Re: OpenVMS - When downtime is not an option
- From: bill@xxxxxxxxxxx (Bill Gunshannon)
- Date: 1 Jul 2007 14:04:12 GMT
In article <wpudnW3ibNFhyRrbnZ2dnUVZ_qSrnZ2d@xxxxxxxxxxxxxxxxxxxxxxxx>,
Bill Todd <billtodd@xxxxxxxxxxxxx> writes:
> Paul Raulerson wrote:
>
>> The only answer to this is that anyone who believes it *is* only half
>> competent.
>
> Sorry: the answer is that anyone who believes your position in this
> matter is ignorant (and thereby incompetent, since the competent
> understand the limitations of their knowledge).
>
>> It is very VERY important to keep patches up to date on the
>> Windows server(s). The vast majority of the harmful and expensive virii,
>> Trojans, and worms that get in get in via the server.
>
> Then you're using it incompetently.
>
>> E-Mail,
>
> Please explain exactly how a virus, trojan, or worm can infect a server
> via any legitimate use of email on that server. Do you run email in an
> account without restricted privileges? That's incompetent. Do you
> allow execution of scripts, ActiveX, or even html in email on a server?
> That's incompetent. Do your users execute attachments without being
> sure where they came from? That's incompetent in a server environment
> even if you've already subjected the attachment to a virus/malware scan
> (the lack of which would also of course be incompetent). Using
> Microsoft email rather than a potentially safer alternative (which,
> incidentally, you can patch to your heart's content without fear of
> side-effects in other areas of your server) might be considered
> incompetent, for that matter.
>
> Similar comments apply to using Internet Exploder, for which virtually
> the only required use is during interactive Microsoft Update activity
> (though a well-managed server environment will instead collect the
> updates and then apply them locally rather than interactively in WU,
> eliminating the need to run IE in a privileged context): your server
> firewall shouldn't let IE talk to the outside world at all (in *or* out)
> without interactive user permission, and when such external interaction
> is allowed no script execution should be permitted without interactive
> user permission (and one can make a reasonable case for not allowing
> ActiveX execution under any circumstances: if you could get along
> without it with a non-Windows alternative, why would you need it?).
>
> It's not clear why any other interactive browser use would require
> privileges either (not that general surfing is an appropriate server
> activity in any event) - and people who can't be trusted to use such
> resources appropriately can't be trusted with privileged accounts
> (though gentle reminders never hurt - e.g., eliminating privileged
> account browser and email access icons such that a user has to make an
> active effort to run a browser or email in such an account). In fact,
> the threat of infection even in a privileged account running completely
> unpatched software is minimal as long as browser and email components
> are buttoned down as described above and used responsibly (e.g., any
> threat from malicious Web sites is minimal, because there's no
> justification for encountering one in the normal course of server
> management), and when such applications run almost exclusively in
> non-privileged accounts the threat virtually disappears.
>
>> SQL Server,
>> IIS,
>
> Those are layered products: if they don't meet your safety criteria,
> use the alternatives that you'd use on a different OS (since most of
> them will run on Windows as well - and, again, you can patch them
> without fear that the patches will have unforeseen side-effects
> elsewhere in your server).
>
>> etc. And yes, it is a fact, for *whatever* reason, that the VAST majority
>> of Windows Server time is spent putting in patches and fixes and working
>> HooDoo on the Registry.
>
> Unless that registry twiddling is directly related to applying
> *necessary* patches it's irrelevant to the current discussion. Perhaps
> you're confusing the general overhead of managing a Windows environment
> (where I'd heartily agree that other platforms can be more
> cost-effective in terms of managerial overhead) with the very specific
> allegation that inability to secure the platform and/or the volume of
> Windows patches make Windows an untenable server choice.
>
> I just took a quick look back through our past 3 months' worth of Win2K
> patches, and couldn't find a single one that seemed of immediate
> importance to apply to a properly-managed, buttoned-down server. Some
> exposures required local log-on and explicitly running specially-crafted
> malware (or in one case running image software to view a corrupted EMF
> image file) to leverage. Others required a visit to a malicious Web
> page and running scripts there, resulting at worst in denial of service
> or the ability to run malicious software in the (appropriately
> restricted) privilege context of the current user. None involved any
> external threat that could not be parried by the kind of sensible
> procedures described above until such time as it might be convenient to
> apply a specific patch.
>
>> Does not mean Windows is not deucedly useful though.
>>
>> Would you care to rethink your statement? Surely you could NOT have meant to
>> say what you actually said.
>
> As usual, I meant *exactly* what I said.
I hope this doesn't give anyone a heart attack or anything but even given
our differences of opinion in the past this is one time you and I are
totally in agreement. Could this signal the arrival of the final times? :-)
bill
--
Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
bill@xxxxxxxxxxxxxxx | and a sheep voting on what's for dinner.
University of Scranton |
Scranton, Pennsylvania | #include <std.disclaimer.h>