----- Original Message -----
From: "Andy Levy" <andy.levy@gmail.com>
To: "Nico Kadel-Garcia" <nkadel@comcast.net>
Cc: <Steve.Craft@sungard.com>; <users@subversion.tigris.org>
Sent: Thursday, June 08, 2006 1:02 PM
Subject: Re: Windows does not Stink, Now Really OT (was RE: Re: Look for
help on windows server platform)
> I'm still trying to wrap my head around this one. At my previous
> employer, we had well over 200 Windows servers, and I can count on one
> hand with fingers left over the number that required an Office
> installation. Those that did only had this requirement because the
> applications running on them had to manipulate/output files in Office
> format.
No Outlook email and Calendar requirement, and corresponding Word
requirement? I had too many work requests marked "do this now!" sent via
email because the users didn't understand or want to use the trouble ticket
or helpdesk system (for various other reasons, some of them Windows
related!) that I often had to open the mail with the Word document and work
directly from it to address the issue, then set up a meeting for the trouble
analysis, and play with the Excel spreadsheets to mark off licenses used or
expenses involved.
> On top of that, we had anti-virus running on all our fileservers and
> desktops, so the chances of an "infested Word document" finding their
> way to an app/web server were minuscule. And *none* had email clients
> installed on them - 90% of them couldn't browse the internet either,
> so no worry about people getting infected via webmail either.
Antivirus is fine, and even necessary. But there's often a significant
lag-time between the first appearance of a virus in the wild, and when the
anti-virus and security patches are deployed to block it, and sometimes even
longer before the existence of the flaw is admitted publicly. This is partly
because groups like CERT and Symantec are loath to publish the existence of
the flaws without Microsoft's explicit agreement, and Microsoft is known to
refuse such agreement for long periods.
That means a serious window of vulnerability exists: it's hard to assess how
long they are, but I've certainly been bitten by at least one in the last few
years when a laptop that the owner refused to patch got plugged in at his
desktop and started spewing attacks at firewall protected machines. It led
to a serious shake-up on patch policy, but those are often temporary: I've
gone through such temporary patch policy changes before, for Linux and
Windows implementations, and find them easier to manage under Linux for
reasons described elsewhere.
> But then we also had a *very* hands-off approach to the console (and
> rdesktop) - did everything via MMC or other remote management
> interfaces whenever possible, and only logged in when you absolutely
> *had* to.
Good for you: that would help address many of the exact concerns I raised.
I've had much more success doing that kind of policy in the Linux world,
seriously. I'll take your experience seriously: it really doesn't match
mine, with small sets of core Windows servers.
Received on Thu Jun 8 20:15:49 2006