Dear Microsoft... Rebooting servers id NOT security..

The recent rend for critical patches for win 2003 to require rebooting the
server is USELESS!!!

Win 2003 is a SEVER, it cannot be continually rebooted and offer any Server
level to its users.

Additionally the fact that only a partial installation occures ( which
leaves the server in a unstable state) is also USELESS...

FYI: server are NOT workstations and do not have people sitting at them to
monitor and react to your auto updates and installs..

Is this truely what you think improving security is....

Unhappy..

From: "Duse" <dude@soft.com>

| The recent rend for critical patches for win 2003 to require rebooting the
| server is USELESS!!!
|
| Win 2003 is a SEVER, it cannot be continually rebooted and offer any Server
| level to its users.
|
| Additionally the fact that only a partial installation occures ( which
| leaves the server in a unstable state) is also USELESS...
|
| FYI: server are NOT workstations and do not have people sitting at them to
| monitor and react to your auto updates and installs..
|
| Is this truely what you think improving security is....
|
| Unhappy..
|

It was like that for BT4 and Win2K server. To install files that are in use the have to be
qued and upon a reboot and before the OD goes into the GUI, the files are replaced with
their respective updates.

The only way to mitigate this is download the EXE versions of the patches. Create a script
that runs the patched with the switch parameters to require no user intervention and don't
don't allow the server to be rebooted. the the files are queued and upon the next sceduled
reboot the fuiles are replaced. Relize that whiles the patches may have been executed, thet
patches will not be in effect until the server is rebooted.

Here is an example of a NT4 patch and its switch parameters to show you this has been around
for quite a while...

WindowsNT4Server-KB840987-x86-ENU.exe -z -n -q

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>

Sorry...

That should have been...

"It was like that for NT4 and Win2K server. To install files that are in use they have to
be
queued and upon a reboot and before the OS goes into the GUI, the files are replaced with
their respective updates."

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Duh - that's why you install patches during your companies scheduled
down/maintenance time. Our company down/maintenance time is Sunday at
00:00am through 05:00am, where it makes the least impact on our business.
Now this philosophy may make the most impact on your weekend, but hey, you
choose the profession, and that's why you get paid the "big bucks".

--

Star Fleet Admiral Q @ your Service!

http://www.google.com
Google is your "Friend"

"Duse" <dude@soft.com> wrote in message
news:Oyxg33XXFHA.2684@TK2MSFTNGP09.phx.gbl...
> The recent rend for critical patches for win 2003 to require rebooting the
> server is USELESS!!!
>
> Win 2003 is a SEVER, it cannot be continually rebooted and offer any
> Server level to its users.
>
> Additionally the fact that only a partial installation occures ( which
> leaves the server in a unstable state) is also USELESS...
>
> FYI: server are NOT workstations and do not have people sitting at them to
> monitor and react to your auto updates and installs..
>
> Is this truely what you think improving security is....
>
> Unhappy..
>
>
>

Hi,

I am not sure where you see the problem? Is the problem that you have to
reboot the server?

If this is the case, you can deploy clusters where you reboot one server
while the other takes the load and takes care of any user requests. Then you
patch and reboot the other node.

Personally I don't have any problem with rebooting server once a month (this
is how often Microsoft will in general release patches).

My practice is to automatically install and reboot client computers, but to
only download patches on server. After the update has been evaluated that it
will not cause any problem it is installed on servers...

There are also quite a few tools that will allow you to remotely deploy and
control installation of patches on server. One tool that comes to mind is
Microsoft SMS (Microsoft System Management Server) or WSUS (Windows Server
Update Services) that will soon be released.

When was last time you updated your active network equipment (routers,
switches etc)? E.g. CISCO, IBM, Juniper, Symantec, 3COM, etc... all have
same problem that is described in MS05-19 for Microsoft. It is a critical
bug that could allow DoS against your network. Let me know how it went with
rebooting routers and switches.
http://news.com.com/2102-1002_3-5669392.html?tag=st.util.print

--
Mike
Microsoft MVP - Windows Security

"Duse" <dude@soft.com> wrote in message
news:Oyxg33XXFHA.2684@TK2MSFTNGP09.phx.gbl...
> The recent rend for critical patches for win 2003 to require rebooting the
> server is USELESS!!!
>
> Win 2003 is a SEVER, it cannot be continually rebooted and offer any
> Server level to its users.
>
> Additionally the fact that only a partial installation occures ( which
> leaves the server in a unstable state) is also USELESS...
>
> FYI: server are NOT workstations and do not have people sitting at them to
> monitor and react to your auto updates and installs..
>
> Is this truely what you think improving security is....
>
> Unhappy..
>
>
>

If you operate servers that require 24 by 7 or 99.999% availability then you
need to plan for a process of allowing for patching. This is often achieved
through the use of technologies such as clustering etc where you
cooperatively fail over the resources to another server to allow for the
maintenance of the first server.

How do you handle maintenance on your current server infrastructure if you
cannot accept a reboot for a security patch update since you seem to imply
that you are operating in actual 24 by 7 availability of the services
offered by your servers.?

As an aside we are working on technology to remove the reboot requirement in
many situations for patching.


--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

"Duse" <dude@soft.com> wrote in message
news:Oyxg33XXFHA.2684@TK2MSFTNGP09.phx.gbl...
> The recent rend for critical patches for win 2003 to require rebooting the
> server is USELESS!!!
>
> Win 2003 is a SEVER, it cannot be continually rebooted and offer any
> Server level to its users.
>
> Additionally the fact that only a partial installation occures ( which
> leaves the server in a unstable state) is also USELESS...
>
> FYI: server are NOT workstations and do not have people sitting at them to
> monitor and react to your auto updates and installs..
>
> Is this truely what you think improving security is....
>
> Unhappy..
>
>
>

From: "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com>

< snip >

|
| As an aside we are working on technology to remove the reboot requirement in
| many situations for patching.
|
| --
|
| Regards,
|
| Mike
| --
| Mike Brannigan [Microsoft]


Mike:

That's good news. Any info on that ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:%23IsmRahXFHA.3584@TK2MSFTNGP14.phx.gbl...
> From: "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com>
>
> < snip >
>
> |
> | As an aside we are working on technology to remove the reboot
> requirement in
> | many situations for patching.
> |
> | --
> |
> | Regards,
> |
> | Mike
> | --
> | Mike Brannigan [Microsoft]
>
>
> Mike:
>
> That's good news. Any info on that ?

No, nothing public at this time

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:%23IsmRahXFHA.3584@TK2MSFTNGP14.phx.gbl...
> From: "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com>
>
> < snip >
>
> |
> | As an aside we are working on technology to remove the reboot
> requirement in
> | many situations for patching.
> |
> | --
> |
> | Regards,
> |
> | Mike
> | --
> | Mike Brannigan [Microsoft]
>
>
> Mike:
>
> That's good news. Any info on that ?
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

From: "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com>


|
| No, nothing public at this time
|
| --
|
| Regards,
|
| Mike

I anxiously await public information on that subject matter. ;-)

There is nothing tougher than keeping systems IA Compliant.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:OLrBdukXFHA.1796@TK2MSFTNGP15.phx.gbl...
> From: "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com>
>
>
> |
> | No, nothing public at this time
> |
> | --
> |
> | Regards,
> |
> | Mike
>
> I anxiously await public information on that subject matter. ;-)
>
> There is nothing tougher than keeping systems IA Compliant.
>
> --

see
http://support.microsoft.com/default.aspx?scid=kb;en-us;897341

for more of what I am talking about.
It will get even better over time.

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:OLrBdukXFHA.1796@TK2MSFTNGP15.phx.gbl...
> From: "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com>
>
>
> |
> | No, nothing public at this time
> |
> | --
> |
> | Regards,
> |
> | Mike
>
> I anxiously await public information on that subject matter. ;-)
>
> There is nothing tougher than keeping systems IA Compliant.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

On Sat, 21 May 2005 06:53:22 +1000, "Duse" <dude@soft.com> wrote:

>The recent rend for critical patches for win 2003 to require rebooting the
>server is USELESS!!!

Then don't use Server 2003. Use something that requires no reboots.

>Win 2003 is a SEVER, it cannot be continually rebooted and offer any Server
>level to its users.

Continually? For one service pack run a month?

>Additionally the fact that only a partial installation occures ( which
>leaves the server in a unstable state) is also USELESS...

Then don't install until you can reboot, if needed.

>FYI: server are NOT workstations and do not have people sitting at them to
>monitor and react to your auto updates and installs..

This is all quite possible to script, or handle remotely.

>Is this truely what you think improving security is....
>
>Unhappy..

You have options. You can switch operating systems. You can ignore
patching. You can use the tools available to manage this. You can
cluster servers so a reboot is not an issue. You can also bitch
randomly in newsgroups. Which is about the only thing you can do that
is entirely unproductive and useless. Which is the same complaint you
voiced about critical updates.

Jeff

"Star Fleet Admiral Q" <Star_Fleet_Admiral_Q(NO-SPAM)@(SPAM-NOT)hotmail.com>
wrote in message news:OyKnzNaXFHA.2540@tk2msftngp13.phx.gbl...
> Duh - that's why you install patches during your companies scheduled
> down/maintenance time. Our company down/maintenance time is Sunday at
> 00:00am through 05:00am, where it makes the least impact on our business.
> Now this philosophy may make the most impact on your weekend, but hey, you
> choose the profession, and that's why you get paid the "big bucks".

<< Thats fine for non-critical updates, and how we do it..
The problem is with critical security patches..

But in any case, the concept of rebooting is simply wrong for a server.


>
> --
>
> Star Fleet Admiral Q @ your Service!
>
> http://www.google.com
> Google is your "Friend"
>
> "Duse" <dude@soft.com> wrote in message
> news:Oyxg33XXFHA.2684@TK2MSFTNGP09.phx.gbl...
>> The recent rend for critical patches for win 2003 to require rebooting
>> the server is USELESS!!!
>>
>> Win 2003 is a SEVER, it cannot be continually rebooted and offer any
>> Server level to its users.
>>
>> Additionally the fact that only a partial installation occures ( which
>> leaves the server in a unstable state) is also USELESS...
>>
>> FYI: server are NOT workstations and do not have people sitting at them
>> to monitor and react to your auto updates and installs..
>>
>> Is this truely what you think improving security is....
>>
>> Unhappy..
>>
>>
>>
>
>

"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:%23mOcA8dXFHA.2288@TK2MSFTNGP14.phx.gbl...
> Hi,
>
> I am not sure where you see the problem? Is the problem that you have to
> reboot the server?

There are two parts to the problem, a patch which seems to partially load
files,a nd not others, and leaves the system unstable..

The second is the need to reboot just to make the first part work...


>
> If this is the case, you can deploy clusters where you reboot one server
> while the other takes the load and takes care of any user requests. Then
> you patch and reboot the other node.
>
> Personally I don't have any problem with rebooting server once a month
> (this is how often Microsoft will in general release patches).

<< My only concern is critical patches...

>
> My practice is to automatically install and reboot client computers, but
> to only download patches on server. After the update has been evaluated
> that it will not cause any problem it is installed on servers...
>
> There are also quite a few tools that will allow you to remotely deploy
> and control installation of patches on server. One tool that comes to mind
> is Microsoft SMS (Microsoft System Management Server) or WSUS (Windows
> Server Update Services) that will soon be released.
>
> When was last time you updated your active network equipment (routers,
> switches etc)? E.g. CISCO, IBM, Juniper, Symantec, 3COM, etc... all have
> same problem that is described in MS05-19 for Microsoft.
Not so, have not rebooted my CISCO router for about three years, symantec
VPN 2 plus years, firewall six months...



>It is a critical bug that could allow DoS against your network. Let me know
>how it went with rebooting routers and switches.
> http://news.com.com/2102-1002_3-5669392.html?tag=st.util.print
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Duse" <dude@soft.com> wrote in message
> news:Oyxg33XXFHA.2684@TK2MSFTNGP09.phx.gbl...
>> The recent rend for critical patches for win 2003 to require rebooting
>> the server is USELESS!!!
>>
>> Win 2003 is a SEVER, it cannot be continually rebooted and offer any
>> Server level to its users.
>>
>> Additionally the fact that only a partial installation occures ( which
>> leaves the server in a unstable state) is also USELESS...
>>
>> FYI: server are NOT workstations and do not have people sitting at them
>> to monitor and react to your auto updates and installs..
>>
>> Is this truely what you think improving security is....
>>
>> Unhappy..
>>
>>
>>
>
>

"Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
news:eDU$mGhXFHA.3464@TK2MSFTNGP10.phx.gbl...
> If you operate servers that require 24 by 7 or 99.999% availability then
> you need to plan for a process of allowing for patching. This is often
> achieved through the use of technologies such as clustering etc where you
> cooperatively fail over the resources to another server to allow for the
> maintenance of the first server.

This is fine, but we are talking about critical security patches here, on a
server..
The process must match the function being performed..
Sorry dont accept that the only way to have a reliable Windows server is via
clustering..
What do you think a server does..


>
> How do you handle maintenance on your current server infrastructure if you
> cannot accept a reboot for a security patch update since you seem to imply
> that you are operating in actual 24 by 7 availability of the services
> offered by your servers.?
>
> As an aside we are working on technology to remove the reboot requirement
> in many situations for patching.

<< It was ok, but the last few months have been nothing but
problems,especially with the unstablity which caused all sorts of client
problems.. This has only happened in the last month or so..




>
>
> --
>
> Regards,
>
> Mike
> --
> Mike Brannigan [Microsoft]
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights
>
> Please note I cannot respond to e-mailed questions, please use these
> newsgroups
>
> "Duse" <dude@soft.com> wrote in message
> news:Oyxg33XXFHA.2684@TK2MSFTNGP09.phx.gbl...
>> The recent rend for critical patches for win 2003 to require rebooting
>> the server is USELESS!!!
>>
>> Win 2003 is a SEVER, it cannot be continually rebooted and offer any
>> Server level to its users.
>>
>> Additionally the fact that only a partial installation occures ( which
>> leaves the server in a unstable state) is also USELESS...
>>
>> FYI: server are NOT workstations and do not have people sitting at them
>> to monitor and react to your auto updates and installs..
>>
>> Is this truely what you think improving security is....
>>
>> Unhappy..
>>
>>
>>
>
>

"Duse" <dude@soft.com> wrote in message
news:O%23RgCFQYFHA.796@TK2MSFTNGP09.phx.gbl...
>
> "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
> news:eDU$mGhXFHA.3464@TK2MSFTNGP10.phx.gbl...
>> If you operate servers that require 24 by 7 or 99.999% availability then
>> you need to plan for a process of allowing for patching. This is often
>> achieved through the use of technologies such as clustering etc where you
>> cooperatively fail over the resources to another server to allow for the
>> maintenance of the first server.
>
> This is fine, but we are talking about critical security patches here, on
> a server..
> The process must match the function being performed..
> Sorry dont accept that the only way to have a reliable Windows server is
> via clustering..
> What do you think a server does..
>
>

If you are planning on running a 24/7 business critical system and you are
doing it on a single server with no capability to cope with a server outage
for whatever reason (patching, maintenance or system failure) then you have
been remiss in your planning and operational practices.
You have not built a system that can run at the levels you expect.
Clustering is only one possible option (hence my "such as") as it depends on
the application and workload etc.
This is basic high availability stuff - one server does not give you this.

>>
>> How do you handle maintenance on your current server infrastructure if
>> you cannot accept a reboot for a security patch update since you seem to
>> imply that you are operating in actual 24 by 7 availability of the
>> services offered by your servers.?
>>

I noticed you did not respond to this point. I assume that you are not
running your systems with the appropriate operational management processes
in place to maintain high availability. Maybe you may wish to consider
looking at the relevant MOF or ITIL process documents etc.

>> As an aside we are working on technology to remove the reboot requirement
>> in many situations for patching.
>
> << It was ok, but the last few months have been nothing but
> problems,especially with the unstablity which caused all sorts of client
> problems.. This has only happened in the last month or so..
>

I can only say that my clients server systems have not had any increase in
instability in the last few months with security patches etc.

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

"Duse" <dude@soft.com> wrote in message
news:O%23RgCFQYFHA.796@TK2MSFTNGP09.phx.gbl...
>
> "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
> news:eDU$mGhXFHA.3464@TK2MSFTNGP10.phx.gbl...
>> If you operate servers that require 24 by 7 or 99.999% availability then
>> you need to plan for a process of allowing for patching. This is often
>> achieved through the use of technologies such as clustering etc where you
>> cooperatively fail over the resources to another server to allow for the
>> maintenance of the first server.
>
> This is fine, but we are talking about critical security patches here, on
> a server..
> The process must match the function being performed..
> Sorry dont accept that the only way to have a reliable Windows server is
> via clustering..
> What do you think a server does..
>
>
>>
>> How do you handle maintenance on your current server infrastructure if
>> you cannot accept a reboot for a security patch update since you seem to
>> imply that you are operating in actual 24 by 7 availability of the
>> services offered by your servers.?
>>
>> As an aside we are working on technology to remove the reboot requirement
>> in many situations for patching.
>
> << It was ok, but the last few months have been nothing but
> problems,especially with the unstablity which caused all sorts of client
> problems.. This has only happened in the last month or so..
>
>
>
>
>>
>>
>> --
>>
>> Regards,
>>
>> Mike
>> --
>> Mike Brannigan [Microsoft]
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights
>>
>> Please note I cannot respond to e-mailed questions, please use these
>> newsgroups
>>
>> "Duse" <dude@soft.com> wrote in message
>> news:Oyxg33XXFHA.2684@TK2MSFTNGP09.phx.gbl...
>>> The recent rend for critical patches for win 2003 to require rebooting
>>> the server is USELESS!!!
>>>
>>> Win 2003 is a SEVER, it cannot be continually rebooted and offer any
>>> Server level to its users.
>>>
>>> Additionally the fact that only a partial installation occures ( which
>>> leaves the server in a unstable state) is also USELESS...
>>>
>>> FYI: server are NOT workstations and do not have people sitting at them
>>> to monitor and react to your auto updates and installs..
>>>
>>> Is this truely what you think improving security is....
>>>
>>> Unhappy..
>>>
>>>
>>>
>>
>>
>
>

"Duse" <dude@soft.com> wrote in message
news:O%23RgCFQYFHA.796@TK2MSFTNGP09.phx.gbl...
>
> "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
> news:eDU$mGhXFHA.3464@TK2MSFTNGP10.phx.gbl...
> > If you operate servers that require 24 by 7 or 99.999% availability then
> > you need to plan for a process of allowing for patching. This is often
> > achieved through the use of technologies such as clustering etc where
you
> > cooperatively fail over the resources to another server to allow for the
> > maintenance of the first server.
>
> This is fine, but we are talking about critical security patches here, on
a
> server..
> The process must match the function being performed..
> Sorry dont accept that the only way to have a reliable Windows server is
via
> clustering..
> What do you think a server does..
>


And you can name any current operating system that can provide
total functionality availability and uptime without use of some form
of redundant hardware/systems ??

--
Roger Abell


>
> >
> > How do you handle maintenance on your current server infrastructure if
you
> > cannot accept a reboot for a security patch update since you seem to
imply
> > that you are operating in actual 24 by 7 availability of the services
> > offered by your servers.?
> >
> > As an aside we are working on technology to remove the reboot
requirement
> > in many situations for patching.
>
> << It was ok, but the last few months have been nothing but
> problems,especially with the unstablity which caused all sorts of client
> problems.. This has only happened in the last month or so..
>
>
>
>
> >
> >
> > --
> >
> > Regards,
> >
> > Mike
> > --
> > Mike Brannigan [Microsoft]
> >
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights
> >
> > Please note I cannot respond to e-mailed questions, please use these
> > newsgroups
> >
> > "Duse" <dude@soft.com> wrote in message
> > news:Oyxg33XXFHA.2684@TK2MSFTNGP09.phx.gbl...
> >> The recent rend for critical patches for win 2003 to require rebooting
> >> the server is USELESS!!!
> >>
> >> Win 2003 is a SEVER, it cannot be continually rebooted and offer any
> >> Server level to its users.
> >>
> >> Additionally the fact that only a partial installation occures ( which
> >> leaves the server in a unstable state) is also USELESS...
> >>
> >> FYI: server are NOT workstations and do not have people sitting at them
> >> to monitor and react to your auto updates and installs..
> >>
> >> Is this truely what you think improving security is....
> >>
> >> Unhappy..
> >>
> >>
> >>
> >
> >
>
>

"Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
news:%23OFBbPQYFHA.3212@TK2MSFTNGP10.phx.gbl...
> "Duse" <dude@soft.com> wrote in message
> news:O%23RgCFQYFHA.796@TK2MSFTNGP09.phx.gbl...
>>
>> "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
>> news:eDU$mGhXFHA.3464@TK2MSFTNGP10.phx.gbl...
>>> If you operate servers that require 24 by 7 or 99.999% availability then
>>> you need to plan for a process of allowing for patching. This is often
>>> achieved through the use of technologies such as clustering etc where
>>> you cooperatively fail over the resources to another server to allow for
>>> the maintenance of the first server.
>>
>> This is fine, but we are talking about critical security patches here, on
>> a server..
>> The process must match the function being performed..
>> Sorry dont accept that the only way to have a reliable Windows server is
>> via clustering..
>> What do you think a server does..
>>
>>
>
> If you are planning on running a 24/7 business critical system and you are
> doing it on a single server with no capability to cope with a server
> outage for whatever reason (patching, maintenance or system failure) then
> you have been remiss in your planning and operational practices.

<< I SEE the problem...
a) It has to be the client who pays for the software problem!!...
b) It could not perhaps be that 1. Msoft not spending time testing patches
before releasing them, Hey.. let the user do our testing for us... 2. Hey..
they have put up with junk for so long they probaly dont expect any better
from us anyway.. 3. Spend some more money on advertising, this is cheeper
than doing any actual work, and perhaps they will belive the hype.
c) Why address the issue when perhaps we can get them to spend even more
money on clustering sevrices to fix the crap we ship to servers, but wate it
has the same problems!!.. But hey what would I know, I am just the person
that pays for this...


PLEASE READ the original problem...
Its would appear to be about the lack of any quality control....and it is
getting WORSE NOT better...


> You have not built a system that can run at the levels you expect.
> Clustering is only one possible option (hence my "such as") as it depends
> on the application and workload etc.
> This is basic high availability stuff - one server does not give you this.
>
<< Wrong... missed the point...
What I cannot accept is a patch which is applied leaves the system unstable
but operational...
And only a reboot will make it right....

>>>
>>> How do you handle maintenance on your current server infrastructure if
>>> you cannot accept a reboot for a security patch update since you seem to
>>> imply that you are operating in actual 24 by 7 availability of the
>>> services offered by your servers.?
>>>
>
> I noticed you did not respond to this point. I assume that you are not
> running your systems with the appropriate operational management processes
> in place to maintain high availability. Maybe you may wish to consider
> looking at the relevant MOF or ITIL process documents etc.

<< Did not respond as it is off topic, and not the issue, you may wish it to
be the issue but it is NOT...
The problem is a fundementially falawed patch process that needs to eb
fixed...

>
>>> As an aside we are working on technology to remove the reboot
>>> requirement in many situations for patching.

<< This is long past due...
But the problem is a basic lack of quality control, and testing,as well as
the above...


>>
>> << It was ok, but the last few months have been nothing but
>> problems,especially with the unstablity which caused all sorts of client
>> problems.. This has only happened in the last month or so..
>>
>
> I can only say that my clients server systems have not had any increase in
> instability in the last few months with security patches etc.

Great, and this means what?
The above process is OK... wrong...




>
> --
>
> Regards,
>
> Mike
> --
> Mike Brannigan [Microsoft]
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights
>
> Please note I cannot respond to e-mailed questions, please use these
> newsgroups
>
> "Duse" <dude@soft.com> wrote in message
> news:O%23RgCFQYFHA.796@TK2MSFTNGP09.phx.gbl...
>>
>> "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
>> news:eDU$mGhXFHA.3464@TK2MSFTNGP10.phx.gbl...
>>> If you operate servers that require 24 by 7 or 99.999% availability then
>>> you need to plan for a process of allowing for patching. This is often
>>> achieved through the use of technologies such as clustering etc where
>>> you cooperatively fail over the resources to another server to allow for
>>> the maintenance of the first server.
>>
>> This is fine, but we are talking about critical security patches here, on
>> a server..
>> The process must match the function being performed..
>> Sorry dont accept that the only way to have a reliable Windows server is
>> via clustering..
>> What do you think a server does..
>>
>>
>>>
>>> How do you handle maintenance on your current server infrastructure if
>>> you cannot accept a reboot for a security patch update since you seem to
>>> imply that you are operating in actual 24 by 7 availability of the
>>> services offered by your servers.?
>>>
>>> As an aside we are working on technology to remove the reboot
>>> requirement in many situations for patching.
>>
>> << It was ok, but the last few months have been nothing but
>> problems,especially with the unstablity which caused all sorts of client
>> problems.. This has only happened in the last month or so..
>>
>>
>>
>>
>>>
>>>
>>> --
>>>
>>> Regards,
>>>
>>> Mike
>>> --
>>> Mike Brannigan [Microsoft]
>>>
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights
>>>
>>> Please note I cannot respond to e-mailed questions, please use these
>>> newsgroups
>>>
>>> "Duse" <dude@soft.com> wrote in message
>>> news:Oyxg33XXFHA.2684@TK2MSFTNGP09.phx.gbl...
>>>> The recent rend for critical patches for win 2003 to require rebooting
>>>> the server is USELESS!!!
>>>>
>>>> Win 2003 is a SEVER, it cannot be continually rebooted and offer any
>>>> Server level to its users.
>>>>
>>>> Additionally the fact that only a partial installation occures ( which
>>>> leaves the server in a unstable state) is also USELESS...
>>>>
>>>> FYI: server are NOT workstations and do not have people sitting at them
>>>> to monitor and react to your auto updates and installs..
>>>>
>>>> Is this truely what you think improving security is....
>>>>
>>>> Unhappy..
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:uJJo94TYFHA.1868@TK2MSFTNGP14.phx.gbl...
> "Duse" <dude@soft.com> wrote in message
> news:O%23RgCFQYFHA.796@TK2MSFTNGP09.phx.gbl...
>>
>> "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
>> news:eDU$mGhXFHA.3464@TK2MSFTNGP10.phx.gbl...
>> > If you operate servers that require 24 by 7 or 99.999% availability
>> > then
>> > you need to plan for a process of allowing for patching. This is often
>> > achieved through the use of technologies such as clustering etc where
> you
>> > cooperatively fail over the resources to another server to allow for
>> > the
>> > maintenance of the first server.
>>
>> This is fine, but we are talking about critical security patches here, on
> a
>> server..
>> The process must match the function being performed..
>> Sorry dont accept that the only way to have a reliable Windows server is
> via
>> clustering..
>> What do you think a server does..
>>
>
>
> And you can name any current operating system that can provide
> total functionality availability and uptime without use of some form
> of redundant hardware/systems ??

<< Not loooking for this, see original post, this thread was a side issue
created by Msoft, nothing to do with the actual problem...

But I would be happy if MSoft matched my CISCO router, no duplication, no
updates, no security issues and no loss of service or reboots for three
years, while delivering the sevrice as specified at time of purchase, not
via endless hacks ( some introducing more problems than they fox) costing
untold $ for download charges, and time fixing them...

I believe its time that MSoft started providing software that meets basis
requirements, on a server this means not having to reboot several times a
month ( this one a month is crap, see the updates in the last 30 days
alone)...


>
> --
> Roger Abell
>
>
>>
>> >
>> > How do you handle maintenance on your current server infrastructure if
> you
>> > cannot accept a reboot for a security patch update since you seem to
> imply
>> > that you are operating in actual 24 by 7 availability of the services
>> > offered by your servers.?
>> >
>> > As an aside we are working on technology to remove the reboot
> requirement
>> > in many situations for patching.
>>
>> << It was ok, but the last few months have been nothing but
>> problems,especially with the unstablity which caused all sorts of client
>> problems.. This has only happened in the last month or so..
>>
>>
>>
>>
>> >
>> >
>> > --
>> >
>> > Regards,
>> >
>> > Mike
>> > --
>> > Mike Brannigan [Microsoft]
>> >
>> > This posting is provided "AS IS" with no warranties, and confers no
>> > rights
>> >
>> > Please note I cannot respond to e-mailed questions, please use these
>> > newsgroups
>> >
>> > "Duse" <dude@soft.com> wrote in message
>> > news:Oyxg33XXFHA.2684@TK2MSFTNGP09.phx.gbl...
>> >> The recent rend for critical patches for win 2003 to require rebooting
>> >> the server is USELESS!!!
>> >>
>> >> Win 2003 is a SEVER, it cannot be continually rebooted and offer any
>> >> Server level to its users.
>> >>
>> >> Additionally the fact that only a partial installation occures ( which
>> >> leaves the server in a unstable state) is also USELESS...
>> >>
>> >> FYI: server are NOT workstations and do not have people sitting at
>> >> them
>> >> to monitor and react to your auto updates and installs..
>> >>
>> >> Is this truely what you think improving security is....
>> >>
>> >> Unhappy..
>> >>
>> >>
>> >>
>> >
>> >
>>
>>
>
>

From: "Duse" <dude@soft.com>


|
| << Not loooking for this, see original post, this thread was a side issue
| created by Msoft, nothing to do with the actual problem...
|
| But I would be happy if MSoft matched my CISCO router, no duplication, no
| updates, no security issues and no loss of service or reboots for three
| years, while delivering the sevrice as specified at time of purchase, not
| via endless hacks ( some introducing more problems than they fox) costing
| untold $ for download charges, and time fixing them...
|
| I believe its time that MSoft started providing software that meets basis
| requirements, on a server this means not having to reboot several times a
| month ( this one a month is crap, see the updates in the last 30 days
| alone)...


You just proved my theory that your complaint stems from a complete lack of knowledge.

The following statement clinched it -- " MSoft matched my CISCO router, no duplication, no
updates, no security issues..."

That's a crock of sh!t !

I have received numerous for public and "not for public" CERT releases of information on
vulnerability assesments on CISCO IOS and other products.

http://www.cisco.com/warp/public/707/cisco-sn-20050518-tcpts.shtml

http://secunia.com/vendor/5/

http://secunia.com/advisories/10696/
http://secunia.com/product/184/
http://secunia.com/product/183/
http://secunia.com/product/182/

http://netsecurity.about.com/cs/securityalerts/qt/aaalert0204b.htm


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

>But I would be happy if MSoft matched my CISCO router, no duplication, no
>updates, no security issues and no loss of service or reboots for three
>years, while delivering the sevrice as specified at time of purchase, not
>via endless hacks ( some introducing more problems than they fox) costing
>untold $ for download charges, and time fixing them...

Cool. An upatched IOS I can exploit...

>I believe its time that MSoft started providing software that meets basis
>requirements, on a server this means not having to reboot several times a
>month ( this one a month is crap, see the updates in the last 30 days
>alone)...

Can't happen. Can get better, has gotten a lot better, but if you
want perfection you'll have to do without innovation. Of course, you
could buy a Gameboy. Oh wait, they still crash occasionally.

Jeff

"Duse" <dude@soft.com> wrote in message
news:OjZJSpXYFHA.1384@TK2MSFTNGP09.phx.gbl...
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:uJJo94TYFHA.1868@TK2MSFTNGP14.phx.gbl...
> > "Duse" <dude@soft.com> wrote in message
> > news:O%23RgCFQYFHA.796@TK2MSFTNGP09.phx.gbl...
> >>
> > And you can name any current operating system that can provide
> > total functionality availability and uptime without use of some form
> > of redundant hardware/systems ??
>
> << Not loooking for this, see original post, this thread was a side issue
> created by Msoft, nothing to do with the actual problem...
>

Total side-stepping bull. This is the crux of the original post, albeit
such
that the original poster does not recognize this.

> But I would be happy if MSoft matched my CISCO router, no duplication, no
> updates, no security issues and no loss of service or reboots for three
> years, while delivering the sevrice as specified at time of purchase, not
> via endless hacks ( some introducing more problems than they fox) costing
> untold $ for download charges, and time fixing them...
>

You must have bought it and forgotten it, and forgotten to check with Cisco
on IOS vulnerabilities and version updates !!!!

> I believe its time that MSoft started providing software that meets basis
> requirements, on a server this means not having to reboot several times a
> month ( this one a month is crap, see the updates in the last 30 days
> alone)...
>

You must be reapplying the same patch over and over ?? My W2k3's have
managed to go on average a couple months between patching (as all IE and
OE usage on them is not allowed).

--
Roger

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:%239$tTzXYFHA.796@TK2MSFTNGP10.phx.gbl...
> From: "Duse" <dude@soft.com>
>
>
> |
> | << Not loooking for this, see original post, this thread was a side
> issue
> | created by Msoft, nothing to do with the actual problem...
> |
> | But I would be happy if MSoft matched my CISCO router, no duplication,
> no
> | updates, no security issues and no loss of service or reboots for three
> | years, while delivering the sevrice as specified at time of purchase,
> not
> | via endless hacks ( some introducing more problems than they fox)
> costing
> | untold $ for download charges, and time fixing them...
> |
> | I believe its time that MSoft started providing software that meets
> basis
> | requirements, on a server this means not having to reboot several times
> a
> | month ( this one a month is crap, see the updates in the last 30 days
> | alone)...
>
>
> You just proved my theory that your complaint stems from a complete lack
> of knowledge.
>
> The following statement clinched it -- " MSoft matched my CISCO router, no
> duplication, no
> updates, no security issues..."
>
> That's a crock of sh!t !
>
<< Mmmm, just imagine...
Do a search on CISO 800 series...

A simple I must engage brain before mouth...would be fine...


> I have received numerous for public and "not for public" CERT releases of
> information on
> vulnerability assesments on CISCO IOS and other products.
>
> http://www.cisco.com/warp/public/707/cisco-sn-20050518-tcpts.shtml
>
> http://secunia.com/vendor/5/
>
> http://secunia.com/advisories/10696/
> http://secunia.com/product/184/
> http://secunia.com/product/183/
> http://secunia.com/product/182/
>
> http://netsecurity.about.com/cs/securityalerts/qt/aaalert0204b.htm
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

snip>

>
> You must be reapplying the same patch over and over ?? My W2k3's have
> managed to go on average a couple months between patching (as all IE and
> OE usage on them is not allowed).

What about KB898715 on 5/17?

>
> --
> Roger
>
>

From: "Duse" <dude@soft.com>

OK -- Have it your way...

* * Please engage your brain before you type ! * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Microsoft claims that with Windows 2003, far fewer patches require reboots.
Their number was around 80% fewer, I think. I haven't checked to confirm
this. Additionally, many patches that are critical for other OSes are not
critical for Windows 2003, as the vulnerabilities are mitigated by default
settings. If the patch isn't critical, you may be able to wait a month or
several to install it, depending on the details.

Microsoft is also working on hot patching technology to replace running
executables without rebooting. However, if you have to patch your web
server software, you're probably going to have to cause some sort of
downtime by stopping the web server service, whether you're talking Windows
or *nix. Having said all that, I'm sure it is frustrating if a patch for
something unrelated like RPC / DCOM forces you to reboot and lose your
unrelated web services, and many Microsoft customers have always hated that
MS forces you to install IE and Outlook on Windows servers and force you to
install patches nearly monthly. I think they may finally be listening to
the customers and fixing this as well, I don't know.

Most people that can't tolerate 5 minutes of downtime during a reboot 1) use
clustered servers for fault tolerance, because 2) they can't tolerate even
30 seconds of downtime that would be caused by stopping the web service on
Windows or *nix. There are large well known commercial web sites that run
in large Windows clusters in data centers.


"Duse" <dude@soft.com> wrote in message
news:Oyxg33XXFHA.2684@TK2MSFTNGP09.phx.gbl...
> The recent rend for critical patches for win 2003 to require rebooting the
> server is USELESS!!!
>
> Win 2003 is a SEVER, it cannot be continually rebooted and offer any
Server
> level to its users.
>
> Additionally the fact that only a partial installation occures ( which
> leaves the server in a unstable state) is also USELESS...
>
> FYI: server are NOT workstations and do not have people sitting at them to
> monitor and react to your auto updates and installs..
>
> Is this truely what you think improving security is....
>
> Unhappy..
>
>
>

"Duse" <dude@soft.com> wrote in message
news:OEamwHpYFHA.2768@tk2msftngp13.phx.gbl...
> snip>
>
> >
> > You must be reapplying the same patch over and over ?? My W2k3's have
> > managed to go on average a couple months between patching (as all IE and
> > OE usage on them is not allowed).
>
> What about KB898715 on 5/17?
>
> >

It has not caused me any problems on W2k3s.
--
Roger

While I personally don't have a problem with rebooting for installing
patches on the a Windows 2000 Server, I do have a problem with the
whole idea of installing patches in the first place. There has to
be a better way.

I operate a server for a small company, run the updates, etc. I do
not know everything about the the server's configurations, but I am
very knowledgable about computers & most Windows versions in general.
We had a networking company configure our server for us. I operate,
manage accounts, install Windows critical updates, etc.

Microsoft recently released some patches that caused a Generic Host
error on bootup for Windows XP desktops. For the past couple months I
was stumped on what was causing these. I was unable to find anyone
until recently with a definitive answer. Now Microsoft admits the
problem was caused by an update & released a patch to fix it. 3/4 of
all the info I found online mentioned viruses causing this, but my
instinct told me otherwise based on symptoms & experience.

What happens when I install a patch on the server that causes a
problem and have to wait 2 months to find out that Microsoft's updates
caused the problems? We only have one server, and depend on it.
(That was not my decision by the way).

At the very least, there seems to be a lack of testing by Microsoft
with their patches and what could go wrong by installing them. This
newsgroup is one of the few decent solutions i've found to see what's
going on, but it's not enough. How could Microsoft miss such a wide
spread problem with their updates that caused problems for so many,
then leave us all wondering if are computers are infected with a
virus?

Until there is a better solution, i'd have a hard time recommending
Windows based servers.

"Nate Goulet" <askifyouwantaaddress@yahoo.com> wrote in message
news:429e0e57.15472809@news.conversent.net...
> While I personally don't have a problem with rebooting for installing
> patches on the a Windows 2000 Server, I do have a problem with the
> whole idea of installing patches in the first place. There has to
> be a better way.
>
> I operate a server for a small company, run the updates, etc. I do
> not know everything about the the server's configurations, but I am
> very knowledgable about computers & most Windows versions in general.
> We had a networking company configure our server for us. I operate,
> manage accounts, install Windows critical updates, etc.
>
> Microsoft recently released some patches that caused a Generic Host
> error on bootup for Windows XP desktops. For the past couple months I
> was stumped on what was causing these. I was unable to find anyone
> until recently with a definitive answer. Now Microsoft admits the
> problem was caused by an update & released a patch to fix it. 3/4 of
> all the info I found online mentioned viruses causing this, but my
> instinct told me otherwise based on symptoms & experience.
>
> What happens when I install a patch on the server that causes a
> problem and have to wait 2 months to find out that Microsoft's updates
> caused the problems? We only have one server, and depend on it.
> (That was not my decision by the way).
>
> At the very least, there seems to be a lack of testing by Microsoft
> with their patches and what could go wrong by installing them. This
> newsgroup is one of the few decent solutions i've found to see what's
> going on, but it's not enough. How could Microsoft miss such a wide
> spread problem with their updates that caused problems for so many,
> then leave us all wondering if are computers are infected with a
> virus?
>
> Until there is a better solution, i'd have a hard time recommending
> Windows based servers.
>

And if you are managing an infrastructure with multiple desktops and servers
(or one of any size) it also falls to you to appropriately test all patches
in your specific environment to assess their suitability and impact prior to
releasing them on your estate.
Non of my corporate clients would ever roll out anything to desktop or
servers without testing it first - including patches

As regards our testing of patches we have instituted new procedures to
increase the depth and breadth of our testing prior to release.

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

"Nate Goulet" <askifyouwantaaddress@yahoo.com> wrote in message
news:429e0e57.15472809@news.conversent.net...
> While I personally don't have a problem with rebooting for installing
> patches on the a Windows 2000 Server, I do have a problem with the
> whole idea of installing patches in the first place. There has to
> be a better way.
>
> I operate a server for a small company, run the updates, etc. I do
> not know everything about the the server's configurations, but I am
> very knowledgable about computers & most Windows versions in general.
> We had a networking company configure our server for us. I operate,
> manage accounts, install Windows critical updates, etc.
>
> Microsoft recently released some patches that caused a Generic Host
> error on bootup for Windows XP desktops. For the past couple months I
> was stumped on what was causing these. I was unable to find anyone
> until recently with a definitive answer. Now Microsoft admits the
> problem was caused by an update & released a patch to fix it. 3/4 of
> all the info I found online mentioned viruses causing this, but my
> instinct told me otherwise based on symptoms & experience.
>
> What happens when I install a patch on the server that causes a
> problem and have to wait 2 months to find out that Microsoft's updates
> caused the problems? We only have one server, and depend on it.
> (That was not my decision by the way).
>
> At the very least, there seems to be a lack of testing by Microsoft
> with their patches and what could go wrong by installing them. This
> newsgroup is one of the few decent solutions i've found to see what's
> going on, but it's not enough. How could Microsoft miss such a wide
> spread problem with their updates that caused problems for so many,
> then leave us all wondering if are computers are infected with a
> virus?
>
> Until there is a better solution, i'd have a hard time recommending
> Windows based servers.
>

"Nate Goulet" <askifyouwantaaddress@yahoo.com> wrote in message
news:429e0e57.15472809@news.conversent.net...
> While I personally don't have a problem with rebooting for installing
> patches on the a Windows 2000 Server, I do have a problem with the
> whole idea of installing patches in the first place. There has to
> be a better way.

There isn't. No OS or software company has found it. Switching your OS or
software vendor won't let you escape the necessity for patching and patch
testing. Mac OS X, Linux, even OpenBSD, all require patches.


> Microsoft recently released some patches that caused a Generic Host
> error on bootup for Windows XP desktops. For the past couple months I
> was stumped on what was causing these. I was unable to find anyone
> until recently with a definitive answer. Now Microsoft admits the
> problem was caused by an update & released a patch to fix it. 3/4 of
> all the info I found online mentioned viruses causing this, but my
> instinct told me otherwise based on symptoms & experience.

Usually people figure this out when they install a patch, reboot, and the
problem appears. True, there will be some cases here and there where this
is not always obvious to determine. But with any software or OS, you have a
choice between patching quickly for best security / confidentiality, or
patching slowly for [hopefully] best availability. Both are risks to your
system availability and to your support costs and frustration. You have
problems with one patch, but maybe you would have had even more problems had
you not installed that patch or all patches in general in a timely manner.
Also, a problem with one patch does not necessarily show that Microsoft
patches are unreliable or less reliable than other vendors' patches.

> What happens when I install a patch on the server that causes a
> problem and have to wait 2 months to find out that Microsoft's updates
> caused the problems? We only have one server, and depend on it.
> (That was not my decision by the way).
>
> At the very least, there seems to be a lack of testing by Microsoft
> with their patches and what could go wrong by installing them. This
> newsgroup is one of the few decent solutions i've found to see what's
> going on, but it's not enough. How could Microsoft miss such a wide
> spread problem with their updates that caused problems for so many,
> then leave us all wondering if are computers are infected with a
> virus?

Actually, the reason why it takes so long for MS to release patches is
because of the way more intensive testing done on them. Open source
software companies sometimes release patches in a day or three, meaning
there was less than a day or three for patch testing. MS typically takes 30
to 45 days to test, using real customers to help, because they have
different patch versions for all of the hundreds of combinations of windows
and software versions in different languages. I'm not saying this is all
great. This situation could be Microsoft's fault for chosing the
architecture they did. But I am convinced that MS knows patch testing and
reliable patches is important and has tried to spend lots of money and time
to make sure their patches are reliable. If they have failed, it might
still be their fault, but I don't think the cause is lack of trying or lack
of testing.

I do think that MS needs to look again at why other vendors are able to
release patches in a day or two without widespread problems. Third party
browsers, personal firewalls, etc. get patched frequently and updated with
new features frequently, and those vendors don't have to worry about support
for different languages. There must be something that Microsoft could do
differently in future versions. I'm thinking that bundling IE with Windows
and making future IE versions only available for one target OS is the
problem and not the solution. It makes the software even slower to get to
market, with fewer cool new features [tabbed browsing, pop-up blocking and
egress firewall filtering, anyone?] and even then it still takes way longer
to patch. Microsoft took 3+ years to make their partial firewall, and in
the same time period, other vendors like Sygate and Kerio released several
new revs with more features for the same price [free] and without all the
patching delays or complaining about patch testing difficulties for
localized language versions. Something is wrong here.

> Until there is a better solution, i'd have a hard time recommending
> Windows based servers.

That's fine, but other OSes do still require patching, and patch testing,
and troubleshooting. Everyone should pick the solution that makes the most
sense for their environment after considering these and other issues.
Windows is the right choice for some people and the wrong choice for others.
My thought is that many of the people who have problems supporting Windows
would possibly have even more problems supporting other OSes.