Dear Microsoft... Rebooting servers is NOT security..

 
 
Duse
Guest
Posts: n/a

 
      05-20-2005
The recent trend for critical patches for win 2003 to require rebooting the
server is USELESS!!!

Win 2003 is a SERVER, it cannot be continually rebooted and offer any Server
level to its users.

Additionally the fact that only a partial installation occurs (which
leaves the server in an unstable state) is also USELESS...

FYI: servers are NOT workstations and do not have people sitting at them to
monitor and react to your auto updates and installs..

Is this truly what you think improving security is....

Unhappy..



 
 
 
 
 
David H. Lipman
Guest
Posts: n/a

 
      05-20-2005
From: "Duse" <>

| The recent trend for critical patches for win 2003 to require rebooting the
| server is USELESS!!!
|
| Win 2003 is a SERVER, it cannot be continually rebooted and offer any Server
| level to its users.
|
| Additionally the fact that only a partial installation occurs (which
| leaves the server in an unstable state) is also USELESS...
|
| FYI: servers are NOT workstations and do not have people sitting at them to
| monitor and react to your auto updates and installs..
|
| Is this truly what you think improving security is....
|
| Unhappy..
|

It was like that for BT4 and Win2K server. To install files that are in use the have to be
qued and upon a reboot and before the OD goes into the GUI, the files are replaced with
their respective updates.

The only way to mitigate this is to download the EXE versions of the patches. Create a script
that runs the patches with the switch parameters to require no user intervention and
don't allow the server to be rebooted. Then the files are queued and upon the next scheduled
reboot the files are replaced. Realize that while the patches may have been executed, the
patches will not be in effect until the server is rebooted.

Here is an example of an NT4 patch and its switch parameters to show you this has been around
for quite a while...

WindowsNT4Server-KB840987-x86-ENU.exe -z -n -q

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



 
 
David H. Lipman
Guest
Posts: n/a

 
      05-20-2005
From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>

Sorry...

That should have been...

"It was like that for NT4 and Win2K server. To install files that are in use they have to be
queued and upon a reboot and before the OS goes into the GUI, the files are replaced with
their respective updates."

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
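
Windows records file replacements that are delayed until reboot in the PendingFileRenameOperations registry value, so a server where patches were run without a reboot, as described in the two posts above, can be identified before the maintenance window. The PowerShell below is an added example, not code from the thread; the function name ConvertFrom-PendingRename and the sample paths are made up for illustration.

```powershell
# Added example: list file operations queued for the next reboot.
# PendingFileRenameOperations is a REG_MULTI_SZ holding source/destination
# pairs; an empty destination means "delete the source at boot".
function ConvertFrom-PendingRename {
    param([string[]]$Entries)
    for ($i = 0; $i -lt $Entries.Count; $i += 2) {
        # Strip the NT object-namespace prefix (\??\) for readability.
        $src = $Entries[$i] -replace '^\\\?\?\\', ''
        $dst = if ($i + 1 -lt $Entries.Count) { $Entries[$i + 1] } else { '' }
        # A leading "!" on the destination means "overwrite if it exists".
        $dst = $dst -replace '^!?\\\?\?\\', ''
        [pscustomobject]@{
            Action      = if ($dst) { 'Replace' } else { 'Delete' }
            Source      = $src
            Destination = $dst
        }
    }
}

# Constructed sample (not taken from a real server): one replacement, one delete.
$sample = @(
    '\??\C:\WINDOWS\system32\SET1A.tmp', '!\??\C:\WINDOWS\system32\example.dll',
    '\??\C:\WINDOWS\TEMP\old.tmp', ''
)
ConvertFrom-PendingRename $sample | Format-Table -AutoSize

# On a live server, read the real value; it is absent when nothing is queued.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$prop = Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
$live = $prop.PendingFileRenameOperations
if ($live) {
    ConvertFrom-PendingRename $live
} else {
    'No file replacements queued; no patch is waiting on a reboot.'
}
```

Any 'Replace' row whose destination is a system binary means the old, unpatched file is still the one in use until the server restarts.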


 
 
Star Fleet Admiral Q
Guest
Posts: n/a

 
      05-21-2005
Duh - that's why you install patches during your company's scheduled
down/maintenance time. Our company down/maintenance time is Sunday at
00:00am through 05:00am, where it makes the least impact on our business.
Now this philosophy may make the most impact on your weekend, but hey, you
chose the profession, and that's why you get paid the "big bucks".

--

Star Fleet Admiral Q @ your Service!

http://www.google.com
Google is your "Friend"

"Duse" <> wrote in message
news:...
> The recent trend for critical patches for win 2003 to require rebooting the
> server is USELESS!!!
>
> Win 2003 is a SERVER, it cannot be continually rebooted and offer any
> Server level to its users.
>
> Additionally the fact that only a partial installation occurs (which
> leaves the server in an unstable state) is also USELESS...
>
> FYI: servers are NOT workstations and do not have people sitting at them to
> monitor and react to your auto updates and installs..
>
> Is this truly what you think improving security is....
>
> Unhappy..
>
>
>



 
 
Miha Pihler [MVP]
Guest
Posts: n/a

 
      05-21-2005
Hi,

I am not sure where you see the problem? Is the problem that you have to
reboot the server?

If this is the case, you can deploy clusters where you reboot one server
while the other takes the load and takes care of any user requests. Then you
patch and reboot the other node.

Personally I don't have any problem with rebooting a server once a month (this
is how often Microsoft will in general release patches).

My practice is to automatically install and reboot client computers, but to
only download patches on server. After the update has been evaluated that it
will not cause any problem it is installed on servers...

There are also quite a few tools that will allow you to remotely deploy and
control installation of patches on server. One tool that comes to mind is
Microsoft SMS (Microsoft System Management Server) or WSUS (Windows Server
Update Services) that will soon be released.

When was the last time you updated your active network equipment (routers,
switches etc)? E.g. CISCO, IBM, Juniper, Symantec, 3COM, etc... all have
the same problem that is described in MS05-19 for Microsoft. It is a critical
bug that could allow DoS against your network. Let me know how it went with
rebooting routers and switches.
http://news.com.com/2102-1002_3-5669...=st.util.print

--
Mike
Microsoft MVP - Windows Security

"Duse" <> wrote in message
news:...
> The recent trend for critical patches for win 2003 to require rebooting the
> server is USELESS!!!
>
> Win 2003 is a SERVER, it cannot be continually rebooted and offer any
> Server level to its users.
>
> Additionally the fact that only a partial installation occurs (which
> leaves the server in an unstable state) is also USELESS...
>
> FYI: servers are NOT workstations and do not have people sitting at them to
> monitor and react to your auto updates and installs..
>
> Is this truly what you think improving security is....
>
> Unhappy..
>
>
>



 
 
Mike Brannigan [MSFT]
Guest
Posts: n/a

 
      05-21-2005
If you operate servers that require 24 by 7 or 99.999% availability then you
need to plan for a process of allowing for patching. This is often achieved
through the use of technologies such as clustering etc where you
cooperatively fail over the resources to another server to allow for the
maintenance of the first server.

How do you handle maintenance on your current server infrastructure if you
cannot accept a reboot for a security patch update, since you seem to imply
that you are operating in actual 24 by 7 availability of the services
offered by your servers?

As an aside we are working on technology to remove the reboot requirement in
many situations for patching.


--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

"Duse" <> wrote in message
news:...
> The recent trend for critical patches for win 2003 to require rebooting the
> server is USELESS!!!
>
> Win 2003 is a SERVER, it cannot be continually rebooted and offer any
> Server level to its users.
>
> Additionally the fact that only a partial installation occurs (which
> leaves the server in an unstable state) is also USELESS...
>
> FYI: servers are NOT workstations and do not have people sitting at them to
> monitor and react to your auto updates and installs..
>
> Is this truly what you think improving security is....
>
> Unhappy..
>
>
>



 
 
David H. Lipman
Guest
Posts: n/a

 
      05-21-2005
From: "Mike Brannigan [MSFT]" <>

< snip >

|
| As an aside we are working on technology to remove the reboot requirement in
| many situations for patching.
|
| --
|
| Regards,
|
| Mike
| --
| Mike Brannigan [Microsoft]


Mike:

That's good news. Any info on that ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


 
 
Mike Brannigan [MSFT]
Guest
Posts: n/a

 
      05-21-2005
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:%...
> From: "Mike Brannigan [MSFT]" <>
>
> < snip >
>
> |
> | As an aside we are working on technology to remove the reboot requirement in
> | many situations for patching.
> |
> | --
> |
> | Regards,
> |
> | Mike
> | --
> | Mike Brannigan [Microsoft]
>
>
> Mike:
>
> That's good news. Any info on that ?


No, nothing public at this time

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups




 
 
David H. Lipman
Guest
Posts: n/a

 
      05-21-2005
From: "Mike Brannigan [MSFT]" <>


|
| No, nothing public at this time
|
| --
|
| Regards,
|
| Mike

I anxiously await public information on that subject matter. ;-)

There is nothing tougher than keeping systems IA Compliant.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


 
 
Mike Brannigan [MSFT]
Guest
Posts: n/a

 
      05-21-2005
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:...
> From: "Mike Brannigan [MSFT]" <>
>
>
> |
> | No, nothing public at this time
> |
> | --
> |
> | Regards,
> |
> | Mike
>
> I anxiously await public information on that subject matter. ;-)
>
> There is nothing tougher than keeping systems IA Compliant.
>
> --


see
http://support.microsoft.com/default...b;en-us;897341

for more of what I am talking about.
It will get even better over time.

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups




 