Version 1.2.1 of the Microsoft Baseline Security Analyzer has been posted to TechNet. This version supports XP SP2 and appears to have been cleaned up a bit in terms of the recommendations it gives. There's also some support for checking for Alternate File Version usage. Looks like a great tool to use in planning and managing your XP SP2 deployments.
I do mean to go off on rant here...
Ugh! If I hear one more person gritching about XP SP2 being classified as “critical update” and whining about how they are going to have work around it, I'm going to lose it. All of your pain was technically avoidable:
- Too few of us were paying attention last October when Microsoft announced that this was in the works.
- Deploying just SUS or SUS and SMS would give you at least some control over this.
- Realistically, how many companies decided to use “wait-and-see what broke testing?”
Based on our past experiences with Microsoft, we all should have known that they would be blasting this out the world as quickly as they could. What we should be praising them for is giving us much earlier notice, testing and feedback opportunities than they have in the past. I've been hard on the company for rolling out fixes with virtually no notice. They seem to learned a lesson here. Now its up to us to take them up on it.
I know that in too many cases, this isn't the fault of the technical folks. I do feel your pain, since in many cases you were the ones asking management for time and resources to prepare. Since the bits weren't released, I can somewhat understand why business decision makers were hesitant to commit to that on beta bits. What the Business decision makers need to understand if Microsoft lags a general release of an Service Pack too much, the blackhats have an easier time attacking unpatched machines (since they can compare the new code to the old code and the “closed” exploit vectors.) It shouldn't take an advanced degree in finance or Economics to figure out that prevention of that is more cost effective than damage control. So, it is in everybodys' best interest to get current as quickly as possible. That means that we all have an obligation to test and plan well ahead of time. Hopefully, the push of XP SP2 will underscore the need well managed networks, good testing and planning. Not because its just a best practice, but because its the only practice that truly helps to realize the best ROI and TCO.
The critical questions:
- We were warned. Over and over. Did we pay attention?
- We had ample opportunity to prepare. Did we make the best of it?
- We had the chance to improve ROI with a well managed process rather than reduce ROI by crisis management. Why did or didn't we?
- What have we learned from this? What plans are going to undertake to turn those lessons into regular business and IT processes?
Its time for everybody to be asking and answering those questions, IMHO.
Don't even get me started on the $#*@ who insist that the machine firewalls must be disabled...