Microsoft: September 2005 Archives
Channel 9 over at MSDN has a chat with Roger Grimes on IIS 7 security. I'm halfway through it, and it spends more time talking about the misconceptions of Microsoft security. Microsoft has a very secure operating system in Windows 2003. It was released nearly 2.5 years ago. Yet people want to talk about Microsoft security as if it is still pre-NTFS and Windows 95.
There seems to be a school of thought that says the lesson to be learned from MS05-039 is "patch faster". Don't stop, don't think, don't consider. Just patch. They say fixing the result of patching is easier than fixing the result of the virus getting in.
If you're on a treadmill and someone starts hitting you with a baseball bat, the solution isn't "run faster". It may be time to look for a different solution. How many people got hit with MS05-039 who were running personal firewalls on all systems? How many people got hit with MS05-039 who were running host-based intrusion prevention systems? How many people who locked down their computers got hit?
Patch faster, they say; the real problem was with Configuration Management "bureaucracy".
Is computer security a science or an art? Is it your gut feeling that tells you you need to patch quickly? Is it rumors from SANS? Is it the result of a rational risk assessment? Is there too much gut checking and not enough Risk = Threat x Vulnerability?
It really scares the hell out of me when a technologist gets the ear of a politician. Sometimes the results are just funny, like when Senator Chuckie Schumer (NY-D) starts talking about viruses. But other times the results seem to be geared towards encoding in law the particular biases of the tech staffer.
Over at Microsoft Monitor (a Jupiter Research weblog), Joe Wilcox comments on last week's decision by the people's republic of Massachusetts to only support "open" standards. In spite of all the news articles, this is currently a proposal and it is in its public comment period. Also, back in January there was a speech where Adobe Acrobat and Microsoft Word were listed as open standards.
I'm trying to put MS05-029 on a user's desktop via SMS Remote Control.
First attempt: nope, you need Windows Installer 3.1, reboot.
Second attempt: You're running Windows 2000 SP3. OK, I've got that on the file server, no need to download it. Reboot.
Third attempt: You have 150 MB of updates!!!
Windows Update now does Office patches too. So after deselecting the post-SP4 rollup, I deselected all the SPs for Office. (For some reason we haven't deployed that at work, so I'll make things easier on myself and only bring this computer into parity with the other computers. No need to be testing an Office service pack upgrade on a weekend on someone else's computer.) After trimming that down, I "only" have 25 updates to install.