice 2×4 upside the head works wonders)
But maintenance.. well…that’s another matter.
In the partner newsgroup was a poster who has installed SP2, hit the networking/VPN issues, uninstalled it, and because she wasn’t on R2, the removal of MMC 3.0 caused issues with the ISA console and just kept hitting one issue after another. And at the end of the post she wrote “Sorry to be sarcastic but this gets old!”.
On another listserve I’m on, updates that were needing to be installed kept being installed over and over and over again..and one poster responded to the original poster the following…
> Microsoft is obviously fed up with your namby pamby ways and is
> determined to teach you a lesson. I have already had mine in that
> automatic updates keeps telling me about two “important security fixes” in
> particular. Of course, when I attempt to install them, they do not
> install, so I am in an endless loop with these irrittatingly silly daily
> notices. I finally turned it off. Now, of course, Symantec feels duty
> bound to remind me on a daily basis that I am “vulnerable” because
> Microsoft’s automatic updates are turned off. It’s a bloody conspiracy.
> Linux is looking better all the time. Regards,
Now the windows update gurus theorize it’s this: http://mowgreen.castlecops.com/archives/2007/01/fix_kb927978_and_kb925672_repe.html but the person needs practically a Masters or Doctorate degree if they want to truly understand what’s going on with the file at windowsupdate.log. In fact try it out, I dare ya. Click start, run, windowsupdate.log (all one word) and let that open in notepad. Can you tell what that file is telling you? Some folks can. Most can’t.
So you know what? Counting number of vulnerabilities and secure operating system stats don’t mean didly squat if people are still, even today, having a hard time getting their machines patched.
Sorry Ruth, I’m going to quote you here:
Sure we can improve and we are striving to do that every day. Keep criticizing us, keep giving us feedback, keep talking about what could be better. Let’s have constructive discussions that deal with facts and let’s make it easier and better to do business going forward.
No, you have to improve in this particular area. We’re getting burnt out on dealing with these issues and needing to be rocket scientists to keep Windows update working, getting our boxes to reboot consistently, ensuring Terminal services is working and is bullet proof for remote management and Office patches from not flatlining our networks in the process. KB927891 works but not always 100%. Work on that. Not on counting vulnerabilities. Because we will have them. Vista had them in the ANI bug. We WILL need to patch. So ensure that when we do, patches are tested for Gail, that the mechanism to debug what is failing is easy for John so he doesn’t have to have me look at his log file to help him, and ensure folks like my fellow SBS MVP Dave … who every time he has a server that won’t reboot properly after patching, tries to get it debugged, in general work on improving that side of the security issue. Vista is still having issues getting it’s patches and offering up cryptic messages to posters.
Kudos on the numbers. But don’t forget to ensure that when we need to patch… and we will..that that part works.
(just remember.. there will be a special patch tomorrow)