Slashdot Mirror


Ask Slashdot: Should Hosting Companies Have Change Freezes?

AngryDad writes "Today I received a baffling email from my hosting provider that said, 'We have a company-wide patching freeze and we will not be releasing patches to our customers who utilize the patching portal for the months of November and December.' This means that myself and all other customers of theirs who run Windows servers will have to live with several critical holes for at least two months. Is this common practice with mid-tier hosting providers? If so, may I ask Eastern-EU folks to please refrain from hacking my servers during the holiday season?"

43 of 138 comments

  1. Green light by michaelmalak · · Score: 4, Funny

    If so, may I ask Eastern-EU folks to please refrain from hacking my servers during the holiday season?

    At least 10 countries have just been given the green light for hacking.

    1. Re:Green light by xaxa · · Score: 2

      No, that list includes 18 countries. The 10 that are eastern are:

      Serbia
      Montenegro
      Croatia
      Bosnia-Herzegovina
      Macedonia (Former Yugoslav Republic of)
      Albania
      Belarus
      Moldova
      Russia
      Ukraine

      (The first few would often be called southeastern.)

  2. windows? what were you thinking? by Anonymous Coward · · Score: 5, Insightful

    Using windows to provide an internet facing service was the first mistake.

    1. Re:windows? what were you thinking? by gavron · · Score: 4, Insightful

      What he said.

      I'm sorry the Windows-mods modded it down. It's instructional and it's informational. NOBODY should EVER use windows servers as Internet-facing devices.

      Sorry, mods. Reality suggests the 0 is your score for having a clue.

      E

    2. Re:windows? what were you thinking? by erroneus · · Score: 2

      Seriously. Even Windows-only people should know this. If they aren't placing protective devices in front of their Windows boxes to control access and limit the damage of attacks, they just aren't in touch with reality.

      The funny thing is that most of these security appliances are running... what?

    3. Re:windows? what were you thinking? by Anonymous Coward · · Score: 3, Funny

      Exchange

    4. Re:windows? what were you thinking? by MightyMartian · · Score: 4, Interesting

      Well, I do have OWA open to the world, mainly because of ActiveSync, but the actual SMTP server, no way. I've seen joe job and dictionary attacks bring an Exchange server running on damned heavy hardware to its knees. I run a Postfix server running postgrey, SpamAssassin and ClamAV that sits on port 25 and weeds out all the nasty bits and hands everything else off to Exchange. There's no way in hell I'd ever let Exchange's SMTP service feel the full force of what the nastier folks on the tubes can throw at it. If someone DDoSs Exchange's IIS daemon, oh well.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    5. Re:windows? what were you thinking? by Penguinisto · · Score: 4, Informative

      No effing way. Only a complete and total newbie would even contemplate that, and I'd fire the first admin who tried to put such a thing in place.

      Exchange as an MTA sits behind firewalls and a spam filter (be it home-brewed atop a Linux machine, or an automated commercial appliance, e.g. Barracuda). OWA you put in its own DMZ, insulated on all ends by industrial-grade firewall/security devices. Even Microsoft anticipated that one, and allows you to rig it exactly like that (with the MTA and all other bits buried in your internal network).

      Back to TFA, I'm curious as to what's stopping the article submitter from sticking in a simple SCCM** box (or at least scripting something in PowerShell that ties into Windows Update) and doing his own %}$#@! patching? Relying on anyone other than the OEM to do patches is kinda, well, dumb.

      ** I know, I know - SCCM blows goats. But it's not like it's completely impossible to set up, and besides - that's the price you pay for using so much Windows gear.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    6. Re:windows? what were you thinking? by dbIII · · Score: 4, Insightful

      Since in this case you can patch without reboots, the answer is just switching to Linux (or anything else that can patch without reboots) CAN solve the problem.
      Of course it doesn't solve every server problem, but nobody above said it would, just you dishonestly shifting the goalposts and pretending it's no good unless it fixes problems that were not even being discussed here. That's a bit of a slimy little tactic IMHO so you must feel very strongly if you are prepared to lower yourself to that level, but let's keep all the mindless emotive fanboy bullshit out of it since it just makes you look like more of an idiot than you actually are.

    7. Re:windows? what were you thinking? by aiht · · Score: 2

      Using windows to provide an internet facing service was the first mistake.

      What would you suggest if someone wants to run ASP.NET code on their website?

      Reverse proxy.

    8. Re:windows? what were you thinking? by TheRaven64 · · Score: 3, Funny

      What would you suggest if someone wants to run ASP.NET code on their website?

      Therapy.

      --
      I am TheRaven on Soylent News
    9. Re:windows? what were you thinking? by fritsd · · Score: 2

      I once saw an advertisement for a protection service for MS IIS servers, to protect them from attack. (Sorry no link, I forgot, and it was years ago):
      It was some kind of proxy that made it look as if the website was on Apache instead of IIS.

      I'm not joking; it really seemed like a legit product, for money, that protected large banks etc. by making it appear as if they used Apache. So that attackers wouldn't bother trying to attack it.

      To be honest, I have no experience with MS IIS, but to me that says that at least 10 years ago, the perception was that IIS was less secure than Apache, so much so that 3rd parties developed and marketed this kind of webserver shell around it.

      Call it "Mimicry"; protective coloration :-)

      --
      To be, or not to be: isn't that quite logical, Slashdot Beta?
  3. Sure by Capt.DrumkenBum · · Score: 4, Funny

    may I ask Eastern-EU folks to please refrain from hacking my servers during the holiday season?

    Just reply to this message with the IP addresses of any servers you want to make sure will not be hacked and I will make sure the list gets to the right people.

    Happy to help.

    --
    If I were God, wouldn't I protect my churches from acts of me?
    1. Re:Sure by phorm · · Score: 2

      127.0.0.1 ::1
      fe00::0
      127.0.0.2

    2. Re:Sure by houghi · · Score: 2

      127.31.33.7
      HTH. HAND.

      --
      Don't fight for your country, if your country does not fight for you.
  4. change freeze by Anonymous Coward · · Score: 5, Informative

    I work for a company with 1200+ VMs and the change freeze concept is nothing new. For us, it's only 1 month around New Year's and mainly due to staffing issues if something goes wrong.

  5. It's not that bad by bigtrike · · Score: 5, Funny

    The server will be spending 50% of its life rebooting to apply minor updates and install software, reducing the risk of a security breach.

  6. Go dedicated or go home by A+bsd+fool · · Score: 2, Insightful

    Under any shared hosting, or control-panel-abstracted hosting, you're at the mercy of your provider for things like this. I realize they offer stuff on the cheap, but it's times like these when you realize you're getting what you've paid for. Many more hosting companies have hypervisors amongst their offerings than did just five years ago, and you can get a basic ESXi server for $50/month or thereabouts. Add memory, disk space, IPs, and bandwidth to suit.

    1. Re:Go dedicated or go home by GNUALMAFUERTE · · Score: 3, Informative

      I'm using server4you. Their support sucks if you have to call them (they speak German, and very very limited English). If you need support, this is not your company. But if you can manage your own boxes, their uptime is great, and so is the hardware and bandwidth. In the last year we had less than an hour of downtime, and it was after midnight.

      The interesting thing: The prices. $28 for an Athlon X2 with 4GB RAM, 2 SATA disks and unlimited bandwidth.

      Again, the support desk is impossible mostly due to the lack of English proficiency, and their billing department suffers the same problem if you ever have an issue, but they do offer web reboots (you click a button, your server gets rebooted usually in under 5 minutes). I once requested a server re-imaging and it was processed in 20 minutes. Hardware issues are taken care of very fast too. So, if you know what you are doing, and need nothing but hard-reboots and re-imaging if something goes horribly wrong, it doesn't get any cheaper than that.

      --
      WTF am I doing replying to an AC at 5 A.M. on a Friday night?
  7. Better safe than sorry. by Anonymous Coward · · Score: 3, Insightful

    This is for automated patching, you may certainly request to be patched by the support teams. Typically these two months are the busiest for online shopping sites and a botched patch could cost the business tons of money. Since you know your business the best, you make the call. Better safe than sorry in my opinion.

  8. Translation by bersl2 · · Score: 2

    Translation: "Dear Slashdot, I'm looking for a good Windows host. Any suggestions?"

  9. Exercise that redeployment plan by RichMan · · Score: 3

    As a company using a hosted service you do have a redeployment plan should movement to another hosting service be required, don't you?

    Now would be a good time to exercise that plan.

  10. This is common, but.... by Anonymous Coward · · Score: 4, Interesting

    This ("change moratoriums") is a common practice around the holiday season. A number of the datacenters and other vendors I work with implement similar policies starting right before "Black Friday" and ending a week after New Year's. The logic is that changes could have undesirable consequences and the volume of e-commerce around this time would result in a potentially detrimental impact on operations. However, I have never heard of a company that holds out on security updates and other critical fixes due to such a moratorium.

    1. Re:This is common, but.... by sjames · · Score: 2

      It's a tough call, but it's worth keeping in mind that not all Windows updates go smoothly.

  11. What does your contract say? by HaeMaker · · Score: 3, Insightful

    Two months is a looong time. 17% of the year not getting full fidelity on your contracted services seems excessive. Usually, change freezes are a few hours in the middle of the night, once a week.

  12. What Ever You Have to Say About Hostess Company by Jeremiah+Cornelius · · Score: 2, Funny

    It's just too late. No more Twinkies.

    And if you are concerned about freezing them, as the article seems to state? Don't bother. The shelf-life is astronomical!

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  13. Hardly baffling by Gothmolly · · Score: 2

    Real (TM) IT shops have change freezes all the time. It's called release management. Perhaps you should a) host on some more stable platform, or b) co-lo your own gear where you can run daily patches and reboots and only affect your own stuff.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Hardly baffling by nabsltd · · Score: 3, Informative

      Perhaps you should co-lo your own gear where you can run daily patches and reboots and only affect your own stuff.

      Unless the OP is sharing an actual Windows instance with other clients (which would mean he should be paying about $1/month in fees), rebooting his instance should only affect him.

      It's possible that he is paying for a Windows instance on top of Hyper-V, and the underlying OS isn't getting patched, but that really shouldn't be much of a security risk for the OP, as the hypervisor OS isn't visible to the outside world. Likewise, even if he is sharing access to back-end services like SQL Server, it's unlikely that the API he is using to connect to those services is vulnerable in such a way that a patched client would be a problem for an unpatched server. It's far more likely that there are SQL injection or other issues on the clients than a non-administrator connection to an unpatched server causing a compromise.

    2. Re:Hardly baffling by AK+Marc · · Score: 2

      Everywhere I've seen a "change freeze" stated, "critical" changes/updates are allowed, just with "critical" being variable.

  14. Re:POS by viperidaenz · · Score: 4, Funny

    Are you referring to Point of Sale business or Piece of Shit business?

  15. Careful you don't hurt yourself by Sycraft-fu · · Score: 2, Insightful

    When you fall off that high horse.

    What is the reason for an anti-outsourcing rant in this thread? To me, it sounds like the guy has his own website and that's what he's talking about. Do you host your own website? By that I mean do you have your own server, on your own property? If not, then you are outsourcing it. Even if you do, you are still probably outsourcing your Internet access and power generation.

    If you don't like outsourcing that's fine and there's plenty of arguments against it, but save it for when it is relevant. Don't just go off on it.

    Most individuals outsource their webhosting, and for good reason.

    1. Re:Careful you don't hurt yourself by BitZtream · · Score: 2

      Yes, I have a server sitting on my property. I have a government regulated Internet connection and power connection with HARD SLAs regarding availability. You want to try that one again?

      That is entirely beside the point. There is nothing wrong with outsourcing. I also host certain parts of my infrastructure in someone else's data center. What I do not do is depend on someone else to do the job of Windows Update when they provide absolutely no advantages over turning on auto-updates and they provide obvious downsides like the very one the submitter submitted.

      I evaluate the benefits and risks of outsourcing and then decide where I'll get the better fit for my situation.

      I walked into managing a cluster of servers with that outsourced patch crap, worst idea ever. They provide no advantage over just turning on auto-updates. They don't actually test it with 'your software'. They don't generally provide any better way to roll back a patch set other than 'use the system restore'. They do absolutely nothing that turning on auto-updates wouldn't do for you.

      It's just another way to blame a problem on someone else rather than being responsible for it yourself. It's like buying support contracts for Linux. It's just an excuse. It doesn't actually solve the problem, it just shows you aren't capable of doing the job yourself.

      In this case it shows the submitter didn't bother to even consider what the benefits of having the company do patch management for him were, which are none. That is why I can stay seated on my horse.

      Top it off ... he couldn't bother to do some Googling for the answer. He isn't qualified for the job.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  16. "Your" servers? by Anonymous Coward · · Score: 2, Insightful

    How are they "your" servers if you cannot patch them whenever you deem necessary?

  17. Standard practice by Jethro · · Score: 4, Informative

    Having change freezes is standard practice. Most places I've worked have a short month-end freeze, and a couple-of-month year-end freeze.

    However, critical security vulnerabilities are exempt from these freezes. Those still get done using whatever emergency protocols are in place.

    --
    In the land of the blind, the one-eyed man is kinky.
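    Several posters above (the "This is common, but...." thread, AK+Marc's "critical is variable" reply, and Jethro here) describe the same rule: a freeze window defers routine changes, but fixes at or above some severity bypass it, and the threshold differs per shop. The following is an added example, not code from any poster or provider, that models that policy and measures how long each patch would sit unapplied; the freeze dates, severity ladder and patch names are constructed for illustration.

```python
# Added example: a change-freeze policy that still lets critical fixes through.
# All dates and patch names below are constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta

# Vendor-style severity ladder; higher rank means more urgent.
SEVERITY_RANK = {"low": 0, "moderate": 1, "important": 2, "critical": 3}


@dataclass(frozen=True)
class Patch:
    name: str
    severity: str
    released: date


@dataclass(frozen=True)
class FreezeWindow:
    start: date
    end: date                          # inclusive last day of the freeze
    exempt_at_least: str = "critical"  # this severity and above bypass the freeze

    def covers(self, day: date) -> bool:
        return self.start <= day <= self.end


def install_date(patch: Patch, freeze: FreezeWindow) -> date:
    """Earliest day the patch may be applied under the freeze policy."""
    if SEVERITY_RANK[patch.severity] >= SEVERITY_RANK[freeze.exempt_at_least]:
        return patch.released                    # emergency path: apply on release
    if freeze.covers(patch.released):
        return freeze.end + timedelta(days=1)    # deferred to the day after the freeze
    return patch.released                        # released outside the window


def exposure_days(patch: Patch, freeze: FreezeWindow) -> int:
    """Days a host stays unpatched beyond the patch's release date."""
    return (install_date(patch, freeze) - patch.released).days


def freeze_report(patches, freeze: FreezeWindow) -> dict:
    """Map each patch name to its deferral in days under the policy."""
    return {p.name: exposure_days(p, freeze) for p in patches}


def over_budget(patches, freeze: FreezeWindow, max_days: int) -> list:
    """Names of patches whose deferral exceeds an agreed exposure budget."""
    return [p.name for p in patches if exposure_days(p, freeze) > max_days]


# Constructed sample: a November-December freeze and three patches.
HOLIDAY_FREEZE = FreezeWindow(date(2013, 11, 1), date(2013, 12, 31))
SAMPLE_PATCHES = [
    Patch("KB-EXAMPLE-1", "critical", date(2013, 11, 12)),   # exempt, applied at once
    Patch("KB-EXAMPLE-2", "important", date(2013, 11, 12)),  # held until 1 January
    Patch("KB-EXAMPLE-3", "moderate", date(2013, 10, 8)),    # released before the freeze
]

if __name__ == "__main__":
    print(freeze_report(SAMPLE_PATCHES, HOLIDAY_FREEZE))
    print(over_budget(SAMPLE_PATCHES, HOLIDAY_FREEZE, max_days=30))
```

    Lowering `exempt_at_least` to "important" is the "critical is variable" knob: the same patch list then shows no deferral for the important fix, which is the negotiation a phone call to the provider amounts to.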
  18. rackspace by Anonymous Coward · · Score: 2, Informative

    If you read the email properly, they are not doing automatic patching of these releases, but there is nothing to stop you applying them yourself, or getting them to apply them if you specifically ask for them.

  19. Not hosting by LordLucless · · Score: 3, Insightful

    You didn't get this email from your hosting company. You got it from the company managing your servers. The fact that it's the same company is largely irrelevant.

    If the server management company isn't flexible enough to meet your needs, do it yourself. You keep track of the patches, you decide when they're ready for release, you release them, you test them. If you don't have the skills for that, or the money to hire someone with the skills, then get another company to do it. If you're using a dedicated server, there's nothing stopping you giving someone else the access to manage and patch it.

    If you yourself don't have root/Administrator access, then you don't have a server; you have access to a server. Fork out a little bit extra, and get a dedicated box that you control.

    --
    Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
  20. Re:POS by Dewin · · Score: 4, Funny

    In my experience, they are one and the same.

    --
    Of course nobody reads the FAQ! If people read the FAQ, the Questions wouldn't be so Frequently Asked.
  21. Words vs Actions by holophrastic · · Score: 3, Informative

    You can't put up a sign that says "only a few people allowed beyond this point". And you can't put up a sign that says "very little loitering accepted". So you put up signs that read "no access beyond this point" and "no loitering", and then you simply don't enforce it for the first few people.

    If this company has a reduced staff, or wants to ensure that large problems don't happen during sensitive times, then they might want the freeze. And saying that there will be a freeze is the way to do that. But calling them and saying "hey, I know there's a freeze, but I'd really appreciate this patch when it's convenient." won't likely be met with a solid "no, screw you, we're in a freeze".

    Ice is usually still a little wet. Not every molecule freezes at the same instant.

    Look at it as an opportunity for you to be nice. They said "we'd really like to ease the harsh environment of Christmas IT", and you can optionally say "I'll help you out by not patching for a while". It's an opt-out instead of an opt-in scenario, but it's the same.

    You're complaining about the default, not the final. And you can override the default with a phone call. Don't sweat it.

  22. Troll by vawarayer · · Score: 2

    If so, may I ask Eastern-EU folks to please refrain from hacking my servers

    If so, may I ask the Slashdot editors to please refrain from letting people post trolls.

  23. 216.34.181.45 by kf6auf · · Score: 5, Funny

    Whatever you do, don't take down 216.34.181.45.

  24. Article is based on incorrect reading by phoebusQ · · Score: 3, Informative

    I know which host and to which announcement this refers. All this is is a suspension of fully automated patching during the holiday season. If you want patching performed anyway, just contact your support team. They prefer to make patching opt-in during this period to avoid site outages due to patching miscommunications.

  25. Customer satisfaction is important to us. by Mr2cents · · Score: 3, Funny

    may I ask Eastern-EU folks to please refrain from hacking my servers during the holiday season?

    Sure, just provide me with your domain name, provider and root password and I'll add you to my do-not-hack list.

    --
    "It's too bad that stupidity isn't painful." - Anton LaVey
  26. Why still allow top hacking countries? by Moskit · · Score: 2

    I'm sorry to say that OP seems to be nationalistic about his "hacker countries" conception, promoting negative stereotypes, not to mention that he confused EU with Europe.

    Top hacking countries are very different from Eastern Europe countries: USA (yup, still number 1 spot), China (Eastern, but not European), Russia (not Europe, just Eastern), Brazil, Germany (Europe and EU, but not Eastern), UK (an island off Europe coast), India (totally away from Europe)...

    With your attempt at "humour" you basically allowed all those people right to hack your servers over the next two months ;-)