Ask Slashdot: Should Hosting Companies Have Change Freezes? 138
AngryDad writes "Today I received a baffling email from my hosting provider that said, 'We have a company-wide patching freeze and we will not be releasing patches to our customers who utilize the patching portal for the months of November and December.' This means that myself and all other customers of theirs who run Windows servers will have to live with several critical holes for at least two months. Is this common practice with mid-tier hosting providers? If so, may I ask Eastern-EU folks to please refrain from hacking my servers during the holiday season?"
This is what happens when you outsource (Score:1, Interesting)
While I think its rather unacceptable for this to be done, its not all that surprising and you kind of deserve the result.
When you outsource you sacrifice things. Why are you letting them patch for you anyway? Its not like they are going to do anything special. All the do is release patches from their own internal WSUS server (or whatever its called now) rather than you have to do it yourself or letting the machine auto-patch on its own.
Realistically, if you're going to have someone else auto-patch, you might as well just turn automatic updates on fully and be done with it. They only thing they are going to 'save' you from is if a patch happens to interfere with something locally on their network which is going to be pretty damn rare.
This is common, but.... (Score:4, Interesting)
This ("change moratoriums") is a common practice around the holiday season. A number of the datacenters and other vendors I work with implement similar policies starting right before "black friday" and ending a week after new years. The logic is that changes could have undesirable consequences and the volume of e-commerce around this time would result in a potentially detrimental impact on operations. However, I have never heard of a company that holds out on security updates and other critical fixes due to such a moratorium.
Re:windows? what were you thinking? (Score:5, Interesting)
Well, I do have OWA open to the world, mainly because of ActiveSync, but the actual SMTP server, no way. I've seen joe job and dictionary attacks bring an Exchange server running on damned heavy hardware brought to its knees. I run a Postfix server running postgrey, SpamAssassin and ClamAV that sits on port 25 and weeds out all the nasty bits and hands everything else off to Exchange. There's no way in hell I'd ever let Exchange's SMTP service feel the full force of what the nastier folks on the tubes can throw at it. If someone DDoSs Exchange's IIS daemon, oh well.
Re:windows? what were you thinking? (Score:1, Interesting)
Why the hell would you want to code in asp in the first place?
Years ago (circa y2k) I worked for a hosting company as a sysadmin. We had some customers that demanded ASP support (less than 10%), and we tried a solution, I think it was called chilliasp, that was essentially a classic ASP implementation for Apache on Linux. It was able to run simple stuff, but complex sites failed. So my boss insisted on getting some windows servers. We ended up running 2 NT4 servers. Those 2 servers took more effort to administrate than our +30 LAMP boxes. In the years I worked there, we had 6 security breaches, and 4 of them were on windows. Of course, the security breaches we had on windows where MAJOR (as in, they took over the entire server), while the 2 security breaches we had on Linux weren't really Linux vulnerabilities, but vulns on phpnuke installations our customers left wide open and unpatched, so those only affected a single site.
I don't get why people would want to code in ASP, what does it have that Perl or PHP don't? I mean, besides expensive licenses, platform restrictions, and huge security issues.