
RE: Counseling not to use Windows (was Re: Anonymous surfing my ass!)
Comments inline.

Paul Schmehl (pauls@utdallas.edu)
Supervisor of Support Services
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/


> -----Original Message-----
> From: David F. Skoll [mailto:dfs@roaringpenguin.com]
> Sent: Monday, July 15, 2002 3:25 PM
> To: full-disclosure@lists.netsys.com
> Subject: RE: [Full-Disclosure] Counseling not to use Windows
> (was Re: Anonymous surfing my ass!)
>
>
> On Mon, 15 Jul 2002, Schmehl, Paul L wrote:
>
> > That depends on how the admins configure things. :-) Here at UTD, for
> > example, it isn't possible to execute a VBS file unless you know what
> > you're doing.
>
> Well, that's very good. How about .exe?

If they're attachments, they bounce at the mail gateway.
>
> > It's also possible to restrict the executables that a
> > user can run, using group policies.
>
> Yes, it is. How much work is it to set all this up?

Very easy. A few points and clicks in the admin's interface deploys the
policy to the whole domain.
>
[snip]
>
> These are granular indeed, and confusing as hell. A good
> security model should be simple; the Windows one is anything
> but. I can probably outline the UNIX security model in 300
> words. I challenge any Windows user to do the same for Windows.
>
> And complexity is the enemy of security. It can lead to
> misunderstanding, incorrect implementation, and ambiguity.
>
I totally agree with you.

> > It isn't the OS that's the problem.
>
> I disagree. The design of the OS is a large part of the
> problem. (I say "OS" here to include Microsoft applications
> like IE, which (after
> all) Microsoft insists are part of the OS.)
>
I think you're taking anecdotal evidence to condemn Windows
unnecessarily. Just because Code Red ran around the world in short
order doesn't *necessarily* mean the OS is flawed. It could mean the
*philosophy* is flawed or the training is flawed or the admins are
flawed. Remember, Unix admins have 30 years of experience under their
belts telling them what is good security practice and what is not.
Windows admins have 10? Maybe?
>
> That may have been true 3 or 4 years ago, but (at least in
> the Linux and *BSD worlds) is no longer. The default
> installation settings are pretty good nowadays.
>
Good point. I'm setting up a RedHat box for a website I do volunteer
work for, and I have to say I'm pretty impressed. (First time I've
worked with RedHat.) It had telnet and ftp and a number of services
disabled by default, tcpwrappers installed and enabled, ipchains
installed and enabled, etc., etc. Took me a little while just to figure
out how to open the box up enough for me to ssh into it.
>
> I'm not arguing with you on that point. But I think it's
> correct to say that any organization interested in long-term
> security planning should consider weaning itself away from
> proven-insecure software. Microsoft's track record is really
> terrible, and I don't see any indications that things are
> changing. How much benefit of the doubt do vendors deserve, anyway?
>
I really hate defending Microsoft. In fact I believe that the next few
years will see them losing significant market share as the momentum of
open source software really starts to impact them. (Walmart is now
selling $500 boxes with Mandrake preinstalled.) However, their security
track record is *not* as bad as you seem to think it is. You have to
keep two things in mind: 1) their security advisories are for *all*
their software, not just the OSes, and 2) they're a huge company. It's
like trying to maneuver an oil tanker to make a 180 degree turn. You'd
better have lots of time and room.

Microsoft's two biggest problems are that decisions they made a long
time ago, when the OS wasn't Internet-enabled, have come back to bite
them big time since they added the TCP/IP stack, and their programmers
have had no direction WRT security whatsoever (until recently one would
hope.) When I wrote my article about the UPnP Vulnerability for
Securityfocus, it was almost laughable. They bought (or wrote - I don't
know which) some software to discover buffer overflows and ran it on the
XP release code. One of their VP's confidently announced that they had
"eliminated" buffer overflows from XP. Two months later Marc released
the UPnP vuln info about a buffer overflow that was **by far** the most
devastating B/O MS had ever had.

You have to remember that, for a business to switch from MS to *nix
takes not only a huge shift in thinking on the part of management and
users but also *wholesale* changes in the IT staff. I can guarantee you
that our senior Windows admin would drown in a week if you threw *nix
boxes at him and asked him to configure them securely (or even do "ls
-l" for that matter.) Yet he's never had a Code Red or Nimda infected
box and never had a breakin on his web servers. We haven't had a single
major compromise on a Windows box under his control. (Can't say the
same for other areas of the campus, but that's true of *nix as well.)
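The thread mentions two controls without showing either: bouncing executable attachments at the mail gateway, and the fact that a file's name alone does not say what Windows will do with it. The following is an added illustration, not code from the thread or from any gateway product either poster ran. It assumes a Python 3 gateway hook that receives the raw message bytes; the blocked-extension list and the "MZ" magic check are assumptions for the example (the thread itself only names .vbs and .exe). The sample messages are constructed inline.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Extensions the gateway rejects outright. This list is an assumption for
# the example; the thread only mentions .vbs and .exe.
BLOCKED_EXTENSIONS = {"exe", "vbs", "scr", "pif", "com", "bat", "cmd", "js"}

# Executable formats recognised by their leading bytes, independent of the
# filename the sender chose. "MZ" is the DOS/Windows PE header signature.
EXECUTABLE_MAGIC = {b"MZ": "pe-executable"}


def classify_part(part) -> Optional[str]:
    """Return a bounce reason for one MIME part, or None if it is acceptable."""
    filename = part.get_filename()
    if filename:
        # Judge by the *last* extension: 'invoice.txt.exe' runs as an .exe
        # on Windows, whatever the part before it looks like.
        name = filename.strip().lower()
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            return f"blocked extension .{ext} ({filename})"
    # Container and plain-text parts carry no binary payload to inspect.
    if part.get_content_maintype() in ("text", "multipart"):
        return None
    payload = part.get_payload(decode=True) or b""
    for magic, label in EXECUTABLE_MAGIC.items():
        if payload.startswith(magic):
            # Catches a renamed executable ('photo.jpg' that is really a PE).
            return f"{label} content ({filename or part.get_content_type()})"
    return None


def gateway_verdict(raw_message: bytes) -> Tuple[str, List[str]]:
    """Walk every part of the message; bounce if any part is flagged."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    for part in msg.walk():
        reason = classify_part(part)
        if reason:
            reasons.append(reason)
    return ("bounce" if reasons else "deliver"), reasons


def build_sample(attachment_name: str, data: bytes) -> bytes:
    """Construct a small multipart message with one attachment (test data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "report.pdf": b"%PDF-1.4 constructed",
        "invoice.txt.exe": b"MZ\x90\x00 constructed",
        "photo.jpg": b"MZ\x90\x00 constructed",
    }
    for name, data in samples.items():
        print(name, gateway_verdict(build_sample(name, data)))
```

The content check is the part a gateway policy most often lacks: an extension list only encodes the sender's claim about the file, while the MZ signature encodes what the receiving Windows host will actually see if the user renames or double-clicks it.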
RE: Counseling not to use Windows (was Re: Anonymous surfing my ass!)
On Mon, 15 Jul 2002, Schmehl, Paul L wrote:

> > Well, that's very good. How about .exe?
> If they're attachments, they bounce at the mail gateway.

Me, too. But that's a band-aid fix. Miserable design decisions on
Microsoft's part have made e-mail responsible for spreading malicious
executable content. In 1980, e-mail was plain text and totally safe.
There is simply *no excuse* for having to scan e-mail at gateways -- it
should *never* have been a problem in the first place.

> > Yes, it is. How much work is it to set all this up?
> Very easy. A few points and clicks in the admin's interface deploys the
> policy to the whole domain.

OK. Didn't know that.

[snip]
> I think you're taking anecdotal evidence to condemn Windows
> unnecessarily.

Please see http://www.roaringpenguin.com/graphs.php3

Cracked Windows boxes are so much of a problem that they've become
background noise on the Internet.

> Just because Code Red ran around the world in short
> order doesn't *necessarily* mean the OS is flawed. It could mean the
> *philosophy* is flawed or the training is flawed or the admins are
> flawed. Remember, Unix admins have 30 years of experience under their
> belts telling them what is good security practice and what is not.
> Windows admins have 10? Maybe?

That's not really an excuse. UNIX was never really designed with
security in mind, and in fact until recently, UNIX boxes were
pretty insecure. (And many commercial UNIXes still are.)

The difference is that most UNIX faults were implementation errors
which could be fixed without radically altering the OS (at least
from the user's perspective.) Many Windows problems can't be fixed
without changing the fundamental nature of the system.

[snip]

> You have to remember that, for a business to switch from MS to *nix
> takes not only a huge shift in thinking on the part of management and
> users but also *wholesale* changes in the IT staff.

Or wholesale retraining. It's not easy. That's why it's a long-term
strategic goal and not a short-term answer to security problems.

--
David.