Ask Slashdot: Should Hosting Companies Have Change Freezes?
AngryDad writes "Today I received a baffling email from my hosting provider that said, 'We have a company-wide patching freeze and we will not be releasing patches to our customers who utilize the patching portal for the months of November and December.' This means that I and all of their other customers who run Windows servers will have to live with several critical holes for at least two months. Is this common practice with mid-tier hosting providers? If so, may I ask Eastern-EU folks to please refrain from hacking my servers during the holiday season?"
If so, may I ask Eastern-EU folks to please refrain from hacking my servers during the holiday season?
At least 10 countries have just been given the green light for hacking.
Using windows to provide an internet facing service was the first mistake.
Just reply to this message with the IP addresses of any servers you want to make sure will not be hacked and I will make sure the list gets to the right people.
Happy to help.
If I were God, wouldn't I protect my churches from acts of me?
I work for a company with 1200+ VMs and the change freeze concept is nothing new. For us, it's only 1 month around new years and mainly due to staffing issues if something goes wrong.
The server will be spending 50% of its life rebooting to apply minor updates and install software, reducing the risk of a security breach.
This is for automated patching, you may certainly request to be patched by the support teams. Typically these two months are the busiest for online shopping sites and a botched patch could cost the business tons of money. Since you know your business the best, you make the call. Better safe than sorry in my opinion.
As a company using a hosted service, you do have a redeployment plan should a move to another hosting service be required, don't you?
Now would be a good time to exercise that plan.
This ("change moratoriums") is a common practice around the holiday season. A number of the datacenters and other vendors I work with implement similar policies starting right before "black friday" and ending a week after new years. The logic is that changes could have undesirable consequences and the volume of e-commerce around this time would result in a potentially detrimental impact on operations. However, I have never heard of a company that holds out on security updates and other critical fixes due to such a moratorium.
Two months is a looong time. 17% of the year not getting full fidelity on your contracted services seems excessive. Usually, change freezes are a few hours in the middle of the night, once a week.
Are you referring to Point of Sale business or Piece of Shit business?
Having change freezes is standard practice. Most places I've worked have a short month-end freeze, and a couple-of-month year-end freeze.
However, critical security vulnerabilities are exempt from these freezes. Those still get done using whatever emergency protocols are in place.
In the land of the blind, the one-eyed man is kinky.
Perhaps you should co-lo your own gear where you can run daily patches and reboots and only affect your own stuff.
Unless the OP is sharing an actual Windows instance with other clients (which would mean he should be paying about $1/month in fees), rebooting his instance should only affect him.
It's possible that he is paying for a Windows instance on top of Hyper-V, and the underlying OS isn't getting patched, but that really shouldn't be much of a security risk for the OP, as the hypervisor OS isn't visible to the outside world. Likewise, even if he is sharing access to back-end services like SQL server, it's unlikely that the API he is using to connect to those services is vulnerable in such a way that a patched client would be a problem for an unpatched server. It's far more likely that there are SQL injection or other issues on the clients than a non-administrator connection to an unpatched server causing a compromise.
You didn't get this email from your hosting company. You got it from the company managing your servers. The fact that it's the same company is largely irrelevant.
If the server management company isn't flexible enough to meet your needs, do it yourself. You keep track of the patches, you decide when they're ready for release, you release them, you test them. If you don't have the skills for that, or the money to hire someone with the skills, then get another company to do it. If you're using a dedicated server, there's nothing stopping you giving someone else the access to manage and patch it.
If you yourself don't have root/Administrator access, then you don't have a server; you have access to a server. Fork out a little bit extra, and get a dedicated box that you control.
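If you do take patching into your own hands on a dedicated Windows box, as the comment above suggests, the first step is knowing which updates the machine is actually missing and how severe they are. The script below is an added example and is not code from the original thread or from any hosting provider; it uses the Windows Update Agent COM API (Microsoft.Update.Session), which is present on any supported Windows Server, to list applicable updates that are not yet installed, flag the ones Microsoft rates Critical or Important, and, only when explicitly asked, download and install those. The function name, parameters, and the severity ordering are this example's own choices.

```powershell
# Added example: enumerate missing Windows updates via the Windows Update Agent
# COM API and optionally install the ones at or above a chosen MSRC severity.
# Run in an elevated PowerShell session on the server itself.

function Get-MissingWindowsUpdates {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Lowest MSRC severity that counts as "must patch now" (example default).
        [ValidateSet('Critical', 'Important', 'Moderate', 'Low')]
        [string]$MinSeverity = 'Important',

        # Without this switch the function only reports; nothing is changed.
        [switch]$Install
    )

    # Rank severities so we can compare them; updates with no MSRC rating
    # (feature packs, drivers, definitions) get rank 0 and are never auto-installed.
    $rank = @{ 'Critical' = 4; 'Important' = 3; 'Moderate' = 2; 'Low' = 1 }
    $threshold = $rank[$MinSeverity]

    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()

    # Applicable, not installed, not hidden software updates (no drivers).
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

    $report = foreach ($u in $result.Updates) {
        $sev = if ([string]::IsNullOrEmpty($u.MsrcSeverity)) { 'Unrated' } else { $u.MsrcSeverity }
        $sevRank = if ($rank.ContainsKey($sev)) { $rank[$sev] } else { 0 }
        [pscustomobject]@{
            KB        = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity  = $sev
            Urgent    = ($sevRank -ge $threshold)
            Title     = $u.Title
            Update    = $u   # keep the COM object so we can install it below
        }
    }

    # Always show the operator what is outstanding, most severe first.
    $report | Sort-Object -Property @{ Expression = { $rank[$_.Severity] }; Descending = $true } |
        Format-Table KB, Severity, Urgent, Title -AutoSize | Out-String | Write-Host

    if (-not $Install) {
        Write-Host "Report only. Re-run with -Install to apply updates rated $MinSeverity or higher."
        return $report | Select-Object KB, Severity, Urgent, Title
    }

    $toInstall = New-Object -ComObject 'Microsoft.Update.UpdateColl'
    foreach ($r in $report | Where-Object Urgent) {
        if ($PSCmdlet.ShouldProcess($r.Title, 'Download and install')) {
            # Accept the EULA non-interactively where the update requires it.
            if (-not $r.Update.EulaAccepted) { $r.Update.AcceptEula() }
            [void]$toInstall.Add($r.Update)
        }
    }

    if ($toInstall.Count -eq 0) {
        Write-Host 'Nothing at or above the requested severity to install.'
        return
    }

    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $toInstall
    [void]$downloader.Download()

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $toInstall
    $outcome = $installer.Install()

    # ResultCode 2 = Succeeded, 3 = Succeeded with errors (WUA OperationResultCode).
    Write-Host ("Install result code: {0}; reboot required: {1}" -f $outcome.ResultCode, $outcome.RebootRequired)
    if ($outcome.RebootRequired) {
        Write-Host 'Schedule the reboot in your own maintenance window; this script does not reboot.'
    }
}

# Usage (report only, safe to run any time):
#   Get-MissingWindowsUpdates
# Usage (actually patch Critical and Important, with confirmation prompts):
#   Get-MissingWindowsUpdates -MinSeverity Important -Install -Confirm
```

The point of separating the report from the install is exactly the freeze trade-off the thread is arguing about: you can run the report daily, see which outstanding items carry a Critical rating, and make the "patch now or wait for the window" decision yourself instead of inheriting the provider's default. The script deliberately never reboots, since on a production box the reboot, not the install, is the part that needs a scheduled window.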
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
In my experience, they are one and the same.
Of course nobody reads the FAQ! If people read the FAQ, the Questions wouldn't be so Frequently Asked.
You can't put up a sign that says "only a few people allowed beyond this point". And you can't put up a sign that says "very little loitering accepted". So you put up signs that read "no access beyond this point" and "no loitering", and then you simply don't enforce it for the first few people.
If this company has a reduced staff, or wants to ensure that large problems don't happen during sensitive times, then they might want the freeze. And saying that there will be a freeze is the way to do that. But calling them and saying "hey, I know there's a freeze, but I'd really appreciate this patch when it's convenient." won't likely be met with a solid "no, screw you, we're in a freeze".
Ice is usually still a little wet. Not every molecule freezes at the same instant.
Look at it as an opportunity for you to be nice. They said "we'd really like to ease the harsh environment of christmas IT", and you can optionally say "I'll help you out by not patching for a while". It's an opt-out instead of an opt-in scenario, but it's the same.
You're complaining about the default, not the final. And you can override the default with a phone call. Don't sweat it.
I'm using server4you. Their support sucks if you have to call them (they speak german, and very very limited english). If you need support, this is not your company. But if you can manage your own boxes, their uptime is great, and so is the hardware and bandwidth. In the last year we had less than an hour of downtime, and it was after midnight.
The interesting thing: The prices. $28 for an Athlon X2 with 4GB RAM, 2 SATA disks and unlimited bandwidth.
Again, the support desk is impossible mostly due to the lack of English proficiency, and their billing department suffers the same problem if you ever have an issue, but they do offer web reboots (you click a button, your server gets rebooted usually in under 5 minutes). I once requested a server re-imaging and it was processed in 20 minutes. Hardware issues are taken care of very fast too. So, if you know what you are doing, and need nothing but hard reboots and re-imaging if something goes horribly wrong, it doesn't get any cheaper than that.
WTF am I doing replying to an AC at 5 A.M. on a Friday night?
Whatever you do, don't take down 216.34.181.45.
I know which host and which announcement this refers to. All this is is a suspension of fully automated patching during the holiday season. If you want patching performed anyway, just contact your support team. They prefer to make patching opt-in during this period to avoid site outages due to patching miscommunications.
may I ask Eastern-EU folks to please refrain from hacking my servers during the holiday season?
Sure, just provide me with your domain name, provider and root password and I'll add you to my do-not-hack list.
"It's too bad that stupidity isn't painful." - Anton LaVey