Security Patching for IIS

ComputerWorld's Dan Verton recently reported on an interesting study titled "Constant Security Fixes Overwhelming IT Managers." UK-based managed-security service provider Activis, a subsidiary of Germany-based Articon-Integralis, performed the study. The study found that the number of security patches and updates is overwhelming IT staffs and, as a result, IT staffs are falling behind and, in some cases, deliberately not applying patches because the bandwidth to do so isn't available. Downtime from applying patches and rebooting servers only makes the problem worse.

The study looked at typical configurations in companies, including Checkpoint Software Technologies' firewall products, Sophos' antivirus applications, and Internet Security Systems' RealSecure network and server scanners. Verton maintains that the study examined Windows NT servers, not Windows 2000 servers. The study also looked at Microsoft SQL Server 7.0 and Microsoft Exchange Server 5.5, both noncurrent versions of Microsoft's server lineup. Keeping NT 4.0 and earlier versions of Exchange and SQL Server security updated takes Herculean effort.

Microsoft does a good job of providing security patches and updates for Win2K. Similarly, the new version of IIS—IIS 6.0—will come locked down by default and will automatically patch itself. However, these steps do nothing for people still running on the NT 4.0 platform. What is Microsoft doing to help customers who use earlier versions of its server products? After all, the company doesn't have any incentive to keep these older systems running."

IIS Administrator UPDATE reader Paul Smith, a senior systems analyst at Snap-on, agrees. "The problems we're running into are related to supporting more than 250 NT servers worldwide with only about eight people," he says. "I know Active Directory (AD) would make my job easier, but when it comes down to it, we're functioning fine now. We're a tool-manufacturing company first and foremost. The IT department isn't a revenue generator. We can increase efficiency, but we're a draw against the bottom line that makes the cost of a Win2K upgrade difficult to justify to management."

Time and again I hear this sentiment from IT professionals such as Paul Smith. He's in a difficult situation. The study points out that "security managers at a company with an IT infrastructure consisting of only eight firewalls and nine servers would have had to make 1315 updates to their systems in the past 9 months alone—that's equal to five updates a working day. That number is based on the total number of updates and patches released during that timeframe by some of the major software and security vendors." In addition to that workload, the study maintains that "IT managers at companies of this size would have to manage more than 500,000 log file entries every day. Each firewall generates an average of 200,000 to 300,000 log entries and 20 alerts each day. Likewise, each network sensor [generates] between 20 and 50 console alerts per day, and each server sensor [generates] between 1 and 20 console alerts per day." Given the amount of work it takes to maintain servers, understanding why IT shops are falling behind is easy.

Will there ever be an end to this burden? The end doesn't seem to be in sight. In fact, the problem seems to be getting worse.

If you're interested in the details of the Activis study, you can find them at the Activis Web site.

Do you agree? Give me your feedback about this critical issue.