One of my biggest peeves is that companies (prime example being Microsoft) should not blame admins so much.

If M$ could be bothered to release recompiled versions of their products that incorporate the latest fixes, new installations and implementations would be that much safer.

Imagine Microsoft releasing a recompiled version of IIS4/5 that INCLUDED the fixes provided by patches?

Not everyone is as well educated as others... nor can we really expect them to be. Perhaps in larger corporations where there are well delineated job function separations you might to find a competent (relatively of course) web site/server administrator.

Problems are:

In NT, web site security and NTFS security go hand in hand, and having web admins doing one part and server admins do the other part can only inevitably lead to a greater number of misimplementations.

The other problem is in small companies, where IT staff is stretched thin, and simply do not have either the time or the resources to learn and do everything properly.

Microsoft and other vendors need to take the initiative here, rather than blaming security breaches on open disclosure, or incompetent/overworked/underknowledged admins.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/270/8354#8354