Lenovo: If you value your server, block Microsoft's November security update

Silver badge
Linux

Go ahead

This must be some new definition of "Secure boot" that I was previously unaware of - it's time to upgrade to Linux anyway.

28
13
Anonymous Coward

Re: Go ahead

No problem. Can you let everyone know the Linux equivalent of Lync.

You know, the one that does IM, video, presence, whiteboarding, all with an office suite and calendaring?

And that's just one example.

Linux is good, but it can't do everything.

24
15
Silver badge

Re: Go ahead

Sure, what's the Windows equivalent to systemd?

Sound stupid? That's because it is.

Horses for courses, and I've not worked in a workplace that uses Lync and I've been doing IT and network management for 20 years.

In fact, even Exchange is rare in some industries, even in Windows-only environments.

Hedging your bets on a product that only works on Windows is a dumb business decision, even if "everyone else does it". We found that out in the 90's but some of us never learn.

And with virtualisation, it really doesn't matter what OS the server runs any more, so long as the individual VMs (which is where the Lync Server would sit) have the right OS.

In this case, what we're questioning is why you'd run a Windows hypervisor, not a Windows server serving a Windows-only application that you've decided to standardise on. Plenty of places survive just fine without ever having had, used, or afforded Lync.

Not that that makes Linux any better or worse, to be honest. But at least it's not Mac.

(P.S. 30+ virtual servers, about 60% Windows, 30% Linux).

With cloud services, virtualisation and modern systems, you're an idiot to put all your eggs in one basket. For instance, here, if you had all Lenovo servers with all Windows Server and had - as recommended - auto-update turned on, you would have taken out EVERYTHING in one fell swoop. That's just stupid.

And how long, honestly, before Lync / Skype is "just another cloud-service"? Not long, it's already here:

https://technet.microsoft.com/en-us/cloud/gg671923.aspx

40
20
Silver badge

Re: Go ahead

Can you let everyone know the Linux equivalent of Lync.

That would have been fine if Lync actually worked. Ever since it was renamed Skype for Business its "success rate" is about 30%. That drops to sub-10% if there are people on Macs, VPNs, etc.

You can get the Skype For Business functionality on Linux using google talk and google apps (if you surrender to the idea of google knowing each and every step you make). It also works properly on a mobile (something Lync stopped doing once it became Skype for Business). IM works. Video works significantly better than Lync, Presence works, whiteboarding and other conference facilities also work and so does calendaring. It has only one massive downside - it pretty much requires VOIP and you need decent data connectivity. Not usable out in the sticks. The upside is that it is significantly more reliable than Skype For Business.

Alternatively - you get that easily using webex + a decent xmpp server of your choice. It is a bit more hassle and you need to cobble it together for a team. It has the advantage that it works pretty much anywhere and the bandwidth requirements are ~ NIL unless you have an idiot PHB in the team which insists on his mug always being displayed to his subordinates.

In both cases you can also integrate 3rd party systems and apps into that. Something which you can forget about as far as Lync is concerned.

I have to use all 3 of these on a weekly basis and I would overall rate them: Webex, Hangouts and Skype for Business as a very remote unreliable third.

36
5

Re: Go ahead

Without turning this into a contest, 30+ servers aren't really much to write home about.

The game changes when running enterprise IT systems where you are dealing with hundreds of servers and thousands of users. For all its faults, Microsoft has a decent directory system that links very well with a lot of its other products.

Now perhaps if a software house wanted to run purely Linux and had the expertise to deploy full Chef/Puppet orchestration then the argument may hold a bit of weight.

PS. I am not a fan of Hyper-V and much prefer VMWare.

15
1
Anonymous Coward

Re: Go ahead

My point is, saying "upgrade to Linux" is the usual dumb blinkered answer that some people give out as a stock answer; it's a little sad and pathetic.

As you said horses for courses.

(About 4000 servers about 64% Windows, 34% Linux and a smattering of custom black boxes running all kinds of random stuff)

22
4
Anonymous Coward

Re: Go ahead

"No problem. Can you let everyone know the Linux equivalent of Lync. Linux is good, but it can't do everything."

I don't know about Lync, but can you let me know how to stop Windows Servers from needing a reboot every month or from being the biggest target of malware?

It's hardly surprising that a vendor's proprietary software package inter-operates with the vendor's other proprietary software.

18
11
Silver badge

Re: Go ahead

Why would you need Lync on a server?

22
1
Anonymous Coward

Re: Go ahead

"My point, is saying "upgrade to Linux" is the usual dumb blinkered answer that some people give out as a stock answer, it's a little sad and pathetic"

...and in response, the usual dumb blinkered answer is "Linux is useless because I can randomly think of one application I use that doesn't have a Linux version, even though numerous alternatives exist". The only thing more pathetic than the "Linux does everything" answer is the "Linux doesn't run every Windows application and I don't want to think or put in any effort to migrate" answer.

38
12

Re: Go ahead

Every month?

Just looking at the file and SQL servers at my site - both virtualised under Hyper-V - uptime shows 408 days right now. And before you ask, the reboot before that was planned.

Every month, indeed.

6
7
Silver badge

Re: Go ahead

>Linux equivalent of Lync.

>You know, the one that does IM, video, presence, whiteboarding, all with an office suite and calendaring?

BS, Lync is so bad that they replaced it with Teams, which also suffers some of the same issues ... like messages not appearing ... you get the notification pop-up "New message from x", then you go to the conversation with "x", and of course the message is not there ... yes, a reboot temporarily fixes it, but that does not count, right?

Anyway, POL is your friend, if you insist on that crap ....

14
2

Re: Go ahead

So you're admitting to having remote execution and privilege escalation flaws in your file server? Even if they're not accessible from the internet, insiders are the greatest threat.

Good move.

11
0
Silver badge

Re: Go ahead

>Now perhaps if a software house wanted to run purely Linux and had the expertise to deploy full Chef/Puppet orchestration then the argument may hold a bit of weight.

You should in any case deploy that, it has many advantages over AD, even for windows-only/windows-mostly shops, and can comfortably be implemented alongside AD.

UNIX supported LDAP natively a decade before Microsoft, what are you mumbling? LDAP is quite a widespread protocol. Kerberos is another example; again, it was available on UNIX ~20 years before Windows ... just saying.

AD/GPO suck when it comes to managing non-Windows systems or even non-registry-centric programs on Windows; on the other hand, Samba+OpenLDAP+Chef/Puppet kicks ass, for those who cannot leave Windows 100%.

10
6

Re: Go ahead

Easy enough... Jabber, CalDAV/CardDAV, sendmail, Dovecot. Probably best to use something like Zentyal as your base, where most of it's already on...

5
2

Re: Go ahead

>Horses for courses, and I've not worked in a workplace that uses Lync and I've been doing IT and network management for 20 years.

While I agree with all of the arguments you make, I have to point out that doing something for a long time != doing it well. For example, the Bush family was in the oval office for how long? I'm sure you can think of other examples--nearly everyone works with at least one.

6
3

Re: Go ahead

> I don't know about Lync, but can you let me know how to stop Windows Servers from needing a reboot every month or from being the biggest target of malware?

How can we stop Linux from needing a reboot every two weeks due to kernel issues?

USN-3147-1: Linux kernel vulnerabilities - 30th November 2016

USN-3126-1: Linux kernel vulnerabilities - 11th November 2016

USN-3107-1: Linux kernel vulnerability - 19th October 2016

USN-3099-1: Linux kernel vulnerabilities - 11th October 2016

USN-3084-1: Linux kernel vulnerabilities - 19th September 2016

USN-3072-1: Linux kernel vulnerabilities - 29th August 2016

USN-3055-1: Linux kernel vulnerabilities - 10th August 2016

USN-3035-1: Linux kernel vulnerability - 14th July 2016

Every OS needs patches. You can elect not to patch any system, but standing up Linux as not needing patches and Windows does is pretty absurd.

16
4
LDS
Silver badge

Re: Go ahead

Also, if other devices are compromised somehow, intruders will look for vulnerable machines to expand and gather more information and privileges....

Pure "uptime" is really a "my dick is bigger than yours" thing - for teenage sysadmins (and lazy ones). The only thing that is important is that you match your service needs - including keeping the systems and their data secure. I really don't care if I reboot every n days (including Linux for kernel updates, and some services could need to be restarted anyway to load fixed code...); I only care to perform them when they don't impact services, or the impact is minimal and in any case well planned.

5
0

Re: Go ahead

That is all very true but the real issue is always the bottom line.

Let's face it, it's cheaper to hire Windows professionals over Linux AND Windows professionals.

If I wanted to deploy Chef/Puppet within an enterprise environment then I would want to make sure that it was done correctly and supported by competent engineers. Windows does a lot of this stuff already for a lower TCO.

I love a bit of UNIX but sometimes you need to be pragmatic when working with limited budgets.

2
5
Silver badge
Linux

Re: Go ahead

I find Pidgin (with SIPE) works just fine for me. The whiteboarding crap in Lync just plain does not work in a properly secured environment. Desktop sharing in Lync works, but it really doesn't suit my requirements.

Other than the fact that having Lync and Outlook365 running on a windows system eventually chews up every last scrap of ram and then some, eventually hanging windows, I don't see an advantage to S4B.

4
0
Anonymous Coward

Re: Go ahead

I only have experience of using a single Lenovo product - the ThinkPad W541. And I think it's a bag of washing. For its spec it's slow, expensive and it refuses to boot Ubuntu. Under both Windows and Mint the screen flickers when watching videos and, despite an outstanding support case that I registered with them over a year ago, no answer. The support for projectors is dire (one or the other, not the two at the same time).

I guess the same "get it out the door fast" approach to firmware applies to servers as well as their laptops.

0
0

Re: Go ahead

"....even Exchange is rare in some industries...." And where did you get that information from? Where are the facts?

0
6

Re: Go ahead

"...Lync is so bad that they replaced it with Teams...." And where is the official news release from Microsoft saying this? Ya. There isn't any. Nice dreaming.

0
7

Re: Go ahead

Maybe they don't think a kernel vulnerability is critical?

0
5

Re: Go ahead

Linux does not need to be rebooted, you can live patch the kernel - That is the difference!

6
3

Re: Go ahead

Connecting to a Skype for Business (aka Lync) server from Linux is possible. There is a commercial program called "Sky", formerly Wync, that works well. Pretty much full functionality: join meetings, desktop sharing etc.

2
0
Silver badge

Re: Go ahead @kryptylomese

"Linux does not need to be rebooted, you can live patch the kernel - That is the difference!"

How do I do that with my Mint installation? It requires a reboot to activate the latest kernel.

Please advise.

0
2

Re: Go ahead @kryptylomese

Not tried this but Google says:

http://blog.zwiegnet.com/linux-server/install-ksplice-on-linux-mint-2/

1
0

Re: Go ahead

Depends on your distribution... Ksplice allows for replacing the kernel without a reboot...

There are also other methods of patching a kernel without rebooting...

You also are not required to reboot - just apply the patches. When you next do a PM/other reason to reboot, then the kernel will be the patched one.

It is up to the administrator and management to decide when to do a reboot.

Unless you are on Windows when it is at the will of Microsoft.

5
4

Re: Go ahead

Actually, you mean a higher TCO.

Using Linux/BSD has always been good for limited budgets.

5
0

Re: Go ahead

Unless you are on Windows when it is at the will of Microsoft.

Only if you're daft enough to configure the server to reboot automatically if required. If you're a bit sensible, it will just sit there saying "Patches installed, please reboot", and if you're really sensible, it will sit there saying "Patches downloaded - ready to install".

The idea that Windows forces reboots is totally incorrect.

4
4
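The three states this comment describes (download-only, installed-but-waiting, auto-reboot) are just registry-backed Automatic Updates policy. The script below is an added example, not code from the thread or from Microsoft: it reads the documented AU policy values (AUOptions, NoAutoUpdate, NoAutoRebootWithLoggedOnUsers) and the RebootRequired marker key, and reports whether an unattended reboot is possible. It assumes the standard Group Policy registry path; the state labels are my own wording.

```powershell
# Added example (not from the thread): classify a Windows Server's update
# posture against the three states the comment describes.
# Assumes the standard Automatic Updates policy path; run as Administrator.
$auPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

function Get-AuValue([string]$Name) {
    # Returns $null when the policy value has never been set
    $item = Get-ItemProperty -Path $auPolicy -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name } else { return $null }
}

$auOptions = Get-AuValue 'AUOptions'
$noAuto    = Get-AuValue 'NoAutoUpdate'
$noReboot  = Get-AuValue 'NoAutoRebootWithLoggedOnUsers'

# Documented AUOptions values: 2 = notify before download, 3 = auto download
# but notify before install, 4 = auto download and schedule the install,
# 5 = allow the local admin to choose.
$posture = switch ($auOptions) {
    2 { 'Notify only: nothing downloaded without an admin' }
    3 { 'Downloaded, waiting for an admin to install ("ready to install")' }
    4 { 'Installed on schedule: reboot can happen automatically' }
    5 { 'Left to local settings (effectively unmanaged)' }
    default { 'No AU policy set: Windows defaults apply' }
}
if ($noAuto -eq 1) { $posture = 'Automatic Updates disabled by policy' }

# NoAutoRebootWithLoggedOnUsers only suppresses the reboot while someone is
# logged on, so a scheduled install on an idle server can still reboot it.
$autoRebootRisk = ($auOptions -eq 4 -and $noReboot -ne 1)
$rebootPending  = Test-Path $rebootKey   # key exists once an install wants a reboot

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    AUOptions      = $auOptions
    Posture        = $posture
    AutoRebootRisk = $autoRebootRisk
    RebootPending  = $rebootPending
}
```

A server reporting AUOptions 4 with AutoRebootRisk $true is the configuration the comment calls "daft": it would have installed the November update and rebooted into it unattended.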

Re: Go ahead

Try and get that all up and running in a day, complete with robust HA. Exchange just works, for enterprises with more than a few dozen people.

1
4
Silver badge
Thumb Down

Re: Go ahead

> time to upgrade to Linux anyway

Good luck with trying to dual boot Windows 10 and Linux. I tried for a day to get round UEFI problems (on an HP junker, not a Lenovo) and concluded that whatever Win10 had done to the UEFI meant that none of the recipes and tricks for dual boot installation worked: all I could ever boot was bloody Win10, even though Linux Mint had installed perfectly.

Solution: blew away Windows completely on that machine. Worked like a charm.

7
1
LDS
Silver badge

Re: Go ahead

Is Ksplice the default? No, it isn't. It *can* be used, and you have to test carefully that it won't create more problems than it solves.

Sure, you're not required to reboot - but until you do, the old kernel is active and any vulnerability in it also. It's a matter of managing risks.

Nor does Windows Server reboot on its own unless you configure it to do so.

2
5
Silver badge
Happy

Re: Go ahead

"As you said horses for courses."

Some courses for racehorses, another course for donkeys.

1
1
Anonymous Coward

Re: Go ahead

Have you heard the expression "if you pay peanuts then you get monkeys"?

I have never worked with a Unix BSer yet, but I have met plenty of MS Pros who I could only conclude had either suffered brain damage since certification or had someone else take the test.

7
1
Anonymous Coward

Re: Go ahead

Lync! Lync?!!!! You're kidding me, right? It has to be the worst mainstream IM tool I have ever used.

Your point is definitely valid, but Lync for $deity sake.

0
0

Re: Go ahead

You mean "hire dozens of Windows professionals over" two or three "Linux AND Windows professionals".

One Linux professional can handle many more systems than one Windows professional. The ratios reported are around 50 linux servers to 1 Windows server... But it does vary. Facebook is reported to use 1 engineer for some 1,000,000 users... or 1 engineer per 130 servers (I believe that was for the same engineer).

But the number varies a lot depending on the environment. For a while I was doing the Kerberos maintenance (and support) for about 15,000 users scattered across the world using several dozen different computer centres, so I tended to get the admins calling about any problems. If I added up all the servers supported that would be several thousand (between 30 and 100 per centre, depending on the centre).

Anywhere security was mandatory ... left windows out. You can't secure that.

4
1
Bronze badge

Re: Go ahead

No problem. Can you let everyone know the Linux equivalent of Lync.

You know, the one that does IM, video, presence, whiteboarding, all with an office suite and calendaring?

And that's just one example.

Linux is good, but it can't do everything.

But wouldn't NOT running Lync be a feature rather than a shortcoming???

1
0
Boffin

Re: Go ahead

How can we stop Linux from needing a reboot every two weeks due to kernel issues?

there is a reason why firewalls and other security related devices run older vetted kernels... if you are going to run bleeding edge stuff on your servers (and even workstations) you will be cut and have some blood loss at some point...

but then again, the v4 of the linux kernel has introduced inline patching (or something like that) where the kernel gets the fixes but the machine doesn't have to be rebooted...

so -1

Every OS needs patches. You can elect not to patch any system, but standing up Linux as not needing patches and Windows does is pretty absurd.

but i tend to agree with this statement in general so +1

that's a balance so your points remain the same ;)

0
0
Anonymous Coward

Re: you can live patch the kernel

I thought this season's preferred terminology was "hot patch":

https://www.youtube.com/watch?v=SYRlTISvjww

0
0
Silver badge
Linux

Re: Go ahead

either suffered brain damage since certification or had someone else take the test.

Or perhaps the writers of the test were the ones who suffered brain damage?

0
0
Anonymous Coward

Does this affect only Lenovo-badged servers

Or does it affect Lenovo-built ones as well? (who *doesn't* have Lenovo build their servers these days?)

0
0
Silver badge

"who *doesn't* have Lenovo build their servers these days?"

Er.. Lenovo don't even seem to make their own servers any more. The ones I've taken delivery of recently say "Made for Lenovo" on them, not "Made by".

1
0
Gold badge
Facepalm

Re: Does this affect only Lenovo-badged servers

Wouldn't be surprised.

Another well-known Lenovo "feature" is on their Desktop / Laptop range. If you install a new, standalone, licensed MS Office without wiping the machine and reinstalling the OS[1], it fucks the licensing up. Apparently Lenovo have done something naughty to the OEM version of "Get Office". Uninstalling the "Get Office" app doesn't help as they haven't tweaked the uninstall routine to recognise and remove the registry keys they've cocked up...

So, proven form for playing fast and loose with the MS standards...and not getting away with it(!)

[1] Ok you can manually edit the registry but, given Lenovo's record, it's safer to nuke the site from orbit.

2
0
Silver badge

End user ...

As an end user I don't see this problem. And, kindly, Microsoft automatically install my Win10 updates that will work 100% of the time and will never brick my system, alter its configuration or impact my workflow at all.

Thankfully, Microsoft have explained that they are infallible, always correct and there'll never be an occasion when they get it wrong and cost me time and money so I'm happy for them to continue.

21
5
Silver badge

Re: End user ...

You forgot to use either the sarcasm or irony icon.

What do you mean, there isn't one?

7
0
Silver badge
Joke

Re: End user ...

Is that YOU, Loverock Davidson?????

0
0

Re: my Win10 updates

Should one interpret the statement as a recognition of Win10 as a _server_ OS?

0
0

An OS update that changes your server's firmware?

From MS16-140:

The security update addresses the vulnerability by revoking affected boot policies in the firmware.

Since when has Microsoft had the authority to change a feature of your HW without prior consultation?

19
1
Anonymous Coward

Re: An OS update that changes your server's firmware?

Since UEFI became a thing.

19
0
