Domain: cisecurity.org
Stories and comments across the archive that link to cisecurity.org.
Comments · 94
-
Re:My prediction:
From Vendor: All of your organizations logged and network security alert data is compressed, encrypted and sent to the CIS SOC. This allows analysts to review previous network activity and search for specific threats or activity related to newly-released signatures, providing a distinct advantage over traditional security network monitoring services.
More importantly, the TLA foxes will be very concerned and interested about guarding this particular henhouse. To preserve the integrity of our elections, of course.
-
Re:Basic IT security
I know it is fashionable to bust on MS -- always has been here. I will say that from a security standpoint (if not a privacy standpoint, which is related but not the same), they have gotten better. That aside, the fact remains that if you don't do the first 5 of the CIS critical security controls, doing the remaining 15 doesn't really matter.
https://www.cisecurity.org/con...
Of course throwing blinkin-light boxes, doing pen tests, etc. is all the "sexy" parts of security, but here's the deal -- MS patched the vuln over a month before WannaCry hit and the crisis could have been averted by asset control and patch management before any signatures were released either for the vulnerability itself, or for specific threats such as WannaCry.
Within a day of ShadowBrokers dumping the haul which contained EternalBlue, nearly everyone in the security field that was paying attention understood that a patch already existed, MS had released it without fanfare as they usually do for this sort of thing, and that due to lack of attribution in the release notes that it was almost certainly NSA working on it with MS once they had reason to believe that EternalBlue was taken and would be burned by SB.
So, yeah "Don't use Microsoft" -- but if you go around not patching RedHat, you're not actually going to be that much better off. Unpatched software is still unpatched software, email has the quality of turning local exploits into remote exploits, and office workers whom you stick on an Ubuntu or RedHat box are still going to click whatever they're going to click. DAC and the Unix permissions model only goes so far, and most sites I've worked at have a tendency to have a "disable SELinux because it's hard and we're lazy" item in their deployment guide.
No one thing is the end-all/be-all of security. Layered defense and understanding that it is a constant arms race wherein blue team isn't likely to prevent a dedicated adversary from gaining a foothold but needs to do what is possible to increase the cost of success and extend operational time for the attacker to increase the likelihood of detection before exfiltration or destruction of data is it.
-
Re: Watch out Mandiant
Depends on what procedures they adopted. If it was something like the PCI standard they likely could have followed everything, well except the part about not retaining sensitive information, and still gotten hacked. The PCI standard is the bare minimum that should be followed but is something written for MBA types so it has checkboxes that give you a warm fuzzy feeling. It does offer some protection but there are better standards but these are harder and require actual thought. Also if they were reasonably intelligent they would have implemented some well known system benchmarks but those can be inconvenient for people who want the keys to the kingdom. Given what has happened I would guess they implemented the parts of PCI that didn't deal with personal information and called it a day.
Personally, even if they were using PCI, I would love to see them get browbeat because there are better standards, such as the US government's NIST Special Publication 800 and/or 1800 series, the NERC CIP standard, the Cybersecurity Procurement Language for Energy Delivery Systems document. If those weren't enough there are other well respected ones out there as well to choose from. If a business, especially a large one, isn't required to be covered by one I would suggest looking at all of them and make rational choices out of each of them. If a business is required to follow one fully implement that but then still pull from the others to go beyond and then get regulators to scrutinize competitors who are lacking. -
Re:I'll take 10 million
I see someone has no idea of what they are talking about in this regard. Here is the current standard that grid operators have to comply with. Also here is what is currently being asked of suppliers by the grid operators when getting a new system. Add in that the systems be benchmarked against these or these is also becoming written into the contracts now. I would assume that operators in the oil and gas industry either have similar things or are at least smart enough to re-purpose the above as the effort to do so would be minimal. A lot of the security efforts for securing the grid are not to protect it from the general internet, they are already separated and if not the company fucked up really bad and if NERC finds out the company will be paying some huge fines so let NERC know. Instead the security is to protect the control system from stupid users who find a USB rubber ducky in the parking lot, connects their corporate laptop to the control network, someone doing malicious things out at some remote substation that then gets into the main control system, or malicious insider. The people going after the grid are professionals and more often than not state actors not little Timmy from down the street who just found out about Low Orbit Ion Cannon or Armitage.
-
Re:Do they meet PCI compliance?
Probably except for the part about not storing personal information but then they aren't card processors. The PCI standard while it is a standard is really the bare minimum that companies should be held to for them to not be found guilty of criminal negligence for breaches. The actual standard is here and having had to deal with MBAs asking about our compliance makes it seem like it is something written for the MBA types to check off a bunch of stuff. There are much better standards and if you aren't an MBA you can figure out how to make them applicable to your business. Personally I like the NERC CIP standard with liberal utilization of the CIS benchmarks as a good starting point for securing a system. If you want others there is always the US government's set of security benchmarks, the DoE document Cybersecurity Procurement Language for Energy Delivery Systems, or a bunch of stuff at the SANS site that you could use as a guide.
-
Re:WRONG on all counts & eat your words
See my subject & this link: No denying it
/https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785b [slashdot.org] & it's FAR from a complete list (even though it shows 100's of router security + inefficiency issues).
Your argument is so old and tired I get a /. 404 error, seriously I do. That said anyone who is using the factory provided firmware on a consumer router/firewall is dumb. OpenWRT or DDWRT are much better choices that offer better security and better options. Or if you prefer go and drop pfSense on some "powerful" but inexpensive hardware. As you will have a device like these between your computer and the internet I don't see how an argument about cost is an issue as you have your modem connected to the internet (DSL or Cable) and then either a router or firewall that your other gear sits behind. Depending on what hardware you have and layout your setup behind the router or firewall will vary greatly.
* LMAO - again, that's you "networking menials" (that can't program their OWN solutions because you're limited) to a tee
Not a millennial (I assume that is what you meant) by a long shot I do actually program and have through my employer contributed to a number of open source projects. You may have heard of a few of them.
WRONG! I don't understand "layered-security"/"defense-in-depth"? I wrote guides on it that even GOT ME PAID https://www.google.com/search?... [google.com]
Guess what I have contributed to guides on securing systems and am paid by my employer to do so when new versions and updates are sought. The difference is that what I have contributed to are respected and well known.
Also it looks like you are a bit too copy/paste happy as I see you are getting frustrated and double posting (see above and below). You really should look into getting treatment for your ails as something does appear to be wrong. -
Re:Retards
You'd probably be surprised just HOW vulnerable most of the world's critical infrastructure really is.
Concerning power grids, no I wouldn't and people in the US and Canada would actually be surprised how well protected the bulk electrical system is here when compared to what is reported. Even small operators like to follow the security requirements that the large ones have to even if they don't as it does allow them to say that they are following the industry best practices which is a good CYA from lawsuits. Other countries are a different story and vary greatly but even those who hadn't cared much before are coming around after the Dec. 23, 2015 hack of the Ukrainian grid caused a lot of European companies to collectively shit themselves.
I'll just leave a few things here for you. In the US and Canada those are either the regulations for cyber security of our power grid or specific requirements being written into contracts for new control systems for our power grid. All of them have to follow NERC CIP with the other 2 being optional but widely used as a CYA. The Europeans do not have such requirements and it varies from country to country but those that do have regulations they are often very far behind even previous version of NERC CIP. That is not to say that those make you secure but they do offer a good start and following any one of those documents would provide more security than the preferred PCI DSS standard that everyone outside of power grid world thinks is great and the be all end all. -
Re:"Closed Network Syndrome" strikes again
To be fair not all SCADA systems are as unprotected as you would imply but they are not the fortress for security one would hope. In North America there is the NERC CIP standards that need to be followed for grid operators which are a good start and should be approachable for most /. readers. The nice thing is that NERC has teeth and fines can be huge (I believe up to $1,000,000 per violation per day of non compliance) The NERC CIP standards go a whole lot farther than the other major standard that is mentioned often in these discussion which is PCI DSS which seems to be written more for managers who like check boxes. Another consideration is the Cybersecurity Procurement Language for Energy Delivery Systems which is being picked up by a number of organizations as a set of requirements. Then there is always the reasonable and prudent CIS Benchmarks for the OSes and software you are running. I do think that a lot of SWIFT operators think that something like PCI DSS is good enough but it isn't. -
Re:Except...
I think you have hit the nail on the head. Everyone wants a magic device or application that will stop all threats. Working as a security person I frequently interact with companies selling magic boxes and unfortunately it is most often at customer sites trying to integrate the steaming pile with the customer's existing system. My personal favorite interaction with a company selling a magic device was one that was selling a NIDS type device and my first question to them was "What does your product offer me over Snort". Their response was that their device did deep packet inspection and snort doesn't. At that point I told the guy to get out and not come back as they are either incompetent bordering on negligence or are liars and either way I don't deal with liars or people who are that incompetent.
When I work with customers to secure their systems I go after the things that actually provide value and don't cost a ton of money. Like limiting the amount of crap installed on a server, turning on and setting rules on the host based firewall, putting a firewall appliance at the edge of your network and configuring it, staying up to date on patches, configuring your system in a secure manner, etc. all of which probably fall into your "other low-tech solutions" bucket in addition to the other things you mention. I have been on site a number of times when customer systems have been audited for security, it is mandated and if an audit item fails there are real fines that are large and are assessed for each day of violation, so my goal is to provide a system for customers that is actually secure (well it has a good margin of security) and in all cases goes well beyond what is required for the audit. -
Re:Security vs Insecurity Experts
Sounds like I have been doing shit wrong and could have gotten things done quicker and slacked off. I do start with the lists of best practices and regulations. Then I go and check their layout, settings, firewall rules, configuration, physical security, etc. seeing how they are running things. After that I go and do a proper vulnerability scan and system scan (outside looking in and inside looking out) to see if what they say their system is setup as is what it actually is. If the customer allows it I do some pen testing on links coming in, physical penetration testing with a little bit of social engineering, or pen testing from machine to machine in their environment. Finally after all that I spend a whole pile of time going over the collected results and create a nice report where I organize the threats and risks into actual threat levels and provide mitigation or remediation steps. Typically I spend 2 weeks on site gathering data, and then about another month going over it. I have never been a big fan of checkbox security as it leads to lots of stupid crap but there is something to be said for going through them because I have found a lot of low hanging fruit that was simply overlooked by others.
-
Re:There are 2 kinds of people
my computers all run Linux and are about as secure as you can reasonably expect
Somewhat serious question but are they really? Likely there are additional measures that can be taken as I found out a long time ago. The base level of security expected in the industry I work in is that specified in the Center for Internet Security benchmarks for whatever OS and large applications benchmarks are applicable. Anyone can go and view/download the benchmarks. These go well beyond patching, AV, firewall, and other simple standard protections that most are aware of. Even the windows protections will do a lot to stop standard attacks by at least forcing the user to jump through some hoops to really F up their system.
-
Re:Compile and path
You are technically correct but SElinux is a real pain in the ass.
This reminds me of the hilarious definition of Level 2 in the CIS benchmark for RHEL:
Level 2: may negatively inhibit the utility or performance of the technology
https://benchmarks.cisecurity....
There comes a point where hackers cause less damage than this kind of "security".
-
Re:No, give me a break.
I'm sorry, your argument for NOT using a tool that changes over time (JavaVM) is that they're just as bad as another tool that changes over time (IE/Windows). And yet, please who release windows 8/10 related services are somehow forgiven from your black hole of hate?
Pretty much every piece of generally used software has bugs. Sure, if you have 0 use for Java, Flash, Video codec playbacks, document viewers, etc. then absolutely don't use them. But don't presume to think Java is in any way less secure than any other platform that allows for script execution. Just make the common sense approach of not auto-running arbitrary scripting code, including JavaScript if you're concerned about being hacked.
For instance: https://msisac.cisecurity.org/...
-
Re:Not a surprise, but no reflection of O/S vs Pro
are you sure about that?
unsafe
{
    // srcPtr and destPtr are IntPtr's pointing to valid memory locations
    // size is the number of bytes to copy (a C# long is 8 bytes)
    long* src = (long*)srcPtr;
    long* dest = (long*)destPtr;
    for (int i = 0; i < size / sizeof(long); i++)
    {
        dest[i] = src[i];
    }
}
that's valid C#, all you need to do is inject something like that into the codebase and let the JIT compile it (using all the lovely features they added to support dynamic code) and you're good to get all the memory you like.
Now I know the CLR will not let you do this so easily, but there's always a security vulnerability lying around waiting to be discovered that will, or an unpatched system that already has such a bug found in any of the .NET framework, for example this one that exploits... a "buffer allocation vulnerability", and is present in Silverlight.
The moral is ... don't think C programs are somehow insecure and managed languages are perfectly safe. -
Re:Java runtime vs. .NET runtime
You mean like this?
-
Benchmarks
The following should help set you in the right direction
http://benchmarks.cisecurity.org/en-us/?route=downloads -
"U're a GOOD MAN, Charlie Brown"!!!
I am glad to see you are doing what I suggested because users (especially "noobs" as they are often wont to be called & why I used that term)? Are the MAIN WEAKEST LINK out there.
(You sound like you're more of a coder than a networker, as am I actually (since 1994 being doing MIS/IS/IT coding, mostly in Client-Server apps professionally))...
Now, as to THIS part from you, here's something you MAY like & you can tell Ms. Hester I sent you (email her):
"our business has over 4,000 employees just at head office and a further 200,000 throughout the business, a single nerd trying to educate will only go so far" - by Fluffeh (1273756) on Monday November 14, @12:15AM (#38045472)
This will help you, immensely, and it's EASY TO USE, multi-platform (does many OS') and you can get a FREE eval copy from which you can start basing logon script merges of .reg files even (what I do on bootup to reinforce Group & Local security policies here based on its advisement in Windows 7):
lhester@cisecurity.org
http://benchmarks.cisecurity.org/
Once the "freebie trial" does 'wear out' (written in multiplatform JAVA, so you will need it installed on a testbed rig for forming a SOLID security policy, & on MANY OS, and even if 32/64 bit etc.)?
You can SAVE the areas to alter (in registry or .reg merge files using either .reg merge files, OR "auditpol" command line modules (like in a logon script in Windows) such as these:
auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable
auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Distribution Group Management" /success:disable /failure:disable
auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:disable /failure:enable
auditpol /set /subcategory:"Registry" /success:disable /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:disable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable /failure:disable
auditpol /set /subcategory:"Logoff" /succe -
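A check for the audit-policy baseline in the comment above, as an added example that is not part of the original post: it parses `auditpol /set` lines into a baseline and compares them with the CSV that `auditpol /get /category:* /r` prints. The report is a constructed sample (host name and GUIDs are placeholders), English-locale setting names are assumed, and the function names are this example's own.

```python
import csv
import io
import re

# Baseline: a few of the `auditpol /set` lines from the comment, including
# the final line exactly as it is cut off there.
BASELINE_COMMANDS = '''
auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
auditpol /set /subcategory:"Distribution Group Management" /success:disable /failure:disable
auditpol /set /subcategory:"File System" /success:disable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable /failure:disable
auditpol /set /subcategory:"Logoff" /succe
'''

# Constructed sample of `auditpol /get /category:* /r` output.
# HOST01 and the GUID values are placeholders, not real identifiers.
SAMPLE_REPORT = '''Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
HOST01,System,Security State Change,{00000000-0000-0000-0000-000000000001},Success and Failure,
HOST01,System,Distribution Group Management,{00000000-0000-0000-0000-000000000002},No Auditing,
HOST01,System,File System,{00000000-0000-0000-0000-000000000003},No Auditing,
HOST01,System,Process Creation,{00000000-0000-0000-0000-000000000004},Success,
'''

# (success audited, failure audited) -> text auditpol uses in the report
DESCRIBE = {
    (False, False): "No Auditing",
    (True, False): "Success",
    (False, True): "Failure",
    (True, True): "Success and Failure",
}
SETTING = {text.lower(): flags for flags, text in DESCRIBE.items()}

SET_RE = re.compile(
    r'^auditpol\s+/set\s+/subcategory:"(?P<name>[^"]+)"'
    r'\s+/success:(?P<s>enable|disable)\s+/failure:(?P<f>enable|disable)\s*$',
    re.IGNORECASE,
)


def parse_baseline(text):
    """Return ({subcategory: (success, failure)}, [lines that did not parse])."""
    baseline, rejected = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SET_RE.match(line)
        if m is None:
            # A truncated or malformed command must not silently weaken the baseline.
            rejected.append(line)
            continue
        baseline[m["name"].lower()] = (
            m["s"].lower() == "enable",
            m["f"].lower() == "enable",
        )
    return baseline, rejected


def parse_report(csv_text):
    """Map each subcategory in the CSV report to (success, failure)."""
    current = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("Subcategory") or "").strip().lower()
        setting = (row.get("Inclusion Setting") or "").strip().lower()
        if name and setting in SETTING:
            current[name] = SETTING[setting]
    return current


def find_drift(baseline, current):
    """List (subcategory, reason) for every baseline entry the host does not meet."""
    findings = []
    for name, want in sorted(baseline.items()):
        have = current.get(name)
        if have is None:
            findings.append((name, "missing from report"))
        elif have != want:
            findings.append((name, f"want {DESCRIBE[want]}, have {DESCRIBE[have]}"))
    return findings


if __name__ == "__main__":
    baseline, rejected = parse_baseline(BASELINE_COMMANDS)
    for line in rejected:
        print("unparsed baseline line:", line)
    for name, reason in find_drift(baseline, parse_report(SAMPLE_REPORT)):
        print(f"DRIFT {name}: {reason}")
```

Run on a schedule against a fresh report, this shows whether the logon-script settings are still in force or have been overridden by Group Policy.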
Re:Antivirus software is bullshit
Now, it might be worth it to have a piece of software (a script, really) that ran around a Windows install and tightened up security across the board -- turned the firewalls on, set passwords, disable autorun, install Firefox, grab updates, etc
They're called security templates. GPO's can be pretty useful if you use them properly. Granted, security templates don't install FF, but a decently-configured network and install process should cover whatever base software and updates you need/want. If you're not in a corporate environment, check out gpedit.msc > Computer Configuration > Windows Settings > Security Settings.
Combine that with a decent scoring/analysis tool and you can run a decent OS.
Yea, yea: I hear the "band-aid vs. design" argument. What I'm saying is that I know you run into problems when you build an OS that tries to play to the lowest common denominator. If you're using that OS though, you can lock it up properly to not be the lowest common denominator from a security standpoint, provided you manage your users properly ("No, you cannot run Limewire to download that fun new game your buddy told you about...").
-
Re:They lied!
It goes far beyond in security to what a standard user would ask for. I'd actually like to see Windows or Linux have a similar guide/compilation.
: )
-
Re:Would be really handy
You might try (on a test box) the security information/tools CIS (Center for Internet Security) has to offer. I have had good experience with the information for AIX (of all things). They provide automated tools for Windows and a few other OSs.
-
For obvious reasons? Ah, you mean THESE??
"I develop a medical database that requires a server to be installed locally, for security reasons. I try to convince the hospitals to let me use Ubuntu instead of MS Windows for obvious reasons, but so far have been unsuccessful." - by hhlost (757118) on Wednesday August 29, @02:27PM (#20401951)
For OBVIOUS reasons? Yea, I know what you mean!
Like how I have outright challenged *NIX heads here to surpass my score on the multiplatform test of security in CIS TOOL, & not a one has surpassed my score on it of 85.185 to date??
http://img.techpowerup.org/070828/APK_AToutLeMonde _85.185CISToolScorePhotoProof.jpg
Go for it, download & install + run CIS TOOL by the CENTER FOR INTERNET SECURITY:
http://www.cisecurity.org/bench.html
& see how secure even UBUNTU is, even with its default SeLinux kernel hook addons for MAC (mandatory access control labelling system), which is a bite off of Microsoft's ACL's no less, & users on it ran everytime I challenged them here to this test, & to surpass my score on it:
E.G.-> A THREAD ON SLASHDOT HERE ABOUT HARDENING LINUX:
http://it.slashdot.org/comments.pl?sid=267599&cid= 20203061
Every one of the *NIX folks there outright RAN!
I have heard AND OVERCOME every objection they threw my way no less!
(E.G.-> I even had to even walk a *NIX person thru how CHROOT jails can be broken out of, & they are NOT ENOUGH by themselves (because of buffer overflow impersonation privilege escalation possibilities in apps), nor is chmod/chroot work, OR IPTables + NetConfig dual homed "NAT FIREWALLING" even... they NEED to use SeLinux SOCKETS LEVEL CONTROL, as well as MAC level control of the disk/filesystem data, for "layered security")...
Folks here always say things along the lines of this:
"(Insert *NIX variant here) is more secure/securable than Windows"
And, to that? I always say this:
Put your monies where your mouths are, put up a better score than mine on this multiplatform test of security (noted no less by SANS & COMPUTERWORLD, both respected sources for security data often cited here @ /. no less, as a tool that HELPS YOU SECURE YOURSELF!)...
That's all!
APK
P.S.=> For all that big talk, no one is willing to "walk the walk" here... & prove their *NIX setup is more secured than mine running Windows Server 2003 SP #2 fully hotfix patched! apk -
Re:Run, Forrest: RUN!!! apk
These clowns? Quality secure configuration there. That's called "information leak", and is one of the first things you're supposed to do when trying to secure a site. Hell, modern webservers have all that crap turned off by default.
Anyway, your posts are full of words and hyperbole, but I'll try your test if I can actually get it for linux. I'm not going to pay for it though, and it appears to be free for .gov use only? -
You're just another WEAK F.U.D. spreading troll
LOL, predictable:
---- "Go shill somewhere else troll" - by ispsuckx (1147895) on Sunday August 26, @05:12PM (#20365173) ----
Troll?
Hey, look - I am only responding to folks here that are *NIX people, spreading more of their usual F.U.D. b.s. here @ /., which is usually along the lines of:
"(Insert *NIX variant here) is more secure/securable than Windows"
That is all...
(& I am just giving them a COMPLETELY FAIR CHANCE, to back up their b.s., & prove me wrong IF they can, & they must exceed an 85.185/100 score on the CIS TOOL to do so, & post a valid unfaked photo of their score on this *NIX rig of their OS choice!)
That's all, simple... but, apparently, NOT so simple, eh, to live up to words I am only responding to, asking folks to back up their words, & put their monies where their mouths are, that run *NIX & that say things more or less along the lines of what I bolded above...
APK
P.S.=> Now, the funniest part is? Your subject line's "Ha"!
Well... I get that "last laugh", as per usual, when it comes to THIS challenge I issue here every time I see more of this b.s. -> "(Insert *NIX variant here) is more secure/securable than Windows" crap... you're just another one, RUNNING! "Run, Forrest... RUN!!!", lol!
AND, "Newsflash" - No OS ships as 'secure as it can REALLY be' out of the box/stock oem builds usually...
You're just another b.s. artist left with NOTHING but more b.s., but no score on your *NIX rig, vs. mine on Windows Server 2003 SP #2 fully patched & custom hardened for security, that exceeds my score of (currently) 85.185/100 on CIS TOOL...
CIS TOOL DOWNLOAD:
http://www.cisecurity.org/index.html
CIS TOOL is a valid legitimate test of security noted in SANS & COMPUTERWORLD (often cited here @ /. in posts regarding security & thus, respected ones) as a tool for helping to secure multiple OS platforms & apparently? After my challenging those here @ this website 30++ times now??
Folks here on their *NIX rigs just aren't all that good @ securing their machines it seems, for all of their "bluster"... so, put your monies where your mouths are, put up OR shut up, & beat my score...
Until you do? You look INCREDIBLY STUPID & FOOLISH... talk's cheap, show us how secure your *NIX rigs, really are, & beat my score... apk -
Weak, as I expected vs. my challenge... apk
LOL... is that the best you have as a comeback? Weak, (as per usual) from /. posters, especially regarding this type of topic, backing up their statements that "Windows is less secure or securable than *NIX & its variants")...
Lots of talk, yet no action! I say this based on a history of evidences I noted in my last post, point-blank. Argue with the numbers.
No photo proof of a score from a *NIX rig, vs. what I produce as a challenge to those that say "Windows is less secure than (insert *NIX variant here)" as to a result on a valid multiplatform security benchmark...
Put your monies where your mouths are boys!
Just beat the 85.185/100 score I can obtain using Windows Server 2003 SP #2 fully patched & custom security hardened, with the *NIX of YOUR choice... & put up photo proof (unedited, because one fool said he could do that, how WEAK!)...
Simple.
APK
P.S.=> BOTTOM-LINE: Talk's cheap boys... especially "F.U.D."-based b.s. like:
"(Insert *NIX variant here) is more secure or securable than Windows!"
That I see here @ /., worse than any other website online in fact. I don't mind it if it has some basis in verifiable facts with examples, but I do when that statement or one like it, has none of the aforementioned requirements.
So - "Put up, or shut up"... prove it. Put your monies where your mouths are... & with YOUR OWN SYSTEM, not someone else's tests or info. (the BEST test, not only of your big talk, but of YOUR SKILLS IN PERSONALLY KNOWING HOW TO HARDEN YOUR *NIX RIGS, vs. mine on Windows Server 2003).
Download, & install CIS TOOL (@ the center for internet security's website, link is in the URL below):
CIS TOOL DOWNLOAD PAGE @ THE CENTER FOR INTERNET SECURITY:
http://www.cisecurity.org/index.html
(... run it, & beat that score I get on a Windows NT-based OS of 85.185/100 currently, & on a legitimate multiplatform test of security (noted by COMPUTERWORLD & SANS, 2 sites often cited here @ /., no less, in security-oriented threads no less) called CIS TOOL))... apk -
They modded you as funny? GET THE LAST LAUGH!
Truth, @ last... my reply, per your statement which I will quote, ought to interest you:
====
"Linux systems are only as secure as the admins who manage them." - by HerculesMO (693085) on Wednesday August 15, @11:04AM (#20236869)
I agree, 110% (alongside the fact that their producer/oem of said OS & wares MUST issue patches/hotfixes as needed that work too)... & by the way?
Tell THIS guy, SanityInAnarchy, an UBUNTU user, that, here:
http://slashdot.org/comments.pl?sid=264303&cid=202 35261
SanityInAnarchy refuses to use SeLinux in a layered security pattern above & beyond things I had to point him to for *NIX (chmod/chown/chroot) for MAC-ACL layered security over filesystems & userrights... as well as SeLinux providing SOCKETS LEVEL CONTROL, for layered security above & beyond IPTables usage, alone!
That's in regards to taking the multiplatform test of security, CIS TOOL:
http://www.cisecurity.org/bench.html
&, using the *NIX of his choice to beat my score of 84.735/100 on that test (proofs of most of the evasions from he (& others) I encountered is in the root of my replies there, parent to his posts, as well as my overcoming their objections):
http://img.techpowerup.org/070618/APK14SecurityPoi ntsCISToolResult84735.jpg
Fact is, I have challenged 30++ other *NIX users here @ /., & other LINUX sites, to that test as well (& NOT A ONE HAS EXCEEDED MY SCORE ON WINDOWS SERVER 2003 SP #2 fully hotfix patched).
They ALL ran, every *NIX user I challenged to this test... every time! SanityInAnarchy, is not alone, in that regard... Again - the proof of that, via 26 or so URL's from others here, is in the root of my replies to he, & my challenge to he & THEY as well, for a record of it.
All kinds of evasions were posted, each was overcome by myself using valid proofs &/or techniques mind you...
(Still - I would LIKE to see a *NIX user WITH A STRONG SECURITY BACKGROUND & SETUP TRY THIS LEGITIMATE MULTIPLATFORM SECURITY TEST!)
Preferably/specifically, an SeLinux bearing distro, like UBUNTU, or a FreeBSD user, with a "fully config'd right via layered security setup" (in place they are confident of, & have them Install CIS Tool, JAVA runtimes from SUN (latest for it))!
Then to see them post a valid unfaked photo of their score (yes, SanityInAnarchy said he could fake a photo, lol, believe it or not), & on that CIS TOOL multiplatform, legit/valid test of security...
CIS TOOL is noted as VALID/LEGITIMATE (vs. SanityInAnarchy's MAIN OBJECTION, that CIS TOOL could be "malware" etc., & IT IS ANYTHING BUT THAT, heck - it's "antimalware" if anything) per SANS &/or COMPUTERWORLD, no less:
----
SANS NOTES CIS TOOL:
http://www.sans.org/newsletters/newsbites/newsbite s.php?vol=9&issue=36
&
COMPUTER WORLD NOTES CIS TOOL and PURPOSE:
http://www.computerworld.com/action/article.do?com mand=viewArticleBasic&articleId=9018362&intsrc=hm_ list
So much for SanityInAnarchy's argument this tool might be "malware", lol... it is ANYTHING BUT THAT - it tells you how to secure yourself & points out areas that may be weak!
----
(Fact is - The admins of this system in THIS thread, which got 'hacked/cracked'? Ought to use it & learn SeLinux (which SanityInAnarchy was not aware of it being in UBUNTU first of all, but also he refuses t -
"new NEWS" then...
"This in today- People wanting a secure server use Ubuntu Dapper Drake instead of Fiesty Fawn" - by daskinil (991205) on Wednesday August 15, @08:55AM (#20235231)
Ok, this just in/"new NEWS":
See this url:
http://slashdot.org/comments.pl?sid=264303&threshold=1&commentsort=0&mode=thread&cid=20159515
And download the multiplatform test of security by the CENTER FOR INTERNET SECURITY, noted by SANS + COMPUTERWORLD as a valid tool for benchmarking security on various *NIX derivant OS' (not all, no MacOS X or OpenBSD - noting a clear lack of development on them imo vs. other variants & yes, Win32) & Windows NT-based variants:
http://www.cisecurity.org/bench.html
& beat this score, obtained on a custom hardened-for-security build of Windows Server 2003 SP #2 fully hotfix patched (as of yesterday, "MS Patch Tuesday" & all):
84.735/100 score photo, obtained on Windows Server 2003 SP #2 fully hotfix patched:
http://img.techpowerup.org/070618/APK14SecurityPointsCISToolResult84735.jpg
On the *NIX variant of YOUR CHOICE, & of "server-class build"... I would honestly like to see a photo of the score on THAT multiplatform CIS TOOL test for security, which has been noted by SANS + COMPUTERWORLD, here:
SANS NOTES CIS TOOL:
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=9&issue=36
&
COMPUTER WORLD NOTES CIS TOOL and PURPOSE:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9018362&intsrc=hm_list
As a legitimate program for the purposes of "shoring up" holes found by it on them!
APK
P.S.=> 30 *NIX people have outright evaded that test, & gee - "I wonder why"... I overcame each of their objections thru that thread, & those listed as well (27 of them prior to that url above)... no takers (though I suspect they tried, & their *NIX derivant OS could NOT surpass my score shown above)... & about *NIX vulnerabilities, vs. Windows ones (and, that apps that ride on them)?
National Cyber Alert System: Cyber Security Bulletin 2005 Summary:
http://www.us-cert.gov/cas/bulletins/SB2005.html
A quote from it:
"There were 5198 reported vulnerabilities: 812 Windows operating system vulnerabilities; 2328 Unix/Linux operating vulnerabilities; and 2058 Multiple operating system vulnerabilities."
Also, that URL & report show LINUX as having 3x as many security holes/vulnerabilities in it than Windows NT-based OS' have mind you (in year end 2005/beginning of 2006, between the OS & its apps riding on it), so, let's compare them on security & vulnerabilities on THAT note as well... apk -
Re:In a word: no.
"As long as they claim to have the most secure operating system ever: No." - kimvette (919543) on Saturday August 11, @03:27PM (#20197269)
Well, tell you what (like I have to 25 others here 25 times here before, & had nothing but evasions over from *NIX people (AND, in fact? I can post the list of url's for that IF you like also in any replies to you IF you reply back)):
DOWNLOAD THIS MULTIPLATFORM TEST OF ONLINE SECURITY (by the CENTER FOR INTERNET SECURITY):
http://www.cisecurity.org/bench.html
Install & run it on your *NIX rig, & post the score you get!
(Then, I'll post a screenshot of what I am able to "CUSTOM HARDEN" Windows Server 2003 SP #2 fully current hotfix patched to, as a comparison (AND, how I do it as well)).
Fair enough?
BY THE WAY? THIS TEST IS LEGIT, & EVEN NOTED BY SANS + COMPUTERWORLD, IN THE NEXT 2 URLS BELOW:
COMPUTERWORLD - CIS tool aims to help federal agencies check Windows security settings:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9018362&intsrc=hm_list
SANS - CIS to Release Windows Configuration Assessment Tool: (May 1, 2007)
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=9&issue=36#sID302
APK
P.S.=> Hey- it's true that benchmarks aren't "EVERYTHING", & it's more the 'man behind the wheel' (in configuring a system for PERFORMANCE, or SECURITY)!
HOWEVER? Benchmarks are the best initial comparisons we have (hence, why tools like benchmarks exist, period really)... apk -
Re:Very... eloquent troll.
First, I did not use the tool you suggested because the tool itself would make my system less secure. Had you read my post, you would know this.
Obviously, you did not read my post. Apparently it was too long for you, so I am trying to make this nice and short. Even so, I've put the thrust of my argument first, so that hopefully you'll get the point before your attention span fades.
Anyhow, then, why don't you even try the CIS Tool 1.x, + post your score here so I can examine it + so YOU CAN PROVE THAT STATEMENT?
And you continue to rant about how obviously, if I didn't run your tool, it must mean that I'm either too stupid to figure out how, or I don't want you to know how insecure my system is.
I'll point you to their own readme file:
The NG Scoring Tool installation may make some or all of the Tool files world writable during installation.
This is a really fucking bad idea. It is a security bug in the software you want me to use to test my security?
Apparently, they know it too, because they go on to say:
This is a known issue and we are working very hard to correct this installation issue.
Oh, and yes, you should get a Slashdot account:
First of all - Why?
Why not?
Oh, by the way, that comment you link to? Got modded +2, started at 0, has no replies. My comments start at 2 (registered + good karma), and routinely get modded to +5. They almost always have replies, unless they are already deep inside a thread.
Also, I do not have to enter a CAPTCHA when commenting, I don't have to preview before posting, and I have to wait far less between posting. As for tracking, it's not about "peer pressure", it's about recognition, and that is a good thing.
-
Re:Very... eloquent troll.
"Don't say that we can't beat your security -- that's pure bullshit" - by SanityInAnarchy (655584) on Wednesday August 08, @08:51PM (#20164507)
Anyhow, then, why don't you even try the CIS Tool 1.x, + post your score here so I can examine it + so YOU CAN PROVE THAT STATEMENT?
(... & that's only if you run a *NIX on your PC of somekind, since the test is multiplatform??)
And... lol, I didn't have to fill out any survey form for the Windows model... you sure you're getting the file for your *NIX, from here:
http://www.cisecurity.org/bench.html
?
Plus, please:
If you cannot figure out how to download a program from the internet man & install it?
Honestly? Well... I really do NOT know what to tell you!
(Uhm, maybe @ the risk of not insulting you, I'd say perhaps man... you really don't have the know-how for this test, if you can't manage THAT much, honestly!)
IMO:
Either this person doesn't have the know-how here, OR, is just evading taking a simple test that is the measure of his system's online security, created by "THE CENTER FOR INTERNET SECURITY"!
(... & maybe, I am guessing, he DID try it, & gets a poor score, & is just evading it. There's no shame in posting a score far lower than mine!)
"Next...!!!"
(Please- somebody reply here, who is competent enough to figure out how to do a download, install a program, & perhaps have the courage to post a score on a *NIX rig, please (no "excuse makers" allowed - those with courage or honesty need only apply, not evaders)).
Typically though, iirc? Windows 2000 &/or XP systems, non-hardened, scored between 10,000-24,000, iirc... but, a *NIX score here, with photo proof, would be nice!
APK
P.S.=> "Oh, and get yourself a Slashdot account. Many people don't even bother to reply to Anonymous Cowards." - by SanityInAnarchy (655584) on Wednesday August 08, @08:51PM (#20164507)
First of all - Why?
(... so I can be "tracked around here", just like you? No thanks... 'peer pressure tactics' mean little to me, like in this case: What does, is the score your *NIX running rig can get on this test... )
Secondly - I actually get quite a lot of replies, & have been modded up around 50 times or so here, that I know of (& each post was done as A/C)... would you like the links?
Here's just one, since it's "DEFCON" again - CODING FOR DEFCON (from last year here iirc):
http://it.slashdot.org/comments.pl?sid=158231&threshold=1&commentsort=0&mode=thread&cid=13257227 [slashdot.org]
apk -
Very... eloquent troll.
Either you're trolling or astroturfing, or you're sadly misinformed. I suspect the former:
you truly CAN secure Windows, & to such a level, even *NIX folks I challenged could not beat it)...
And, no - benchmarks are "not everything", only gauges (what else do we have?
So, if benchmarks are not everything, then be more specific -- say that your Windows is secured relative to one benchmark to where no one else can beat it. Don't say that we can't beat your security -- that's pure bullshit. If I'm insecure, root me. Go on -- you can start with my mailserver. Shouldn't be too hard to find. If you're smart, you can even jump from there to my desktop -- they're connected via a gigabit crossover cable.
Oh, and get yourself a Slashdot account. Many people don't even bother to reply to Anonymous Cowards.
But let me try to take you seriously for a moment...
You posted a screenshot, which as we all know, should not be accepted as "proof" of anything. Your screenshot is bullshit unless I can get the tool and verify it myself. So try providing a link, at least.
Oh, is this what you were talking about? First, there's no tool for the most popular Linux variant today: Ubuntu. (My desktop is Kubuntu, but that shouldn't be a major obstacle, when you can "upgrade" from one to the other and back.)
But let's suppose I had RedHat or Suse or some such. It's still a huge, annoying hassle to even get to the file -- I'm very skeptical of anything that makes me FILL OUT A SURVEY, not to mention agree to some legalese, before I can even download the file. Included in that legalese is the requirement that I can't redistribute -- doesn't sound particularly open to me.
Once downloaded, I have a big tarball. Unpacking it, I find a jar file and a readme. Which means, the entire tool is proprietary. I'm not sure if it can be run as a normal user, however, I am running Linux partly because I do not trust proprietary software. And now you're asking me to run one from this random website as root?
(I suppose I could setup a separate account to test it under, but I'm too lazy, especially when... but read on.)
Even if I had source code, where's the md5sum? The PHP signature? Where's my guarantee that the file I downloaded actually did originate from this server, and hasn't been modified in transit?
Never mind all that -- the readme file itself admits that the installation of the tool is not secure:
The NG Scoring Tool installation may make some or all of the Tool files world writable during installation. This is a known issue and we are working very hard to correct this installation issue.
I'm sorry, no. Absolutely not. I will not take a benchmark intended to measure my security when the tool itself is that fucking insecure, and you shouldn't either. Not even on Windows.
However, you're welcome to point me to any tool which attempts penetration testing from the Internet -- in other words, a website where I can click a "hack me" button to test my browser, or to have their server attempt to exploit me over the network. I imagine it would be inconclusive -- it would probably find absolutely nothing to exploit on either of our machines. It might find something wrong with some conscious decisions I've made -- for instance, responding to a ping -- but then it becomes a difference of opinion, rather than "proof" of anything. (Unless we're both wrong, and it's able to root one of us...)
-
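The two objections raised in the comment above (installed files left world-writable, and no published digest to check the download against) can both be tested locally before anything is run. This is an added example, not part of the thread and not CIS's code; the directory built by `make_demo_tree` is constructed, and SHA-256 stands in for the md5sum the comment asks about.

```shell
#!/bin/sh
# Added example: audit an unpacked tool directory before running anything in it.
# All paths and file names below are constructed for the demo.

# Print every regular file or directory under $1 that any local user can write.
# Symlinks are skipped because their own mode bits carry no meaning.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print 2>/dev/null | sort
}

# Number of world-writable entries under $1, printed on stdout.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Remove the "other" write bit from every entry found.
# Succeeds only if a second scan comes back empty.
fix_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
    [ "$(count_world_writable "$1")" -eq 0 ]
}

# Compare a file's SHA-256 with a digest obtained out of band from the publisher.
# Succeeds only on an exact match.
verify_sha256() {
    file=$1
    expected=$2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$file" | awk '{print $1}')
    fi
    [ "$actual" = "$expected" ]
}

# Build a constructed install tree showing the state the readme warns about:
# one world-writable file and one world-writable directory.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/lib"
    printf 'jar bytes\n' > "$d/tool.jar"
    printf 'readme\n' > "$d/readme.txt"
    printf 'cfg\n' > "$d/lib/settings.xml"
    chmod 755 "$d"
    chmod 644 "$d/readme.txt" "$d/lib/settings.xml"
    chmod 666 "$d/tool.jar"   # world-writable file
    chmod 777 "$d/lib"        # world-writable directory
    printf '%s\n' "$d"
}

# Stand-alone use: sh audit.sh /path/to/unpacked/tool
if [ "$#" -ge 1 ]; then
    list_world_writable "$1"
fi
```

A world-writable jar matters because any local account can replace the code that a later privileged run will execute, which is the risk the comment objects to.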
Re:XP isn't that bad: DO THIS? XP = GOOD!
NOT A SINGLE *NIX USER, on various flavors of *NIX (including the oft touted 'super-secure' BSD variants OR SELinux) COULD SURPASS THAT SCORE, because not a 1 posted a score
And, no - benchmarks are "not everything", only gauges (what else do we have? If you can find a better, more comprehensive gauge than this one that is also multiplatform?? I'll give it a shot too, but to date? I have NOT been able to find a better one, than CIS Tool!
"I don't have the evidence, therefore I'm right." Or, to be fair to you, "I don't have any evidence to say that I'm wrong, therefore I'M RIGHT." Deciding that you have an unbelievably safe system based on lack of challenge and an arbitrarily defined scale is...stupid.
You don't even understand what we're talking about when we say "Administrator." Yes, we're all aware that there's a (semi-)hidden account called "Administrator." No, that's not what we're talking about.
The obvious issue here is that this test is not "multiplatform" in the way you think it is. A score on your system is as comparable to a Linux system as the SAT is to the ACT. For crying out loud, there's even a MySQL benchmark; it's not even an OS.
they "ran", or evaded the test with b.s. (why not take it? I am fairly CERTAIN many did but did NOT like the results they saw, & that their systems were not as "(insert *NIX variant here) is more secure than Windows" was proven WRONG)
http://it.slashdot.org/comments.pl?sid=243071&cid=19690705
Let's take a poke at the reply:
I believe I am feeding a troll here...... However using that tool cannot give you an apples to apples comparison of windows to any other OS. Your photo evidence shows a score for "Registry Permissions".... This is therefore a weighted mark, because some OS's do not include a registry, and thus cannot be scored on this basis.
Which is what I said. It seems you have either ignored the post and are calling it BS (why not reply to it? I am fairly CERTAIN [why did you capitalize this word?] you did but did NOT like your total inability to come up with an answer because you were proven WRONG).
...
This sort of test, can *only* score known vulnerabilities. The problem with security is the unknown vulnerabilities. Even if you have addressed 100% of known vulnerabilities, it only takes 1 to get cracked.
By the way, I noticed that, for the first two items, you passed 0/1 major service pack and hotfix requirements and passed 1/1 minor ones, earning you a score of 12.5/25.
And finally, it failed to run on my system. After pointing it to the location of my java.exe, it gave a NoClassDefFoundError. Besides, I'm running XP Home. http://members.cisecurity.org/kb/article.php?id=0
1 3 -
CIS TOOL 1.x MULTIPLATFORM SECURITY TEST BSD FOLKS
LOL... more *NIX "big talk" about being "so secure"...
"You also forget the target demographic for OpenBSD: this is not for your Desktop, nor even for your high-load server. You can use it for that, but the niche in which it lives is firewall, NAT, transparent bridging. Places where security matters more than anything else. Sure, a bit more complex to set up, you need to work more, but this is not your moms OS." - by Corporate Troll (537873) on Thursday July 26, @04:51AM (#19993919)
Well, ok then: Take that OpenBSD setup of yours, & run this test on it:
http://www.cisecurity.org/bench.html
And see if you can beat this score on it (which was gained on Windows Server 2003 SP #2):
http://img.techpowerup.org/070618/APK14SecurityPointsCISToolResult84735.jpg
Via this "12 step program" (methods used to obtain that score on a modern Windows NT-based OS (2000/XP/Server 2003 & yes, it works on VISTA too):
http://forums.techpowerup.com/showthread.php?s=fe3a450dc9f3055920edd0fcea17b27b&p=375355#post375355
I have repeatedly challenged *NIX people to this test, 17 times now (this will be the 18th in fact) here @ /. & other sites (Linux oriented ones) & to date:
http://slashdot.org/comments.pl?sid=254685&cid=19985487
http://it.slashdot.org/comments.pl?sid=240571&cid=19630923
http://slashdot.org/comments.pl?sid=240283&cid=19631141
http://linux.slashdot.org/comments.pl?sid=240501&cid=19630965
http://it.slashdot.org/comments.pl?sid=241957&cid=19662703
http://it.slashdot.org/comments.pl?sid=241913&cid=19662485
http://bsd.slashdot.org/comments.pl?sid=238993&cid=19578849
http://it.slashdot.org/comments.pl?sid=243071&cid=19690705
http://it.slashdot.org/comments.pl?sid=243071&cid=19691091
http://slashdot.org/comments.pl?sid=240283&cid=19622485
http://it.slashdot.org/comments.pl?sid=244821&cid=19736881
http://it.slashdot.org/comments.pl?sid=245695&cid=19761821
http://linux.slashdot.org/comments.pl?sid=246583&cid=19779437
http://linux.slashdot.org/comments.pl?sid=252367&cid=19946243
http://linux.sys-con.com/read/382946_f.htm
Not a SINGLE *NIX user has surpassed the score I obtain using a custom-hardened setup of Windows Server 2003 SP #2 fully hotfix patched... not a one -
I will vouch for Windows Server 2003 SP#2 & wh
"The viruses are intelligently designed. I'm not vouching for Microsoft Windows." - by geoffrobinson (109879) on Tuesday July 03, @12:12PM (#19731855)
Well, I will vouch for Windows, but I will let the "center for internet security's" CIS Tool 1.x, do it for me, as far as how intelligently designed Windows IS, and how solid it can be, from an internet security standpoint - so much so, that 11x now overall, no SELinux, OR BSD users cannot beat the score I obtain on the multiplatform tool for testing security online!
I am vouching for Windows Server 2003 SP #2 fully hotfix patched as of this date vs. *NIX systems, & why?
Because I have posted this 10x on slashdot, & 1 other LINUX oriented site (especially directed @ SeLinux kernel hook addons for a Windows ACL-like level of security control, because Linux does NOT have that by itself, w/ out SELinux afaik):
Here goes, evidence below:
A challenge to take a multiplatform security test that runs on many a *NIX and Windows NT-based OS of modern variety (2000/XP/Server 2003) & how to get the score I did with an easy as possible roadmap in a URL below for doing so!
Run the CIS Tool 1.x, on your BSD/Linux (preferably SELinux)/Solaris rigs, it is downloadable here:
http://www.cisecurity.org/bench.html [cisecurity.org]
And, takes minute to haul in, install, & run it in an attempt to beat my 84.735 of 100 on it (from a reputable organization, The Center for Internet Security)...
Go for it, & see if you can beat my score of 84.735 on a FULLY custom security hardened Windows Server 2003 SP #2 fully patched as of the date of this posting.
Photo evidence of my score is here:
http://img.techpowerup.org/070618/APK14SecurityPointsCISToolResult84735.jpg [techpowerup.org]
And, the same score I obtained, literally, yesterday, as well!
(After putting on the latest patches for Windows Update to my OS which I download & store here - but, nice part is? I'll never need them, because I GHOST this image once it is patched & scanned for malware/virus/trojans/rootkits etc. with the latest/greatest up to date tools for that purpose, & practice safe email practices & more like disabling potentially "deadly" things that can be exploited in browsers like ActiveX/Java &/or scripting (for sites that do NOT need it))
For Windows users' reference, all noted here & how to GET THAT SCORE:
http://forums.techpowerup.com/showthread.php?s=2aac2d3ff16e9b8448875ee96e27d1ec&p=375355#post375355 [techpowerup.com]
(That's for the Windows users here to gain by).
Thing is - I'd like to see the *NIX users of all kinds beat that security test evaluation score for safety online & how well their systems are secured, as a more "concrete evidence thereof" in fact, since the poster I am replying to is a "SHOW ME PERSON" (as am I)...
HOWEVER - here @ slashdot, where slogans & b.s. of ALL kinds are stated vs. Windows & Microsoft?
Well - I have challenged you ALL here repeatedly on this note 7 times now, this is the 8th here! ... & there is one @ another Linux oriented site as well (UBUNTU discussion, where BSD was suggested instead of Linux OR even SELinux, & I posted here in a PC-BSD post with an arstechnica article base behind it, on the note of security in the reply I posted this challenge to):
http://it.slashdot.org/comments.pl?sid=240571&cid=19630923 [slashdot.org]
&
http://slashdot.org/comments.pl?sid=240283&cid=19631141 [slashdot.org]
& -
Re:The really sad part.... NOT SO SAD: Try this!
"This is a great disservice to the whole computer industry" - by EmbeddedJanitor (597831) on Thursday June 28, @09:40PM (#19684441)
Well, ok... this isn't then - a challenge to take a multiplatform security test that runs on many a *NIX and Windows NT-based OS of modern variety (2000/XP/Server 2003) & how to get the score I did with an easy as possible roadmap in a URL below for doing so!
Run the CIS Tool 1.x, on your BSD/Linux (preferably SELinux)/Solaris rigs, it is downloadable here:
http://www.cisecurity.org/bench.html
And, takes minute to haul in, install, & run it in an attempt to beat my 84.735 of 100 on it (from a reputable organization, The Center for Internet Security)...
Go for it, & see if you can beat my score of 84.735 on a FULLY custom security hardened Windows Server 2003 SP #2 fully patched as of the date of this posting.
Photo evidence of my score is here:
http://img.techpowerup.org/070618/APK14SecurityPointsCISToolResult84735.jpg
And, the same score I obtained, literally, yesterday, as well!
(After putting on the latest patches for Windows Update to my OS which I download & store here - but, nice part is? I'll never need them, because I GHOST this image once it is patched & scanned for malware/virus/trojans/rootkits etc. with the latest/greatest up to date tools for that purpose, & practice safe email practices & more like disabling potentially "deadly" things that can be exploited in browsers like ActiveX/Java &/or scripting (for sites that do NOT need it))
For Windows users' reference, all noted here & how to GET THAT SCORE:
http://forums.techpowerup.com/showthread.php?s=2aac2d3ff16e9b8448875ee96e27d1ec&p=375355#post375355
(That's for the Windows users here to gain by).
Thing is - I'd like to see the *NIX users of all kinds beat that security test evaluation score for safety online & how well their systems are secured, as a more "concrete evidence thereof" in fact, since the poster I am replying to is a "SHOW ME PERSON" (as am I)...
HOWEVER - here @ slashdot, where slogans & b.s. of ALL kinds are stated vs. Windows & Microsoft?
Well - I have challenged you ALL here repeatedly on this note 7 times now, this is the 8th here! ... & there is one @ another Linux oriented site as well (UBUNTU discussion, where BSD was suggested instead of Linux OR even SELinux, & I posted here in a PC-BSD post with an arstechnica article base behind it, on the note of security in the reply I posted this challenge to):
http://it.slashdot.org/comments.pl?sid=240571&cid=19630923
&
http://slashdot.org/comments.pl?sid=240283&cid=19631141
&
http://linux.slashdot.org/comments.pl?sid=240501&cid=19630965
&
http://it.slashdot.org/comments.pl?sid=241957&cid=19662703
&
http://it.slashdot.org/comments.pl?sid=241913&cid=19662485
&
http://it.slashdot.org/comments.pl?sid=241913&cid=19662485
& (BSD one below, no takers there either, from the "vaunted BSD most secure -
Re:Microsoft found making PR-FUD-ing research
"MY absolute favourite security falsehoods are the various ways "researches" compare one system security to anothers Such straight forward conclusions are impossible to make" - by catwh0re (540371) on Thursday June 28, @11:39PM (#19685369)
Well, ok... you have a point. Here is mine:
Run the CIS Tool 1.x, on your BSD/Linux (preferably SELinux)/Solaris rigs, it is downloadable here:
http://www.cisecurity.org/bench.html
And, takes minute to haul in, install, & run it in an attempt to beat my 84.735 of 100 on it (from a reputable organization, The Center for Internet Security)...
Go for it, & see if you can beat my score of 84.735 on a FULLY custom security hardened Windows Server 2003 SP #2 fully patched as of the date of this posting.
Photo evidence of my score is here:
http://img.techpowerup.org/070618/APK14SecurityPointsCISToolResult84735.jpg
And, the same score I obtained, literally, yesterday, as well!
(After putting on the latest patches for Windows Update to my OS which I download & store here - but, nice part is? I'll never need them, because I GHOST this image once it is patched & scanned for malware/virus/trojans/rootkits etc. with the latest/greatest up to date tools for that purpose, & practice safe email practices & more like disabling potentially "deadly" things that can be exploited in browsers like ActiveX/Java &/or scripting (for sites that do NOT need it))
For Windows users' reference, all noted here & how to GET THAT SCORE:
http://forums.techpowerup.com/showthread.php?s=2aac2d3ff16e9b8448875ee96e27d1ec&p=375355#post375355
(That's for the Windows users here to gain by).
Thing is - I'd like to see the *NIX users of all kinds beat that security test evaluation score for safety online & how well their systems are secured, as a more "concrete evidence thereof" in fact, since the poster I am replying to is a "SHOW ME PERSON" (as am I)...
HOWEVER - here @ slashdot, where slogans & b.s. of ALL kinds are stated vs. Windows & Microsoft?
Well - I have challenged you ALL here repeatedly on this note 7 times now, this is the 8th here! ... & there is one @ another Linux oriented site as well (UBUNTU discussion, where BSD was suggested instead of Linux OR even SELinux, & I posted here in a PC-BSD post with an arstechnica article base behind it, on the note of security in the reply I posted this challenge to):
http://it.slashdot.org/comments.pl?sid=240571&cid=19630923
&
http://slashdot.org/comments.pl?sid=240283&cid=19631141
&
http://linux.slashdot.org/comments.pl?sid=240501&cid=19630965
&
http://it.slashdot.org/comments.pl?sid=241957&cid=19662703
&
http://it.slashdot.org/comments.pl?sid=241913&cid=19662485
&
http://it.slashdot.org/comments.pl?sid=241913&cid=19662485
& (BSD one below, no takers there either, from the "vaunted BSD most secure allegedly NIX there is upon suggestion by Linux users in the URL below it) -
Re:PUT YOUR MONIES WHERE YOUR MOUTHS ARE
As per usual, nobody from the *NIX world is exceeding the CIS Tool 1.x (by the center for internet security) score I had in my posts above here about how to secure Windows 2000/XP/Server 2003/VISTA (how-to, here):
http://forums.techpowerup.com/showthread.php?s=37852b3b0b2148fe282a73c1e688efc1&p=375355#post375355
And the photo evidence of said score:
http://img.techpowerup.org/070618/APK14SecurityPointsCISToolResult84735.jpg
Why is that? The CIS Tool 1.x test only takes like 1 minute to download AND run... no, I think for all the b.s. here I see about "Linux/BSD > Windows" in most all things, is just that: B.S.!
All anyone ever hears @ slashdot is things along the lines of:
"Windows is less secure than (insert *NIX variant here)"
HOWEVER, when it comes to the chips being on the table, and putting your money where your mouth is, and in this case, on a test of your online security developed by a reputable organization?
No takers!
(OR most likely rather, there are takers, but nobody beating that security level score of 84.735 on The Center for Internet Security's CIS Tool 1.x, downloadable here for Solaris, BSD, Linux, & Windows -> http://www.cisecurity.org/bench.html )
"My point is this: my coworker had her brand new vista laptop owned to the point of explorer repeatedly crashing on bootup after just two days of websurfing!" - by DocSavage64109 (799754) on Wednesday June 27, @10:46AM (#19662985)
Hey, Doc... 1 last thing about that point of yours though: Do you honestly think that a user that does not know what they are doing is limited STRICTLY to Windows based OS'? Do you HONESTLY think it could not be done to a Linux or BSD user as well??
Come on!
(I.E.-> That something like that, or like it, cannot happen on Linux/BSD/Solaris, etc. et al?)
Beg to differ, if you do...
APK
P.S.=> Thanks for the 6th or 7th time now of you *NIX guys, for ALL of your big talk, not showing me your systems score as more secure than Windows can be online... most people are "show me" people, and you are not satisfying that requirement from they... nuff said! apk -
PUT YOUR MONIES WHERE YOUR MOUTHS ARE
"I am not convinced, next please Mr Jones." - by b1ufox (987621) on Wednesday June 27, @08:44AM (#19661667)
I don't work for Microsoft (though I have been interviewed by they, & they came to me, not I to they):
Will a test, head-to-head, *NIX vs. Windows Server 2003 SP #2 fully patched, convince you? Try this, the CIS Tool 1.x, & see if you can beat my score of 84.735 on it (with you guys using SELinux or BSD variants even vs. my setup, since this test is "multi-platform" & runs across BSD variants, Solaris, Linux variants, & yes, Windows variants)):
http://www.cisecurity.org/bench.html
I think for all the *NIX 'braggadocio' of "Windows is less secure than (insert *NIX variant here)" I see/hear online? No one is willing to put their money where their mouth is, and I have made challenge, but with reason - so we ALL learn by it.
(In essence, in a Windows-based OS, like any other? To get security, you have to work @ it. In Windows 2000/XP/Server 2003/VISTA, you have to do these "12 steps", about 1 hour of an experienced user's time):
http://forums.techpowerup.com/showthread.php?s=37852b3b0b2148fe282a73c1e688efc1&p=375355#post375355
To get this score (on the multi-platform CIS Tool 1.x test, by the "center for internet security"):
http://img.techpowerup.org/070618/APK14SecurityPointsCISToolResult84735.jpg
An 84.735 score on it...
Secured operations online, on Windows no less, is quite easily doable (& to levels that FAR EXCEED VISTA, with just a wee bit of work, and plenty to gain/learn!)
I wish some folks from the *NIX world would take this challenge, & possibly exceed my score (since the "control method" in the test? IS THE CIS TOOL 1.x TEST ITSELF, & download url's links for it are inside the 1st url noted above!)
If they could do that? I would ask how & where they did not fail things on that test, & attempt to emulate them on Windows, getting an even HIGHER score (and, still be able to go online & do things of course).
We'd ALL gain & grow by it, but, unfortunately/again - no takers to my challenge! Perhaps the Linux mascot ought to be a chicken, instead of a penguin, eh?
LOL! Take that as a "good natured rib", because I really WISH we had Os' like today, 10-15 years ago, & I respect what Linux REALLY is: A 'socio-cultural technological phenomenon' that is a decent OS, created mostly by freely donated time, from a lot of talented people!
(The nice part is, it IS possible you guys CAN beat my score on this tool, because it literally HELPS YOU TO DO SO, but it is NOT "perfect" & definitely makes some errors imo & yes, I can prove it, & it does not account for things like hardware "NAT" (or true stateful inspection type) firewalling routers for instance, but it IS the BEST overall multiplatform test I could find @ least, from a reputable organization!)
APK
P.S.=> I wonder if anyone from the Linux (especially SELinux bearing distros), or BSD variants camps can get a better score on that test, than that...
In fact, I have repeatedly challenged anyone who uses those OS' to do so, here @ this site:
http://it.slashdot.org/comments.pl?sid=237507&threshold=-1&commentsort=0&mode=thread&cid=19408273
&
http://it.slashdot.org/comments.pl?sid=240571&cid=19630923
&
http://slashdot -
Vista/Windows Server 2003 SP #2/XP CAN be secured!
"Vista is not considered suitable, the cost is huge per seat, and they figure that as long as they are retraining the workforce to use something, it might as well be something that is cheaper, more secure, and more reliable." - by NeverVotedBush (1041088) on Sunday June 24, @12:24AM (#19625447)
For reliability?
See my subject line, and some data about Windows Server 2003 & SQLServer 2005 (history of 0 vulnerabilities so far @ SECUNIA.COM for its ENTIRE lifetime now) & they run NASDAQ 24x7, 365 days a year, stable as titanium steel/solid as a rock (with the fabled "5 9's" of reliability 99.999 uptime).
For security??
See this data (it takes some doing, 1 hour of work tops for experienced users & a bit more for those less experienced, but an excuse to be MORE experienced in the doing of it, if they want to learn: Want to get a job done RIGHT? Do it, yourself, in other words), & it can be applied to ANY Windows OS of modern variety (2000 even, & XP too, in the majority of its points):
http://forums.techpowerup.com/showthread.php?p=365996#post365996
& the score it gains on CIS Tool 1.x:
http://img.techpowerup.org/070618/APK14SecurityPointsCISToolResult84735.jpg
It can & DOES far surpass VISTA's score "oem/out-of-the-box-stock" as it is setup by MS, & yes, even patched... with about 1 hour's worth of work on an experienced user's part!
Even Linux folks agreed with me (god forbid, lol), that my 14 points for securing Windows (has one small omission, the use of regedit.exe, part of CIS Tool's suggestions) works, here:
http://linux.sys-con.com/read/382946_f.htm
And, when I challenged ANYONE there to exceed my score using CIS Tool 1.x (84.735)!
It appears that nobody tried to (or possibly they did, but could not. I say that, because many suggested BSD instead. So, that said? I posted in the BSD post there the other day (PC-BSD related, here @ slashdot, by arstechnica news reporters)!
Yet again, the same challenge to slashdotters - NO takers, again! Evasions? POSSIBLY!
- or, possibly they don't care about security online!
(OR, that my post was buried in the deluge of posts here @ slashdot (imo @ least, the boards here are difficult to see all users points/posts imo, the only weakness here: The posters that come here though, like Bruce Perens, John Carmack (& others I RESPECT IMMENSELY for their accomplishments though)))
Anyhow/anyways - nobody taking my challenge or beating my score from the *NIX world on a test that runs on ALL platforms (thus, it is the "scientific method of control", the same test on all systems OS types this tool runs on)?
This only shows myself, & the planet, that all this "Windows is less secure than *NIX" is pure b.s., & all of them (yes, even BSD derivants like MacOS X etc. et al) out of the box stock, have holes or room for improvements (especially in terms of security & holes/vulnerabilities).
Still, anyone care to download & try CIS Tool 1.x (from the CENTER FOR INTERNET SECURITY), & exceed my score in the graphic above (84.735) from the *NIX world?
Here is its download (it is MULTI-PLATFORM, & runs on BSD (no MacOS X version though sorry), Linux, Solaris, & Windows):
http://www.cisecurity.org/index.html
Go for it, & good luck!
(I hope you *NIX (or windows guys too) CAN exceed my score, because I will ask how, & attempt to emulate this on Windows Server 2003 SP #2 fully patched, to get even stronger IF it is doable... &, we ALL can learn/grow & GAIN by such a test!)
Thanks!
APK
P.S.=> I can be reached @ apk4776239@hotmai -
Windows is as secure (or more) than SELinux or BSD
Check this out:
http://forums.techpowerup.com/showthread.php?p=365996#post365996
& the score it gains on CIS Tool 1.x:
http://img.techpowerup.org/070618/APK14SecurityPointsCISToolResult84735.jpg
It can & DOES far surpass VISTA's score "oem/out-of-the-box-stock" as it is setup by MS, & yes, even patched... with about 1 hour's worth of work on an experienced user's part!
Even Linux folks agreed with me (god forbid, lol), that my 14 points for securing Windows (has one small omission, the use of regedit.exe, part of CIS Tool's suggestions) works, here:
http://linux.sys-con.com/read/382946_f.htm
And, when I challenged ANYONE there to exceed my score using CIS Tool 1.x (84.735)!
It appears that nobody tried to (or possibly they did, but could not. I say that, because many suggested BSD instead. So, that said? I posted in the BSD post there the other day (PC-BSD related, here @ slashdot, by arstechnica news reporters)!
Yet again, the same challenge to slashdotters - NO takers, again! Evasions? POSSIBLY!
- or, possibly they don't care about security online!
(OR, that my post was buried in the deluge of posts here @ slashdot (imo @ least, the boards here are difficult to see all users points/posts imo, the only weakness here: The posters that come here though, like Bruce Perens, John Carmack (& others I RESPECT IMMENSELY for their accomplishments though)))
Anyhow/anyways - nobody taking my challenge or beating my score from the *NIX world on a test that runs on ALL platforms (thus, it is the "scientific method of control", the same test on all systems OS types this tool runs on)?
This only shows myself, & the planet, that all this "Windows is less secure than *NIX" is pure b.s., & all of them (yes, even BSD derivants like MacOS X etc. et al) out of the box stock, have holes or room for improvements (especially in terms of security & holes/vulnerabilities).
Still, anyone care to download & try CIS Tool 1.x (from the CENTER FOR INTERNET SECURITY), & exceed my score in the graphic above (84.735) from the *NIX world?
Here is its download (it is MULTI-PLATFORM, & runs on BSD (no MacOS X version though sorry), Linux, Solaris, & Windows):
http://www.cisecurity.org/index.html
Go for it, & good luck!
(I hope you *NIX (or windows guys too) CAN exceed my score, because I will ask how, & attempt to emulate this on Windows Server 2003 SP #2 fully patched, to get even stronger IF it is doable... &, we ALL can learn/grow & GAIN by such a test!)
Thanks!
APK
P.S.=> I can be reached @ apk4776239@hotmail.com in regards to your scores, if you do not have the ability to post your CIS Tool 1.x score on the web, & we can discuss your scores... everyone gains this way! apk -
IMPROVE WINDOWS SECURITY - PAST VISTA!
"The security aspect of things really hasn't changed much" - by Runefox (905204) on Saturday June 23, @11:36AM (#19620095)
Check this out:
http://forums.techpowerup.com/showthread.php?p=365996#post365996
& the score it gains on CIS Tool 1.x:
http://img.techpowerup.org/070618/APK14SecurityPointsCISToolResult84735.jpg
It can & DOES far surpass VISTA's score "oem/out-of-the-box-stock" as it is setup by MS, & yes, even patched... with about 1 hour's worth of work on an experienced user's part!
Even Linux folks agreed with me (god forbid, lol), that my 14 points for securing Windows (has one small omission, the use of regedit.exe, part of CIS Tool's suggestions) works, here:
http://linux.sys-con.com/read/382946_f.htm
And, when I challenged ANYONE there to exceed my score using CIS Tool 1.x (84.735)!
It appears that nobody tried to (or possibly they did, but could not. I say that, because many suggested BSD instead. So, that said? I posted in the BSD post there the other day (PC-BSD related, here @ slashdot, by arstechnica news reporters)!
Yet again, the same challenge to slashdotters - NO takers, again! Evasions? POSSIBLY!
- or, possibly they don't care about security online!
(OR, that my post was buried in the deluge of posts here @ slashdot (imo @ least, the boards here are difficult to see all users points/posts imo, the only weakness here: The posters that come here though, like Bruce Perens, John Carmack (& others I RESPECT IMMENSELY for their accomplishments though)))
Anyhow/anyways - nobody taking my challenge or beating my score from the *NIX world on a test that runs on ALL platforms (thus, it is the "scientific method of control", the same test on all systems OS types this tool runs on)?
This only shows myself, & the planet, that all this "Windows is less secure than *NIX" is pure b.s., & all of them (yes, even BSD derivants like MacOS X etc. et al) out of the box stock, have holes or room for improvements (especially in terms of security & holes/vulnerabilities).
Still, anyone care to download & try CIS Tool 1.x (from the CENTER FOR INTERNET SECURITY), & exceed my score in the graphic above (84.735) from the *NIX world?
Here is its download (it is MULTI-PLATFORM, & runs on BSD (no MacOS X version though sorry), Linux, Solaris, & Windows):
http://www.cisecurity.org/index.html
Go for it, & good luck!
(I hope you *NIX (or windows guys too) CAN exceed my score, because I will ask how, & attempt to emulate this on Windows Server 2003 SP #2 fully patched, to get even stronger IF it is doable... &, we ALL can learn/grow & GAIN by such a test!)
Thanks!
APK
P.S.=> I can be reached @ apk4776239@hotmail.com in regards to your scores, if you do not have the ability to post your CIS Tool 1.x score & we can discuss your scores... everyone gains this way! apk -
Care to compare CIS Tool 1.x scores anyone?
http://forums.techpowerup.com/showthread.php?s=e4d36eb2396773f558df8271fadcadf5&p=365996#post365996
That's a post showing an 84.735 score, using CIS Tool 1.x (highest I can get as of today) & methods I outline to achieve it, for Windows 2000/XP/Server 2003/VISTA users:
http://img.techpowerup.org/070618/APK14SecurityPointsCISToolResult84735.jpg
That result was done using a tool I know of that runs across multiple platforms for a test of security online in CIS Tool 1.x (center for internet security)!
CIS Tool:
http://www.cisecurity.org/index.html
(& this test is the "scientific control method" in that it is the SAME test used across diff. OS/hardware platforms here)
CIS Tool runs on Linux, BSD (no MacOS X though), Solaris etc. et al (various *NIX variants), & Windows. Java runtimes are required (they were recently updated mind you, by SUN Microsystems).
Thing is, I have freely challenged Linux folks to run that test here & beat the score I had, shown above, here:
http://linux.sys-con.com/read/382946_f.htm
No takers, or rather, no respondents with scores exceeding mine on Windows Server 2003 SP #2 fully patched as of the date of the test I took it & yes, today.
They did suggest BSD - so I posted in regards to testing BSD vs. my score here, at slashdot:
http://bsd.slashdot.org/comments.pl?sid=238993&cid=19578849
Again, no takers (could be here though, it was buried too deep, slashdot's replies/forums system is way odd imo, by comparison to boards like this one imo, not as clean/easy to use/etc.).
Still, even from the "BSD" family (which is often noted to be the MOST SECURE UNIX etc., even by Linux folks (see the LINUX.SYS-CON.COM url above)), no takers.
All I know is this - I hear a lot of "Windows is insecure & (insert UNIX variant here) is more secure" etc. ... & yet, when it comes time to "put your money where your mouth is", on a test that runs across multiple OS platforms?
Nobody from the *NIX world has ever done so when I have asked them to try it @ least!
(& the test is sort of nerdy fun, you learn from it too, because it aids in securing yourself online).
And, the 14 points in the 1st URL above? For Windows NT-based OS like 2000/XP/Server 2003, & YES, VISTA??
They work!
(... & even *NIX folks agree many times they do)
I would like to see your scores here in fact, & IF you can exceed my score? We can all learn by it, & grow, as well as have a healthy competition in doing so!
Thanks! Any takers??
APK -
Re:'weird link
http://forums.techpowerup.com/showthread.php?s=6c940230061cf2255e2a54b64250e66f&p=365996#post365996
That is something you MAY find useful... because it outlines HOW to get the 84.735 score (of 100% perfect, impossible imo, & to be online OR do anything you may need to, servers-wise, online) on CIS Tool 1.x.
Download for CIS Tool 1.x (for Solaris, BSD, Linux, & Windows) is here:
http://www.cisecurity.org/index.html
For YOUR reference, & HOPEFULLY? Usage... see my P.S. below!
My photo verifying my score is here:
http://forums.techpowerup.com/showthread.php?s=6c940230061cf2255e2a54b64250e66f&p=366342#post366342
* Sorry about the Messiness of that last post, since you stated it was difficult to decipher the link url & the pertinent data within... & I hope you find this useful information (because of your stating you steer clear of Windows workstations).
APK
P.S.=> That all said & aside? Would you care to TRY the CIS Tool 1.x for you *NIX platform, here @ slashdot, & compare it to my score??
I posted a challenge for that here, today, @ slashdot:
http://bsd.slashdot.org/comments.pl?sid=238993&cid=19578849
It would be GOOD to see you there, and get your feedback on YOUR *NIX (Linux, Solaris, or BSD (NO MacOS X though)) version you use!
The test is ACTUALLY FUN, in a 'nerdy/geeky' way (and a good thing to do, because I think/feel you will find it VERY comprehensive, many things may be "old hat" to you, but I think/feel you may learn something from it also... I know I did!)...
LOL - put it this way: This challenge? It's about "putting your money where your mouth is", lol (good natured laff, not ribbing here), AND for myself/most importantly?
That is so I can see IF Linux/Solaris/BSD guys CAN actually do better than I have @ present, on this system (Windows Server 2003 SP #2 fully hotfix patched)... apk -
BSD users: CIS Tool security comparison guys?
ON SECURITY:
I have asked folks from the LINUX world to try the CIS Tool on their machines, vs. a fully secured Windows Server 2003 SP #2 system I have here, & they would NOT "take" on this freely offered comparison here:
http://linux.sys-con.com/read/382946_f.htm
Now, I suspect more than a few TRIED to exceed my score of 84.735 on this test (my using the OS setup above) vs. theirs, & they could NOT exceed my score.
Many said "if you want security, go BSD"... that said?
Will any of you BSD users (this one, or variants) take the challenge?
(MacOS X users are going to be "let down" though, because there isn't a version of CIS Tool for them yet... this is a case of "more softwares are available for Windows vs. MacOS X" though, a clearly cut one in fact!)
CIS (center for internet security) Tool 1.x downloads for BSD, Linux, Windows etc. et al users are here:
http://www.cisecurity.org/index.html
(Amongst all others they have)
Good luck, I would like to do such a comparison, & I would like any photos of results sent my way, here:
apk4776239@hotmail.com
And, I, in turn? Will send the photo result of my CIS Tool 1.x score back to you in return.
NOTE: The program requires Java runtimes!
APK
P.S.=> I am out to see which OS can be secured the BEST online is why. I get no takers from the Linux world, & suggestions to "GO BSD", so... put your monies where your mouths are I guess! I am willing to do so, how about you? apk -
UPDATED - More information that can secure you!
(THIS IS AN AMENDED & IMPROVED MODEL OF MY ORIGINAL PARENT POST FROM HERE -> http://it.slashdot.org/comments.pl?sid=237507&cid=19408273 )
INTRODUCTION:
Windows CAN be secured very well, but, you have to go thru some "GYRATIONS/EFFORT" to do it, but, it IS doable (but not to any 100% levels, because again - see what I stated last paragraph of mine above).
BACKGROUND & INFORMATION + TOOLS YOU CAN USE TO HELP YOU SECURE YOUR SYSTEM:
Here I am running Windows Server 2003 SP #2, fully current patched by MS update pages, here (I check it every 2nd Tuesday of the month of course, on "Patch Tuesday's"):
http://www.microsoft.com/downloads/Results.aspx?DisplayLang=en&nr=50&sortCriteria=date
It is a personally 'security-hardened' model I have been working on for many years, using principles I learned & used since the NT 3.5x days onward to this version of the OS: As is now?
I score an 84.735 on the CIS Tool 1.x currently as of 06/01/2007!
(For CIS Tool - There are Linux, MacOS X, Solaris, & other OS models ports of this are available too by the way - not really "ports" strictly speaking, they require JAVA to run)
DOWNLOAD URL FOR CIS TOOL (for multiple platforms), from "The Center for Internet Security" here:
http://www.cisecurity.org/bench.html
(IMPORTANT: This tool IS invaluable in guiding you to a more secure OS, on any OS platform really!)
APK 14 STEPS TO FOLLOW TO SECURE YOUR WINDOWS NT-BASED SYSTEM (2000/XP/SERVER 2003/VISTA):
1.) Windows Server 2003's SCW was run over it FIRST (this only exists on Windows Server 2003, not on 2000/XP (you have to install this, it does NOT install by default) first to help secure it (SCW = security configuration wizard, & it's pretty damn good believe-it-or-not, (@ least, as a starting point))...
Directions for its installation are as follows:
Start the Add or Remove Programs Control Panel applet.
Click Add/Remove Windows Components.
On the Windows Components Wizard screen, select the "Security Configuration Wizard" check box, as the figure shows. Click Next.
The Windows Components Wizard builds a list of files to be copied and finishes installing SCW. Click Finish.
DONE! Now, run it... it is very simple to use, and will help even TRIM services you do not need running (which saves Memory, other resources, & I/O to cpu/ram/disk etc. AS WELL AS PROVIDING SECURITY should any services you disable turn up vulnerabilities (this has happened before)).
Then, @ that point? I pull ANY Networking clients &/or Protocols in the Local Area Connection, other than Tcp/IP typically (& disable NetBIOS as well, because I don't need it here), on a stand-alone machine that is not dependent on Microsoft's File Sharing etc. on a LAN/WAN. I also disable that too!
2.) Disable Microsoft "File & Print Sharing" as well as "Client for Microsoft Networks" in your LOCAL AREA CONNECTION (if you do not need them that is for say, running your home LAN)!
3.) Use IP security policies (modded AnalogX one, very good for starters, you can edit & add/remove from it as needed) - Download url link is here for that:
http://www.analogx.com/contents/articles/ipsec.htm
(Search "AnalogX Public Server IPSec Configuration v1.00 (29k zip file)" on that page & follow the directions on the page!)
NOTE: This can be 'troublesome' though, for folks that run filesharing clients though. An alternative to this is using IP Ports Filtrations, in combination with a GOOD software firewall &/or NAT -
Re:100%?
"Remember: the next time someone says Linux is more secure than Windows, remember that things like SELinux and AppArmor really are what make it better, not just because it has a mean looking penguin!" - by CajunArson (465943) on Tuesday June 05, @09:30PM (#19405809)
Agreed, 110%... & the "100% secure" the initial thread post here states that somebody from RedHat stated is possible? ISN'T, no way (what one person can lock, another WILL eventually, unlock - more OR less + new threat types emerge constantly).
Windows CAN be secured very well, but, you have to go thru some "GYRATIONS/EFFORT" to do it, but, it IS doable (but not to any 100% levels, because again - see what I stated last paragraph of mine above).
Here I am running Windows Server 2003 SP #2, fully current patched by MS update pages, here (I check it every 2nd Tuesday of the month of course, on "Patch Tuesday's"):
It is a personally 'security-hardened' model I have been working on for many years, using principles I learned & used since the NT 3.5x days onward to this version of the OS: As is now?
I score an 84.735 on the CIS Tool 1.x currently as of 06/01/2007!
(For CIS Tool - There are Linux, MacOS X, Solaris, & other OS models ports of this are available too by the way - not really "ports" strictly speaking, they require JAVA to run)
DOWNLOAD URL FOR CIS TOOL (for multiple platforms), from "The Center for Internet Security" here:
http://www.cisecurity.org/bench.html
(IMPORTANT: This tool IS invaluable in guiding you to a more secure OS, on any OS platform really!)
APK 14 STEPS TO FOLLOW TO SECURE YOUR WINDOWS NT-BASED SYSTEM (2000/XP/SERVER 2003/VISTA):
1.) Windows Server 2003's SCW was run over it FIRST (this only exists on Windows Server 2003, not on 2000/XP (you have to install this, it does NOT install by default) first to help secure it (SCW = security configuration wizard, & it's pretty damn good believe-it-or-not, @ least, as a starting point))...
Directions for its installation are as follows:
Start the Add or Remove Programs Control Panel applet.
Click Add/Remove Windows Components.
On the Windows Components Wizard screen, select the "Security Configuration Wizard" check box, as the figure shows. Click Next.
The Windows Components Wizard builds a list of files to be copied and finishes installing SCW. Click Finish.
DONE!
(Then, @ that point? I pull ANY Networking clients &/or Protocols in the Local Area Connection, other than Tcp/IP typically, on a stand-alone machine that is not dependent on Microsoft's File Sharing etc. on a LAN/WAN. I also disable that too!)
2.) Disable Microsoft "File & Print Sharing" as well as "Client for Microsoft Networks" in your LOCAL AREA CONNECTION (if you do not need them that is for say, running your home LAN)!
3.) Use IP security policies (modded AnalogX one, very good for starters, you can edit & add/remove from it as needed) - Download url link is here for that:
http://www.analogx.com/contents/articles/ipsec.htm
(Search "AnalogX Public Server IPSec Configuration v1.00 (29k zip file)" on that page & follow the directions on the page!)
NOTE: This can be 'troublesome' though, for folks that run filesharing clients though. An alternative to this is using IP Ports Filtrations, in combination with a GOOD software firewall &/or NAT 'firewalling' (or true stateful inspection type) router. All of these work in combination w/ one another perfectly.
(HOWEVER - Should you choose to use it, and do filesharing programs? No problem really, because you can turn them on/off @ will using secpol.msc & the IP stack in Windows 2000/XP/Server 2003/VISTA is of "plug-N-play" design largely, & will allow it).
4.) USE General security -
Re:alternatives GETTING BACK TO YOU giorgosts
First off, thanks for replying & sorry for my late reply (busy & it's late now, here goes):
I tried it, & didn't see it! NO PROBLEMO here, & I checked for "error #3" you mentioned, on Mr. Zalewski's actual referring page...
SOME BACKGROUND INFO. HERE (I assumed you were on Win32 yourself by the by, like I am) FOR ANYONE WHO TRIES THIS TEST ON A WIN32 RIG & OPERA:
Here I am running Windows Server 2003 SP #2!
(A personally 'security-hardened' model I have been working on for many years since the NT 3.5x days onward to this version of the OS)
It has been way, WAY hacked up for security via things like:
1.) IP security policies (modded AnalogX one, very good)
2.) SCW was run over it first to help secure it (SCW = security configuration wizard, & it's pretty damn good believe-it-or-not, @ least, as a starting point)
3.) PLUS, this version of the OS has a hardened IE6/7 by default (which can be duplicated on other Win32 OS versions, because it mainly just does what I have been doing for a long time & noted by myself earlier, in stuff like turning off ActiveX & scripting of all types by default)
4.) General security policies in gpedit.msc/secpol.msc
5.) Tons of security & speed oriented registry hacks (reconfiging the OS basically - stuff like you might do in etc in UNIX/LINUX I suppose)
6.) AND std. stuff like AntiVirus (NOD32 latest) + SpyBot as my resident antispyware tool running in the background!
7.) Many services I do not need are either cut off OR secured in their logon entity to lower privilege entities (from default, near "ALL POWERFUL" SYSTEM, to lesser ones like NETWORK SERVICE or LOCAL SERVICE), see this URL where I did a lot of research for a prebuilt list for another forums, to see how/why this works:
http://forums.techpowerup.com/showthread.php?s=51874ee73e9a212bfbabbaba41cf36e3&t=16097
(And, of course, the user feedback on its effectiveness, as well as MacOS X, which uses the same general principles)
8.) Plus good email client practices like using .txt mail only, no RTF or HTML mail, not opening or allowing attachments unless I know the person (still gets email scanned though)))
As is now? I score an 84.735 on the CIS Tool 1.x (Linux, MacOS X, Solaris, & other OS models ports of this are available too by the way - not really "ports" strictly speaking, they require JAVA to run), from "The Center for Internet Security" here:
http://www.cisecurity.org/bench.html
Ah man... There's SO MUCH MORE I do to secure this, but too much to list really!
(I am sure I am overlooking some stuff, details & such - things like the fact I use a LinkSys/CISCO BEFSX41 "NAT" true firewalling router with cookie & scripting filtering built-in @ the hardware level), but that IS the bulk of it!)
ALL for security... & this post is especially for background to anyone on Win32 that DOES show an error in this test, as giorgosts on Linux did (to whom I am responding).
So, based on my test?
This has to be script related, because I did not see it @ all (no action from err #3 reported on Mr. Zalewski's page (and I did not think I would, because I keep scriptings of ALL kinds generally turned off 99.999% of the time in my webbrowsers on the public internet @ least)).
Good news!
(Above all - Thanks for your response & data)...
I would write more, but it is VERY late here, & time for shuteye!
APK -
Re:I'm confused...
"Most people moved from Windows 98 to XP. They gained a much more secure system in that move and moved to the proven NT kernel from the 95/98/ME codebase. The move to Vista? I see little gain but eye candy" - by LWATCDR (28044) on Wednesday May 16, @11:45AM (#19146299)
Ok, then quantify it, for yourself, by running these tests: Run the CIS Tool 1.0, OR, Belarc Advisor (both are security benchmarks, the former moreso than the latter) from here:
CIS Tool 1.0
http://www.cisecurity.org/bench_windows.html
&/or
Belarc Advisor
http://www.belarc.com/
Over Windows 2000 or Windows XP first (in their stock configuration), and then Windows Server 2003. Then, fully patch them even, and see your results. Mind you, you CAN score higher if you take the time to hand-harden them, ALL of them, for better security (via various settings and registry hacks).
Windows 2000 and Windows XP (and yes, even Windows Server 2003) won't score as secure as does VISTA out of the box on that test, no questions asked.
(I know this, because I ran such a test @ techpowerup.com forums using a FULLY CUSTOM HAND-TUNED/TWEAKED SECURED Windows Server 2003 SP #1 & SP #2 vs. VISTA (yes, I did better than VISTA did "out-of-the-box" using its predecessor and direct ancestor in Windows Server 2003 SP #1 & SP #2 than VISTA did, but NOT OUT OF THE BOX!))
See these URL's for my test results prior to you running your own tests using these tools for security analysis:
http://forums.techpowerup.com/showthread.php?s=74b140c83efbebf0895ce198e8d33125&t=25428&highlight=CIS+Tool
and
http://forums.techpowerup.com/showthread.php?t=26818
VISTA was far more secure, as-is/out of the box, than any of them (Windows 2000/XP/Server 2003) did initially (w/ out hand tweaking via registry hacks & more) for security.
APK
P.S.=> My current score using a hand-tuned/tweaked hardened build of Windows Server 2003 SP #2 scores an 84.735 on CIS Tool 1.0... apk -
Re:Not exactly
Well, in a 1/2 hour's worth of time? You can make Windows as secure as ANY OS out there, period!
In fact, so you can verify it yourselves?
The CIS Tool 1.0 (center for internet security) which even has a Linux, & BSD (and other UNIX variants) versions as well, which you can test your non-Win32 OS against if you wish, here is its download linkage:
http://www.cisecurity.org/bench.html#bench_tools
I have scored an 84.735 score on this test currently after custom hardening my machine & looking for decent analysis tools that are NOT Microsoft ones!
I am pursuing a higher score via discussions with a Mr. Dave Shackleford of the center for internet security (as well as having discussions in this regard with the author of BELARC ADVISOR, which also offers a similar set of security analysis features), currently.
BOTTOM-LINE:
This has helped or will help either identify possible "bugs" or potential needed improvements in their wares for the analysis of securing ANY OS (in the case of CIS tool, not BELARC ADVISOR (Win32 only, afaik)).
NMap is another tool one can use to analyse your system via this commandline for it:
%windir%\system32\nmap.exe -P0 -sT -F -O -A (insert your IP address here)
At least on Win32 OS' that is the commandline for it (NMap ported to Win32 from UNIX).
The main point here being that Windows security IS improveable, with a tiny amount of effort for personal users, and yes, for those in networked corporate environs (via policies or logon script .reg file merges for example).
Microsoft tends to ship their OS in a VERY 'wide open' configuration (security-wise) prior to VISTA (and this falls far short of what IS possible) because of fear that their systems IF setup securely, would make certain applications not function properly in secured situations (e.g.-> Turning off javascript or active scripting in browsers, as well as activeX control usage (IE) by default for example OR, limiting ports that are remote in nature off the bat, as BSD's do, leaving opening them up to the users, or admins).
You have to "reach into the guts" sometimes, if you want more security, even on UNIXES (why is there an SELinux for example if Linux is "so secure", and why do BSD's cut off ports by default)...
In the case of MS above? They leave it open intentionally, and up to the end users to secure them as they see fit based on the needs of the application mix they use. This is possibly quite necessary, but I know for a fact, MS can ship it even MORE SECURE, via some very simple .reg file hacks, or, using IP filtering (or even IPSec & security policies).
There is also the widely accepted fact that Microsoft's OS' run on more OS, with more peripheral softwares for it for various purposes (with holes in said apps themselves at times no less) than any other, presenting a 'wider target' for those involved in illegal activity in cracking OS & such as well.
APK
P.S.=> I can tell you 1 thing though, & based on tests/research: VISTA is far more secure than XP is out of the box, per tests myself and users ran here (along with the developer of BELARC ADVISOR in our discussions with myself & he here):
http://forums.techpowerup.com/showthread.php?p=277810#post277810
VISTA is an improvement, but security is often based on your app mix and those apps' needs, so being "perfect out of the box" in all situations & software mixes? Impossible, at least w/ out custom tuning-tweaking for better security... From the example above? One can see just how much so even VISTA falls short of a Windows Server 2003 SP #2 custom security hardened build, that only took myself 1/2 hour's worth of work merging .reg files, using security policies, and port restrictions (above & beyond std. firewall/antivirus/antispyware tools)... apk
-
Re:Just curious...
"Depends on use" - by Anonymous Coward on Wednesday May 02, @12:05PM (#18957955)
Always does, I never stated otherwise. Windows, Unix Variants, what-have-you, have their niche areas they are superior to one another in.
http://bsd.slashdot.org/comments.pl?sid=233061&threshold=-1&commentsort=0&mode=thread&cid=18954433
(In fact, iirc, in the URL noted above (also in this thread/topic)? I freely conceded that Microsoft concentrates SOLELY on x86 really, dropping support for lesser used hardware/cpu platforms such as MIPS RISC, PowerPC, and such - it used to be that way, prior to NT 4.0, iirc, in NT 3.x - 3.5x, but MS changed policy on it).
Your statement, based on mine earlier to which you replied? A non-issue, as I never argued it here and won't!
In fact, if you see that URL here above, I commended (in a way), the fact Linux and other UNIX variants, are SO portable (albeit, portable to far lesser used platforms all the way from home usage, thru departmental servers, up to ENTERPRISE CLASS 24x7 SYSTEMS, such as NASDAQ RUNS, SUCCESSFULLY!)
Hey, now though, on another note I made to you? Consider running this (for your hardware platform, especially LINUX, which you claimed to use):
http://www.cisecurity.org/bench.html
CIS Tool 1.0
(And get back to me with your score, and where it "failed you" on any points it does so on. On Windows Server 2003 SP #2, for your reference, I am able to get an 84.735 score!)
Thanks, if you have the time!