Jeff wrote:
On Mon, Aug 04, 2003 at 11:44:43PM +0530, D N Vaidya wrote:
[...]
Which tool is best for vulnerability assessment?
See <http://www.insecure.org/tools.html> for Fyodor's/Insecure.org's 'Top 75 Security Tools'.
[...]
I do not use Microsoft, so I cannot comment on their update policy, but basically anytime a vendor releases a patch you will need to evaluate it carefully based on what it "fixes" given your computing environment.
We use Windows 2000 Advanced Server as a hosting platform at $WORK and every time a patch is released by Microsoft, we read the security bulletin(s) to see what the patch is for.
If it's for something we have installed, we install the patch, but we will never install a patch for (e.g.) Office. Simply because it's not available on our servers.
All patches can be installed remotely, using TSC (Terminal Services Client).
On my own network, I pretty much update immediately whenever Red Hat releases a patch -- I use 'up2date -u' and it all just works, and I've never had a problem with their patches.
My home systems are all Debian installs and I read debian-security-announce to keep track of bugs and I install them using dselect and/or apt-get.
Regards, Jan
--
/"\  ASCII Ribbon Campaign
\ /  No HTML in mail or news!
 X
/ \  DSINet: http://www.dsinet.org