Installing Software Remotely – Harmful Until Proven Otherwise

Avoid the traffic jam!
Photo by Striatic

“Developers should consider all data input by a user as harmful until proven otherwise.” ~ Rocky Heckman

I liked this statement so much I had to use it for this article. Though somewhat unrelated, the sentiment is precisely what I was looking for.

ZDNet Australia ran a story by Josh Taylor who discussed a TechNet 2010 discussion by Rocky heckman about hackers inadvertently sending their malicious code to Microsoft during the development phase of their soon-to-be virus. Heckman went on to say that the same practices have been occuring for over six years, meaning that developers aren’t listening to their security counterparts.

Thanks Mr. Heckman. Now, let’s expand that statement not to just developers who might have to deal with an outsiders malicious code, but to our jobs as Windows administrators, specificially as it relates to remotely installing applications to our users desktops.

Just like a realtor cares about location, location, location, sys admins should care about testing, testing, testing.

From time to time we receive suppport requests from users who have pushed the lastest bleeding edge package (or patch) to all of their systems. This is careless and can cause some serious problems.

First off, we define serious problems as anything that:

  • prevents or hinders a users ability to complete their tasks
  • compromises system security

Testing is a fairly straight forward proposition. Get the application or patch into a controlled environment and test the installation. Once you get an installation that is successful (i.e. the patch or application is working as advertised), review the event logs and test any other critical applications. (Testing critical apps, even though they may be unrelated to the installed app or patch is very important when it comes to installing anything on servers.)

We are big proponents of VMWare, especially the ESXi flavor. We have several in our lab and we use them extensively for testing and support.

Read the documentation of the app or patch. Does it change your security posture in any way? Does it open new ports? Does it necessitate the creation of any service level accounts? Does it make any changes to system files? All of these answers (and more) are included in the documentation that we all just love to read.

I know, I know. Documentation is a bore. But it’s part of our jobs as sys admins. Reading docs is like shoveling dirt. It’s boring and tedious, but once in a while you’ll find a nugget, and that will make the work worthwhile.

I’m a big believer that we’ll not as a society achieve true utopian peace until every entity (that is person and business) backs up their data and verifies that those backups actually work. (That’s another way of saying I think that utopian thinking is nonsense.) True too the testing of apps prior to major deployments.

Be that as it may, just because there are groups of admins who cowboy up and deploy with reckless abandon doesn’t mean that you have to. Just like the guys being chased by the bear realize that they don’t have to outrun the bear, they just need to outrun their slowest group member.

Remember, ESXi is free and is only a download away.


Follow @admarsenal on Twitter