Yup Called Up My ISP this morning telling them to Patch. :) Where would they be without me? ;)

Soooo glad I am not on MS servers!

dave

Well I wonder when the next one will be?
Tomorrow?
Mac

Soooo glad I am not on MS servers!

Now now you Apache folk have security issues as well - just not as many.

Remember, the easier it is to use, the more use friendly it becomes, the more can be broken with it.

It's a trade off for not having to learn Unix and Apache.

We deal with it. Just put the patch on, and pray that the hackers get the big guys first.....

Not sure if I agree with that. To be honest I find it much easier to admin a Linux/Apache box than an Win2K/IIS box.

You just have to learn how to use a text editor and deal with not having an "Apply" button.

I find the text file much more intuitive and easy to fine tune compared to the MS Wizzards.

I find the text file much more intuitive and easy to fine tune compared to the MS Wizzards.

ditto

txbakers:

Right. Steep learning curve on Unix/Apache. I never thought I would understand it for the first couple months. (Well, I still don't!) Luckily for me, when I made the jump to my own server, my ISP tech support held my hand for a LONG time. But like anything, you get used to it, and learn it.

I did not mean that som much as a slam on MS (but that was on my mind!) but more in that wasn't there a big virus a couple weeks/ a month ago that attacked MS servers? The last major security patch I remember for FreeBSD was 2-3 years ago, and it was for a telnet problem. Sure there have been upgrades and whatnot since then, but it always seems to happen bigger (and the fall harder) on the IIS systems

From microsoft.com:

An identified security vulnerability in Microsoft® Windows® 2000 could allow an attacker to take control of your computer. This issue is most likely to affect computers used as Web servers. You can help protect your computer from this vulnerability by installing this update from Microsoft.

Did you notice the wording? "You can help protect...": it is not like saying you can protect your computer. Tomorrow we'll read about a new security flaw and a new patch. I will stay with Apache, that (and I am sure I am not alone) I also find easier to deal with.

I was just talking with a friend at a large windows hosting service. We were talking about how much time was required to maintain operating systetms. He says the number of fixes and updates and time required to maintain windows servers has easily been 20 fold that of their unix servers over the last two years.

I couldn't help but wonder how long before MS hosts start to pass along the cost of all these updates?

There is no way I can use Apache for my Intranet. Windows servers are far better with regards to facilities and features they provide.

With regards to this recent problem, all good administrators will not be affected as windows lockdown already protects you server against this vulnerability.

Lets take the issue of applying service packs. No problems I have configured Windows update to automatically do this and all critical service packs get applied without much of a problem.

We currently develop muti-tier systems and are willing to spend the time required to keep the servers safe because as far as we know other Web servers and environments come no way near MS servers and tools.

I know a lot of hardcore Unix people will now flame me but I had to put my 2 cents in.

G,

You must be doing something *VERY* specific if you *MUST* run on Windows. As much as I do not like windows it serves a purpose. Those I can't immagine anything that you can do on Win2K/IIS that you are unable to do on *nix/Apache. And the *nix system will give more bang for it's buck since it need not run a GUI 24/7 :)

YAY! A fellow Windows users!

I was going to add that downloading and installing the service packs takes very little time and effort and the added convenience of ease of operation makes it worth the "trouble".

I've hardly had to reboot my server as well, dispelling an oft quoted myth that Windows servers are unreliable.

While far from perfect, I find the Windows server quite useable and easy to get going and configure.

Would I like to learn nix and Apache? Yes, of course, but I'm in no rush to switch gears at the moment.

I just started writing JSP pages and tried to install Tomcat. The installation was successful but to try to run it through IIS was a nightmare. I asked for help in these forums and was told of other horror stories. So I installed JRUN, a GUI JSP container, and it went up flawlessly and I never had to go back and tweak it since.

Can anyone explain why the anti-MS sentiment?

The Microsoft bashing is because 80% of the people on the forum are Apache/Linux webmasters, who, as a rule, dispise everything Microsoft.

IIS has some distinct advantages, especially with .NET. Also, the next version of IIS will have text (actually XML) file configuration, lessening the configuration issues necessary for ISPs.

IIS ISPs already pass on the costs to customers. Compare the prices. Much of that cost passing, though, is because it costs a significant amount of money for Windows 2000 Server, whereas Apache/Linux is free. That cost actually goes down in the next version of windows as they release a Web server specific version.

---

Getting back to the original topic, though--this security flaw could be devestating as unpatched servers all over the web get compromised. What I'd wish they'd tell you in the security bulletins is how to analyze your server logs to tell if you've been attacked/compromised before you could apply the patch.

Can anyone explain why the anti-MS sentiment?

They're an easy target because they're so big. And ruthless and arrogant about it.

And they charge a lot for their products.

And Bill Gates is way too rich.

One of my three servers got hit before I could patch it. After much effort I have been able to put the patch on and now I am struggling to remove the uploaded files. The hackers are basically using my server to save and run games for free. Anybody seeing something similar, please let me know if you know how to remove these files.

As a side note, I just discovered that you can have the patches installed automatically on a W2K server just like you can on an XP system on your home computer. I had been using the automated "check for updates" system on MS and installing updates as they came out. But when I tried to do this with the most recent fix, it wouldn't install because the hackers already had control of my machine. They had filled up the hard drive with their crap so there was nowhere to put the update file. Now I see that in the control panel you can have updates downloaded AND installed automatically. Has anyone else used this? If it works properly, I would say the cost of doing patches is now something like -0-!

Metafunc writes --

There is no way I can use Apache for my Intranet. Windows servers are far better with regards to facilities and features they provide.

... especially to hostile attackers ...

[news.bbc.co.uk...]

US Military caught out as well...

No one can say anything about Microsoft on this one. Linux has a root exploit in thier kernal about the same time.

[slashdot.org...]

If you read the article this is a local root exploit. Very bad but you need a valid local account with shell access before you can do anything since you much run the program "ptrace" as a local logged in user.

taxpod, I'm running W2K-SP3 with the auto download & install patches thing switched on.
When I saw this thread here I immediately looked to see if this patch had been applied - it hadn't, so I did it manually.
Now I'm wondering what it takes to get critical security patches installed automatically ..........

I've noticed on the windows update tool that it times things so that not everyone is hitting their server at the same time. So it could be 24 hours before the patch downloads on your machine.

scareduck - Nice one. I won't comment on this otherwise it will escalate.

Xoc -

>Getting back to the original topic, though--this security >flaw could be devestating as unpatched servers all over?>the web get compromised. What I'd wish they'd tell you in >the security bulletins is how to analyze your server logs >to tell if you've been attacked/compromised before you >could apply the patch.

I always wondered about this. However if we were told exactly how this was done the all the wanna be hackers will be trying there luck on the un-patched servers.

G,