Security is probably Topic #1 on every server administrator's mind these days... and on his or her boss's mind at the CIO level, and even up to the company president. Can anything cost your enterprise more money faster these days than a security breach? No, your corporate data is your crown jewels, and protecting that data is a top priority for admins nowadays -- and making sure you're secure at the server level should be a primary focus of that effort.
Fittingly, the concentration on security at the server level has become a competitive tool; Microsoft's emphasis on security provisions in the coming upgrade to Windows Server 2003 is enough proof of that. Now comes a report that says Windows Server 2003 is already more secure than Red Hat Enterprise Linux ES3. Does that fly in the face of conventional wisdom and/or constant press about Windows-based vulnerabilities? Maybe, and many people were quick to debunk the report's conclusions and base methodology. There's a lot of religion on either side of the issue, and the study's findings on core vulnerabilities and "days of risk" -- the speed with which security holes are identified by server software's manufacturers -- are somewhat at odds with other examinations of the problem.
All of this, however, misses a fundamental point: Should a flap like this be a big deal to you as you're looking at your server platform? Yes, and no. If you're upgrading your server platform, ensuring a secure system from the get-go should easily be one of your primary considerations in choosing the system on which you'll base your servers. But in the real world, most of you are already running your chosen platform anyway, and one controversial report claiming that Windows is more secure than Linux -- or even a hypothetical rebuttal -- shouldn't send you running to one side or the other. The best strategy you can take now is to make sure whatever you're running today is as secure as it can be. "The expertise of the person deploying it is what matters. The default configurations are important, but once you start consolidating software on top of the system, the system is only as secure as what's running on it," says one security expert, and that statement could not be any more accurate.
In the end, server security is largely up to you. Have you been patching? Upgrading your Linux releases? Keeping an eye on security news sites like Security Pipeline to stay abreast of the constant flow of information? It's time-consuming and costly; Lord knows Microsoft can wear anybody out with the constant flow of patches for both desktop and server environments. But IT IS NECESSARY. Maintaining a secure server environment is the ultimate demonstration of that old axiom: "You can pay now, or you can pay later."