Roadshow: No, WSUS can’t do that

As mentioned earlier, I am on the road presenting a part of the security content for Microsoft Technet seminars and meeting partners and professionals all over the state. It is quite exciting and most of all – insightful. As a service provider I make my bacon fixing problems out there and sometimes you don't hear all the problems through your own feedback channels, you have to see people face to face.

The speach of the day: "WSUS doesn't fix stupid. I guarantee that nowhere in WSUS categories will you find a patch class for stupid user keeps on clicking on things. You can't fix stupid, but you can eliminate the amount of things they can be stupid with."

To put it into some context I opened my portion of the Microsoft event by saying that at least half of all the security problems with the Microsoft software are Microsofts fault. Not in terms of them writing insecure operating systems, but in terms of system administrators not applying service packs, patches and hotfixes in a timely manner. I held a quick poll asking people if they waited a few days to deploy critical patches. A surprising number of hands went up. Well folks, this is why your networks get pwned. If you don't have a clear schedule every second Tuesday of the month and plan to spend an hour or two at the Wednesday Technet webcast covering the patchday… well, update your resume. There is this notion that nobody wants to be the first to blow things up. Ok, fair enough – thats what testing is for folks. You test the service pack, you roll, you call PSS if you must to clean things up, you define a process. You don't stick your head in the sand, trust that Microsoft published every single thing that patch fixed and put your security in the hands of 16 year olds that got nothing to do between TRL and American Idol. Cleaning up a box with a broken patch is a hell of a lot easier than cleaning up a rootkit, if you even notice you've been pwned to begin with.

The other half of the security blame falls squarely on the user. You can patch your servers. You flash your firewalls. You can define strict firewall rules. You can turn up logging to find potential problems. You can backup. You can patch your workstations 15 different ways. But you can't fix stupid. If your junior admin got his MCSE from a paper-mill and his solution to NTFS permission problem is elevating end user security roles you've got a case of stupid going on. Give it up, you won't be able to train your accountant. Or your marketing guy. Or your boss (unless I'm your boss, in which case you can suck it monkeys – thats why I'm on a separate server than the rest of you serfs). They are untrainable. But you can train your staff. You can define a plan. You can set a schedule. You control your stupid exposure.

Security is a process. Do you have a clear one?