Sep 14 2009 1:49PM GMT
Posted by: Troy Tate
Tags: Microsoft, information security, vulnerability, risk management, patches, tcp-ip, tcp, tcp/ip, Windows, windows 2000, support, Microsoft support, threat, risk
Last week brought the September edition of Microsoft “Patch Tuesday”. The September 2009 Microsoft Security Bulletin lists a number of vulnerabilities. Microsoft held the bulletin webcast on Wednesday, September 9, to discuss the vulnerabilities and customer concerns.
One particular bulletin is creating concern for Microsoft Windows 2000 users. MS09-048 covers vulnerabilities in the TCP/IP stack of all currently supported versions of Windows. The bulletin describes the vulnerability:
Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)
This security update resolves several privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. The vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
Even though the bulletin describes the issue as potential remote code execution, the webcast focused more on the denial-of-service threat posed by this vulnerability. Unfortunately, Microsoft has chosen not to issue a patch for Windows 2000, even though Windows 2000 is still a supported version of Windows with regard to patches and security fixes. ComputerWorld gives a good amount of detail in the article “Microsoft: Patching Windows 2000 ‘infeasible’”; Dark Reading published “Microsoft, Cisco Issue Defenses For TCP Denial-Of-Service Attack”; and The Register published “Microsoft, Cisco issue patches for newfangled DoS exploit”.
I know that there is a sizable population of Windows 2000 machines in operation at my organization, so Microsoft’s choice not to issue a patch for this vulnerability raises some concerns. Fortunately, the vulnerable population is not publicly exposed and does not include mobile users. The layered defenses we have in place should help mitigate the risk to our environment. However, the risk is still there and the threat needs to be addressed. What other vulnerability will come out that Microsoft chooses not to address in a supported operating system? Are you facing the same situation in your environment? How large is the risk to your environment? What are you doing to address these threats? Why are you doing what you are doing? Share your thoughts with other ITKE readers.
Thanks for reading & let’s continue to be good network citizens.
Jun 25 2009 3:37PM GMT
Posted by: Troy Tate
Tags: managed services, contract negotiation, strategy, management, support, cost reduction, vendor management, vendor selection, sla, service level agreement, negotiation, rfp, proposal, request for proposal, project management, project work breakdown schedule, wbs, technical requirements, technical vendor management, evaluation, vendor evaluation
You have now received the proposals back from the vendors, based on the RFP that you built according to the RFP anatomy described previously.
In case you have forgotten the steps that came before the RFP, you can go back and review them:
The first post in this series covered two questions: Where are you? and Where do you want to go?
The second article in the series described the calendar of events or how many shopping days do we have?
This third article in the series covered the actual RFP (request for proposal) anatomy and contents.
This final posting will discuss the vendor selection process - planning for the wedding (or engagement).
Let’s get talking about vendor selection and awarding the contract!
Jun 24 2009 2:00PM GMT
Posted by: Troy Tate
Tags: managed services, contract negotiation, strategy, management, support, cost reduction, vendor management, vendor selection, sla, service level agreement, negotiation, rfp, proposal, request for proposal, project management, project work breakdown schedule, wbs, technical requirements, technical vendor management
The first post in this series covered two questions: Where are you? and Where do you want to go?
The second article in the series described the calendar of events or how many shopping days do we have?
This third article in the series will cover the actual RFP (request for proposal) anatomy and contents.
The fourth article will discuss the vendor selection process - planning for the wedding.
Hopefully you are now ready to dive into the RFP itself.
Jun 15 2009 8:45PM GMT
Posted by: Troy Tate
Tags: managed services, contract negotiation, strategy, management, support, cost reduction, vendor management, vendor selection, sla, service level agreement, negotiation, rfp, proposal, request for proposal
The first post in this series covered two questions: Where are you? and Where do you want to go?
This second article in the series will describe the calendar of events or how many shopping days do we have?
The third article in the series will cover the actual RFP (request for proposal) anatomy and contents.
Jun 12 2009 2:29PM GMT
Posted by: Troy Tate
Tags: managed services, contract negotiation, strategy, management, support, cost reduction
IT is not the primary business of a manufacturing company, nor is it very high on the list. Having said that, many manufacturing (and other) organizations use various managed IT services. I will be writing a short series on how to negotiate managed IT services for your organization.
This first posting starts with two questions.
Jan 19 2009 8:13PM GMT
Posted by: Troy Tate
Tags: Skype, VoIP, Security, Firewalls, support
Recently I posted a question about using Skype in a corporate environment. Based on the lack of any feedback, it really makes me wonder whether Skype is an overhyped solution for corporate environments. I also posted the same questions to another professional mailing list I subscribe to and received only one (very good) response from that peer group.
So, at the risk of being redundant, I want to ask you blog readers the same questions. If there are no responses, I will take that to mean either that your organizations do not use Skype or that you would rather not share poor experiences. I would appreciate feedback, positive or negative, about using Skype in corporate environments.
As is true of most organizations today, we are under pressure to reduce costs where we can. Some users are asking why we are not using Skype for international calling. I’m not sure I fully understand the risks, so I am posting this question here on ITKE.
Has anyone implemented Skype for their organization and supported it on company networks and equipment? If not, why not? If you have implemented Skype services, some additional information would be useful:
What precautions were required before implementing this service/application?
What has network usage been like since implementation?
What configuration changes at the firewall (both edge & client) were needed to support the application?
Please feel free to share any other advice you may have about this type of service/application.