Everyone's situation is different.

We have a webmaster and his incompetent staff who hardly know anything about Microsoft products .asp and other Ms stuff they push to do their development. So imagine the boat I am in trying to convince these bozos to switch platforms to Unix/Linux hardened systems running Apache!

All they know is that this other stuff outside of MS is buzzwords they are so lost. So convincing departments and managers they need to get off MS and .asp is not as easy as it sounds...to much political crap...plus they would have to actually learn .php, Java Unix/Linux shell/scripting etc...which they don't have the ability to do in our organization...just too much incompetence going around.

Also, you can't expect Microsoft to test everything out there with a patch...example...we had a 5 year old Compaq with old raid adapter and drivers...guess what?!?! Security patch somehow broke the driver...well reboot time and...whoops...no more booting...server down....

Is MS really responsible for testing all hardware compatibility as it pertains to scenarios like this? Not in my opinion...it's our bad for running on antiquated servers and technology...that is life in the business...I'm not letting them off the hook by these statements, just see this side of due diligence they are required is all I am asking...

A simple plan to harden OS/IIS and monitoring security updates...logs...and best practices is all that is needed to make these boxes 99.99 percent secure...nothing is 100 percent as we know. Better than the 10 percent when you take all the defaults...

There are plenty of docs out there on how to do this...While you have some extra time with a hardened windows install..help me convince our web team to get off these darn MS boxes...Please!!!



[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/74/11948#11948