Damned if they do, damned if they don't


I had just sold management in the company I am clienting for on the ability of W2K3 to avoid these, with the line that during the Windows Security Push, all 9,000+ Windows developers stopped and pored over essentially every line of Windows code to remove these kinds of situations and make W2K3 the most secure OS. Now two of these in the last month. To say that this has stopped a massive redeployment is an understatement.

Sam Gentile's Blog

So you oversold an idea to a client and now you're mad at Microsoft?

You're concerned about the security of your server platform. W2K3 is more secure than W2K and NT4. NT4 is no longer supported and won't be getting any patches. Client has NT4 servers.

What do you advise and why?

These changes have made Windows Server 2003 much more secure than any previous version of Windows. Microsoft is intent upon improving the security of its products and technologies: the Windows Security Push was only one part of the company's ongoing commitment to creating more secure software.

The Windows Security Push

They have to move from NT4. No choices there. You can't run production systems on an unsupported OS... If they have to stay on a Microsoft platform then they should move to either W2K or W2K3. If everything they need to run is compatible with W2K3 then move to that; if not, move to a mixed bag with W2K3 in all places that it can be and maintain an aggressive migration strategy.

Why? W2K3 is the most secure of the options; therefore your client is limiting their exposure to security threats by choosing the most secure option they have.

Your position doesn't change just because a patch is released for all of the OSs you could choose, including W2K3. It only changes if more patches are released for just W2K3, and even then it only changes if these new patches are for functionality that works just fine in the other server platforms (i.e. not new functionality that you can't get elsewhere), and it only changes if your client uses the functionality that was patched (and was, thus, vulnerable).

Your client's wrong not to move and you were wrong to convince them to move by overselling W2K3. Be pragmatic. Move on.

I don't buy the 'when we move to 100% managed code things will be lovely' idea either. Sure, we'll eliminate a whole host of buffer overrun related issues, but I expect there will still be security issues. It may take a while for the attackers to switch gears and start exploiting these new issues, but they will. So even if the whole world switches to a 100% managed OS there will still be security vulnerabilities and there will still be patches required. Why? People write the code, people make mistakes. Bugs are the result of mistakes. The solution isn't a new tool or set of tools; it's more thought and testing. If Microsoft want their OS to be really secure then you need people whose job it is to break it, and you need them trying to break it all the time, and they need to be doing it with full access to all the source they need. If they want the doubters to trust they're really trying then these people need to be an independent company...

I agree that these patches shouldn't require a reboot, I'd like to think that Microsoft were trying to move in that direction, but I'd also prefer to have a patch that works and a patch that's available to me quickly. If that means I have to reboot then OK I'll have the patch now please and you can continue working towards a no reboot situation.

Reading back through this it comes across as a bit aggressive towards Sam, it's not supposed to be, but I can't be arsed to rework it. ;)

4 Comments

I'll email you when I get home from work. This post grossly misrepresents me, my knowledge of Win2K3 (for gosh sakes I worked on it) and what I do and said. I'm not going to get into it here. I have removed the trackback to here and I will speak to you privately.

Where's your bloody email link on this site?

Sam,

Like I said, perhaps it came across harsher than I intended. I've mailed you my email address so you can respond privately if you wish. I would have thought it would have been better to respond publicly.

Anyway, I can't be expected to know your background and history from a post you make that doesn't include enough information to make these things obvious. If you want to rant then I guess you should expect to get ranted back at ;)

Nothing personal.

Sam mailed me some comments and we exchanged a few mails. I asked him if he was OK with me posting the outcome here to complete the thread and he said that he was:

---------

> Please. I merely pointed out the benefits. One of them was
> supposed to be the much touted security push where we all
> pored over millions of lines of code for 9 months.

Sam, in the blog post that I was responding to you said this:

"I had just sold management in the company I am clienting for on the ability of W2K3 to avoid these, with the line that during the Windows Security Push, all 9,000+ Windows developers stopped and pored over essentially every line of Windows code to remove these kinds of situations and make W2K3 the most secure OS. Now two of these in the last month. To say that this has stopped a massive redeployment is an understatement."

What you were saying was that the security issues caused the client to stop an important redeployment. Quite sensational stuff. I pointed out that to stop merely because of the security issues in the last month was foolish. The security issues, in themselves, didn't change the need to move from one platform to another.

Why is a client stopping such a migration due to an issue with only one of the benefits that you pointed out to them? Did they allocate too much importance to this one benefit? Did they somehow think that the security push would have eliminated all security issues rather than accepting that the push will only have eliminated X potentially exploitable issues and that exploits could and will still occur? Who knows. But, IMHO, it's certainly something to think about for the future. Preventing clients from reading too much into certain initiatives is often the hardest part...

Anyway, I expect that you've advised them of all this and that they're now continuing the move to W2K3. IMHO that would be a far more important blog entry.

> We didn't
> do a good enough job. Period. This is still a mess.

Agree. But it's a hard problem and the recent work has moved things a long way in the right direction.

Len

---------

Okay points taken. They are moving forward...

Sam

---------

Moral of the story. If I think a posting is a bit harsh then the person I'm posting about is quite likely to take it the wrong way. This is likely to reduce the value of the posting to nothing more than a flame (in their eyes at least) and if that wasn't the intention then it's always worth taking the time to rework or delete the posting.

Live and learn.
