I was reading this article and it reminded me of a few things.  Sometimes when sitting in the Microsoft camp we say how good / bad others are at security, but rarely reflect on what people need to do and why.

When there is a known issue with a package, I suspect many don't go to a test environment and pull the patch apart, many just do a quick test on 1 pc and then deploy wider.  Obviously SBS 2003 R2 makes this process easier as you can now control the deployment and retraction of patches via the console.

It also reminds me that it a patch is needed, it is really a mute discussion on how many issues it fixes, reboots or any other aspect - if your systems are vulnerable, you need to patch of mitigate.  To do neither is inviting huge issues - and I have seen plenty of customers with issues.

What I did also see was a comparison table showing that systems often thought to not be at risk, such as those by Apple, can still be very susceptible.  When a security issue exists on a system, it does not matter if 1 or a 100 people are gunning for you, you will be got.  It is a bit like the human body - just because you have some medicine and some vaccinations, if you miss a preventative medicine and then get exposed to the illness, you will get ill.  If each month there are 1 or 100 issues with your security, they will all be tested, so you need to patch them all, on any system from any organization.  It is nice to see that MS does not top the list, even when including Office, Windows, Media Player and IE all in 1 go.

Obviously for info on R2 go to the SBS website, for Security patches, visit the security site and finally, for general advice, try the http://www.getsafeonline.org.

ttfn

David