Slashdot Mirror


Ask Slashdot: Should Hosting Companies Have Change Freezes?

AngryDad writes "Today I received a baffling email from my hosting provider that said, 'We have a company-wide patching freeze and we will not be releasing patches to our customers who utilize the patching portal for the months of November and December.' This means that myself and all other customers of theirs who run Windows servers will have to live with several critical holes for at least two months. Is this common practice with mid-tier hosting providers? If so, may I ask Eastern-EU folks to please refrain from hacking my servers during the holiday season?"

14 of 138 comments

  1. Green light by michaelmalak · Score: 4, Funny

    If so, may I ask Eastern-EU folks to please refrain from hacking my servers during the holiday season?

    At least 10 countries have just been given the green light for hacking.

  2. windows? what were you thinking? by Anonymous Coward · Score: 5, Insightful

    Using Windows to provide an Internet-facing service was the first mistake.

    1. Re:windows? what were you thinking? by gavron · Score: 4, Insightful

      What he said.

      I'm sorry the Windows-mods modded it down. It's instructional and it's informational. NOBODY should EVER use Windows servers as Internet-facing devices.

      Sorry, mods. Reality suggests the 0 is your score for having a clue.

      E

    2. Re:windows? what were you thinking? by MightyMartian · Score: 4, Interesting

      Well, I do have OWA open to the world, mainly because of ActiveSync, but the actual SMTP server, no way. I've seen joe job and dictionary attacks bring an Exchange server running on damned heavy hardware to its knees. I run a Postfix server running postgrey, SpamAssassin and ClamAV that sits on port 25 and weeds out all the nasty bits and hands everything else off to Exchange. There's no way in hell I'd ever let Exchange's SMTP service feel the full force of what the nastier folks on the tubes can throw at it. If someone DDoSs Exchange's IIS daemon, oh well.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    3. Re:windows? what were you thinking? by Penguinisto · Score: 4, Informative

      No effing way. Only a complete and total newbie would even contemplate that, and I'd fire the first admin who tried to put such a thing in place.

      Exchange as an MTA sits behind firewalls and a spam filter (be it home-brewed atop a Linux machine, or an automated commercial appliance, e.g. Barracuda). OWA you put in its own DMZ, insulated on all ends by industrial-grade firewall/security devices. Even Microsoft anticipated that one, and allows you to rig it exactly like that (with the MTA and all other bits buried in your internal network).

      Back to TFA, I'm curious as to what's stopping the article submitter from sticking in a simple SCCM** box (or at least script something in PowerShell that ties into Windows Update) and do his own %}$#@! patching? Relying on anyone other than the OEM to do patches is kinda, well, dumb.

      .
      ** I know, I know - SCCM blows goats. But it's not like it's completely impossible to set up, and besides - that's the price you pay for using so much Windows gear.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    4. Re:windows? what were you thinking? by dbIII · Score: 4, Insightful

      Since in this case you can patch without reboots, the answer is that just switching to Linux (or anything else that can patch without reboots) CAN solve the problem.
      Of course it doesn't solve every server problem, but nobody above said it would, just you dishonestly shifting the goalposts and pretending it's no good unless it fixes problems that were not even being discussed here. That's a bit of a slimy little tactic IMHO so you must feel very strongly if you are prepared to lower yourself to that level, but let's keep all the mindless emotive fanboy bullshit out of it since it just makes you look like more of an idiot than you actually are.

  3. Sure by Capt.DrumkenBum · Score: 4, Funny

    may I ask Eastern-EU folks to please refrain from hacking my servers during the holiday season?

    Just reply to this message with the IP addresses of any servers you want to make sure will not be hacked and I will make sure the list gets to the right people.

    Happy to help.

    --
    If I were God, wouldn't I protect my churches from acts of me?
  4. change freeze by Anonymous Coward · Score: 5, Informative

    I work for a company with 1200+ VMs and the change freeze concept is nothing new. For us, it's only 1 month around New Year's and mainly due to staffing issues if something goes wrong.

  5. It's not that bad by bigtrike · Score: 5, Funny

    The server will be spending 50% of its life rebooting to apply minor updates and install software, reducing the risk of a security breach.

  6. This is common, but.... by Anonymous Coward · Score: 4, Interesting

    This ("change moratoriums") is a common practice around the holiday season. A number of the datacenters and other vendors I work with implement similar policies starting right before "Black Friday" and ending a week after New Year's. The logic is that changes could have undesirable consequences and the volume of e-commerce around this time would result in a potentially detrimental impact on operations. However, I have never heard of a company that holds out on security updates and other critical fixes due to such a moratorium.

  7. Re:POS by viperidaenz · Score: 4, Funny

    Are you referring to Point of Sale business or Piece of Shit business?

  8. Standard practice by Jethro · Score: 4, Informative

    Having change freezes is standard practice. Most places I've worked have a short month-end freeze, and a couple-of-month year-end freeze.

    However, critical security vulnerabilities are exempt from these freezes. Those still get done using whatever emergency protocols are in place.

    --
    In the land of the blind, the one-eyed man is kinky.
  9. Re:POS by Dewin · Score: 4, Funny

    In my experience, they are one and the same.

    --
    Of course nobody reads the FAQ! If people read the FAQ, the Questions wouldn't be so Frequently Asked.
  10. 216.34.181.45 by kf6auf · Score: 5, Funny

    Whatever you do, don't take down 216.34.181.45.