Monday, August 15, 2005

Uptime – Longer is better?

A while back Windows 2000 and Windows XP were touted as much more stable and secure operating systems than their predecessors. By and large that is true (despite the monthly patching cycle). However, that very same patch cycle means we are now at the point where, if a machine has been online for more than 30 days, you can be 100% assured it is missing patches or a patch has not been 100% applied (e.g. a reboot is pending).

I also see machines that are behind on anti-virus updates. The typical trend I have noticed is that such a machine has usually been online for 20, 30, 60 or more days. (The current longest I can recall is 72 days.) Up, but not entirely stable, eh?

Hell, which is great, right? A mature, robust operating system that can stay up and work for 72 days without a reboot. Back in the Win9X days, or even some of the NT days, who would have thought that? Well, some people, I am sure. But is that a good thing?

If you have a machine in your environment today that has an uptime of 72 days, you can be assured that it is vulnerable to many exploits, some minor, some severe. Taking today's example, you would have a machine that is vulnerable to MS-038, MS-039, and MS-043, all wormable exploits (some in the wild already, and more to come).

On the workstation side of the coin you do not want to see long uptimes, and the same goes for the server world, because a long uptime means the machine has not been patched. Today most patches still require a reboot. We can get them all chained together to apply upon boot, but if that machine is not fully bounced it is not fully patched.

What is the answer? Twofold.

Microsoft must implement patch installs that do not require a reboot (not much chance for XP/2000, and probably not even Vista).
System administrators will need to ensure that one measure for problematic machines is an uptime report; perhaps even schedule automatic reboots at 7, 14, or 21 days if the patch cycle alone is not enough.
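One way to produce the uptime report described above, as an added example that is not part of the original post: a PowerShell script that reads each machine's last boot time, computes days of uptime, flags anything over a chosen threshold, and also checks the registry locations Windows Update and component servicing use to record that a reboot is still outstanding (the "reboot pending" state mentioned earlier). The $Computers list, the $MaxUptimeDays threshold and the use of CIM over WinRM for remote hosts are assumptions; the registry paths are the standard Windows ones.

```powershell
# Added example, not code from the original post. Assumes local admin rights,
# and for remote hosts that WinRM (for CIM) and the Remote Registry service
# are reachable. $Computers and $MaxUptimeDays are hypothetical inputs.
param(
    [string[]] $Computers = @('localhost'),
    [int] $MaxUptimeDays = 21
)

function Test-PendingReboot {
    param([string] $Computer)
    # Keys that Windows Update / Component Based Servicing create when a patch
    # has been installed but the machine has not yet been bounced.
    $keys = @(
        'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    if ($Computer -eq 'localhost') {
        $reg = [Microsoft.Win32.Registry]::LocalMachine
    } else {
        $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    }
    try {
        foreach ($k in $keys) {
            $sub = $reg.OpenSubKey($k)
            if ($sub) { $sub.Close(); return $true }
        }
        # A pending file rename (e.g. a replaced system DLL) also means
        # the patch is not fully applied until the next boot.
        $sm = $reg.OpenSubKey('SYSTEM\CurrentControlSet\Control\Session Manager')
        if ($sm) {
            $pending = $sm.GetValue('PendingFileRenameOperations')
            $sm.Close()
            if ($pending) { return $true }
        }
        return $false
    } finally {
        if ($Computer -ne 'localhost') { $reg.Close() }
    }
}

$report = foreach ($c in $Computers) {
    # Get-CimInstance returns LastBootUpTime as a DateTime, so no conversion is needed.
    if ($c -eq 'localhost') {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem
    } else {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $c
    }
    $uptime = (Get-Date) - $os.LastBootUpTime
    [pscustomobject]@{
        Computer      = $c
        UptimeDays    = [math]::Round($uptime.TotalDays, 1)
        RebootPending = Test-PendingReboot -Computer $c
        OverThreshold = $uptime.TotalDays -gt $MaxUptimeDays
    }
}

# Full report, longest uptime first.
$report | Sort-Object UptimeDays -Descending | Format-Table -AutoSize

# Candidates for a scheduled restart: over the uptime threshold, or patched but
# still waiting on a reboot. Feed these into Restart-Computer in a maintenance window.
$report | Where-Object { $_.OverThreshold -or $_.RebootPending }
```

A machine with a short uptime can still show RebootPending, which is the "patch not 100% applied" case from the post; that is why the script reports both columns rather than uptime alone.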

Even with having to shorten the uptime of all machines, we are still a lot better off than the Win9X days…
