12 minutes

They say that your unpatched Microsoft Windows machine will live for only 12 minutes on the net before getting 0wned. Now, a lot of people are saying a lot of different things about Windows security, but I tend to agree with this particular one. I’ve seen it plenty of times at work. In fact, we now have a requirement for all colocated clients to fully patch their servers before connecting to our backbone.

Slashdot has a story. And a dup.

2 thoughts on “12 minutes”


  1. It’s very interesting how truth easily becomes lies. Such tests are not new, so 12 minutes is one of the best results for a Windows system that I’ve seen. Usually it’s between 2-3 minutes, not greater than 5.

    But there are a few things not mentioned:
    First, all the cracked Windows systems were fully unpatched, with a service pack no greater than 1 and with the firewall disabled. It’s like saying that a Ford car is very dangerous because if you drive it at night with the lights off, without a seat belt and at more than 200 km/h, you will certainly die!

    Second, in some tests they also tested a fully patched Windows with Service Pack 2 and the firewall enabled. Result – in this configuration Windows was never cracked. Properly configured security is not a problem – you just need Windows Security Center.

    And last, the real purpose of the test is not measuring the speed of cracking but investigating botnets, so the testers actually want the Windows system to be cracked; that’s why they use such a stupid configuration.

    …we now have a requirement for all colocated clients to fully patch their servers before connecting to our backbone.

    Finally! Finally people have begun to listen a little bit to what Microsoft has been talking about all these years. I am glad to hear this. By the way, don’t forget to make your Windows admins also learn quarantine policy, domain and zone isolation policy, and Patch Management discipline and tools. And one last thing – the current service pack for Windows Server 2003 is 1; all servers should already have it. It ships with the Security Configuration Wizard, which should be run on key servers, and the security policy created by it should be applied to all other servers.


  2. While your points hold some truth, let me remind you that most businesses are still running on Windows 2000 and not Windows 2003. Windows 2000 didn’t have a built-in firewall. Windows 2000 patches and Service Packs are not that easily available on CDs in the shops. At least around here. How is one supposed to patch his machine if it can’t stay alive long enough to download those patches?

    To correct your analogy with the Ford: it’s like Ford distributing cars without headlights and seat belts. And then selling, oh, no wait, giving away for free those headlights and seat belts in the service centers which are open only during the night time and are located on the highways with a minimum 200 km/h speed limit. :)
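Editor's added example, not written by the post author or either commenter: the post's "fully patch before connecting to our backbone" rule and the first comment's mention of quarantine policy amount to a pre-admission check, and the second comment's objection is that an unprotected host cannot survive long enough to fetch its patches. The script below is one way a colocation operator could express that check from the host's side: the firewall must be on for every profile before any cable is plugged into the shared network, and no Critical or Important update may be missing. It assumes a modern Windows with the NetSecurity module (Windows 8 / Server 2012 or later, so not the Windows 2000/2003 hosts the thread discusses) and the Windows Update Agent COM API; the exit-code convention is the example's own, not anything the post specifies.

```powershell
# Added example (not from the post or its comments): host-side pre-admission
# check. Assumes Windows 8 / Server 2012 or later (NetSecurity module) and the
# Windows Update Agent COM API. Exit 0 = meets policy, 1 = keep in quarantine.

$failures = @()

# 1. Every firewall profile (Domain, Private, Public) must be enabled, so the
#    host is not listening unprotected while the remaining patches download.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) {
        $failures += "Firewall profile '$($p.Name)' is disabled"
    }
}

# 2. No applicable Critical/Important update may be missing. Online = $false
#    searches only the locally cached update catalog, so this step itself needs
#    no network; set it to $true when a WSUS server is reachable from the
#    quarantine segment and you want a fresh catalog.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$searcher.Online = $false
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
$missing  = @($result.Updates | Where-Object { $_.MsrcSeverity -in 'Critical','Important' })
foreach ($u in $missing) {
    $failures += "Missing $($u.MsrcSeverity) update: $($u.Title)"
}

# 3. Report and set the exit code the admission process keys on.
if ($failures.Count -eq 0) {
    Write-Output "OK: firewall enabled on all profiles, no missing Critical/Important updates"
    exit 0
}
$failures | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

Run it from an elevated prompt on the host before it is moved out of the quarantine VLAN; the point of checking the firewall first is precisely the second commenter's scenario, where the host must be shielded while it is still downloading the updates the second check looks for. A cached-catalog search can only report updates the host has already heard about, so the honest workflow is: firewall on, connect to a segment that reaches only WSUS, rerun with Online = $true, and admit the host only when the script exits 0.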
