Message-ID: <200301302222.JAA08769@caligula.anu.edu.au>
From: avalon at coombs.anu.edu.au (Darren Reed)
Subject: SQL Server patch - why doesn't Windows update help?

> Windows Update does not cover SQL Server. You need to use the Microsoft
> Baseline Security Analyzer if you are looking for an automated method
> in this case. MBSA handles a few things that WU does not, for instance
> SQL Server, and Exchange. Admins sometimes become complacent, thinking
> that "I run Windows Update and so now I'm secure". WU helps, but is only
> a piece of the Windows patching pie. MBSA is useful, although I've found
> that it misreports a variety of items, so you still have to be vigilant.

Well, I downloaded MBSA and from the start it did not make a good
impression.  I asked the installer not to put an icon on the desktop
and what does it do?  Put an icon on the desktop.

As for running it, did it help?  No.

I got "Could not perform the security update scan." as a result for the
"Security Update Scan Results" for "Windows Security Updates",
"SQL Server Security Updates", "Windows Media Player Security Updates"
and "Exchange Server Security Updates".  IIS it realised wasn't installed
but why wasn't it intelligent enough to work out Exchange wasn't either?

Having said that, it did do an SQL server scan but failed to say that
the patch was missing, only that a bunch of SQL server settings were
problematic.  Does this mean I have installed the patch but in stealth
mode where "Add/Remove Programs" doesn't show it?

It also didn't like the idea of me defining my own security zones and
using them (Custom) in preference to High, etc. mmm, Higher security.

Darren
