Last patch – thank you SBS 2000

On November 19, 2004, in Rants, by

Getting ready to fire up Shavlik HFNetChk Pro to patch my network [yes, even though my brand new baby..um..my new SBS 2003 server is coming in next weekend, I don’t want to slip from my designated patch schedule] and it’s the last time I’ll be patching this server.  It got me to thinking of how far “I’ve“ come in my own journey over the last three years.


Since this will be the last time I patch this server [it’s going to be reincarnated as a 2k3 member server], can I wax a little poetic about how far we’ve come since I put that box into production in July of 2001?


This box was put into production right before a time when worms were still pretty much those red crawly things.  We pretty much thought that our little boxes could stay under the radar of the big guys and their issues.  We weren’t hacked, we weren’t targeted.  We sat here on the sidelines while our big brothers had issues.  Our biggest issues back then were pretty much viruses, or the fact that the boss couldn’t get his AOL email through the ISA firewall.  I still would like to know why so many of my male geek friends who got ILOVEYOU from another guy opened the dang things up.  Ya have to wonder on that one.


July 19, 2001 changed all our notions of security in SBSland.  I still remember Jeff Middleton reviewing the security bulletin that came out in May or June [I forget now] and saying this one was going to be bad.  So we screamed and yelled and jumped up and down in the newsgroup as best we could, and still the Code Red worm came and we were “Road Kill“ out here.  Remember too, that was in the day and age when, if you were a smart admin, you waited until the Service Pack and then you waited some more after that.  I still remember Mal Osborne posting into the newsgroup saying “what rock did you crawl out from under“ when the 33,647th person posted in the newsgroup that their IIS service wasn’t running and there was some weird message about “Hacked by Chinese“ up there instead.  Remember too, back in those days Microsoft patches came out at any old time and day of the week.  Tuesday at 4:30 a.m., sure, release a patch, someone is up somewhere wanting to download it first.


Look how far we have come in three years.  SBS 2000 and Windows 2000 were “kitchen sink and all on by default.“  We ran everything, including Terminal Server in application mode, on that box.  Look at SBS 2003.  Heck, we have folks beating up on it because Terminal Server in app mode was taken off.  Remember what I harp on all the time… we cannot, could not then, cannot now, lock down Terminal Services on a domain controller.  Go grab [please do] the Security Resource Kit; the 6 steps for securing TS on a server cannot be done on a domain controller.  Go knock yourself out if you think you can.


We now have a regular patch schedule.  Now, those in my space can argue that they want patches any ol’ day or night, but let’s be reasonable: the fact that I can count on the second Tuesday as Patch Day helps even little me.  I’ve only been away from the fleet two times on Second Tuesday.
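As an added example (not from the original post), here is a small Python helper that turns the “second Tuesday“ schedule into dates: the Patch Tuesday of a given month, the next one on or after a given day, and how many days away it is, so a patch window or reminder can be pinned to the predictable schedule.  It is plain calendar arithmetic and assumes nothing about the servers being patched.

```python
"""Second-Tuesday ("Patch Tuesday") calendar helper.

Added example for this post, not the author's code. Computes the Patch
Tuesday of a month and the next one still to come from a given date.
"""
import calendar
from datetime import date, timedelta


def patch_tuesday(year: int, month: int) -> date:
    """Return the second Tuesday of the given month.

    weekday() numbers Monday as 0 and Tuesday as 1, so the modulo gives the
    number of days from the 1st to the first Tuesday (0 if the month itself
    starts on a Tuesday); the second Tuesday is exactly one week later.
    """
    first = date(year, month, 1)
    offset = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=offset + 7)


def next_patch_tuesday(today: date) -> date:
    """Return the next Patch Tuesday on or after `today`, rolling into the
    following month (and year, from December) when this month's has passed."""
    candidate = patch_tuesday(today.year, today.month)
    if candidate >= today:
        return candidate
    if today.month == 12:
        return patch_tuesday(today.year + 1, 1)
    return patch_tuesday(today.year, today.month + 1)


def days_until_patch_tuesday(today: date) -> int:
    """Days remaining until the next Patch Tuesday (0 if today is the day)."""
    return (next_patch_tuesday(today) - today).days


if __name__ == "__main__":
    # The date of this post, as a sample input.
    post_day = date(2004, 11, 19)
    print("This month's Patch Tuesday:", patch_tuesday(2004, 11))
    print("Next Patch Tuesday:", next_patch_tuesday(post_day),
          "in", days_until_patch_tuesday(post_day), "days")
```

Running it on the date of this post reports November 9, 2004 as that month’s Patch Tuesday (already past) and December 14, 2004 as the next one, 25 days out.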


We are now starting to see the move to two patch engines: Update.exe and .MSI.  Gawd, do you know you are a geek when you get excited that the last IE patch was built on the Update.exe platform?


We see fewer and fewer patches that can’t be uninstalled.  Exchange 2003 SP1 was a one-way trip.  It used to be that a lot of the security patches were that way too.  The other day I tallied which of the 2004 patches could not be uninstalled [trust me, just don’t ask why I did this, I had a good reason]:


  • 04-033 Excel
  • 04-027 WordPerfect
  • 04-017 Crystal Reports: “it depends on the product“ (Visual Studio, yes, uninstallable; Outlook with BCM, NO; not sure about CRM)
  • 04-010 MSN
  • 04-009 Outlook
  • 04-005 Virtual PC for Mac
  • 04-003 MDAC


It would be better if all the patches were uninstallable, but to me it says that it’s the applications that still need to move a bit further into compliance with the goals for patching.  Heck, even CRM just released a “patch schema“ KB.  The bottom line: patching is getting better and is going to get even better.


Today it warmed my heart that Jake in the newsgroup asked if the “Reported vulnerability in Microsoft ASP.NET“ affected SharePoint services.  Sure ’nuff, Jake, as well as, potentially, our Remote Web Workplace.  But it isn’t a Code Red/Nimda kind of event to blow through our Remote Web Workplaces; it is, though, a recommended patch for our boxes.  In fact it’s listed on the place that we should also visit once a month to ensure we have the latest and greatest.  The fact that we have in three short years gone from worrying only about how to set up AOL through ISA to being concerned about security issues is a big deal in my book.  And I’m sure some of you will say “oh, if you were running ‘fill in the blank OS’ you wouldn’t have to worry about patches“; to that I say, dream on, dudes.  Go over to the Secunia.com web site and pick ANYTHING that runs code and it probably has a known vulnerability and probably a couple more that are unknown.


W2KNews had a great paragraph today on the “holy wars of OS’s“ and I hope they don’t mind if I copy a section of their email here:


The controversy about Operating Systems was very well put in perspective by subscriber Mike Boutelle and I could not agree more. He said: “Regarding the holy wars, I think that the debates back and forth show that it is people and processes that make the difference, not the raw technology. You can install a good OS badly or a bad OS well. The security of the system will always come back to the people and the processes behind it. Maybe a few CIOs should consider that before they outsource their operation.”


The sooner we “get“ that US versus THEM isn’t about Windows versus the Penguin, but rather about the good guys just trying to do their JOB and the bad guys trying to stop us, the better off we are.  Steve Friedl today on a listserv I’m on gave a heads-up on some potential stuff happening on the web.


So what can WE do to help in the fight?  For one, we can do our part in putting pressure on vendors to code more securely, to support patches faster, and to not require local administrator rights on our workstations to run applications.  I also heard that some vendors are still not supporting XP SP2.  A major vendor in the accounting space just announced a new product upgrade for tax season and it includes installing .NET and MSDE on each workstation for full optimization.  So what did I do?  Sent an email and asked if the vendor would either send out patches for MSDE [since it’s not patchable by Windows Update at this time] or support third-party patch tools like Shavlik.


For the SBS 2000 network, one of the reasons I got Shavlik [and still recommend it] is how blonde it is to set up.  I’ll be honest with you.  I’m on the WUS beta and I’ve got the server synchronized, but I’ve yet to get the clients “talking” with that server.  I’ll probably revisit it this weekend.  In the meantime, while WUS is still in beta, we do have a download page that helps us keep our boxes all patched [and, contrary to some newsgroupsers, patches come out once a month on a predictable schedule: remember, the second Tuesday of the month].


So how should you patch? 



  • Well, for one.. test the patch first.  I can hear you say now… “Easy to say, Susan, when you have a server at home that you use for that purpose.”  Okay, you guys got me there, but in SBSland we also “test the patches” by letting others in our community test them.  For all of you in our communities who test patches and report back your experiences, a big thank you.  Report back your experience, and just like with the ISA patch [which I’m putting on tonight], if things don’t go right, CALL Product Support.  Any issue is a free call.  The quality of patches is EXTREMELY important to Microsoft and this feedback loop is critical to making patches pain-free.
  • If you don’t have a spare box, you can also VMware or VServer or VPC a copy.
  • Ensure you have a good backup, just in case.  But honestly, over the long haul, I’ve had fewer problems with security updates than with service packs.

So patches can come down via Windows Update for the Windows patches, but for everything else visit here for the other patches needed.  And yes, as you can see, the ASP.NET mitigation patch is included there.


So what else can you do?  Check out the security guidance here for a start.  It’s nice small-biz guidance from Microsoft Australia.  Then go bore your friends, neighbors and relatives at events you attend.  Everyone is aware of the ‘gunk’ out here but may not know how to handle it.  SANS.org has a new newsletter called OUCH.  A blog for Ma and Pa and the Corporate Clueless is a great starter.  Always Use Protection is another great place.  Be your own security evangelist to your communities.  Urge folks to have a firewall and antivirus, visit Windows Update, and add anti-spyware.


Next week is Thanksgiving in the United States.  If Norman Rockwell were alive today, I’d want him to add to his Roosevelt Four Freedoms series: add to the “Freedom from Want“ Thanksgiving image and perhaps add to his “Freedom from Fear“ picture.  Okay, so it’s a cheesy idea, but consider these days the uncertainty and fear people have with their computers.  I’d have a picture of everyone crowded around the personal computer while a person is there teaching people about the basics of computer security.


So as you prepare for traveling home, burn a couple of copies of XP SP2, will ya?  Check out the status of the antivirus.  Go to grc.com’s Shields Up and do a quick scan to make sure the firewall is in place.  Run a Spybot/Ad-Aware cleanup and DONATE or BUY their products.  They can’t keep fighting the good fight for free, you know.  Talk to parents about the importance of knowing who is on their children’s IM lists.


It takes all of us good guys to keep it safer out here.  We joked at the Security Summit that the day that we know everyone will “get“ security, will be the day that Oprah calls and wants Rich Kaplan on her show to talk about computer security.  [Trust me, he doesn’t look that geeky in person – he looks more normal]


And with that… it’s time for me to patch for the last time… thank you again SBS 2000 …you served me well.
