ANY reason not to apply MS Security updates?

Posted by: SE_Sport_Driver

ANY reason not to apply MS Security updates? - 14/03/2002 12:23

I've been battling with the Admins here about how all of our NT4.0 machines at work don't have any Security updates other than the usual McAfee Virus updates. The last time they were updated with Microsoft Security updates was last fall and that was only because every single machine running NT4.0 server was turned into a brick by Nimda. The ones running non-server versions were hit hard too. Am I right to assume that if these security updates were in place, we would have still been hit by Nimda, but not as bad?

These computers are shipped with special configs and are meant to basically run one set of programs. I could see how most changes to the setup would require authorization by the vendor - but our Admin is a full time employee of that company hired to be on-site here 40 hrs a week.

Any comments or opinions?
Posted by: tfabris

Re: ANY reason not to apply MS Security updates? - 14/03/2002 12:38

The lack of security updates on our internal NT servers is the whole reason we were hit by Nimda. It was using a method of propagation which would have been null and void if we'd had the latest patches installed.

My mistake was thinking that our internal network was safe from Nimda because it was behind a firewall. I didn't count on our corporate offices having an infected machine hitting us across the non-firewalled frame relay line.

So if you want to protect yourself against exploits, apply those security patches. Even if you think you're fine because you're on a private network.
Posted by: SE_Sport_Driver

Re: ANY reason not to apply MS Security updates? - 14/03/2002 13:02

Thanks for the backup, Tony. Like I mentioned, I don't have permission to change anything on these machines, but I am trying to make a fuss so that the right people do. Being self-trained in computers (only my dad who is a programmer and my old roommate who was a CS and math major taught me stuff - oh, and this board too!) I don't have as much clout as someone who took a 2 week Microsoft cert. course. Even though I warned about something like Nimda hitting us one day.... sigh.
Posted by: fusto

Re: ANY reason not to apply MS Security updates? - 14/03/2002 13:21

I'm an NT admin for a large New England University (pity me) and I install the updates as soon as they are released. I check to see what they are for first, and make sure they won't conflict or break any server software that might be running, and if they're ok then I go ahead and patch 'em.
We had Nimda pretty bad and my servers remained unscathed.
The rest of the network was hosed so it didn't really matter that they were up, but I was happy.
Posted by: drakino

Re: ANY reason not to apply MS Security updates? - 14/03/2002 14:55

Having the latest updates would have prevented most of the Code Red/Nimda update, but the problem was that MS didn't have the updates in an easy to find place.

One thing to keep in mind is that MS does have some sort of e-mail list that they use to just announce security patches. I am subscribed to a similar one from SuSE, and every one has links to the file I need to tell Yast to grab to update itself. Any NT admin should be subscribed to this list.

Also, checking with the hardware vendor may be a good idea for any known issues with patches. Microsoft has a bad habit of including their own drivers in Service Packs or major updates that overwrite a vendor's newer driver and could cause problems. The solution is to usually install the vendor's driver updates after installing an MS update, but before letting the MS update reboot the machine.
Posted by: tfabris

Re: ANY reason not to apply MS Security updates? - 14/03/2002 15:01

> but the problem was that MS didn't have the updates in an easy to find place.

Um, I don't see how it could be any easier than http://windowsupdate.microsoft.com .

Okay, sure, you have to upgrade your version of IE to use the feature, but once you've done that, you can easily see which updates the OS needs and apply them with a single click. Don't see how it could get any easier.

The only reason my servers weren't upgraded was simply laziness on my part. I assumed they were safe because they were on an internal-only network, and they were running stable. My standard operating procedure is "if it works, don't fix it", which has kept the servers stable for a long time. I was leery about applying upgrades if I didn't need them. So I allowed them to run without the security patches for a lot longer than they should have. But ease of locating the patches had nothing to do with why they weren't upgraded.
Posted by: drakino

Re: ANY reason not to apply MS Security updates? - 14/03/2002 15:17

> Um, I don't see how it could be any easier than http://windowsupdate.microsoft.com

Yes, they are there now, but the days before Code Red, the patches necessary weren't there. That's why so many people got hit. (That and the MS defaults of everything should be on).

Here is where all hotfixes are posted. Note the one in June, 2001 called "Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise". That was a big part of how those viruses worked, and no one knew the fix had been posted months before the problem to the hot fix site. Most people just wait for new service packs instead of installing individual hot fixes. Also, at the top of that page is the e-mail list I was talking about.

HFNetChk is also a good program for any NT admin to have. It will allow you to scan all servers and NT running workstations you have admin access to, and inform you of what updates need to be applied.

edit: Just as a followup, I downloaded the HFNetChk to my Windows 2000 laptop, checked Windows Update, then ran it. Windows Update listed no Critical Updates, nor any updates beyond IE 6, Media Player 7.1, and some other programs. HFNetChk found I don't have 3 patches applied.
Posted by: tfabris

Re: ANY reason not to apply MS Security updates? - 14/03/2002 15:31

Thanks for that link to HFNetChk. That could be useful to me.
Posted by: SE_Sport_Driver

Re: ANY reason not to apply MS Security updates? - 15/03/2002 06:24

Thank you very much guys! Looks like I'm becoming a little whistle blower here... and I have mixed feelings about that. But it bugs me that someone is getting paid twice what I am and I care more about the network security than them... At least now I can be a little more informed about it as I explain the situation.
Posted by: frog51

Re: ANY reason not to apply MS Security updates? - 18/03/2002 08:30

An amusing aside - the Microsoft hotfix for the recently publicised SNMP vulnerability didn't work. It's sorted now, but if you downloaded it straight away you'd best get back there and grab the updated version.
As IT Security Advisor for various financial institutions I can only say - "YES! GET SECURITY HOTFIXES ASAP!" So much of my work is purely due to sysadmins not installing patches or fixes. Usually the excuse is "Not enough time" but it's amazing how much more time you have when you aren't firefighting!

Try and persuade the sys admin to read anything on securityfocus.com. If they know anything about their network/systems they should get very scared.

If that doesn't work, get them to hire me or one of my colleagues at Ernst&Young to scare them - it's astonishing how easy it is to demonstrate instant access to a network which could be fixed (mostly) by a half hour's work.

(This isn't a self promotional post, honestly)
Posted by: tanstaafl.

Re: ANY reason not to apply MS Security updates? - 18/03/2002 17:24

> Usually the excuse is "Not enough time"

I have a sign over my desk that says: "There's never time to do it right, but always time to do it over."

tanstaafl.
Posted by: ashmoore

Re: ANY reason not to apply MS Security updates? - 18/03/2002 21:13

That sounds very like the standard IT mantra...

JUST REDO IT!!!

Posted by: ashmoore

Re: ANY reason not to apply MS Security updates? - 18/03/2002 21:18

Of course the solution where I work is a simple multi stage process.
1. Never let NT servers near anything critical, a bit like don't let a 2 year old play with a power socket and a paper clip.
2. Never, ever, EVER allow anyone to install, or god forbid, use IIS.
3. If you have your system running just right, immediately disable Windows Update.
4. When the CEO comes in saying how cute Outlook is, slowly reach for the baseball bat under your desk and get him on the way out. Dispose of the body later.

These simple steps will keep your network running much better.

Posted by: SE_Sport_Driver

Re: ANY reason not to apply MS Security updates? - 18/03/2002 21:24

After our local network hardware wiz wouldn't listen to me, I finally sent a letter off to my super about all this stuff... (using Lotus Notes - you proud of me?). I detailed the 14+ CRITICAL security updates that we lacked. I tried to handle this without going to him, but we lost TONS of money during Nimda and people were pointing fingers at our network when it was really IMHO the fault of the hardware people... (we have a network team that just handles transport and connection to the backbone - a separate company handles hardware and is responsible for keeping it up to date).

Someone's mad at me, but I don't feel like coming in on Saturdays again.... sigh.

Why do some people have to make things so hard?
Posted by: tfabris

Re: ANY reason not to apply MS Security updates? - 18/03/2002 22:16

God, how I wish I could follow those rules at my company...
Posted by: SE_Sport_Driver

Re: ANY reason not to apply MS Security updates? - 18/03/2002 22:52

Tony, I was actually reminded of one of your stories, I think it was around Christmas time, when you heard some story on the radio about a virus attack or something and you raced to the office to patch your servers in time. And our person won't quit a game of Solitaire to do a little work.
Posted by: frog51

Re: ANY reason not to apply MS Security updates? - 19/03/2002 09:47

Ah the new BOFH. ROFL
Posted by: ashmoore

Re: ANY reason not to apply MS Security updates? - 19/03/2002 13:35

Ahhh, BOFH
my hero
Posted by: SE_Sport_Driver

Re: ANY reason not to apply MS Security updates? - 19/03/2002 13:57

BOFH Bastard Operator From Hell
BOFH Beautiful Operatress from Heaven
BOFH Bitch Operator from Hell
Posted by: ashmoore

Re: ANY reason not to apply MS Security updates? - 19/03/2002 14:06

that would be the former