Slashdot Mirror


Security Issues with Windows 2000 Datacenter?

alen asks: "The recent IIS security incidents got me thinking. Code Red and Nimda hit servers that weren't patched by their sys admins. If you get infected, you patch your server and end of story. But what if you're running Windows 2000 Datacenter Server? It's a customized solution that you can't change. All your service packs are customized by your vendor. What happens if you have a web or database server that needs to be patched immediately? Are you left out in the cold running insecure software that you can't patch while you wait in line for your vendor to issue you a service pack or hotfix?" In a situation like this, the whole ball-o-wax resides with the vendor. If you have a good vendor who actually cares about customer satisfaction, these hotfixes will be available quickly. Would anyone out there actually recommend Datacenter for corporate environments?

"My company is currently looking to cluster our SQL 7 servers. We're considering Win2000 Advanced Server or Datacenter. Around a month ago I sat in a meeting with our VP of IT and the rest of the network admins I work with. Compaq tried to pitch their Windows 2000 Datacenter or Advanced Server solution. Here is the way the Compaq people explained it:

You get Datacenter only from an OEM. They look at the apps you're running and customize a solution for you in their lab. Every Datacenter implementation is different, and every Datacenter CD is different. Since we would be using an EMC SAN as our clustered storage system they said our implementation would take special customization. They would have to contact EMC engineers and work together. Once you deploy it, the OEM monitors it. And you can't install any service packs or anything without getting an OK from your OEM. Any service packs are customized for your environment. The SLA guarantees 99.999% uptime or your money back. Part of your money at least. Datacenter isn't an OS, but a program in their words.

Now here is the problem. With Code Red and Nimda, how do you patch IIS running on Datacenter in a timely manner? The reason IIS servers became infected was because the admins didn't patch them in the first place. So say a new worm comes out in a few months and it takes a few days for MS to create a hotfix. Datacenter admins can't install it until they get their customized copy from their OEM. And almost every 2000 server runs IIS for terminal server. It can take a few days and in the meantime your servers could be down. And I don't see the SLA covering a situation like this. Meanwhile you're explaining to your CEO how this $500K supposedly guaranteed solution is sitting dead in the water and you can't do a thing about it.

Is there something I'm missing, or did Microsoft look over something like this? Especially when they are trying to push Datacenter as 'Big Iron'."

357 comments

  1. Whats it needed for? by Izeickl · · Score: 2, Interesting

    Erm, what are the big advantages of Datacentre over Advanced server etc?

    1. Re:Whats it needed for? by Osty · · Score: 3, Informative

      Erm, what are the big advantages of Datacentre over Advanced server etc?


      Straight from http://www.microsoft.com/windows2000/datacenter/evaluation/business/overview/default.asp:

      Microsoft® Windows® 2000 Datacenter Server is the most powerful and functional server operating system ever offered by Microsoft. It supports up to 32-way symmetric multiprocessing (SMP) and up to 64 gigabytes (GB) of physical memory. It provides both 4-node clustering and load balancing services as standard features. It also provides the rich Internet and network operating system (NOS) services of all the versions of Windows 2000 Server. It is optimized for large data warehouses, econometric analysis, large-scale simulations in science and engineering, online transaction processing (OLTP), and server consolidation.

      From http://www.microsoft.com/windows2000/advancedserver/evaluation/business/overview/advanced.asp:
      The Windows® 2000 Advanced Server operating system contains all the functionality and reliability of the standard version of Windows 2000 Server, plus additional features for applications that require higher levels of scalability and availability. This makes Advanced Server the right operating system for essential business and e-commerce applications that handle heavier workloads and high-priority processes.

      Other pieces of information not listed in that blurb about AS: supports up to 8-way SMP and 8 GB of RAM (compared to DC's 32-way and 64GB).


      You're obviously not going to have a DataCenter machine sitting underneath your desk at work, but it's quite possible to do so with Advanced Server.

    2. Re:Whats it needed for? by Anonymous Coward · · Score: 0

      The thing to understand is that Datacenter is more of a program than a product. It's Microsoft's attempt to sell into Sun and IBM's market (where service and support are as much of the total package as the actual hardware).

      There's really no reason to buy datacenter unless you need a super high-end Windows box, OR you just want to put your OEM on the hook for support.

      The upshot is that you probably get your patch advice from the OEM and not Ask Slashdot.

    3. Re:Whats it needed for? by Waffle+Iron · · Score: 2, Troll

      In other words, Datacenter changes the following two lines of code in the kernel header:

      #define MAX_CPUS 32
      #define MAX_MEM_GB 64

      You pay only a few dollars for that mod. The remainder of the huge expense goes to pay for a special team of engineers whose purpose in life is to try to keep your systems up and running.

    4. Re:Whats it needed for? by ostiguy · · Score: 2

      Datacenter can do 4-way active clusters; AS can only go 2-way.

      ostiguy

    5. Re:Whats it needed for? by Density_Altitude · · Score: 1

      AS: supports up to 8-way SMP and 8 GB of RAM (compared to DC's 32-way and 64GB)

      Aren't those limitations just about which license you have? Like they do with MSSQL Server and the per-CPU licensing scheme?

      --
      delete free(system.gc);
    6. Re:Whats it needed for? by Osty · · Score: 1

      Aren't those limitations just about which license you have? Like they do with MSSQL Server and the per-CPU licensing scheme?

      Do you seriously think there's no technical difference between an OS that allows you to run uniprocessor up to 8-way SMP, and an OS that runs 8-way SMP at minimum (the minimum requirement for fault tolerance) up to 32-way SMP? It's more than just changing a license. You have to properly tune the system for such high concurrency. There's a reason DataCenter didn't ship at the same time Win2k Pro/Server/Advanced Server all shipped.

    7. Re:Whats it needed for? by Anonymous Coward · · Score: 0

      The remainder of the huge expense goes to pay for a special team of engineers whose purpose in life is to try to keep your systems up and running.


      He was talking about Microsoft stuff, not RedHat stuff...keep the posts on topic, please.

    8. Re:Whats it needed for? by joedoe · · Score: 1

      It is optimized for large data warehouses, econometric analysis, large-scale simulations in science and engineering, online transaction processing (OLTP), and server consolidation.

      My question is, just how good is it for econometric analysis and large-scale simulations? That would seem to be an area in which nobody really uses Windows, but I'm curious as to whether this could actually be competitive with the traditional usage of Unix boxes. Any thoughts?

      --joedoe

    9. Re:Whats it needed for? by Anonymous Coward · · Score: 0

      I'm not a fan of MS at all, and I don't run their "OS"s, but coming from a systems background, I have to say that you are an idiot.

      It's very hard to get SMP to scale well with the number of CPUs. It's also some work to be able to map 64G into processes which use 32-bit (4G spanning) pointers.

      Just because you don't understand this, it doesn't mean that it's trivial.

    10. Re:Whats it needed for? by addaon · · Score: 1

      Windows 2k AS can also use more than 4GB of ram... I've tested it with 12GB, and it worked fine with that. An 8GB limit would be mildly bizarre... 33 bit addressing? (Recent) Pentiums use 36 bit addressing, giving the 64GB limit which is inherent to well-designed OS's stuck on an Intel platform.

      --

      I've had this sig for three days.
    11. Re:Whats it needed for? by BitwizeGHC · · Score: 2

      In that case doesn't it make more sense to use a 64-bit arch that was built to scale to this sort of application, like, I don't know, say, SPARC? Trying to shoehorn Wintel boxen (aimed squarely at the desktop market) into such a role seems a bit silly, though Beowulf managed to get a few things right.

      That's one of the things that bug me about Microsoft: they try so hard to be All Things to All People. Gee, it's like they want to conquer the world or something.

      --
      N4st0r, trixx0r h0bb1tz0rz! Th3y st0l3 0ur pr3c10uzz!
    12. Re:Whats it needed for? by the+eric+conspiracy · · Score: 2

      I follow Linux Kernel development. Current kernels handle at least 8 way without much degradation.

      If you want to address large amounts of RAM (> GB), you are better off with a 64 bit architecture.

      Which you can download from RedHat today.

    13. Re:Whats it needed for? by foobar104 · · Score: 3, Informative

      If you follow the Linux kernel development, and read around, you'd notice that scaling to a 2-way or 4-way machine is a big leap in performance. Throw Linux or any other OS on a 6-way or 8-way machine and you will watch that increase in performance degrade (i.e. a 2-way machine isn't 2x the performance of a single CPU machine, and an 8-way system isn't 2x the performance of a 4-way machine).

      This, of course, is crap. To say that "any other OS" has the same scalability problem that Linux has is simply not true.

      Take IRIX, for instance. I wrote some image processing code that runs on Origin servers. The 8-processor server in my lab runs my code about four times faster than my 2-p servers. And, surprise, the 32-p server in my friend's lab runs my code about four times faster than my 8-p machine.

      To generalize the problems you see on Linux and Windows to "any other" operating system is simply hogwash. Your point about Windows scalability is well taken, though.

    14. Re:Whats it needed for? by Anonymous Coward · · Score: 0

      Well, if you have an existing MS-SQL app that you need to scale now, it makes sense to buy the hardware instead of rewriting the software.

      But, consider the current Datacenter stuff a warmup for the real game next year (Itanium).

    15. Re:Whats it needed for? by innocent_white_lamb · · Score: 1

      In that case doesn't it make more sense to use a 64-bit arch that was built to scale to this sort of application, like, I don't know, say, SPARC? Trying to shoehorn Wintel boxen (aimed squarely at the desktop market) into such a role seems a bit silly,

      You're right, from an "outside" point of view. However, when you're Microsoft then what you have to sell is Windows. Therefore, if you ask Microsoft the answer to your needs (whatever they are) is a Windows solution.

      Remember the old jokes about the peddlers? "Special deal just for you today -- What do you mean, those shoes are too tight? They fit you fine! You just have to wear them for a few days to get used to them! Look at the lovely beadwork on the side! Isn't it lovely beadwork? Step right up folks! Sale on today! Special deals! Come on! Come in! Step up! Step up! Curse you, guy, I've sold you those shoes already! No refunds, sorry! (bugger off, before I have to swat you) Step up folks, shoes for sale today! Step up! Nice shoes! Special deals! Step up!"

      See? The "only reasonable solution" to any problem is, of course, the one that you're selling! And, like I said, MS has Windows. Therefore, the rest follows naturally.

      --
      If you're a zombie and you know it, bite your friend!
    16. Re:Whats it needed for? by Cramer · · Score: 2, Informative

      And you weren't running on a PC either.

      There are scalability limits beyond 4 and 8 processors. Part of it is hardware and a lot of it is software. SGI/IRIX does both very well (hello, they make/made the CRAY!) The scheduler used for small SMP systems does not work well with large SMP systems. And PXE, the 36-bit address extensions, is a significant performance hit for machines not actually requiring it.

      Performance does not scale linearly -- on any system. "About 2x" is not "2x". IRIX scales better than most, but it still isn't perfect. And, surprise, Windows scales better than Linux (or used to.) BeOS is about the best thing I've seen for standard PC hardware -- too bad it never caught on.

      Datacenter is a great deal different from the other windows'. Unlike the difference between NT Workstation and Server (two registry keys), Datacenter is very different.

    17. Re:Whats it needed for? by fams · · Score: 1

      Wrong, kernel 2.4 scales better than Windows...
      and the best system to use SMP that I know is OS/390

    18. Re:Whats it needed for? by Anonymous Coward · · Score: 0

      Sorry to ruin your fun, but all it does is squash your comment up on the right half of the screen, no scrolling at all.

      How about this for a new challenge: keep replying to yourself again and again until you're so squashed up you can only fit one letter on a line. Then you can send a cryptic message like this:

      L
      I
      N
      U
      X

      I
      S

      F
      O
      R

      G
      O
      A
      T

      C
      O
      C
      K

      S
      U
      C
      K
      E
      R
      S
      !
      !
      !

      ...or something equally pointless.

    19. Re:Whats it needed for? by Fnord · · Score: 1

      I hate to tell you this but SGI didn't "make the Cray". SGI bought Cray along with their product line and then proceeded to slowly kill off their product line (while gradually trying to transition their customers to Origins). Thing is conventional systems like Origins (conventional relative to Crays at least) just really can't do what a true vector supercomputer can. And anyways, making a multiprocessor system is nothing like making a vector machine.

    20. Re:Whats it needed for? by mentin · · Score: 1

      You got the point: IRIX runs on special hardware that allows it to scale. If you want to scale that well on PC, you need special hardware support beyond standard chipsets. If you have specialized hardware, you get specialized code in Windows (or Linux, or whatever) that knows about that hardware and can utilize it. So you get a customized version of Windows.
      IRIX runs on a single hardware design, so it is always customized for it.

      --
      MSDOS: 20+ years without remote hole in the default install
    21. Re:Whats it needed for? by mentin · · Score: 1

      That is an idiotic idea, written by somebody who does not understand how SMP works. Compare Datacenter with IBM's mods of the Linux kernel that allow it to scale up better (as a result Linux with IBM's mods scales down badly). If you think all IBM did is change a couple of defines - go for it.
      Datacenter goes beyond IBM's mods in that it customizes Windows for particular hardware. This does give good performance, but has its disadvantages (see the original post).

      --
      MSDOS: 20+ years without remote hole in the default install
    22. Re:Whats it needed for? by Anonymous Coward · · Score: 0

      It's bullshit like this that makes people actively hate fucking sporks. You mindless idiots aren't content to just crapflood, and never add anything worthwhile to the conversation... you have to try and fuck things up for everyone. I'm running at 1280x1024, however, so at least you missed one of us.

      Take a page from spiralx and osm... even *syringe was more clever than you fucking assholes. I mean, where do you assholes hang out? Vlad's site? That should tell you everything you need to know. Vlad was a fucking laughing stock, until he made all of you sporks into his bitches.

      Now he's a laughing stock with bitches.

      - The AC Avenger

    23. Re:Whats it needed for? by King+Of+Chat · · Score: 1

      You'll notice though that pretty much nobody actually runs it as flat 32 way SMP. The Unisys 32 CPU boxes are normally configured as a 4 x 8 way CMP machine (basically a cluster in a box). In fact, the 16/32 processor Compaq machines are rebadged Unisys ES7000s.

      Back to the topic, as mentioned by other posters, you don't need IIS if you're just using the DC box as a big f*ck-off database server. In fact, you're better off not having IIS on there - especially if you're open to RDS (the s'kiddies' favourite) as they can cause untold havoc using SQL Server. Personally, if I had to use IIS for something public, I'd have a second firewall between the IIS box and the data box with no data at all on the IIS box.

      Oh, and another point, if you are using SQL 7, then forget clusters/CMP. It just about works with SQL 2000, but has no load balancing (you can do it manually by partitioning the database) and the failover time is 1 - 5 minutes.

      From what I can gather, DC and AS are very similar (although MS will deny this). Both have address extensions allowing over 4GB to be used, > 4 way SMP etc., but DC comes with all the drivers etc. checked out on the specific hardware so - hopefully - not as many BSODs. I wouldn't be surprised if someone comes up with the reg settings to turn AS into DC (Max_Processors=32, Max_Cluster_Boxes = 4) - but you'd have to frig with a DC box first - if you can get your hands on one.

      --
      This sig made only from recycled ASCII
    24. Re:Whats it needed for? by foobar104 · · Score: 2

      IRIX runs on a single hardware design, so it is always customized for it.

      Actually, that's not right, either. IRIX 6.2 scaled about the same on the Challenge-series architecture (up to 36 processors) as IRIX 6.5 does on the Origin (up to 512 processors), two radically different designs.

      It really has more to do with operating system architecture and scheduler design than it does with hardware.

    25. Re:Whats it needed for? by Anonymous Coward · · Score: 0

      yeah, that Microsoft server software... runs like a dream, sometimes for years. The only interruption is those upgrades, once every 5 years when it's truly time.

    26. Re:Whats it needed for? by ahde · · Score: 1

      yeah...I'm going to go out and buy me a 32-way Pentium. It's marketing hype. There is, in theory, an 8-way Xeon, but you can't find one. It's marketing hype that in Microsoft's actual code isn't much more than a #define.

      Something like this:

      /* New and improved command line interface*/

      char c[1024];
      printf("(A)bort, (R)etry, or (F)ail?");
      scanf("%c", &c[0]);

      /* this will stop over a thousand times as many stack overruns, rendering windows virtually 100% secure */

    27. Re:Whats it needed for? by Anonymous Coward · · Score: 0

      Uhh, actually, there are a lot of 8-way, 16-way, and 32-way Pentiums. Look for machines made by Compaq, Sequent, and IBM. In fact, recent kernel revisions include support for them. Take a look at eBay - there's some nut selling 8-way Xeons.

  2. Corruption by phpAbUser · · Score: 2, Insightful

    Another major fear is that the databases will become corrupted by patches. Transition from mysql 3.2.6 -> 3.2.10.

    --
    PHP, it kicks ASP!
    1. Re:Corruption by Anonymous Coward · · Score: 0

      Should be modded to troll really ...

    2. Re:Corruption by Anonymous Coward · · Score: 0

      Why mod as troll? If you've got info to dispute that post, go ahead & say so - otherwise, you're the one who's trolling.

    3. Re:Corruption by Anonymous Coward · · Score: 0

      OK then, how about no such version as either 3.2.6 or 3.2.10. Or if you followed MySQL development, you would know that most releases < 3.x.15 are designated alpha or beta. That's when things do break.

  3. Modify the SLA by SwedishChef · · Score: 5, Insightful

    Ask the vendor to modify the SLA to specifically cover the contingency of exploits and how they will be dealt with. Your vendor might try to claim that the 99.9999 uptime would cover this, but I'd counter that a server which is up but exploited is useless.

    --
    No one ever had to evacuate a city because the solar panels broke!
    1. Re:Modify the SLA by Multispin · · Score: 1

      Usually 'uptime' is defined by clients being able to access it. If the exploit denies clients access to the service then the server is down. Otherwise, you could get 99.999% by just booting up into the BIOS or firmware and let it sit there.

    2. Re:Modify the SLA by baptiste · · Score: 2
      Usually 'uptime' is defined by clients being able to access it.

      Which means being hit by Nimda would be a good thing since it 'enhances' machine accessibility :) :) Root access for everybody! :)

    3. Re:Modify the SLA by Multispin · · Score: 1

      LOL

  4. Problem of the vender by Twisted+Mind · · Score: 1

    I think this problem is smaller than it seems.

    The vendor probably has a fix quickly; although they are special computers, they're still i386 compatible (sort of) so the vendor won't have to port.

    --
    (-% TwistedMind %-)
    1. Re:Problem of the vender by ByTor-2112 · · Score: 1

      No, you are wrong here. Microsoft has in the past released a botched hotfix that caused problems. To maintain 99.999% uptime the vendor would have to do massive testing before approving your installation of such a fix. It could VERY easily end up taking you from 99.999% to 99% uptime.

  5. Datacenter? by Anonymous Coward · · Score: 3, Insightful

    First of all if your company is wealthy enough to be using Datacenter as a web server I hope they are paying you a decent salary. :)

    It's a waste to use Datacenter as a web server or front end machine for applications; its best use is for big honking SQL applications like MS SQL Server. Datacenter is a waste for Oracle/NT because Oracle on NT is the worst implementation of Oracle in existence. If you want a big honking box to do Oracle, for God's sake get a Solaris/HPUX/AIX monster. Big ass database servers should never be directly exposed to the internet anyways; the connectivity should be happening thru a balls to the wall firewall.

    1. Re:Datacenter? by spongman · · Score: 5, Informative

      yup, you shouldn't be running IIS and SQL Server on the same machine. Ideally, you'd run SQL Server alone on the big machine and have a cluster of load-balanced inexpensive boxes running stateless ASP/ISAPI pages connecting to the DB over the LAN. You'll be free to patch the IIS boxes as needed and you can put them in a DMZ for extra security.

    2. Re:Datacenter? by King_TJ · · Score: 1

      Yeah, but despite Oracle for NT being a terrible implementation, my workplace still uses it (on a DEC Alphaserver running NT 4) because Oracle won't support their products as "tier 1 support" if they're running on a non-Intel processor and Linux.

      What's with that policy? "Oh, sure - we'll take your Oracle installation seriously if you have it loaded on a generic PII or PIII server - but on an Alphaserver? Nope, sorry... must not really be important to your business."

    3. Re:Datacenter? by Zurk · · Score: 1

      umm..load OSF/1 or Tru64 on to your Alpha box and Oracle for Tru64 gets tier 1 support.

    4. Re:Datacenter? by Anonymous Coward · · Score: 0

      Somebody actually bought NT4/Alpha for purposes other than generating benchmarks?

    5. Re:Datacenter? by spongman · · Score: 2

      addendum: for extra security you should make your ASP scripts run as a domain user that only has access to the SQL server, specifically only has access to those tables/SPs on the server that are necessary to run the application. You should also disallow access to the SQL server by all other users except an admin group, none of which have access to log onto the IIS boxes. The reason for this is that even if security is breached on the IIS box, whatever user they run code as will still not have destructive access. It would also require a hacker to write a specific hack for your system in order to access the DB, which, while not being perfectly secure, will greatly reduce the possibility of a 'script' attack, and the likelihood that someone will bother to embark on such a hack will be diminished. Of course, if you have really sensitive data then you should hire a security expert (which I am not).

      hope this helps, though.
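      The least-privilege layout spongman describes, written out as an added T-SQL example (it is not code from the original post). It assumes SQL Server 7/2000-era system procedures; the database, domain account, role and procedure names are placeholders.

      ```sql
      -- Added example: least-privilege access for the IIS/ASP tier to SQL Server.
      -- AppDB, DOMAIN\svc_webapp, app_web_role and the usp_* procedures are
      -- assumed placeholder names, not from the original thread.
      USE master
      GO
      -- 1. The web tier connects as one dedicated domain account: never as sa,
      --    and never as an admin who can also log onto the IIS boxes.
      EXEC sp_grantlogin 'DOMAIN\svc_webapp'
      GO
      USE AppDB
      GO
      -- 2. Map that login into the application database under a fixed user name.
      EXEC sp_grantdbaccess 'DOMAIN\svc_webapp', 'svc_webapp'
      GO
      -- 3. Collect the web tier's rights in one role so they can be audited in one place.
      EXEC sp_addrole 'app_web_role'
      EXEC sp_addrolemember 'app_web_role', 'svc_webapp'
      GO
      -- 4. Grant EXECUTE only on the stored procedures the application actually calls.
      --    No direct table rights: code running as this account on a breached IIS box
      --    cannot SELECT *, UPDATE or DROP anything outside these procedures.
      GRANT EXECUTE ON dbo.usp_GetOrder   TO app_web_role
      GRANT EXECUTE ON dbo.usp_PlaceOrder TO app_web_role
      GO
      -- 5. Make sure nothing leaks in through the catch-all public role.
      REVOKE ALL ON dbo.Orders    FROM public
      REVOKE ALL ON dbo.Customers FROM public
      GO
      -- 6. The extended stored procedures that hand out OS-level access stay
      --    sysadmin-only; confirm public has no route to them.
      USE master
      GO
      REVOKE EXECUTE ON dbo.xp_cmdshell FROM public
      GO
      -- 7. Check: list every permission the web account ends up with. Anything
      --    beyond EXECUTE on the usp_* procedures is a mistake to fix.
      USE AppDB
      GO
      EXEC sp_helprotect NULL, 'svc_webapp'
      GO
      ```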

  6. Time from Bug Found to Bug Exploited by KingAdrock · · Score: 2, Interesting

    I think something that both Microsoft and the OEMs count on is the time it takes from the time a bug is found until the time the bug is exploited! In the case of Code Red and Nimda I think that time spanned months.

    Is it not also true that only large OEMs offer Datacenter? I don't think you are going to have a huge problem with the likes of Compaq or Dell providing timely fixes. It may not be available the same day the Microsoft Fix is, but I would be guessing that MS provides enough info to the OEMs to get the fix applied within 3-5 days.

    All in all I think the amount you need to worry shouldn't be more than the satisfaction you can get from a 99.999% guarantee.

    1. Re:Time from Bug Found to Bug Exploited by Johnno74 · · Score: 1

      I think something that both Microsoft and the OEMs count on is the time it takes from the time a bug is found until the time the bug is exploited! In the case of Code Red and Nimda I think that time spanned months.

      No, in Code Red's case the discoverer of the bug didn't go public until the patch was out, so the delay was effectively zero. Nimda used up to 7 different holes, but these were also patched very quickly.

      It was months until the actual automated exploits and worms started appearing to exploit these well known holes; there was no excuse for being caught by Code Red or Nimda.

      If there is one thing you can't accuse Microsoft of, it's not being prompt to release patches for their holes... it's just that their patches are required far too frequently...

  7. Where did you get your advice?! by ssimpson · · Score: 5, Insightful

    "And almost every 2000 server runs IIS for terminal server"

    Erm, I work for a Citrix Gold partner and I've never encountered this before. Installing Terminal Server does not require IIS.

    In fact, according to M$ recommendations, you should minimise the services running on the TS box.....That means no IIS.

    Also, the "smaller but more servers vs fewer 8 way servers" for TS debate has been done and dusted, and the recommendation certainly isn't for having fewer large servers. The "sweet spot" is a farm of dual processor servers with 1.5Gb of RAM, thus you wouldn't need Data Center anyway - normal W2k Server would be more than adequate.

    --
    "Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
    1. Re:Where did you get your advice?! by Kevinv · · Score: 1

      With Windows 2000, when people talk about installing Terminal Services they are invariably talking about installing the administrative (2 connection only) version -- virtually everyone turns this on on their servers, even IIS boxes and file servers.

      I'm waiting for the first exploit of this.

      Kevin

    2. Re:Where did you get your advice?! by murphj · · Score: 1
      Installing Terminal Server does not require IIS.
      If you want to use the IE active x control for TS you need to run IIS. Otherwise, you need to install the TS client.
      --
      SONY. Because caucasians are just too damn tall.
    3. Re:Where did you get your advice?! by Anonymous Coward · · Score: 0

      I'm waiting for the first exploit of this.

      Wait no longer. On Thursday, Microsoft released a patch/security bulletin about a denial-of-service attack on Terminal Services. Unfortunately, a few hours later they withdrew the patch (apparently they fucked up the packaging) and haven't re-issued it yet.

    4. Re:Where did you get your advice?! by glrotate · · Score: 1

      An exploit is not a DOS.

    5. Re:Where did you get your advice?! by SectoidRandom · · Score: 1

      Quote: "The "sweet spot" is a farm of dual processor servers with 1.5Gb of RAM, thus you wouldn't need Data Center anyway - normal W2k Server would be more than adequate."

      The main advantage of Datacenter is not necessarily the greater memory / etc capability, it's the vendor support (think Unix system?). Being able to get a 99.999% uptime GUARANTEE is a very very good thing on a Windows server; not that it's impossible to do similar work for any *very* experienced admin (even on Windows), but having it as a vendor solution means you don't necessarily have to have a *true* expert on your payroll, which especially in the Win2k market is not as easy as you may think!

      The problem here is making certain that your vendor is keeping you up to date. As I see it this whole patch issue is NOT an issue; actually for many companies it would be a great advantage! Remember that all the patches for Nimda and Code Red were out long before those worms were made, meaning that as long as your contract with your vendor ensures timely updates, Code Red and Nimda would be a complete non-issue!

      I believe the situation is very similar to that of most Unix systems, and that is really how Datacenter is targeted.

    6. Re:Where did you get your advice?! by wazza · · Score: 1

      No, an exploit is a means; a DOS is an end.

  8. Datacenter by fazil · · Score: 5, Informative

    Keep these SQL apps behind the firewall.. turn off all IIS features on the SQL boxes.. and at least Nimda should not be able to get at it. Any web interface would hopefully not use Datacenter, and use standard Advanced Server, which is easily patchable. If SQL was available on the front line, well, they almost deserve it.

    --
    -=-Ze End-=-
    1. Re:Datacenter by SurfsUp · · Score: 2
      Keep these SQL apps behind the firewall.. turn off all IIS features on the sql boxes.. and at least Nimda should not be able to get at it.

      Your attacker could still use some other exploit that doesn't rely on IIS. I hope you don't think we've seen the last of these.

      Note that an exploit like the above wouldn't turn into a Ro0t on a Linux/Unix box because the database server typically doesn't run with system privilege.

      --
      Life's a bitch but somebody's gotta do it.
    2. Re:Datacenter by thogard · · Score: 1

      It's locked down all right. Just like the Cisco Call Manager. The week before I had to make a decision between their IP phones and everyone else's, Code Red hit. I had a script that would pull back web pages from machines that tried to infect my home box. I was hit by at least three different Cisco Call Managers. Now I have a system from someone else that isn't running Windows.

    3. Re:Datacenter by Anonymous Coward · · Score: 0

      Ummm, why did you have your CCM on a publicly accessible network???????

      We have ours running on a private IP space (ie 10.x.x.x) and have never had a problem with Code Red, DoS, Nimda etc.

      A little bit of planning is all that is needed to prevent such things from happening, such as private IPs for the IP phone system, a different port for the web admin, a separate physical network for the phones etc.

      These things aren't hard to configure and integrate with your existing network and should be taken into account whenever you are looking at adding things like this to your system.

    4. Re:Datacenter by Anonymous Coward · · Score: 0

      Did you mean to link to some other page? The link you gave had no such exploit.

    5. Re:Datacenter by Anonymous Coward · · Score: 0

      As someone else pointed out, an employee who gets infected at home can bring their laptop in and plug into the internal network, or can VPN in and infect internal machines. It happened to us with some unpatched desktop machines of some web developer guys. Luckily it was fairly isolated, but if we had a CCM, I'm positive that it would have been infected also.

      Even though we are a windows shop for the most part, one of the main reasons why we didn't go with Cisco IP phones was because the CM only ran on windows. We'd prefer just about any kind of Unix over windows (since we know how reliable windows is). You can run the call manager on a router, but you don't get nearly as much capacity or features.

    6. Re:Datacenter by SurfsUp · · Score: 2
      Did you mean to link to some other page? The link you gave had no such exploit.

      "Using extended stored procedures, the attacker could essentially gain complete control over the server itself."

      --
      Life's a bitch but somebody's gotta do it.
    7. Re:Datacenter by Anonymous Coward · · Score: 0

      That's not an exploit. Someone has to gain access before they can use the extended stored procedures to begin with. What you're saying is exactly the same as "Using the rm command, the attacker could essentially delete all the files from the server itself."

  9. Lets not forget.. by Phasedshift · · Score: 2, Insightful

    Let's not forget that the vulnerability Code Red, etc. takes advantage of has had a patch out for several months, but quite a few people never bothered to patch their servers. Chances are the patch(es) will be available shortly after the mainstream ones are released if you have a good vendor.

    Besides, say you're running *NIX with a specially modified version of Apache, and there is some remote exploit that is discovered. Obviously you can't just download the source, compile, and install, for fear of losing those 'special features'.. You need to patch your source code, which may barf (and then you either have to modify the patch file or do it manually, which could suck if you have no programming skills and it's heavily modified)...

    While most of us would view using a patch as trivial (patch, recompile, install), the point is that similar situations could happen.

    1. Re:Lets not forget.. by Anonymous Coward · · Score: 1, Insightful

      Dammit, I am tired of everyone saying "Microsoft had the patches out months in advance, but the lazy admins did not patch their machines."

      Fact: Microsoft released a security patch on June 17th. Code Red exploited the security hole this patch fixed on July 4th. That is NOT a lot of time to patch every IIS on your network.

      Considering that most default IIS boxes took 34 patches to fix as of June 17th, and a reboot is required after every patch, this is a very bad place for an admin to be in.

      A friend of mine started working for a company on June 2nd and started the first day patching the company's 12 IIS boxes. When Code Red hit, he still got infected on two boxes. One because a patch did not take, or human error, and another box because it was not patchable because the patch would not work with a certain Compaq RAID controller.

      MS has taken steps to help admins since the attacks by providing software that will scan your IIS box and let you know what problems you may have. But, this software was a month too late for most companies and all I have done since Code Red was charge companies $200/hr to move their IIS/ASP servers to Apache/PHP.

      I code in both ASP and PHP and I made 2x more money on ASP because it takes 2x longer to write anything.

    2. Re:Lets not forget.. by agallagh42 · · Score: 2

      "and a reboot is required after every patch"

      Not if you know what you're doing. Using the qchain utility, you only have to reboot once after applying all the patches in one go (and can even be scripted). Then check if they all took by using the hfnetchk utility. This can easily be done (yes I've done it) on 12+ servers in less than an hour without ever getting up from your desk.

      --
      Carpe Cerevisi - Seize the Beer
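The qchain/hfnetchk procedure described above, as an added example that is not part of the thread: a Windows 2000 batch file that installs several hotfixes with a single reboot and then verifies them. The hotfix package file names are placeholders; the -z (no reboot) and -m (unattended) installer switches are the ones Microsoft documents for use with qchain, and hfnetchk's -h (host list) and -v (verbose) switches are assumed from its command-line help.

```batch
@echo off
setlocal
rem Added example: chain hotfix installs, reboot once, then audit.
rem HOTFIXDIR and the Q*.exe names are placeholders for your own downloads.
set HOTFIXDIR=C:\hotfixes
cd /d %HOTFIXDIR% || goto :fail

rem Each hotfix installer: -z = do not reboot, -m = unattended (quiet).
rem Order does not matter; qchain.exe sorts out which file version wins.
for %%F in (Q*.exe) do (
    echo Applying %%F
    "%%F" -z -m
    if errorlevel 1 echo WARNING: %%F returned error %errorlevel%
)

rem qchain.exe fixes the pending-rename list so the newest version of any
rem file touched by more than one hotfix is the one installed at reboot.
qchain.exe

rem Audit this box against the hotfix database before rebooting so a hotfix
rem that "did not take" is caught now, not after the next worm arrives.
rem -h takes a comma-separated host list; -v explains why a patch is flagged.
hfnetchk.exe -h localhost -v

echo All hotfixes staged. Reboot this server once to complete installation.
endlocal
goto :eof

:fail
echo Hotfix directory %HOTFIXDIR% not found.
endlocal
exit /b 1
```

Run the same file against a list of servers by replacing `localhost` in the hfnetchk line with the comma-separated host names, which is how the 12-servers-in-an-hour check above is done from one desk.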
    3. Re:Lets not forget.. by agallagh42 · · Score: 2

      ...and in case anyone's wondering:

      hfnetchk utility
      qchain utility

      --
      Carpe Cerevisi - Seize the Beer
  10. Not only MS Datacenter by ChazeFroy · · Score: 2, Informative

    Datacenter servers are not the only ones: Many e-banking applications (see s1.com, for example) are rolled by vendors, and upgrades do not come out as fast as vanilla IIS upgrades because of this.

    I don't know of one bank that uses a non-IIS platform. Kind of scary.

    1. Re:Not only MS Datacenter by ssimpson · · Score: 4, Informative

      "I don't know of one bank that uses a non-IIS platform."

      You need to look harder then. The first 5 banks I could be bothered to look at:

      • www.smile.co.uk - Solaris
      • www.hsbc.com - HP-UX
      • www.barclays.com - AIX
      • www.bankofamerica.com - Solaris
      • www.bankofny.com - NT / Netscape Enterprise
      --
      "Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
    2. Re:Not only MS Datacenter by ecampbel · · Score: 1

      There's a huge difference between a Bank's external web server and the internal systems it uses for handling transactions and other applications. While I can't vouch for the accuracy of the other poster's comment, checking netcraft really doesn't tell you if a bank uses Microsoft's technology for its mission critical applications.

      --

      Sig goes here
    3. Re:Not only MS Datacenter by Florian+Weimer · · Score: 1

      The server I use to access my bank account is running Apache. When the firewall settings were less tight, you could see that they were running a Linux kernel somewhere (at least for the firewalling), now I'm not sure.

      To be honest, the bank is a "Genossenschaft", a concept which was invented back in the 19th century and is in some way similar to the free software movement. The bank itself uses OS/2 almost exclusively on desktops, which means that they were unaffected by the recent Microsoft worm craze, and they don't have a direct Internet connection. AFAIK, the computing center still issues IP addresses according to a scheme which is not compatible with the official IANA one, i.e. they use the whole IPv4 address space as if there was no public Internet.

    4. Re:Not only MS Datacenter by Anonymous Coward · · Score: 0

      Just to add a few more (Danish) banks:

      www.jyskenetbank.dk - AS/400
      www.almbrand.dk - AIX
      www.al-bank.dk - Tru64
      www.nordfynsbank.dk - AIX
      www.sydbank.dk - Windows 2000
      www.vestfynsbank.dk - AIX

    5. Re:Not only MS Datacenter by Anonymous Coward · · Score: 0

      Also, the two largest banks in the US don't use IIS, Citibank and Chase...although Chase is working on something that has IIS on one banking transaction system.

    6. Re:Not only MS Datacenter by Anonymous Coward · · Score: 0

      Also more banks are running *nix servers vs NT/2k machines, due to scalability, etc...

      Example: Deutschebank.de (Solaris), BMO.ca (Solaris), and in the US Merrill Lynch (AIX), Goldman/Sachs (Solaris/Tru64)..

      Just some of the firms that hire admins who are gung ho over Windows will run it.

    7. Re:Not only MS Datacenter by csbruce · · Score: 1

      "I don't know of one bank that uses a non-IIS platform."

      You need to look harder then. The first 5 banks I could be bothered to look at

      There's no need to correct the previous poster. What he said is a tautology provided that he is ignorant.

    8. Re:Not only MS Datacenter by HR · · Score: 1

      To get anal about it...
      if it was a tautology there would be no "provided that", it would be true by definition.

    9. Re:Not only MS Datacenter by Anonymous Coward · · Score: 0

      I think Barclays has a 100% *nix system, even the client (i.e. bank clerk) systems are using nix of some sort (although with a really horrible window manager)

  11. It's what they call lock-in by 91degrees · · Score: 0, Troll

    When I was studying, I was taught that one of the reasons to write maintainable code was to prevent lock-in. Good coders don't need to force companies to keep using them, they should produce good enough work that the company sees no need to replace them.

    Microsoft, of course, do not write good maintainable code. They don't supply commented source, and they don't give the customer any long term rights to use the code as they see fit. Any good professional should avoid Microsoft products simply because they will immediately prevent themselves from having any choice at all. It becomes impossible to back out.

    1. Re:It's what they call lock-in by Anonymous Coward · · Score: 0

      I am unsure if you are an idiot, a simpleton, or just mentally handicapped. Keep on studying and try a spell-checker sometime.

    2. Re:It's what they call lock-in by jrothlis · · Score: 1

      As opposed to the choice of backing out of any other platform decision, involving potentially hundreds of thousands of dollars worth of labour? Microsoft bashing as a sport needs a reality check.

  12. IIS for Terminal Server? by michael.creasy · · Score: 2

    almost every 2000 server runs IIS for terminal server

    Errr, since when? Terminal Server doesn't require IIS to be installed.

    1. Re:IIS for Terminal Server? by Anonymous Coward · · Score: 0

      The Terminal Services Advanced Client (TSAC) requires IIS.

    2. Re:IIS for Terminal Server? by 0xA · · Score: 2
      The Terminal Services Advanced Client (TSAC) requires IIS.

      Well yeah, seeing as though TSAC is the web plugin for TS. But just why the hell would you use Datacenter server for an app server?

      Even if you did, does the IIS server have to be the same machine as the app server? I don't think it does but I can't recall. I know that with Citrix NFuse it DOESN'T and probably SHOULDN'T.

      This whole discussion is pretty academic isn't it? Nobody is going to use Datacenter server for IIS or Terminal Services. That is not what it's for, you use Datacenter server for big databases or transaction processing, in which case there is no reason it should be accessible from an untrusted network.

      Keep in mind, untrusted includes your users as well as your DMZ. Never trust your own network!

    3. Re:IIS for Terminal Server? by Anonymous Coward · · Score: 0

      And it can run on any IIS machine, moron. Doesn't have to run on the terminal server itself. It's still just an RDP connection, the TSAC is a front end.

  13. do it yourself by vsync64 · · Score: 1

    I'm not an NT fan (run all UNIX stuff myself) but in general I've learned from bitter experience not to trust any sort of outsourcing solution. Learn to do it yourself, or hire someone who knows their stuff. But make sure you have direct control over your systems or they will spiral into ickiness.

    --
    TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.
    1. Re:do it yourself by 11+platter+hard+driv · · Score: 1

      YOU FOOL!

      You need an OEM to even get the chance to touch a MS Datacenter Server. You can buy advanced server off the shelf, but datacenter server is where the big bucks are, so of course they made it so that you have to go buy it direct from manufacturer, with all extra features.

      Please know what you are talking about before you post again.

    2. Re:do it yourself by innocent_white_lamb · · Score: 1

      What's foolish about his comment? Read it again. He is saying "stay away from outsourced services." MS Datacenter Server is available "outsourced" only. Therefore, the logical conclusion is "stay away from MS Datacenter Server and find another solution." See? It doesn't sound terribly foolish to me....

      --
      If you're a zombie and you know it, bite your friend!
  14. Unpatched MS Data Center box + routable IP == by angry_android · · Score: 2, Funny

    Worlds largest crack/xxx/iso/divx/pr0n server!
    I've seen it happen to production servers b4

    1. Re:Unpatched MS Data Center box + routable IP == by markov_chain · · Score: 2, Funny
      coke | nose > keyboard

      Thanks for the laugh :)

      ~

      --
      Tsunami -- You can't bring a good wave down!
  15. When you can't secure it, hide it. by haruharaharu · · Score: 5, Informative

    If you aren't allowed to patch your server, then you should isolate it behind a firewall of some sort, so that the chances of infection are minimized. This may not work well for IIS (beyond simply not running it), but it will serve you well in the general case.

    --
    Reboot macht Frei.
    1. Re:When you can't secure it, hide it. by Anonymous Coward · · Score: 0

      Yes, my employer also got hit 'behind' a Checkpoint firewall when Nimda came out. I don't think anyone here bothered to find out where it came from. They were too busy trying to remove it from servers that didn't have any AV running, as well as desktops that had NT Option Pack 4 running IIS for no reason.

      It's a great scam that Microsoft has running... I didn't realize until recently that Symantec runs their web presence on Linux. Isn't it ironic?

    2. Re:When you can't secure it, hide it. by SurfsUp · · Score: 2
      If you aren't allowed to patch your server, then you should isolate it behind a firewall of some sort, so that the chances of infection are minimized. This may not work well for IIS (beyond simply not running it), but it will serve you well in the general case.

      So, you're suggesting security by obscurity? Hmm, best of luck to you.

      Some exploits work just fine through the firewall, so then you've got a compromised server inside your firewall and a false sense of security. There's no substitute for being secure in the first place. If it's not secure, don't connect it to your network.

      --
      Life's a bitch but somebody's gotta do it.
    3. Re:When you can't secure it, hide it. by haruharaharu · · Score: 2

      So, you're suggesting security by obscurity? Hmm, best of luck to you.

      I would prefer to solve the problem, but if I can't patch, I'll do the next best thing: isolate the servers from the rest of the network. Good luck infecting with Nimda when you can't even hit port 80 and all mail ports are blocked (in case some nimrod installs Outlook on a Datacenter).

      --
      Reboot macht Frei.
    4. Re:When you can't secure it, hide it. by innocent_white_lamb · · Score: 1

      Good luck infecting with nimda when you can't even hit port 80 and all mail ports are blocked

      And what about the "next big thing" in cracks that can wander in and stomp all over your server from "causes unknown"? I didn't hear anybody screaming about the security holes that let Nimda in before Nimda actually got in. Perhaps the patch was available, but it wasn't the top-of-mind item for every IIS admin that there is. For evidence, see the spread of Nimda and Sircam.

      You can firewall for this and you can firewall for that, but you might not be able to firewall for "exploit x" unless you know what it is. And you might not know what it is until you have been 0Wn3D.

      --
      If you're a zombie and you know it, bite your friend!
    5. Re:When you can't secure it, hide it. by haruharaharu · · Score: 2

      You can firewall for this and you can firewall for that

      When you let 1, maybe 2 ports through, the next big thing tends to bounce off your firewall. If we don't explicitly need it, it ain't getting in!

      --
      Reboot macht Frei.
    6. Re:When you can't secure it, hide it. by falstaff · · Score: 1

      I work for a fairly large corporation, > 27k people. We had Nimda running loose inside our firewall. So did all the major firms in town that I work with. Someone gets a laptop infected at home, then brings it in to work. Poof, the corporation is infected. Best not to run IIS at all.

    7. Re:When you can't secure it, hide it. by haruharaharu · · Score: 2

      What is needed is compartmentalization - sure, you run a firewall between the world and the corp, but you also run a firewall in front of anything sensitive. Internal firewalls of this sort have the advantage of being able to be more restrictive because they're protecting at most a few services. Corp level firewalls have to be more permissive in order to prevent open user revolt.

      --
      Reboot macht Frei.
    8. Re:When you can't secure it, hide it. by Afrosheen · · Score: 1

      Solution: don't put win2k on laptops.

    9. Re:When you can't secure it, hide it. by Anonymous Coward · · Score: 0
      Solution: don't put win2k on laptops.

      You don't buy many laptops, do you?

      (I do know that my Linux laptop is not the typical corporate laptop...it did have an MS OS when I unpacked it, although it didn't the next day)

    10. Re:When you can't secure it, hide it. by pmz · · Score: 1

      If you aren't allowed to patch your server, then

      you shouldn't have bought it in the first place. What's a system administrator good for if he/she can't administrate?

    11. Re:When you can't secure it, hide it. by Jburkholder · · Score: 2

      >You can firewall for this and you can firewall for that, but you might not be able to firewall for "exploit x" unless you know what it is

      Isn't that the reverse of how a firewall actually should be set up? My limited experience has been that you start by blocking everything, and then open holes for just the things that need to get through. If you leave it open, and then attempt to run around blocking things as you become aware of them, it almost defeats the purpose, doesn't it?

    12. Re:When you can't secure it, hide it. by innocent_white_lamb · · Score: 1

      If you leave it open, and then attempt to run around blocking things as you become aware of them, it almost defeats the purpose, doesn't it?

      Indeed. Perhaps I didn't make my point sufficiently clear. Let's try again:

      There is a way to get through any firewall. There has to be, unless your box is disconnected from the net entirely, because that's the only way to have any functional use out of the thing. Therefore, by firewalling all of the functions that you are not using (or by firewalling all of the functions and then selectively opening up the ones that you are using, as you said) you are thereby opening a hole which could theoretically be exploited by the "next big thing" in massive Internet problems.

      There, does that clarify what I'm trying to say?

      --
      If you're a zombie and you know it, bite your friend!
  16. The best solution... by justletmeinnow · · Score: 0

    ...is when RedHat|Debian|Slackware comes out with their new RedHat|Debian|Slackware 2000 Datacenter Server!

    --
    Just because I AM paranoid doesn't mean they're NOT out to get me.
  17. Datacenter by Nickodemus · · Score: 5, Informative

    Is a locked down version of Windows. What happens when you lock it down? Well, intensive testing occurs first to determine what is being done with the box and what possible problems could arise. Then those problems are solved. Also, only certain applications are certified to run on a Datacenter box. The goal here is to achieve five nines. That is, have this box up and running for 99.999% of the year. Without thorough testing of applications this level of availability would be impossible.

    Part of what you get with a Datacenter purchase is a premier level of support. This includes a named engineer for support, and automatic escalation to the highest level for any support needs. It also includes any updates and/or fixes on a priority basis - if you have a Datacenter server you get patches, updates, etc. before anyone else does.

  18. customized solutions&patching by nusuth · · Score: 1

    It must be impossible to patch any linux installation if customized solutions are sooo hard to patch. Why would one wait for their OEM to move if they know a patch for one of the applications they are using is available? Download or apply only relevant parts of service packs, and you are done.

    --

    Gentlemen, you can't fight in here, this is the War Room!

    1. Re:customized solutions&patching by mindstrm · · Score: 3

      Because if you do *anything* not certified by the vendor, the 99.999% agreement is void, and they are not responsible for downtime.

      Datacenter is more of a custom solution package than a version of windows. Yes.. it's a version of windows 2000.. but it's really a whole package.

      In other words, it's a version of windows used by vendors to create huge custom solutions, usually for databases.

    2. Re:customized solutions&patching by cymen · · Score: 2

      Because this would void the 99.999% uptime deal and all the "sounds good on paper" but is really worthless crap when you do these deals. Is getting a refund on your fees worth more than your servers going down? So I agree with you to a degree but the pointy haired bosses would never agree with this... Least not until you gave them the "get hax0red right now or load an unapproved patch" rush case.

  19. Get a guarantee within the contract by Jeppe+Salvesen · · Score: 3, Interesting

    Get the vendor to patch your servers within 12 hours of Microsoft issuing a hotfix/patch. If they will not put that into the contract, tell them they're not professional enough. If they cannot do something as easy as that, would you really want them running truly business critical solutions for you?

    --

    Stop the brainwash

  20. Terminal Server but sort of OT by Anonymous Coward · · Score: 0

    While we are discussing Terminal Server, can anyone perhaps shed some light on whether it is possible or not to increase the bitdepth of a Terminal session? We have an application that looks terrible in the default 256-color mode and I've been banging around in the registry/component interface looking for an option to increase it.

    I mean, did MS flat out engineer it for minimum bandwidth requirements (dialups etc) or is there some way to use 15/16/24/32 bit color?

    - JoeShmoe

    1. Re:Terminal Server but sort of OT by ssimpson · · Score: 1

      You're out of luck I'm afraid buddy as this is a "feature" of TS.

      Adding Citrix XPs will give you more colours, better management tools etc.

      --
      "Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
    2. Re:Terminal Server but sort of OT by dark+druid · · Score: 1

      This is fixed with XP and .NET server. In W2K and NT 4 TSE there is no way to go above 256 colors.

    3. Re:Terminal Server but sort of OT by JoeShmoe · · Score: 1

      Unfortunately, a small shop like this one cannot afford to fork out the money for the server hardware, Windows 2000 Server AND on top of that, Citrix licensing.

      If I could have my wish I'd just X-server the whole thing but unfortunately this application is strictly closed-source Windows-only.

      I can't believe Microsoft hardcoded this. I mean, they are basically using the same code for their remote administration tools yet it lacks this most basic option that pcAnywhere and VNC has had forever.

      Unbelievable.

      - JoeShmoe

      --
      -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
    4. Re:Terminal Server but sort of OT by operagost · · Score: 1

      Not true. You can do this with FR1 (feature release 1). We are running this on our TS4/MF 1.8 farm right now.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    5. Re:Terminal Server but sort of OT by Anonymous Coward · · Score: 0

      They licensed Terminal Services from Citrix. Windows Terminal Services is basically a cut-down version of Citrix... upgrading gets you more colors, clients for multiple OSes, etc. I think the limitations are basically just part of the licensing agreement with Citrix.

      Similar to the way the disk defragmenter is a cut-down version of Executive Software Diskeeper, the CD burner in Windows XP is a cut-down version of Easy CD Creator, etc.

      The single-user version of Terminal Services included in Windows XP ("Remote Desktop") allows full colour... however, in a Beta version of .NET Server I tested this summer, the colour limitation remained; so I'm not sure if .NET Server is going to eventually have that fixed or not.

    6. Re:Terminal Server but sort of OT by SectoidRandom · · Score: 1

      The reason for the seeming lack of features is licensing. Remember the whole TS backend (RDP protocol) is originally based on Citrix work, which was licensed with many restrictions for obvious reasons, although I am only guessing. Example: NT4 Term Server was limited to 16 colours, no auto-drive mapping etc., 2kTS 256 cols with auto-printer mapping but no drive mapping, XP will have full colour support and printer / drive mapping.

      Obviously Citrix knew that it would be best to limit M$ 'innovation' as much as possible in the short-medium term when they licensed their code to them.

    7. Re:Terminal Server but sort of OT by OSgod · · Score: 1

      Partially right:

      NT4 TSE had 256 colors.

      W2K TS supports auto printer and drive mapping (drive mapping is via a tool provided for free from MS in the resource kit...)

      XP sounds like it makes Citrix that much more marginal....

    8. Re:Terminal Server but sort of OT by JoeShmoe · · Score: 2

      If only Citrix wasn't so stupid they would realize that the best way to keep Microsoft out of the Terminal Server space would be to adopt more competitive pricing.

      On the one hand you have Citrix at $5000 for 20 users. On the other hand you have Microsoft for $0 for unlimited users ($75 for any user not running Win2000).

      That's utterly insane. Why do they make such an absurdly high barrier to entry? Microsoft begins Server and Small Business Server at the 5-client license level so why on earth is Citrix starting at 20? They are immediately discounting almost all of the small businesses out there.

      Knowing now that I can't run 256 colors on Windows 2000 Terminal Services...I'm not about to recommend this mom and pop shop plunk down five grand for Citrix...I'm going to recommend they pay a few hundred and upgrade to Windows XP server.

      One day, like Novell, Citrix will wake up and wonder where all their customers went. Only then will they realize that people aren't interested in paying a premium for a market leader when Microsoft has a "good enough" option available for free.

      Feh! I was already upset I had to install Windows 2000 instead of Windows NT 4.0 Terminal Server...now I gotta install XP! Bleah!

      - JoeShmoe

      --
      -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
    9. Re:Terminal Server but sort of OT by Anonymous Coward · · Score: 0

      Except that Citrix gets a share of every copy of NT TS sold. Duh. MS pays Citrix for all their technology.

    10. Re:Terminal Server but sort of OT by Anonymous Coward · · Score: 0

      I'm highly dubious. Did Novell get paid for every copy of NT/2000 just because it included Gateway for NetWare?

      How do we know that MS didn't just embrace and extend as always? They could have reverse-engineered the RDP protocol and then made their own clean room implementation?

      - JoeShmoe

    11. Re:Terminal Server but sort of OT by Taurine · · Score: 1

      Didn't Microsoft buy a very large, possibly controlling chunk of Citrix about three years ago? I remember reading at the time that the conditions of the investment were that MS got a director on the board and very easy terms for integrating TS into Win2k.

    12. Re:Terminal Server but sort of OT by Anonymous Coward · · Score: 0

      Do you like to play Quake on your TS?

      WTF do you want with high color on a remote admin terminal?

      I think this is probably a deal with Citrix that allows MS to do terminals at all.

    13. Re:Terminal Server but sort of OT by budgenator · · Score: 2

      Which features? Like easy remote bruteforce hacking of user IDs/passwords and almost trivial escalation to admin privileges?

      Maybe Microsoft is starting to pull its head back out into the sunshine. Legacy support often perpetuates legacy bugs/exploits. Personally, if someone is spending $500K on a hardware/software system, the life-blood of the corp, isn't having a competent admin on site pretty cheap insurance?

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
  21. Would They? by nexex · · Score: 1

    "Would anyone out there actually recommend Datacenter for corporate environments?" -- Sure, Bill Gates, Paul Allen, etc... ;)

    --
    Winter 2010: With Glowing Hearts
    1. Re:Would They? by Anonymous Coward · · Score: 0

      i would

  22. It all boils down to trust by DevTopics · · Score: 5, Insightful

    The real question is: can you trust your OEM?

    Then you can negotiate all the details. And remember: 99.999% uptime does not mean that your server stays up that long, but that you have only an unscheduled downtime of 0.001% or less. Applying a patch is, in nearly every case, a scheduled downtime and does not count.

    Now imagine you really, really need this patch: you can urge your OEM to install it and keep him free from all responsibility (e.g. a server crash after this does not count to the unscheduled downtime, because it was your decision to apply it). If you trust him to play fair, that's fair for both of you. If the OEM is trustworthy, he'll do what you order him to do, but in that case you will be responsible for the outcome as well. You can't burden someone with responsibility if he can't make the decision (unless you don't play fair).

    --
    You found a sword: +4 damage, +5 moderator points
    1. Re:It all boils down to trust by SectoidRandom · · Score: 1

      I disagree, if I was such a vendor and someone asked for me to trust them to do a patch, hell even to click Start-Shutdown, I would only do so on two conditions: first, I have known and worked with you for YEARS (so I know exactly what you know), and secondly if the contract allows it.

      The second point I certainly hope would *never* allow it! The whole point of a vendor provided / supported solution like this is to keep every "computer expert" from going in and "fixing" it! (Note emphasis, nothing personal of course)

      It's all a non-issue I believe anyway, the whole point of such contracts and vendor solutions is that they do the work, including all maintenance and patching. If it's a money-back (or part of) guarantee, then they (the vendor) better be damn sure they keep things patched / running.

    2. Re:It all boils down to trust by SectoidRandom · · Score: 1

      Sorry, let me clarify my point there a little, especially in context of what you said;

      Quote: "Now imagine you really, really need this patch: you can urge your OEM to install it and keep him free from all responsibility"

      That is especially bad from the vendor's point of view, as one small patch could cause not only an immediate effect, but much much worse, some minor, perhaps unknown problems later.

      From my perspective as soon as such a server is (let's say) tainted by someone else it's a lost cause! :)

      Maybe I'm just a control freak tho? :)

    3. Re:It all boils down to trust by anticypher · · Score: 2

      99.999% uptime does not mean that your server stays up that long

      It depends on who writes the contract. I maintain servers with a 5x9's availability (not uptime, that is something different) guaranteed; the metric is taken at the end of every month for the previous 12 months of operation for a period of 6 years. The 5x9's include no scheduled downtime; we always switch in a fully tested duplicate system for the biannual hardware maintenance. If we ever have a crash that takes out the whole system for more than 7 minutes, we can write our bonuses goodbye for the next 13 months. The bonuses are the only form of profit built into the contract after all the engineering costs are covered.

      The real question is: can you trust your OEM?

      No, the real question is whether your management is stupid enough to believe a vendor offering a mythical 5x9's availability without a well developed plan for redundant hardware switchover, mirrored machines, RAID storage, onsite spare hardware, experienced engineers who live within 30 minutes' drive from your site with a goddamned pager surgically attached [end rantlet]. Did I forget to mention the motorcycles in case of large traffic jams :-) For the original poster's question, start googling for horror stories about the OEM and their failed installations, and compile a list for the next presentation. Then watch the sales slime start to sweat, mumble, and wave their hands to try warding off bad karma.

      To offer 5x9's, the vendor must provide their own power (a battery room built by a qualified company), local stocks of spare hardware, and be able to supply a complete duplicate system within a few hours. At every one of our 5x9's sites, we have our own office space, with our own phones and our own internet connection.

      As you can tell, a real 5x9's contract costs about 5 times as much as a regular installation. A real 5x9's contract always specifies the length of time to measure against, usually over a number of years, often as a moving average for the previous year or 24 months. A real 5x9's system isn't delivered on a custom burned CD-R so the client can fuck up the installation.

      the AC

      --
      Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
    4. Re:It all boils down to trust by HiThere · · Score: 2

      The kinds of contract being discussed here seem to demand a control freak. Who else would be willing to honestly make that kind of a guarantee?

      (There are answers, but those folk aren't honest.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  23. OEM's are required to give 24/7 support. by Johnno74 · · Score: 3, Informative

    I can't find any info on MS's site right now, but I'm sure that OEMs that supply W2k datacenter are required to have a support team ONSITE at MS's campus 24/7.

    This article raises a very good point, but Microsoft's idea behind Datacenter was that they had total control over the hardware environment, and they made sure OEMs would stand behind it too, so I'd be very surprised (and disappointed) if the OEM didn't contact their customers *immediately* with patches whenever there was a hole (and I'd guess they are pretty busy too ;)

    1. Re:OEM's are required to give 24/7 support. by Anonymous Coward · · Score: 0

      If the _custom_ patch has not been written, then there is no support to be given besides an apology (which does little good to recoup the $$ lost).

      Remember the US battleship that was dead in the water for 4 hours because of a crashed NT computer? What is support going to do then? Support is not the magic solution, but more often than not, a place to point a finger.

      (I am support.)

    2. Re:OEM's are required to give 24/7 support. by Anonymous Coward · · Score: 0

      Remember the US battleship that was dead in the water for 4 hours because of a crashed NT computer?


      Nope, I sure don't, seeing as it didn't happen. I definitely remember a lot of anti-MS zealots spreading that little fantasy around, though.

  24. Datacenter, advanced server and a firewall by Daath · · Score: 2

    Put Datacenter behind a firewall, the webserver (Advanced Server or the like) on the DMZ, and have a secure "pipe" to the Datacenter server where your database resides - no need to use the Datacenter server as your webserver too; if you can afford Datacenter Server, you can afford a separate machine acting as a webserver.
    Just my opinion, but hey, I'm a Linux guy...

    --
    Any technology distinguishable from magic, is insufficiently advanced.
    1. Re:Datacenter, advanced server and a firewall by Bert64 · · Score: 1

      But, putting a possibly insecure webserver where it can both be accessed from the outside, AND gain access to the critical internal systems, is no better than putting the critical systems directly accessible. If a cracker or a worm infiltrates the webserver, it could be used as a stepping stone into the internal systems.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    2. Re:Datacenter, advanced server and a firewall by haruharaharu · · Score: 2

      Not likely. In this configuration, the database runs SQL server and nothing else. There is a firewall between the web and data tier with one, maybe two ports turned on. Besides, you can patch the web server.

      --
      Reboot macht Frei.
  25. DUH! :) by gnovos · · Score: 4, Funny

    I can see you haven't worked with Microsoft software very much, so I'll give you the solution: Reinstall your machine.

    It's *just that simple*, can you believe it? Every time Nimda hits your machine, just wipe out the system drives, reformat and re-install! Easy, right? Sure you may have to reinstall 40 or 50 times a day, but again, if you are familiar with M$ software, you'll know you need tons of backup machines that you can swap out as needed with your infected machines. Make an assembly line of it. Have one guy reformatting, another guy reinstalling and a third guy disconnecting the infected boxes and plugging the fresh machines into the network!

    Now, where do you want to go today?

    --
    "Your superior intellect is no match for our puny weapons!"
    1. Re:DUH! :) by Anonymous Coward · · Score: 0

      It's not just Microsoft that is anal about this. I was appalled at a recent conversation with an application support person where I work. She was trying to implement a new product and it was not going well, so the vendor told her to uninstall Windows so that they could check that the registry settings were correct.

    2. Re:DUH! :) by Anonymous Coward · · Score: 0

      A friend of mine's brother actually does this. He makes a lot of money.

  26. Redundancy? by Sase · · Score: 2, Insightful

    *Nod* all of these servers should be placed far behind a strict ruleset firewall.

    But what about redundancy? That's one thing I don't like about this "Datacenter": why should there be only one? Or.. why should an application have to call for just "one" server? Wouldn't it be wiser to develop the application across a dual array of servers? Each one of these servers could be easily patched in a matter of minutes, at the same time. (Say Windows 2k Advanced Servers.)

    I'm personally not a fan of MS server products.. Although I have had to use them for quite a few applications.. but there has to be a way to get by the "necessity" for Datacenter Server.

    --
    ------------
    Sase
    "It's the opposite of that."
    1. Re:Redundancy? by Anonymous Coward · · Score: 0

      Your question could just as easily be applied to Sun hardware. I would guess that the reason you want one big machine is because you need lots of memory, and you need lots of processors that need to access all that memory. Having a cluster of dual proc machines each with 64GB of memory is probably much more expensive than one big machine with 32 processors.

    2. Re:Redundancy? by Sase · · Score: 1

      Wasn't there a Linux project that pooled the resources of multiple servers to create one virtual server... or really.. isn't there one out there?

      Hrm.

      --
      ------------
      Sase
      "It's the opposite of that."
  27. The good sides of Mainframe Mentality... by mdb31 · · Score: 5, Insightful
    Windows 2000 Datacenter installations are hard to patch for the very same reasons that apply to IBM, Sun, HP, etc. installations of the same magnitude: you just don't touch them.


    This is commonly referred to as the Mainframe Mentality: these systems are so critical to a business, you don't make any changes to them unless these changes are a. absolutely critical and b. have been tested extensively in the exact configuration you'll be running them in.


    Now, it may seem that this would cause every Windows 2000 Datacenter server to be instantly infected with Code Red and friends, but in reality this will not be the case, because:

    1. You don't expose your Datacenter servers to the Internet -- never. No matter if you're running Microsoft, AIX, Solaris or Linux: only trusted systems should have strict "need to know" access to your server;

    2. Datacenter-type servers typically don't run HTTP servers. You would scale out HTTPDs (more boxes), not scale them up (bigger boxes). Also see rule 1;

    3. The config of your Datacenter server is the bare minimum. So, in the case of Windows 2000, you would not ever run IIS or Index Server (the true culprit in the case of Code Red et al...) on it, just your database server and perhaps your business logic (although that, again, tends to scale out better than it scales up).


    In summary: security hotfixes and Datacenter-type environments tend to be mutually exclusive. If you need a patch to your Datacenter server, it pretty much needs to be custom-developed for you. Fortunately, since Datacenter setups are not typically designed by the clueless individuals that gave Code Red free rein, this tends not to be an issue in real life.

    1. Re:The good sides of Mainframe Mentality... by Anonymous Coward · · Score: 0

      MS Clustering for W2K REQUIRES IIS and the Index service!

      Firewalls don't stop users from bringing in infected laptops from home that start infecting production machines. I've seen this so many times. Businesses thought that their servers were protected behind the firewall, only too soon to find dozens of servers infected with Code Red or Nimda because some developer with a laptop and a cable modem at home infected the servers. Firewalls are a false illusion of safety. Stupid users can always bypass security at any time.

      What you have to do is apply IP filtering to the cluster so that HTTP and other services are blocked from the intranet.

    2. Re:The good sides of Mainframe Mentality... by Anonymous Coward · · Score: 0

      MS Clustering for W2K REQUIRES IIS and the Index service!

      No, it does not. What the fuck gave you this idea?

    3. Re:The good sides of Mainframe Mentality... by Kevinv · · Score: 1

      Well, to counter point 1 - we had a user take a Windows 2000 laptop home, get infected with Code Red, then bring it back in the office and start infecting IIS that hadn't been patched because "they weren't exposed to the internet"

      So that is no protection.

      Kevin

    4. Re:The good sides of Mainframe Mentality... by mdb31 · · Score: 1
      Well to counter point 1 - we had a user take windows 2000 laptop home, get infected with code red, then bring it back in the office and start infecting IIS that hadn't been patched because "they weren't exposed to the internet"


      May I suggest reading point 1? "Only trusted systems should have strict "need to know" access to your server" (emphasis mine). Now, user laptops != trusted systems -- they should not be anywhere on the same network. In some scenarios, the user could infect a trusted system, which would then get to the Datacenter server, but clueful system designers/admins would not let that happen either (by not installing IIS and/or Index Server on systems that don't require it, limiting outbound connections from the middleware servers to the Datacenter server to be SQL-only, etc. etc.)

    5. Re:The good sides of Mainframe Mentality... by mdb31 · · Score: 1
      MS Clustering for W2K REQUIRES IIS and the Index service!

      Oh, wow, I guess I better go fix all my Windows 2000 AS clusters, then, since it's impossible that they have been running only SQL server for the past few years! Even if the cluster service install depends on IIS/Index Server (I don't remember and am too lazy to try, although I doubt it...), you can definitely disable the services afterwards.

      Firewalls are a false illusion of safety

      Yeah, in most cases I would tend to agree with you, especially since the term "firewall" has been overloaded into oblivion. Firewall-like tools (NAT, port/address ACLs, content screening, etc.) can be extremely valuable in building secure services, though.

      The most common problem is that people equate a $100K Firewall-1 box with security. In reality, security requires a deep awareness of all related issues on all levels (hardware, software, people).

    6. Re:The good sides of Mainframe Mentality... by Anonymous Coward · · Score: 0

      I was once an IT idealist.

    7. Re:The good sides of Mainframe Mentality... by Anonymous Coward · · Score: 0

      Put an internal firewall array in front of your servers. The servers should not trust one another nor anything else on the network unless they have to!

    8. Re:The good sides of Mainframe Mentality... by Anonymous Coward · · Score: 0

      Okay,
      So _trusted_ systems means your tech support team's Windows-based computers, which are vulnerable to regular viruses? Or do you need to buy 'secure' terminals to maintain MS DCS? Or is the OEM the only one to maintain the 'DataCenter server'?
      If I recall correctly, Nimda breached holes via e-mail, windows file-sharing, AND IIS. So are these services not available on DataCenter server?
      If M$'s datacenter server were binary incompatible with _all_ other windows products, then I might trust it.

    9. Re:The good sides of Mainframe Mentality... by haruharaharu · · Score: 2

      Firewall don't stop users from bringing in infected laptops from home that start infecting production machines. --- Firewalls are a false illusion of safety. Stupid users can always bypass security at any time.

      I've seen you before. You were spewing the same tripe then as now.

      Firewalls do stop users when they lie between the server and everything else. If I were configuring a database server, it would have two ports accessible from the corp - ssh and the database. Nimda can't do much over that.

      Also, if your users can get physical access to a datacenter style box, you're boned. That's just a given

      --
      Reboot macht Frei.
    10. Re:The good sides of Mainframe Mentality... by Kevinv · · Score: 1

      Maybe you should re-read your own point 1:

      You don't expose your Datacenter servers to the Internet -- never.

      The internal network is not the Internet. Now you're saying not to expose your data center to the internal network -- valid, but not your first point.

      Kevin

    11. Re:The good sides of Mainframe Mentality... by evilphish · · Score: 1

      or Linux: only trusted systems should have strict "need to know" access to your server;


      finish reading his first point please

      --


      who sez death can't be funny....www.endlesssorrow.com
    12. Re:The good sides of Mainframe Mentality... by gentlemoose · · Score: 2, Interesting

      I run one datacenter server. 8-way intel hardware.

      1: It got spanked by nimda. It's inside the corp. firewall, but the virus got into the network via email. Once inside, that particular region of the network is largely insecure. We're running it in a lab/demo environment, so security is not a huge concern.

      2: The damned thing shipped with IIS installed and running. Since it's the only OEM OS we have in our lab, I didn't notice it there in the three days the box was plugged in.

      3: see 2.

      Called the vendor. Support was !ofclue about patches. The best I could do was apply all of the IIS-related patches, disable all MS internet services, and clean the hell out of the system. Love me some MS.

    13. Re:The good sides of Mainframe Mentality... by haruharaharu · · Score: 2

      So _trusted_ systems means your tech support team's Windows-based computers

      Of course not. Trusted means the other machines in the cluster and a port through the firewall to untrusted SQL clients or whatever your Datacenter box does. And, if you run IIS on that thing, you had better not allow anything to talk to it. Do that and I will point and laugh.

      --
      Reboot macht Frei.
    14. Re:The good sides of Mainframe Mentality... by Tony-A · · Score: 1

      The internal network is not the Internet.
      Only if no one on the internal network has ever received email or accessed a web page. Probably a few others I have forgotten.
      How to get any work done without exposing your data center is an exercise left to the reader.

    15. Re:The good sides of Mainframe Mentality... by mmcgreal · · Score: 1

      I'm gonna have to disagree with you here, as an administrator of many large installations of IBM and Sun systems, I can assure you that when we become aware of a root exploit, we assess the impact of the upgrade, and get it installed. The "mainframe mentality" you refer to is a copout. Any admin worth his salt should have his systems stable enough that he will not be afraid to change things on them (with due caution of course). Of course, I'm not an NT admin, so I can only conjecture how shady a patch from Microsoft can be.

      And as for "You don't expose your Datacenter servers to the Internet" - you obviously are not keeping up with current security issues, since it's well known that 80% of break-ins occur from the inside. Not to mention the fact that all large enterprises are internetworked, period. There is always a way in from somewhere, including the Internet, and thus there is no such thing as a "secure network".

      And what's this about "Datacenter-type servers typically don't run HTTP servers"? There's plenty of services besides web servers that are potential points of attack. IIS just happens to be consistently faulty.

      And what's this about "The config of your Datacenter server is the bare minimum"? I've never seen a bare minimum server running SAP, or Oracle.

      The question is, what does Microsoft mean by Datacenter? They make it sound like you have every operation in the company riding on one Microsoft box. If you're doing that, you've got bigger problems than the occasional security patch.

    16. Re:The good sides of Mainframe Mentality... by posmon · · Score: 1

      1. you shouldn't run iis on dc
      2. you shouldn't share folders on dc
      3. wtf? email?!? you wouldn't be installing outlook on it

      --

      update comments set karma=-1, reason='offtopic' where sid=26315

    17. Re:The good sides of Mainframe Mentality... by Ioldanach · · Score: 1

      Firewalls do stop users when they lie between the server and everything else. If i were configuring a database server, it would have two ports accessible from the corp - ssh and the database. Nimda can't do much over that.

      Scratch ssh, too, if you have operators in your shop 24x7. And if you're looking for 5x9's, you probably do. If you need something done on the server, do it via console or via a special workstation (also running minimal services) inside that level of firewall and inside your secure server room.
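The tiered, need-to-know filtering that mdb31, haruharaharu and Ioldanach describe in this subthread, as an added example that is not code from the thread, Microsoft or any OEM: a small Python model of a default-deny policy for the database host, evaluated against constructed connection attempts, with the weak "whole intranet is trusted" rule set beside the corrected one. All addresses, ports and connection records are constructed.

```python
# Added example; not code from the Slashdot thread, Microsoft or any OEM.
# A small model of the default-deny, "need to know" filtering the posters
# describe for a Datacenter-style database host. Every address, port and
# connection record here is constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str              # permitted source network, CIDR notation
    dport: Optional[int]  # permitted destination port; None means any port
    proto: str = "tcp"

    def matches(self, src_ip: str, dport: int, proto: str) -> bool:
        return (proto == self.proto
                and (self.dport is None or dport == self.dport)
                and ip_address(src_ip) in ip_network(self.src))


# Weak setting: the whole corporate LAN is treated as "trusted", so any
# intranet host (including a roaming laptop) can reach any service.
INTRANET_TRUSTED: List[Rule] = [Rule("10.0.0.0/8", None)]

# Corrected setting: default deny. Only the web/middleware tier may reach
# SQL Server (TCP 1433), and only one hardened admin console may reach SSH.
# Drop the SSH rule as well if the box is administered from the console.
NEED_TO_KNOW: List[Rule] = [
    Rule("10.1.2.0/24", 1433),   # web tier subnet (constructed)
    Rule("10.9.9.10/32", 22),    # admin workstation in the server room (constructed)
]


def is_allowed(rules: List[Rule], src_ip: str, dport: int,
               proto: str = "tcp") -> bool:
    """Default deny: a connection passes only if some rule explicitly permits it."""
    return any(rule.matches(src_ip, dport, proto) for rule in rules)


def parse_record(line: str) -> dict:
    """Parse one constructed 'key=value' connection-attempt record."""
    fields = dict(token.split("=", 1) for token in line.split())
    return {
        "src": fields["src"],
        "dport": int(fields["dport"]),
        "proto": fields.get("proto", "tcp"),
    }


def audit(rules: List[Rule], records: List[str]) -> List[Tuple[str, int, str]]:
    """Evaluate each connection attempt and return (src, dport, verdict)."""
    verdicts = []
    for line in records:
        rec = parse_record(line)
        ok = is_allowed(rules, rec["src"], rec["dport"], rec["proto"])
        verdicts.append((rec["src"], rec["dport"], "ALLOW" if ok else "DENY"))
    return verdicts


# Constructed connection attempts against the database host 10.1.100.5.
ATTEMPTS = [
    "src=10.1.2.15 dst=10.1.100.5 dport=1433 proto=tcp",    # web tier -> SQL Server
    "src=10.9.9.10 dst=10.1.100.5 dport=22 proto=tcp",      # admin console -> SSH
    "src=10.1.50.23 dst=10.1.100.5 dport=80 proto=tcp",     # roaming laptop probing IIS
    "src=10.1.50.23 dst=10.1.100.5 dport=445 proto=tcp",    # same laptop probing SMB shares
    "src=10.1.50.23 dst=10.1.100.5 dport=139 proto=tcp",    # NetBIOS session service
    "src=10.1.2.15 dst=10.1.100.5 dport=22 proto=tcp",      # web tier -> SSH: not need-to-know
    "src=203.0.113.7 dst=10.1.100.5 dport=1433 proto=tcp",  # Internet host -> SQL Server
]


if __name__ == "__main__":
    for name, policy in (("intranet trusted", INTRANET_TRUSTED),
                         ("need to know", NEED_TO_KNOW)):
        print(f"--- {name} ---")
        for src, dport, verdict in audit(policy, ATTEMPTS):
            print(f"{src:>14} -> port {dport:<5} {verdict}")
```

Under the weak policy every intranet attempt, including the laptop's IIS and SMB probes, is allowed and only the Internet host is refused; under the corrected policy only the two need-to-know flows pass.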

  28. Linux by g_bit · · Score: 1

    Would anyone actually recommend one of those Linux based "all-in-one" appliances that you guys love so much? You have to wait for your vendor to patch those too!! Do you hear anyone asking that question?? Nope.

    1. Re:Linux by C0vardeAn0nim0 · · Score: 2

      You don't have to wait for the "vendor" to patch anything.

      It's open source. If the maintainer of that specific package doesn't come up with a solution in less than 24h, FIX IT YOURSELF. You have the code, for G_d's sake...

      --
      What ? Me, worry ?
    2. Re:Linux by Anonymous Coward · · Score: 0

      Uhmm??

      Linux is open-source...
      if it doesn't work, FIX IT! (you have the source).

      No waiting required..

    3. Re:Linux by mickeyreznor · · Score: 2

      Would anyone actually recommend one of those Linux based "all-in-one" appliances that you guys love so much? You have to wait for your vendor to patch those too!! Do you hear anyone asking that question?? Nope.

      2 Things you can do if you find a security hole in a linux server:

      1. You can ... fix it yourself(assuming you have someone who understands the code)!

      2. You can hire anyone else to do it for you, not just the vendor.

      Those are 2 things you can't do with things like win2000 datacenter.

    4. Re:Linux by Anonymous Coward · · Score: 0

      Ok,
      I run an 'all in one' Cobalt box, runs very well - talk about 99.999% ... well it's close - haven't done the sums but at 1K .. not bothered!
      (got hit by the Linux Rollover bug ... not bad - equates to alot of uptime... thought the box had been rebooted .. had just been up long enough to rollover the uptime counter!!)
      Anyways - patches yeah..
      No Probs - sun are on the mark, did get hacked ages back but deserved it... now well used as a hosting env and love reading apache logs for nimda attempts - 40 per in recent times.
      Other comments notwithstanding.
      But there you go, maybe it's a Sun experience, but the base is the same.
      It's where you start from.
      Regards
      Fwisong

    5. Re:Linux by Afrosheen · · Score: 1

      Please don't feed the trolls.

    6. Re:Linux by Anonymous Coward · · Score: 0
      A bug was found two days ago in my kernel. I read about it two hours later, fixed it, recompiled and rebooted. Problem gone.

      Do you understand? If not, reread the above paragraph until you do. It's a true story.

  29. Unanswered Question by Phroggy · · Score: 4, Funny

    If anyone out there is running Win2k Datacenter, I've got an important question I've been trying to find the answer to, with no luck so far. Can someone finally give me an answer? The question is this:

    Does Windows 2000 Datacenter ship with 3-D Pinball installed by default? If so, is it in the Start menu?

    That's all. Thanks.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    1. Re:Unanswered Question by alen · · Score: 2

      If we do buy datacenter I'm planning on burning me a copy and install it on my home network. And maybe share it out to a few thousand of my closest friends.

    2. Re:Unanswered Question by thefogger · · Score: 1

      Yea, and I'm gonna put it on my router. Since it's custom developed for me, it'll surely run on that AMD K5. And don't tell me that "it needs at least 8 CPUs" - I'll just fire up my hex editor and find that stupid "Number of CPUs: 0x01" byte in my BIOS and change it to 0x08... or the heck, I'll set it to 0xFF.

      --


      Um... I didn't do it!
    3. Re:Unanswered Question by Anonymous Coward · · Score: 0

      Well, you're joking, but lots of the l33t warez dudes actually think that running W2K Advanced Server makes them cool (even though it's tuned for 5+ CPUs and 1+ gig of RAM which makes it run slower on standard desktop stuff).

    4. Re:Unanswered Question by tino_sup · · Score: 1

      I think Phroggy is onto something regarding Pinball. Hmmmmmmmm. Thanks for the laugh Phroggy!!

      --
      I am me...I think
    5. Re:Unanswered Question by Anonymous Coward · · Score: 1, Interesting

      It doesn't matter, I've seen way too many servers running the OpenGL screensavers. Mind you, servers aren't known for their hardware 3D, so it's all done in software.

      That alone will take up many times more hardware resources than a game of pinball.

    6. Re:Unanswered Question by Anonymous Coward · · Score: 1, Interesting

      Actually no, they took all non-essentials out. Even the "fade" effect in the start menu :-(

    7. Re:Unanswered Question by Patrick+Cable+II · · Score: 1

      Yes, I've found 3-D Pinball to be an extremely useful database tool ;-)

      Patrick

    8. Re:Unanswered Question by Noehre · · Score: 1

      I wish I had one of those cool 5-way SMP boards.

    9. Re:Unanswered Question by Anonymous Coward · · Score: 0

      I do...

    10. Re:Unanswered Question by EvilStein · · Score: 1

      It does?!?! Oh crap.. oh well, I guess that's what I get for grabbing the first CD I saw lying around the office.. arrrgh..

      Good thing RAM is cheap. :)

      In truth, it's running ok on a 700 MHz Athlon, 256 MB RAM. It doesn't do a whole lot but act as a DC, and "fun with IIS!" box. *shrug*

  30. Comment removed by account_deleted · · Score: 5, Informative

    Comment removed based on user account deletion

  31. Datacenter _is_ vulnerable by dybdahl · · Score: 3, Insightful

    Nimda did go behind firewalls. It came in via e-mail or external consultants with laptops that attached to the LAN, and then attacked all intranet servers. As the story says, IIS is used for administering these servers, so they are indeed in a very vulnerable position and need to be patched.

    1. Re:Datacenter _is_ vulnerable by Score+Whore · · Score: 1

      Err. In every clued-in installation I've worked in, all the database servers were sitting in their own private DMZ. With tight-ass firewall rules. Only specific hosts can connect to the database servers and then only on specific ports. And the firewalls are stateful and make sure that the protocols being used are appropriate for talking to the database servers.

      Any architect that will sign off on a $500k server installation that doesn't include at least $50k for an HA, stateful firewall specifically in place for that server is an idiot that deserves to be pink-slipped.

  32. Cool by Anonymous Coward · · Score: 0

    Theres a secret message in this troll comment!

  33. Clues: #@ + 1 ; Intriguing @# by Anonymous Coward · · Score: 0

    I bet that it is a coded message from bin Laden
    to Jon Katz asking to cease and desist from
    posting his lame stories to this site.

    Thank you and have an Afghan-opium filled day.

  34. I'm guessing by loraksus · · Score: 3, Interesting

    Since you're paying microsoft a shitload of money, I'm sure that something can be worked out. All the friggin losers who were hitting my box with (a la Code Red) were on DSL / @home lines.

    Incidentally, the IIS vulnerability was known since IIS 4.0 was released. It was kept secret by MS because of the "If no one knows about it, no one will exploit it". I'm thinking the Datacenter people get the patches that home users don't - sort of like Netware's support: there is a $200 per support issue, but they will forward the problem all the way up to the guy who coded the section you are having a problem with.

    The lame fuck of the day is 24.202.127.156

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
    1. Re:I'm guessing by Anonymous Coward · · Score: 0
      Incidentally, the IIS vulnerability was known since IIS 4.0 was released. It was kept secret by MS because of the "If no one knows about it, no one will exploit it".

      Could you post a URL for that? Are you referring to the default.ida vulnerability?

    2. Re:I'm guessing by Anonymous Coward · · Score: 0

      The lame fuck of the day is 24.202.127.156

      Hehe, that's better than "To the owner of the white Honda Minivan with licence plate 9CHT097: Your lights are on."

    3. Re:I'm guessing by Anonymous Coward · · Score: 0

      Uh, hello, but this is BS.

      MS, as well as _EVERY_ closed source vendor (that I'm aware of, at least) will send that support issue up to development if you can prove that the fault lies in their code. The problem with calling them for support on a per-incident-basis (ie, no formalised contract) makes it a little harder to get it pushed up that ladder without a fight. The problem is getting it past their generally clueless level 1 guys (or whatever it is they call them in Redmond).

      This usually consists of providing them with a core dump and a way to reproduce the problem on a pristine install. If they can reproduce the problem in their labs, and a code re-write is warranted, you _WILL_ get that patch as a means of resolution for that support call. I've worked with them on and off for years, and _NOT_ONCE_ have I been told I'd have to wait for a patch to go public.

      I've done kernel, app, and driver development on Windows, OS/2, and other platforms, and this is pretty much standard operating procedure across the industry. Netware is not unique in this point.

    4. Re:I'm guessing by Anonymous Coward · · Score: 0

      "Incidentally, the IIS vulnerability was known since IIS 4.0 was released. It was kept secret by MS because of the "If no one knows about it, no one will exploit it"."

      That's simply not true. Good job at spreading misinformation, though... keep it up, you moron.

  35. SLA... by Anonymous Coward · · Score: 0

    I searched e2, and found Symbionese Liberation Army, Sealed Lead Acid battery.

    Still don't know what it is that you are referring to :/

    1. Re:SLA... by b0r1s · · Score: 1
      try something more useful than e2....

      it'll help. really. :

      SLA : Service Level Agreement

      SLA : Software License Agreement

      --
      Mooniacs for iOS and Android
    2. Re:SLA... by JoeShmoe · · Score: 2

      Service Level Agreement.

      Basically, what is and is not covered in your support contract. For big orders, you get to negotiate your own EULA not just take what they hand you.

      For example, an SLA might cover financial losses due to system failure, whereas every normal EULA under the sun absolves hardware vendors of liability for secondary losses.

      - JoeShmoe

      --
      -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
    3. Re:SLA... by Anonymous Coward · · Score: 0

      http://3640001799/cgi-bin/dict.pl?term= %67%75%6c%6c%69%62%6c%65

      Pretty nice to see Mozilla replacing the space by %20.

    4. Re:SLA... by Anonymous Coward · · Score: 0

      I'm not sure if this is a "way to go Mozilla" pat on the back or a "nyeah nyeah Microsoft" dig so I think I should point out that IE also substitutes %20 for the space.

      In fact, i'm kinda counting on it because of Slashdot's stupid URL chopper. If I make it a link, it translates the %'s into clear text and if I write the URL out it gets cut at the fourth letter. What's a trickster to do?

      - JoeShmoe

    5. Re:SLA... by TheMidget · · Score: 1
      In fact, i'm kinda counting on it because of Slashdot's stupid URL chopper. If I make it a link, it translates the %'s into clear text and if I write the URL out it gets cut at the fourth letter. What's a trickster to do?

      Just use + to represent a space.

  36. Sybase by YuppieScum · · Score: 2

    As a sort of related issue, we're going to see many more implementations of W2K/DC & MS-SQL, as Sybase have decided to "update" their licensing model and fuck their customers in the arse.

    Originally, it was:
    Is your Sybase database accessed outside your company? Yes? More money please!

    Now its:
    Is the data in your Sybase database accessed outside your company? Yes? More money please!

    Note the subtle difference. We've got many front end applications in a DMZ talking to Sybase in our datacentre - the users never see Sybase, nor even know where the data comes from - but now Sybase want more money...

    So our CIO has done a deal with the Great Satan of Software, and we're going to

    1. Sell all our Sun kit we use for hosting Sybase
    2. Buy shit-loads of cheap x86 servers
    3. Have MS "consulting services" port all the DBs and integrate them with our existing applications.

    --
    This sig left unintentionally blank.
    1. Re:Sybase by Anonymous Coward · · Score: 0

      MS SQL has the same licencing -- a web user (not a connection, a user) counts as a SQL user which needs a seat. Of course, their unlimited prices might be cheaper than Sybase's.

    2. Re:Sybase by Anonymous Coward · · Score: 1, Informative

      You need a Client Access License (CAL) only if the user is directly accessing the SQL Server. If you have 1,000 users hitting a webserver, but the one webserver is the only device hitting the SQL Server, then only the webserver needs a CAL, not the 1,000 users.

      If 1,000 Internet users are directly accessing the SQL Server, then you need to get a per-processor license for the SQL Server.

      If 1,000 corporate users are directly accessing the SQL Server over the WAN or LAN, then you need 1,000 CALs.

    3. Re:Sybase by Anonymous Coward · · Score: 0

      Didn't MS SQL come from sybase long ago?

    4. Re:Sybase by MadAndy · · Score: 1
      You need a Client Access License (CAL) only if the user is directly accessing the SQL Server. If you have 1,000 users hitting a webserver, but the one webserver is the only device hitting the SQL Server, then only the webserver needs a CAL, not the 1,000 users.

      That's not quite right. From the MS website ( http://www.microsoft.com/sql/howtobuy/pricing/default.asp ):

      Multiplexing is the use of hardware and/or software to reduce the number of devices that directly access or use the software on a particular server. An example of multiplexing is a server application that calls the Microsoft Transaction Server (MTS) component of Microsoft Windows 2000 Server on one server, which in turn pulls data from a SQL Server database on another server. The client computer has a direct connection to the server running MTS, but it also has an indirect connection to SQL Server because it is ultimately retrieving and using the SQL Server data through MTS.

      Use of such multiplexing, pooling, or related hardware and/or software does not reduce the number of CALs required for SQL Server. Regardless of how many tiers of hardware or software exist between the SQL Server and the client devices that ultimately use its data, services, or functionality, a CAL is required for each distinct input to the multiplexing, pooling, or related software or the hardware front end. Processor licensing will likely be the appropriate licensing option in these situations, due to its simplicity and affordability.

      The processor license changes are relatively new - in the past you used an 'internet connector' license for websites (which didn't cover internal users), but it looks like the processor license covers everybody now.

    5. Re:Sybase by Anonymous Coward · · Score: 0

      Right from the EULA beeoch:

      3. "MULTIPLEXING." Hardware or software that reduces the number of Devices directly accessing or using the Server Software does not reduce the number of required CALs. The number you need is based on the number of distinct inputs to the hardware or software "front end."

    6. Re:Sybase by LegendLength · · Score: 1

      But wouldn't this mean you could put a custom proxy in front of the SQL boxen and get all clients to connect through that? It would only have a single link to the database then.

      I'm just asking btw, not trying to be a smart ass.

  37. Uptime is a poor metric by Anonymous Coward · · Score: 4, Insightful

    Specs are hard to write and all vendors have weasel clauses. Just look at insurance policies - damage due to acts of war are generally excluded. With cracking being described as a "terrorist act" you could end up with exploits not being covered.

    A big common exclusion is "unscheduled" downtime. One of our vendors would see a router or firewall machine starting to act funny and then quickly "schedule" some emergency downtime that night to reboot it thus avoiding having to pay.

    I have not had good experience with outsourcing - never forget that these are the same bunch of folks who are getting skewered for lousy tech support for poor end-users who have paid extra for support packages. Attitudes don't change much across corporations.

    Before I would spend the bucks for any sort of "managed services" I would make sure that the vendor guaranteed 100% availability without exception. Availability must be defined as a maximum latency (i.e. no end user will wait more than 750ms for a response or whatever is needed).

    Rationale? Any app that requires this type of support must be available to the end user without fail. That's why you pay the bucks.

    OS is "up" but web server is compromised or down? It's no good to the user. The downtime was scheduled? End user doesn't care.

    Why 100%? Why not. They are already guaranteeing less than 316 seconds per year of downtime. Let them work their payments for that downtime into the contract cost. I don't want to have to total up downtime and argue over when the year started. I want the vendor to know that any downtime costs them bucks. No argument, no weasel clauses, no exceptions (better keep those machines maintained, protected and patched).

    Been there - been burned. We moved our servers from a "managed solution provider" to a generic server farm and got far better service for one tenth the cost.

    1. Re:Uptime is a poor metric by SuiteSisterMary · · Score: 2

      And at that point, you should have a cluster. Period. No one box will have full uptime. But wait, you say, what about a mainframe? Well, a mainframe is just a cluster in a box. At a really really low level. So when you hotswap a CPU, you're just knocking out a cluster node.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    2. Re:Uptime is a poor metric by SectoidRandom · · Score: 1

      Quote: "One of our vendors would see a router or firewall machine starting to act funny and then quickly "schedule" some emergency downtime that night to reboot it thus avoiding having to pay."

      That's the whole point of the contract, they are paid to notice that, and then fix it at a convenient time, i.e. not a week later in the middle of your busiest hour when that something 'funny' turns into something not so funny. :)

      But it is hard i guess, finding a vendor who will actually be able to deliver what they claim..

    3. Re:Uptime is a poor metric by athmanb · · Score: 1

      Yes, but during the reboot, end users will be sitting at their machines, pressing frantically on Reload and ask themselves why your fucking site doesn't work.

      Thus, the explanation "But the downtime was scheduled!" doesn't really help.

  38. Think firewall + watchdog functionality by chabotc · · Score: 5, Informative

    Put the datacenter server behind a firewall, preferably with some string matching functionality (i.e. watchdog).

    the later iptables versions have a string patch included, which allows you to target certain port/string combos; with this it is easy to block worms from the webserver, as long as you know what request they make.

    example to block cmd.exe access (taken from my own internal firewall scripts, this will block Nimda)

    # Variables the rules assume; set them for your own firewall host.
    IPTABLES=/sbin/iptables
    INTERNAL=eth1           # interface facing the protected web server
    LIMITLEVEL=10/minute    # rate limit on log entries
    LOGLEVEL=info

    # Requests arriving from outside, addressed to this host, that carry
    # "/cmd.exe": log (rate-limited), then reset the connection.
    # --algo bm is required by the in-kernel string match (2.6.14 and later);
    # the 2.4 patch-o-matic version took only --string.
    $IPTABLES -A INPUT -p tcp ! -i $INTERNAL --dport 80 -m limit \
    --limit $LIMITLEVEL -m string --algo bm --string "/cmd.exe" \
    -m state --state ESTABLISHED -j LOG \
    --log-level $LOGLEVEL \
    --log-prefix "MS IIS cmd.exe usage:"

    $IPTABLES -A INPUT -p tcp ! -i $INTERNAL --dport 80 -m string \
    --algo bm --string "/cmd.exe" -m state --state ESTABLISHED \
    -j REJECT --reject-with tcp-reset

    # The same pair on FORWARD for traffic routed through to the server
    # behind the firewall (-o cannot be used on INPUT, it is only valid on
    # OUTPUT and FORWARD, so the through-traffic rules live here).
    $IPTABLES -A FORWARD -p tcp ! -i $INTERNAL --dport 80 -m limit \
    --limit $LIMITLEVEL -m string --algo bm --string "/cmd.exe" \
    -m state --state ESTABLISHED -j LOG \
    --log-level $LOGLEVEL \
    --log-prefix "MS IIS cmd.exe usage:"

    $IPTABLES -A FORWARD -p tcp ! -i $INTERNAL --dport 80 -m string \
    --algo bm --string "/cmd.exe" -m state --state ESTABLISHED \
    -j REJECT --reject-with tcp-reset

    If you wanted to block Code Red, filter on /default.ida, filtering on global.asa is also a good idea ;-) etc ..

    (see iptables docs for more info)

    G'luck
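A string match at the firewall, as in the rules above, compares the raw bytes on the wire with "/cmd.exe", but IIS percent-decoded the URL (twice, in the case of the %255c form Nimda used) before deciding what to run, so a request that spells the same path with encoding walks past the rule and still reaches cmd.exe. The Python below is an added example, not part of chabotc's post or of any firewall product: it canonicalizes the request target the way a lax server would before applying the same signatures, and separately flags paths whose ".." segments climb above the web root. The sample request lines are constructed for this example, modelled on the Code Red and Nimda probes the thread names.

```python
"""Match worm request signatures against the decoded request target, not the
raw bytes. Added example; the signatures come from the thread, the sample
request lines are constructed here."""
import re
from urllib.parse import unquote_to_bytes

# Path fragments named in the thread: Code Red probes /default.ida, Nimda runs
# cmd.exe or its root.exe copy, and /global.asa is the other file suggested.
SIGNATURES = ("/default.ida", "/cmd.exe", "/root.exe", "/global.asa")

# Constructed sample request lines modelled on the Code Red / Nimda probes.
SAMPLE_REQUESTS = [
    "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0",
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /_vti_bin/..%255c../winnt/system32/%63md.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.0",
]


def naive_match(request_line):
    """Case-insensitive substring match on the raw line, which is all an
    iptables string rule can do. Returns the matched signature or None."""
    line = request_line.lower()
    return next((sig for sig in SIGNATURES if sig in line), None)


def _fold_overlong_utf8(raw):
    """Turn a 0xC0/0xC1 lead byte plus one trailing byte into a single ASCII
    byte (low five bits of the lead, low six bits of the trailer). IIS accepted
    these overlong forms, which is how %c0%af became '/' and %c1%1c became '\\'
    in the traversal probes; folding them shows the path the server used."""
    out = bytearray()
    i = 0
    while i < len(raw):
        lead = raw[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(((lead & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out)


def canonical_path(request_line):
    """Decode the request target as a lax server would: two percent-decoding
    passes (the second catches %255c double encoding), overlong UTF-8 folded,
    backslashes turned into slashes, case folded, repeated slashes collapsed."""
    parts = request_line.split()
    target = parts[1] if len(parts) >= 2 else request_line
    raw = target.encode("latin-1", "replace")
    for _ in range(2):
        raw = unquote_to_bytes(raw)
    raw = _fold_overlong_utf8(raw)
    path = raw.decode("latin-1").replace("\\", "/").lower()
    return re.sub(r"/+", "/", path)


def canonical_match(request_line):
    """Same signatures as naive_match, applied to the decoded target."""
    path = canonical_path(request_line)
    return next((sig for sig in SIGNATURES if sig in path), None)


def escapes_webroot(request_line):
    """True when '..' segments in the decoded path climb above the site root,
    which no legitimate request to a web server needs to do."""
    depth = 0
    for segment in canonical_path(request_line).split("?", 1)[0].split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment and segment != ".":
            depth += 1
    return False


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{line}\n  raw match: {naive_match(line)}  decoded match: "
              f"{canonical_match(line)}  escapes root: {escapes_webroot(line)}")
```

Run as a script it walks the samples and shows the fifth one (cmd.exe spelled as %63md.exe) slipping past the raw match while the decoded match and the web-root check both catch it. For a firewall rule set the lesson is the same: match on the decoded form, or add the encoded variants you expect, and treat a ".." escape out of the document root as a signal in its own right, since the next worm will not spell cmd.exe the same way.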

    1. Re:Think firewall + watchdog functionality by haruharaharu · · Score: 3, Informative

      Put the datacenter server behind a firewall

      better yet, don't run a webserver on your datacenter

      --
      Reboot macht Frei.
    2. Re:Think firewall + watchdog functionality by SumDeusExMachina · · Score: 1

      Do you ever just wake up in the middle of the night thinking "God, my web site is just one big ripoff of other people's material!"? I mean, I assume it happens, but you can never tell with some people.

      --

      Is your company running tools written by ma
    3. Re:Think firewall + watchdog functionality by The+Intrepid+Travell · · Score: 0

      Probably. With such an obvious, heinous offense, he must be quite cognisant of it.

      I think his (unfortunate) return to SlashDolt is probably a signal of his acceptance of his ripoff-status in life. What better site to frequent than slashdot, when all you can do is steal and repeat?

    4. Re:Think firewall + watchdog functionality by Anonymous Coward · · Score: 0
      You, sir, are a total fraud.

      I hope you get what's coming to you.

    5. Re:Think firewall + watchdog functionality by Anonymous Coward · · Score: 0

      http://slashdot.org/comments.pl?sid=20721&cid=0&pid=0&startat=&threshold=-1&mode=nested&commentsort=1

      They are after you.

  39. Odd question by md_doc · · Score: 3, Insightful

    This is an odd question because both Code Red and Nimda were actually viruses that took advantage of things like directory traversal and admin tools on the system. In short most admins already knew about these issues and fixed them themselves by disabling the dir traversing and removing the template site.

    So in short, to answer your question, when it comes to Code Red or Nimda you really should not have a problem if you are a good admin. The same is true in the Linux world and newbie web programmers that do things like system calls without checking out what is going to be called. If you call something that the user passes to you then obviously they can do things like tracert ip; rm -rf / and your code would let it. This is not Perl's fault or PHP's fault or any other language's fault, it is the programmer's fault.

    As much as I dislike Windows, mainly because I have been an ASP programmer for a long time and I would rather use Linux and do Perl programming (which I do now), Microsoft is somewhat right in that a knowledgeable sysadmin already had the holes fixed. At the same time they should not send out software with issues like that.

    --
    --MD--
  40. This is simple by /dev/trash · · Score: 1
    Make sure the OEM you sign with states in the contract that they will hotfix you quickly or you leave/get a refund/etc.

    If you are really concerned such language and costs will be understandable.

  41. Well thanks... by KingAdrock · · Score: 1

    for agreeing with me, but you didn't have to do it in such a hostile manner. I'm not blaming MS. I think MS gets a bum rap. Of course if you have such a large installed user base, you are going to run into more public problems than an OS with a relatively small user base most of which are techies.

    1. Re:Well thanks... by Johnno74 · · Score: 1

      No hostility intended.

      I disagree, I think MS deserves MUCH more than they get. They are primarily a marketing company, and yes, they make some good things, but they always try their hardest to lock you in once you bite - classic carrot-on-a-stick technique - they INVENTED embrace and extend.

      I think the poor security record of products like NT/2k is *very* disappointing, when you consider they COULD have been such good products. NT's security is pretty comprehensive and well thought out, and leaves Linux in the dust for features, but they missed the last hurdle - e.g. out of the box installs of NT and 2K give FULL file permissions to ALL the system files to everyone by default, and even worse, all of the system daemons (IIS etc) run in the security context of local admin! (localsystem). That way, something as simple as a buffer overflow in IIS can give you local root access. There is no need, yet I've never managed to get the IIS service to run as anything other than localsystem (and I can't find any docos relating to this at MS either - anyone help?)

  42. A Bit OT but I have to ask by Canyon+Rat · · Score: 1

    Yesterday my computers asked me if they could DL patches for the two MOSX security holes reported here recently. IIRC, Win 98 used to do the same thing. So why were all those NT and Win2K machines unpatched? If MS has the patches months before the worms appear in the wild, why haven't the machines already patched themselves?

    1. Re:A Bit OT but I have to ask by KingAdrock · · Score: 1

      Imagine the screams from the slashdot community if the machines patched themselves. It would be heralded as an invasion of privacy.

    2. Re:A Bit OT but I have to ask by Anonymous Coward · · Score: 1, Informative

      Good question, so here's the deal:

      Windows 2000 does have an update notification service, but it's not installed by default. You need to go to WindowsUpdate (Right on the Fucking Start Menu) once and install it. I think 98 was the same deal, but it might be preinstalled in ME.

      Furthermore, security patches don't immediately get pushed out through WindowsUpdate, but instead get posted to another corner of MS website and announced through a listserv. To be fair, MS security patches aren't always QA'ed very well and tend to break something or other. They only show up in WindowsUpdate after a week or two and are known good.

      But the basic problem was just laziness -- people who installed SP2 and thought they were up-to-date, people that didn't know they were running IIS and didn't install the patches while they were DLing the latest DirectX, and people that didn't bother to check at all.

  43. Re:Moron. by Enlightened_0ne · · Score: 1

    And wtf is "runs IIS for terminal server" supposed to mean? That doesn't even make any sense.

    It is called TSweb, and it allows you to log into the server using terminal server without having to have the client installed on the local machine.

  44. No IIS on the terminal servers by 0xA · · Score: 2

    You really don't want to put IIS on your Terminal Server. If you're using TS in admin mode you don't need to use TSAC (the web plugin). I find I do just as well with the RDP client application. It works smoother and the win32 version will fit on one floppy if you want to carry it around.

  45. Yes your missing something... by Anonymous Coward · · Score: 0

    You, like most Linux users, haven't worked in real enterprise shops on enterprise class hardware and software. First, Datacenter-like systems aren't new; Tandem and others have made NT systems with five-9s uptime guarantees for years. Compaq's DataCenter box is based on the old Tandem system. They typically run the backend of multi-tier business systems, not web services. So they aren't very visible or accessible. There is big money on the line if these systems don't deliver. If the systems go down and SLAs aren't met, lawyers are on the phone. This is one of the things that will keep Linux out of the Enterprise: there is no one to hold responsible when things go wrong. I work in a LARGE MS and Sun shop. When things go wrong and it takes longer to fix than it should, we are on the phone and MS and Sun are on site and calling whoever they need in MS or Sun to get the problems resolved. Until someone offers Linux support at that level it will be left to departmental or web servers.

  46. Slashdot filter code by SilentChris · · Score: 2
    "Would anyone out there actually recommend Datacenter for corporate environments?"

    Loaded statement... entering Slashdot filter code...

    Made by Slashdot author = PASS...
    Negative against Microsoft = PASS...
    Vaguely positive to Open Source operating systems = PASS...

    Good to go.

    1. Re:Slashdot filter code by Anonymous Coward · · Score: 0

      Do you take a shower after gym class?

  47. Thank you for your answers by alen · · Score: 4, Informative

    I actually posted this question twice, and I'm glad they used this second posting with our actual situation. The first one was more of a what if scenario.

    As far as terminal server and IIS, you need IIS if you want to use the Terminal Server Advanced Client and go in through the web. I was originally taught to use TS through IE and forgot going in through the TS client.

    If we do go with Datacenter, the servers will host SQL 2000 Enterprise in a clustered environment. We currently use SQL and have a proprietary in house written app for it.

    And as far as the Code Red holes being found months prior to infection, I just used this as an example. I remember in 1997 and 1998 NT had new security holes every week. Windows 2000 is slightly better. 6 months ago I remember downloading hotfixes that will appear in service pack 3.

    My question still remains, if a new flaw in IIS, the kernel or any other part of the OS is found how long are we supposed to wait for a fix? I forgot the specifics, but I'm pretty sure the Compaq people said they customize the source code for your environment. They will need a copy of our in-house app, get in touch with the EMC engineers because our EMC box will be our clustered storage and analyze everything else. Then we will get a CD with a customized copy of Windows 2000 Datacenter. Like EMC, the servers will be monitored by another company and they will most likely know of any problems before us. Every so often we will get a new CD with updates, service packs, etc. customized for us. But if a new worm comes out in a few months that exploits some currently unknown flaw in Win2000 or any other part of the OS, will we be dead in the water while we wait for a patch? After September 11th we were calling EMC for tech support on our Symmetrix and we were basically told get in line. They had richer customers to support first.

    1. Re:Thank you for your answers by KingAdrock · · Score: 1

      My question still remains, if a new flaw in IIS, the kernel or any other part of the OS is found how long are we supposed to wait for a fix?

      What do you feel would be a reasonable time? A day? A week? Two weeks? Determine what is acceptable for you, and have it written into your Service Agreement.

      After September 11th we were calling EMC for tech support on our Symetrix and we were basically told get in line. They had richer customers to support first.

      Unhappy with your service? Can you find better elsewhere? If so, make the change. If not let someone in their management know that you are unhappy. Be persistent. Yell and scream!

      Other than that I suggest you look through this thread for suggestion about how to protect your expensive datacenter server with firewalls and other common network security.

    2. Re:Thank you for your answers by sheldon · · Score: 2

      I was going to say. Once you have the ActiveX control you can connect to any box running Terminal Services. There's absolutely no need to run IIS on the box you are trying to manage.

    3. Re:Thank you for your answers by sheldon · · Score: 2

      First you go and take the Windows 2000 security training course at the SANS conferences. There you will learn about turning off unnecessary services, hardening the installation of the software and the OS. You'll learn about ipsec and filtering out illegitimate traffic at the network layer of the box. You'll learn about auditing your box to watch for problems, etc.

      Then you will realize you won't have an IIS server on your SQL Server box anyway, because it's unnecessary. So you won't be at risk to Code Red or Nimda or any similar IIS Worm. Even if you did have IIS, you'd lock down the install by removing the various ISAPI filters and such that were exploited, so even without the patches you would never have been vulnerable.

      Then you're going to go out and subscribe to the advisories from microsoft.com/security, sans.org, securityfocus, ntbugtraq, etc... so you won't have to worry about waiting a few months; you will know about them the day they hit the streets.

      I think the training will help, in conjunction with a better understanding of exactly what you are doing you can be pretty confident about your installation. If you want to lock it down, you can... and I'd say it's advisable to do so.

  48. Damn you are so right. by Anonymous Coward · · Score: 0

    Tomorrow I'm going to tell the CTO that we have to replace all our Datacenter machines with overclocked AMD Athlons running Debian Unstable and administered by a geeky fuck still in high school.

    1. Re:Damn you are so right. by Anonymous Coward · · Score: 0

      I recently bought a website, Dmusic.com from Lynx Technology, one of Michael Ovitz' companies. It ran on FreeBSD. They were in the process of converting it to Slackware 8.0. The project was run by a 23 year old Canadian.

      My network runs Slackware 8.0 at the suggestion of my network administrator, who is a 44 year old PhD in quantum mechanics from Ohio State, by way of Bombay, India.

      You are undoubtedly right to suggest that Corporations like other Corporations. That's why there are Red Hat and Caldera for consumers and hackers, and IBM and Dell for corporations.

      Not so far fetched, and more prevalent than you think.

      I have six Athlon machines running Slackware and Red Hat. No problem. I also run NT and Windows 2000 Professional on HP Netservers and Vectras.

      I started a website called Windux.com

      Leflaw
      leflaw@leflaw.com

  49. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  50. No patches needed to block Nimda and Code Red by MoritzB · · Score: 3, Informative

    Both Nimda and Code Red can be avoided by locking down the IIS 5 configuration (... as demonstrated by the MS IIS lockdown tool). No patches (not even OS service packs, i.e. no Win 2k SP1 or SP2) are required! If you add some firewalls in front of your IIS, one of those being e.g. ISA Server 2k, you could use
    - HTTP forward caching (where all cached requests would be handled on the "other" side of the NAT firewall)
    - content filtering (to block offensive code such as Nimda).
    If your admin knows her job, everything should be just fine with your Win 2k Datacenter (except for the noise those boxes tend to make) ... M.

  51. Get your facts straight first by thesolo · · Score: 4, Informative
    A few things here:
    1. Datacenter machines will NEVER be running IIS. I've worked with several OEMs before, and none of them would EVER send out a datacenter machine with IIS running on it. If your OEM gives you a datacenter machine with IIS on it, run. Run as fast as you can to another OEM that doesn't.
    2. Datacenter should NOT be available to the internet! If this is a mission-critical machine, why would you want it on the internet? So it can double as an EFNet server?! Machines like this should only be accessible to a select group of machines on its own network.
    3. As stated before, Terminal Services does NOT require IIS to run. And also, you really shouldn't be using Terminal Services on this machine to do anything except possibly monitor performance--any changes made to the system would violate the uptime guarantee from your Vendor. This is a "LEAVE IT ALONE" situation.
    4. If you are dumb enough to have a Datacenter machine running IIS, you deserve to get a worm on it. Anyone who has the kind of money to get one of these machines should have some active brain cells too.

    The issues mentioned in this article are null & void, as a situation like that would most likely never, ever happen. (Then again, you picked Compaq as your OEM, so maybe...*insert rim shot here*)
    1. Re:Get your facts straight first by Anonymous Coward · · Score: 0

      You forgot rule 0:

      0: There will be at least one customer who has an environment that must violate any/all possible rules.

  52. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  53. Woah, big misunderstanding... by Telek · · Score: 3, Insightful

    So say a new worm comes out in a few months and it takes a few days for MS to create a hotfix.

    Is there something I'm missing?

    Absolutely. You've got your timelines backwards.

    Worms come out a few months after the bugs have been discovered and patches have been made available. We're talking months here. Code Red came out more than 2 months after the bug had been discovered and patches created.

    Microsoft has had their patches out in the wild within a few days of a major bug being discovered. The worms however take much longer to be created/deployed/spread. Although it is possible for the worms to come out much faster, they will still be lagged behind the discovery of the bug, and the patches are issued almost immediately.

    And if you have an agreement with your provider that you will have 99.999% uptime, then you better believe that they will be phoning you at 2am in the morning to tell you that they're coming over to install a new patch lest they break their contract.

    --

    If God gave us curiosity
    1. Re:Woah, big misunderstanding... by alen · · Score: 2

      Melissa is a bad example since WSH has always been there, but patches and virus updates only came out after the fact. How about when hackers stole some of the source code from Microsoft? I bet there is at least 1 flaw that someone other than Microsoft knows about.

    2. Re:Woah, big misunderstanding... by Telek · · Score: 1

      but patches and virus updates only came out after the fact

      They came out after the bug was announced, which was long before the exploits were created.

      How about when hackers stole some of the source code from Microsoft?

      To what are you referring? I know of nothing of the sort.

      I bet there is at least 1 flaw that someone other than Microsoft knows about.

      If this is the case then why hasn't it been exploited yet? If it has we surely would have heard about it and it surely would have spread in usage by now.

      --

      If God gave us curiosity
    3. Re:Woah, big misunderstanding... by alen · · Score: 2

      About a year ago some hackers from Russia hacked into Microsoft's internal network and downloaded some source code over the period of a few months.

    4. Re:Woah, big misunderstanding... by sheldon · · Score: 2

      Hmm. While it was confirmed some hackers did get access to the Microsoft network. I don't believe it was ever confirmed that they downloaded any important source code.

      I believe this is called playing telephone, where the story distorts itself the further from the source it gets...

    5. Re:Woah, big misunderstanding... by MikeBabcock · · Score: 2

      The easy-to-find official comment is that Microsoft doesn't think its code for Windows XP was compromised.

      It specifically mentioned one product ...

      --
      - Michael T. Babcock (Yes, I blog)
    6. Re:Woah, big misunderstanding... by Rogerborg · · Score: 2
        • How about when hackers stole some of the source code from Microsoft?
        To what are you referring? I know of nothing of the sort.

      Microsoft got infected with the QAZ notepad virus (as did my own company) which installs a backdoor on the compromised machine. However, it doesn't actively tunnel out through firewalls, so it's vanishingly unlikely that any machine on the M$ LAN was hit. For the source to have been compromised, it would have had to have been on an employee's home machine, and that employee would have had to not be running a firewall.

      It's possible that the source was ripped from an M$ machine, but there are softer targets out there; .edu's and .mil's can get access to M$ source, for example.

      --
      If you were blocking sigs, you wouldn't have to read this.
  54. Cant recommend Microsoft products... come on by hebertrich · · Score: 0

    No one can recommend Microsoft products where high security and reliability are concerned.
    This is not serious.
    In no mission critical service can a single Microsoft product be relied on.
    MS can probably be used at home, for personal amusement, or curiosity, but that's where it ends.

  55. Uptime guarantee by CyberLife · · Score: 1, Informative
    The SLA guarantees a 99.999% uptime or your money back.

    Remember, 99.999% uptime is 1.44 minutes of downtime per day. Just enough time to reboot a well-tuned system.

    1. Re:Uptime guarantee by starburst · · Score: 2, Insightful

      Five nines (99.999) is 5.256 minutes of down time per YEAR! NOT 1.44 minutes per day.

      None of my NT boxes can do that. My SCO box (nicknamed "The Uptime Server") is down only when I wish it down.

    2. Re:Uptime guarantee by paenguin · · Score: 1


      No, 99.999% uptime gives you .864 seconds per day of downtime, or just over 315 seconds per year.

      24 x 60 x 60 = 86400 seconds per day

      86400 x .00001 = .864

      --
      We should start referring to processes which run in the background by their correct technical name... paenguins.
    3. Re:Uptime guarantee by Anonymous Coward · · Score: 0

      1.44 minutes (even if your calculation is wrong) is nowhere near the amount of time it takes a 32 processor machine to boot up.

      Our 32-proc machine takes nearly 30 minutes to boot up.

    4. Re:Uptime guarantee by CyberLife · · Score: 1
      You're right. I was off by two decimal places. :)

      Still, are there any NT/2000 boxes out there that fail less than a total of 5.26 minutes per year? I'd like to see the fine print in these so-called uptime guarantees.

  56. Which brings up more questions by moosesocks · · Score: 1

    This brings up the age-old question; Why are we even using windows?

    Sure, on the desktop, Windows has the largest user base. Why? Application compatibility, all your apps run on Windows. No, it's not the most secure, the fastest, the most stable. It's compatible.

    Why use windows as a server?
    Simple, your desktops are running Windows, why not run Windows as the server. You get easy configuration, tight integration, etc. Very rarely will a server run Windows just for the heck of it, nor will a Windows server power a network full of Linux boxes.

    Why use windows as a datacenter server?
    I honestly can't answer this question. Unix is known specifically for its scalability to run on the biggest and baddest boxes around (read mainframes). IBM and Sun have been in this market for years. Microsoft is a new contender in this market. Sure, IBM and Sun both made their own hardware, but their mainframes were designed with a few specific tasks in mind.
    Sure, a datacenter server shouldn't be exposed to the internet, but Microsoft has the ability to expose these vital machines to the net. Generally, for an application of this magnitude, the OS with the highest performance which fits the needs of the people owning the server gets chosen. I don't have numbers to back this up, but I highly doubt that Windows is winning that race.

    Which brings me to another point.
    Why do we use any os in particular?
    Why do we use linux as a server?
    It's scalable, runs on many platforms, fast, secure, plays nice with others, open source (big + for developers using machines this big, so they can fine tune it to their specifications), and most of all, secure (yes I know I said secure twice... it's that important)

    Why use linux on a desktop?
    No reason in particular. Only that it's free. It isnt very usable (Jakob Neilsen definition of usable, as in intuitiveness, rather than if it works or not). Its confusing, and few desktop apps run on it. But, its secure and stable, and thats a big +

    Why use mac os (classic)as a desktop os (or beos or any of those niche oses)

    They're usable, theyre not necessarily secure or extremely stable, but they have a lot of desktop apps, and are relatively easy to use, yet remain powerful enough for the demanding user.

    --
    -- If you try to fail and succeed, which have you done? - Uli's moose
    1. Re:Which brings up more questions by Anonymous Coward · · Score: 0

      I have to disagree with you about using Linux as a server.

      IMHO OpenBSD has Linux (and other OS's) beat hands down when it comes to security and it's performance is also on par with that of Linux, thus making this a much better choice for a server OS.
      (And you can also get the source code for it too)

    2. Re:Which brings up more questions by Anonymous Coward · · Score: 0
      Nice troll. The tip-off was lauding Linux's security compared to Microsoft's. Maybe if you had chosen a *BSD, but Linux? Good Lord. Or its speed (maybe on your 486, but Linux consistently gets beaten by Windows 2000 on modern hardware).

      Your biggest strike against Windows on big iron seems to be that they're new at it compared to the Suns and IBMs of the world. Funny attitude coming from someone who seems to be an advocate of a relatively new OS himself. Funnier still is the number of Unix zealots and those at Unix companies who laughed at Microsoft when they decided to enter the server world with NT. Microsoft started with 0% then, and now the graveyard of computing history is loaded with the bones of Unix companies and the zealots' dreams.

    3. Re:Which brings up more questions by Anonymous Coward · · Score: 0

      could there be any more desktop apps for beos??

    4. Re:Which brings up more questions by smashdot · · Score: 1

      OpenBSD lacks SMP support. So although OpenBSD's performance may be fine on your desktop, Linux, FreeBSD, or W2K are better choices on a mid-size server.

      --
      "C" is for cookie, that's good enough for me.
    5. Re:Which brings up more questions by Anonymous Coward · · Score: 0
      This brings up the age-old question: why are we even using Windows?

      It's the easiest desktop OS. BeOS and Linux are niche products, and Mac OS is tied to the Mac, therefore restricting its market.

      The fact that it's compatible is not the fundamental reason; sure, it's a big reason, but you must also consider familiarity - people know Windows, where to click, how it will respond (if at all :o) ), etc.

      Why use Windows as a server?

      Not so simple. You must consider the motives behind the original drive to NT. NT servers became common as business units branched out their own IT needs; we saw different divisions exploring different objectives and strategies, hence having systems independent of other business areas was required. In steps NT: cheap, runs on low-cost hardware.

      Enter management hell, which is why so many corporations have 'computer management centres' as opposed to computing centres

      Could an NT server run a network of Linux boxes? - Samba up the Linux boxes? 'nix services on NT?

      Why use Windows as a datacenter server?

      Sure Solaris runs on E10000's and AIX runs on big RS6000's - chunky boxes indeed but they're NOT mainframes.

      Sun don't make mainframes, and I don't see big blue running AIX on many S/390's as the CORE os. I'm not aware of how integrated linux is with the s/390. Can someone clarify if the systems can function solely on Linux?

      Mainframes generally run mainframe OSes and are an entirely different market. No Unix or Windows box can come close to the level of memory bandwidth and raw power from a mainframe.

      Microsoft have the ability to expose these machines to the net? What, do they come along and lay extra network paths for you?

      Performance is not the only measure used (in fact it's a less important factor); normally there are many. Cost per transaction tends to be very important - not many Unix vendors can say they beat Microsoft on that front.

      Of course Microsoft isn't winning the race at the mo; Datacentre is an immature product. It hasn't been around long and people are still unaware; one must look at the level of growth it is experiencing at the moment: forecasts, analyst info, etc.

      Windows datacentre running on Unisys hardware has one of the lowest costs per transaction, one of its most attractive features.

      Why do we use Linux as a server?

      Cheap

      Fast

      Geek Pride

      Customisation

      Open source? Hmm, you wouldn't really tinker with / fine-tune the code in this market. Too many inherent risks.

      Secure? Anything can be insecure; you can't assume Linux is - see other posts here.

      Why use Linux on a desktop?

      Anti Microsoft feelings

      Geek pride

      Sense of belonging to a movement

      Customisation

      challenge

      etc

      Why use Mac OS (classic) as a desktop OS (or BeOS or any of those niche OSes)?

      Niche markets

  57. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  58. Firewall didn't help us against Code Red by Greyfox · · Score: 2

    All it took was one nimrod getting infected and then tunneling in through the VPN software. Damn near everyone behind the firewall was running (of course unpatched) IIS because the standard software install didn't disable it. But you know, there's corporate IT for you in a nutshell. Did the CIO catch flack for it? Was any attempt made to improve procedures so this wouldn't happen again in the future? Hell no! They patched everything for that one problem and then went back to their complacent little lives. I guess they think lightning never strikes twice.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:Firewall didn't help us against Code Red by Anonymous Coward · · Score: 0

      Exactly what happened at my company. Verbatim. Of course, I was patched, so I was merrily coding away and suppressing my giggles as everybody around me was either moaning or asking me why they couldn't connect to their IIS instances.

      A few weeks later when Nimda came along, I got another bundle of laughs as I explained to our "virus administrator" that it was not the old virus he thought it was, and that Trend wasn't going to do jack until they updated their signatures. The next day I got treated to hearing the "response team" discussing details "just in from Trend," oblivious to the fact that they had been thoroughly discussed on various lists the day before. Bunch of damn retards around here :(

  59. Patching Rant... by doublem · · Score: 0, Flamebait

    The thing you're overlooking is that the Nimda and Code Red viruses came out AFTER the bugs they exploited had been discovered and patched.

    This hypothetical DataCenter would not be impacted because the patches would have been tested and applied long before the viruses hit.

    As much as we like to joke about Microsoft being "Swiss Cheese," the truth is most bugs have patches available long before there are exploits. DataCenter would mean all of the relevant patches would be tested and applied long before the viruses hit.

    The only reason my servers were hit by Nimda was because I trusted our Chucklehead Network Admin to understand the difference between downloading and installing a patch. I told him to patch it, but did he listen? Apparently not. I guess flirting with the head of the Insurance Department was more important than the bulletin from the Microsoft Security Mailing list. Never mind the fact that I had to show him how to import a contact list into Outlook, never mind the fact that Clippy is too complex for him to comprehend, just ignore the guy who BUILT our infrastructure when he tells you to apply a patch that will protect the servers from the SINGLE MOST COMMON WORM ON THE NET!

    I gave him the @$@(*& URL and told him to install the patch. All he had to do was paste the URL into the server's web browser, click a file name and select "Run from present Location" then Click YES on anything else he saw! But did he DO it? NOOOOOOO. He SAID he did it, but that's not the same thing as DOING it!

    But hey, he managed to screw the trailer girl he'd been hitting on, so I guess our server downtime and the dozens of root.exe files I had to delete were worth it, huh?

    And before the trolls start in, I am NOT jealous that he got laid. I spent the last 24 hours in bed with my girlfriend, and get more action in a week than he does in a month. He's the one going after the company's chain-smoking pot addicts when he's supposed to be working.

    And don't get me started on the 300 megs of porn on his hard drive! We only have a single T1 for the whole company's in-house operations. Thank GOD we host our servers off site or our clients would never get in. He downloads the W2K service pack off the Internet each time he installs it instead of running the local copy I saved to the server.

    And don't get me started on his MP3 collection. He must eat up 90% of our bandwidth. Uploading a 50k Perl script takes me 20 minutes because he's downloading porn and MP3s, but because he's screwing the comptroller's daughter he never gets in trouble for it. Meanwhile _I_ get grilled for our poor network performance, and just because he DENIES having downloaded all that crap he's excused and I'm told "There must be another cause."

    And now he's studying for an A++ exam, and his comment to me? "Why do I need to know all this IRQ S***, we use Windows 2000. That's not in computers anymore."

    ARGGGGGGGGG!!!!!!!!!!!!!

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
    1. Re:Patching Rant... by Anonymous Coward · · Score: 0

      2 words for ya' - bandwidth shaping. Make sure his PC is on a real switch and limit his bandwidth.

      One more word: logs - gives you a little bit of extra evidence instead of just your word against his.

      Final word: port blocking - Napster/Gnutella/Bearshare/Morpheus go bye-bye.

      Or just take a page from the BOFH stories - 220V AC through a keyboard perhaps? "I told him not to mess with the hardware!"

      As far as his "social" life - plant rumors of nasty STDs. That'll discourage the ladies.

    2. Re:Patching Rant... by doublem · · Score: 2

      Hmmm, Two AC's. One offering real tips, the other just flaming.

      I have nothing against him getting laid. My problem is he doesn't do his job, and when he does do it he screws everything up. The fact that our production servers got infected with the Nimda virus was just one example.

      And just for the record, I DO go out, get drunk and get laid. I also rock climb, dance and hang out with friends.

      Now, to the intelligent AC - Thanks for the tips.

      I'm already working with the CTO and CIO to get the ports blocked. Sadly, the chucklehead is the one who would make the change in the firewall, so I have to figure out a way to get the change assigned to myself or the CTO.

      The monitoring software is on the way. I've wanted it for ages, but the company owner didn't OK the purchase until we had a CTO. It's interesting that when I (25-year-old tech) propose an idea it gets shot down, but when our CTO (early 40s, an experienced tech, but studying for law exams) puts forth the exact same idea it gets snapped up and hailed as revolutionary. If the CTO wasn't a damn smart guy who has a bunch of other good ideas I never thought of, I'd be annoyed.

      The CTO knows this guy is a nit-wit, and is forcing him to take the A+ exam. Once he fails....

      Restricting his bandwidth is an excellent idea. I could cut him down to 1k and he'd never realize there was anything wrong (except for the plummeting performance that is) Knowing him, he'd reinstall Windows before he checked anything else, and that would take him out for a good three days.

      Anyone know offhand if Morpheus or Limewire keep any logs of downloaded files?

      After my initial post I read the most recent edition of the BOFH, and liked the changes the BOFH made to some text he got off the Internet...
      http://www.theregister.co.uk/content/30/22378.html

      Sadly, starting an STD rumor with this group might give one of the females an "It's OK, he already has it, I won't infect him," moment

      Where did I put that copy of "Evil Geniuses for Dummies?"

      --
      "Live Free or Die." Don't like it? Then keep out of the USA
    3. Re:Patching Rant... by Kamel+Jockey · · Score: 1

      It's interesting that when I (25-year-old tech) propose an idea it gets shot down, but when our CTO (early 40s, an experienced tech, but studying for law exams) puts forth the exact same idea it gets snapped up and hailed as revolutionary.

      It's because you didn't do that hand gesture like that guy did in that commercial :)

      --
      In case of fire, do not use elevator. Use water!
    4. Re:Patching Rant... by Anonymous Coward · · Score: 0

      Hi, it's me again. What the fuck is a "chucklehead"? You sound like you've got some major problems, as some 25-year-old slutsican... Do you really hate your job that much? Are you really that overweight? What's your problem, man? Who gives a fuck?! Let the nigga download his porn, MP3s, and fuck the office hoes. You sound pretty upset about this... Remember: jealousy is the highest form of envy and flattery. Heh, maybe you wish you were the guy who was callin' shots in the office, or maybe the playbeezie who's rompin' every hoe on the block. Damn man, re-read what you keep saying, you'll see you look like a fool... err, I mean "chucklehead". Peace.

  60. Re:Moron. by Anonymous Coward · · Score: 0

    I know exactly what TSweb is, and that is not a clear reference to the TSAC. Nevertheless, TSAC doesn't require IIS be on the terminal machine anyway, it can run off any box. It's still just an RDP connection.

  61. 99.999% by Anonymous Coward · · Score: 0

    The most important thing is that 99.999% uptime per year means a downtime of 5 minutes and 16 seconds.... Most PCs don't even reboot in that time frame :)

  62. Me fail English? That's unpossible! by Anonymous Coward · · Score: 0

    no text

  63. There can be only one by Anonymous Coward · · Score: 0

    why should there be only one?

    Because it is the destiny of W2KDC to engage in ritual combat with other servers and OSs. W2KDC servers are monitored 24x7 by a covert group called "watchers". A W2KDC can only be brought down by cutting off the head of the sysadmin - or not paying your support contract.

  64. All your service packs by Anonymous Coward · · Score: 0

    are belong to us!

  65. Microsoft patches before the worms by Anonymous Coward · · Score: 0

    There is one thing that should be made clear. Microsoft has created patches before the worms were out, not after. System admins had months to patch their system before many of the worms were released.

  66. My banks by JediTrainer · · Score: 2

    He obviously didn't even bother to check, but rather was just spewing FUD. Using Netcraft, I found out the following (now that you got me curious)... these are the (Canadian) banks that I trust with my money nowadays...

    www.tdcanadatrust.com - IBM_HTTP_Server/1.3.12.2 Apache/1.3.12 (Unix) on AIX

    www.ingdirect.ca - Netscape-Enterprise/4.1 on unknown

    www.cibc.com - Netscape-Enterprise/3.6 SP2 on Solaris

    www.bmo.com - Netscape-Enterprise/3.6 SP3 on Solaris

    www.royalbank.ca - Netscape-Enterprise/3.6 SP3 on unknown

    --

    You can accomplish anything you set your mind to. The impossible just takes a little longer.
  67. Question about Databases and clustering. by mindstrm · · Score: 2

    Is it possible to cluster SQL server in order to yield increased performance?
    Intuition tells me no, which is why you see so many large database servers.

    But is it possible at all?

  68. Nope. No need for IIS. by mindstrm · · Score: 2

    You can run it from any webserver.. it's active-X.. it's client side.

    Also, you only need it available once.. you don't have to have it on each terminal server. You don't have to have it on ANY terminal server.. you can stick it wherever it's convenient... and use it to connect to as many terminal servers as you want.

  69. run oracle on solaris, dumbshit by Anonymous Coward · · Score: 0

    solaris s0laris so14r15

  70. the guarantee is bullshit by Anonymous Coward · · Score: 0

    you'll soon discover that most things that bring your server down won't be covered under the bullshit SLA.

    1. Re:the guarantee is bullshit by Anonymous Coward · · Score: 0

      Such as? I've seen this a few times so far, but none of you seem to want to elaborate...

    2. Re:the guarantee is bullshit by Tony-A · · Score: 1

      It's a Microsoft 99.999%
      For real 99.999% try IBM or Sun with a real OS.
      *BSD on very good hardware might make it.
      Linux on very good hardware should be close. (You want a year or two of actual field experience)

  71. Re:Question about Databases and clustering. by alen · · Score: 2

    Windows 2000 Advanced Server and Datacenter support network load balancing. Kind of like Beowulf, where the machines divide the tasks among them. Never used it. We only had clustering running on Advanced Server at work to test it.

    SQL 2000 Enterprise and Exchange 2000 Enterprise support clustering on advanced server and datacenter server. I assume they support network load balancing too.

  72. EXACTLY! (MOD UP) by SectoidRandom · · Score: 1

    Spot on! This whole article is flawed; the purpose of Datacenter and the restrictions on it are by design! Premium support means just that: when patches come out from MS, sure, it means a few days (/weeks?) etc. to be verified, but each M$ advisory has more than just a link to the patch, including steps to limit vulnerability in the interim.

    Also, the big thing to remember here is each of those exploits used in Nimda / Code Red were patched by MS MONTHS before either of those worms came out.

    Like any highly customized - specialized vendor supplied unix, Datacenter is limited by design, and for damn good reason!

  73. ms premier support = $12/hour outsourcer by Anonymous Coward · · Score: 0

    MS Premier support for NT, Win2k, and Exchange is handled by clueless outsourcers like Stream International and other shithole support boiler-room/sweatshop operations. Once you get to the "third level" at the outsourcer your case gets to a first-level support shithead at Microsoft. I can guarantee that it will take over a month to talk to anyone that actually works for Microsoft or has ever touched a computer in a real live production environment.

    1. Re:ms premier support = $12/hour outsourcer by Nickodemus · · Score: 1

      Not with Datacenter. Part of the price you are paying for this OS covers support directly from Redmond. You call, give them your account number, and you are escalated to level-four tech support with an engineer within minutes. That's what you get for a million-dollar (hardware and software) solution.

    2. Re:ms premier support = $12/hour outsourcer by velouria · · Score: 1

      I can't comment on the situation in the US, but when I worked as third level support at a MS Certified Support Centre (or whatever they're called now), any customer with a support agreement got all their server issues passed by us as soon as they were logged, and we in turn had incidents logged with our MS Regional Support Centre pretty much straight away if there wasn't an obvious fix.

      I will admit that the first response from MS was often some first level engineer asking us to check vaguely related KB articles, but as long as we included reasonable detail when logging an incident and preemptively listed KB articles which we'd tried / didn't apply then we got a proper engineer reasonably smartly.

      If the problem was with something like Exchange Server then we'd usually get a very experienced guy straight away. Also, you get to know the MS guys, and I'd ring a good engineer direct if I was getting mucked about.

      There's your Technical Account Manager at MS too - if we logged an incident with MS at the wrong priority or had been too slow in providing MS with followup information they'd asked for, you could guarantee our TAM would be on the phone to our manager. We could call him direct if we thought we weren't getting adequate service from the MS engineer.

      If you had a Compaq Datacenter Server (for example) then Compaq would be your Premier Support Centre. They'd definitely have a named third-level support person dealing with you, who would definitely be able to talk to real MS engineers very quickly (when we logged a Priority A incident, MS guaranteed a knowledgeable engineer would phone us day or night within an hour - it was in Microsoft's SLA with us).

      The couple of times large customers encountered bugs that didn't already have hotfixes available, we got new hotfixes created by QFE remarkably quickly.
      Service packs for things like Terminal Server did come out after NT Server service packs, but hotfixes were available or created for all of the issues we had (lots and lots - we had 10 or 12 stability-related hotfixes in our standard image when we did a very early rollout of a Terminal Server farm).

    3. Re:ms premier support = $12/hour outsourcer by AKAJack · · Score: 1

      Premier Support is a contract with Microsoft with a specific SLA and a person assigned (part or full time) to your account (Technical Account Manager).

      Our Premier Support is great (at nearly US $500k per 18 months it should be!)

      Premier Tickets are routinely escalated in the first five minutes of the phone call once the Microsofty realizes they're not talking to an idiot. Engineer direct support within an hour is possible, if needed.

      I agree that first level is going to search TechNet and the knowledge base and make sure you've covered your bases - all things you should be doing before you call anyway.

      Our previous TAM was "moved on to another account" after we complained ONCE that he was not keeping an eye on our support tickets the way we desired.

      I don't know what kind of support you're getting, but it's not Premier.

    4. Re:ms premier support = $12/hour outsourcer by Anonymous Coward · · Score: 0

      It was Premier - our TAM was totally ineffective; I would complain and get nowhere. I escalated up to the head of Premier Support - nothing. I was told our TAM was "one of the best" and "an expert in this area". Minnie Mouse knew more than the TAM did. I had originally sent a code sample that clearly illustrated and reproduced the bug, fully commented to show the problem. And that was not the only time - we had a show-stopper bug in a major server product that took months to be told "gee, yeah, that's a bug, and we're not going to do anything about it". We were on "Premier Support for Developers" and got excrement piled on us by MS every time. Calling direct to engineers did no good. I'm glad for you that Premier worked for you; we've switched from targeting anything MS makes to Linux. At least we can, if need be, deal with critical problems since we can have the SOURCE.

    5. Re:ms premier support = $12/hour outsourcer by mrbinary · · Score: 1

      I can't comment on MS's support; I imagine it would be pretty good for a thing like DataCenter (DC). I wouldn't be too surprised to find out that they will bend over backwards to give a DC customer every resource needed, even at the expense of other customers with less fattened accounts. Here's a story of IBM's support. I work for a large outfit in Canada. We do A LOT of business with Big Blue, software and hardware. When we ran into troubles with IMS (an ancient d/b product that runs on OS/390 and predates DB2), they actually flew in a crit-sit team assembled from England, the US, Australia and Canadian offices that were IBM's best and brightest in this software and also really knowledgeable about the OS. Similar situation last week with me and a problem I ended up having to take care of. They didn't need to fly in a team in this situation, but I had an IBM hand-holder sitting in my office calling the various software support teams directly, and I was getting so many calls and emails from IBM support teams that if I hadn't ignored some of them it would have been impeding getting the problem resolved. The problem was actually sent up to their DB2 development team at one point. You pay big bucks for the gold-plated support contract, but IBM pulls out all the stops when you get into a jam. Just thought I'd add a different perspective.

      --

      ----
      Slán leat agus go n'eirí an bóthar leat
  74. Windows 2002/XP Datacenter by green+pizza · · Score: 2

    A while back my organization had several major security concerns with both Win2K Server and Win2K Datacenter, most of which dealt with LDAP. After our concerns were finally escalated high enough within Microsoft, a surprising reply was sent to us... It basically stated that some of the holes were to be patched by Q4 2001 but that we should consider upgrading to what they called 'Whistler Datacenter' (essentially the server and datacenter versions of Windows XP) for complete security. I for one am tired of feeding the M$ machine.

    1. Re:Windows 2002/XP Datacenter by Anonymous Coward · · Score: 0

      You're full of shit.
      How do I know that you're full of shit?
      There is no such thing as a "datacenter version of XP". Moron.

  75. If the worm gets in the corporate network by elandal · · Score: 1

    For everyone proposing firewalls etc:

    Of course the W2kDC wouldn't be exposed to the internet. But Code Red and Nimda could get into the corporate network through an internet-connected external webserver that then launches attacks all over the corporate intranet. That's why some company could have hundreds of infected computers: not because all of them were exposed to the internet, but because one server that sees both the internet and the intranet is compromised. And that may be under somebody else's responsibility. It takes just one lazy admin...

    I don't know anything about W2kDC, so I don't know if running IIS on them would be required or not. Just that I've seen gazillion cases where some stupid application required IIS for some functionality that was pretty much essential for the application to be useful at all. Apparently everything by MS that has an administrative interface is nowadays "administrative WEB interface" that requires MS IIS to work, and administering the software without using said interface might be hard.

    1. Re:If the worm gets in the corporate network by Anonymous Coward · · Score: 0

      Apparently everything by MS that has an administrative interface is nowadays "administrative WEB interface" that requires MS IIS to work, and administering the software without using said interface might be hard.

      Please show us that you're not completely full of shit by giving us plenty of examples of this. Seeing as Microsoft has very many server products, and you say "apparently everything by MS," this shouldn't be a difficult task for you.

      Patiently waiting until then...

  76. Patching by Anonymous Coward · · Score: 0

    Suppose there are patches for Datacenter on a fairly regular basis, let's say once a month.
    Let's say applying 1 patch to Datacenter takes like 5 minutes including the reboot.
    This means the server does not reach 99.999% uptime already.
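
    The arithmetic behind this post, and behind the 4:12 / 5:15 / 5:16 / 5.26-minute figures quoted elsewhere in the thread, as an added example that is not from the original thread: it computes the downtime a five-nines year actually permits and checks a few patch schedules against that budget. The schedules (monthly patching, a 5-minute reboot, a 30-second failover on an active/passive pair) are constructed assumptions, not figures from any poster or vendor.

```python
"""Availability budget arithmetic for a 99.999% per-year SLA.

Added example, not from the original thread. All schedule figures
below are constructed assumptions used to illustrate the calculation.
"""
import math

# A 365-day year, the convention behind the "5 min 15 s" figure in the thread.
SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # 31,536,000 s


def downtime_budget_seconds(availability, period_seconds=SECONDS_PER_YEAR):
    """Seconds of outage an availability target permits over the period."""
    return period_seconds * (1.0 - availability)


def achieved_availability(outages, period_seconds=SECONDS_PER_YEAR):
    """Availability delivered over the period given (reason, seconds) outages."""
    total = sum(seconds for _reason, seconds in outages)
    return 1.0 - total / period_seconds


def nines(availability):
    """Count the leading nines in an availability figure (0.99999 -> 5).

    A tiny epsilon absorbs floating-point error so that 1 - 0.99999,
    which is not exactly 1e-5 in binary, is not floored down to 4.
    """
    unavailability = 1.0 - availability
    if unavailability <= 0:
        return math.inf
    return math.floor(-math.log10(unavailability) + 1e-9)


def meets_sla(outages, target=0.99999, period_seconds=SECONDS_PER_YEAR):
    """True if the outage list stays inside the SLA target for the period."""
    return achieved_availability(outages, period_seconds) >= target


def yearly_patch_outages(patches_per_year, seconds_per_patch, reason):
    """One outage entry per patch window; every window counts against the year."""
    return [(reason, seconds_per_patch)] * patches_per_year


# Constructed scenarios (assumptions, not figures from the thread).
# (a) single server, monthly patch, full 5-minute reboot each time
SINGLE_NODE_MONTHLY = yearly_patch_outages(12, 300, "monthly patch reboot")
# (b) active/passive pair, monthly rolling patch, service moves in 30 s
ROLLING_MONTHLY = yearly_patch_outages(12, 30, "monthly rolling-patch failover")
# (c) the same pair patched quarterly
ROLLING_QUARTERLY = yearly_patch_outages(4, 30, "quarterly rolling-patch failover")


def summarize(name, outages):
    """(name, availability rounded to 6 places, nines, meets five nines?)"""
    a = achieved_availability(outages)
    return (name, round(a, 6), nines(a), meets_sla(outages))


if __name__ == "__main__":
    budget = downtime_budget_seconds(0.99999)
    print(f"five-nines budget: {budget:.2f} s = {budget // 60:.0f} min {budget % 60:.2f} s")
    for name, sched in (("single node, monthly", SINGLE_NODE_MONTHLY),
                        ("rolling, monthly", ROLLING_MONTHLY),
                        ("rolling, quarterly", ROLLING_QUARTERLY)):
        print(summarize(name, sched))
```

The single-node schedule lands at three nines, and even the 30-second monthly failover overshoots the 315-second budget, so five nines leaves room for almost no routine maintenance on the serving path unless patching is decoupled from service availability.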

  77. IIS needed for Terminal Server? by OSgod · · Score: 1

    Since when? IIS is not necessary for TS -- the advanced client for TS works on an IIS page, but you only need one web server, which can allow you to access any TS server in your environment -- in other words, don't run IIS on your Data Center server -- it doesn't need it.

  78. Rate parent funny +1 by blang · · Score: 2

    The SLA guarantees a 99.999% uptime or your money back
    Let me see, 99.999% uptime on a Windows system. That translates to 4 minutes and 12 seconds downtime per year. I don't know about you guys, but on this planet that's not what I call a credible proposition. On Windows, that's more like winning the lottery. I surely hope somebody in that meeting had the sense to laugh.

    --
    -- Another senseless waste of fine bytes.
    1. Re:Rate parent funny +1 by Anonymous Coward · · Score: 0

      Those big 8-way machines take much longer than 4 minutes to reboot. As soon as one patch is required you have to reboot. I can see how a vendor would hate to be installing patches on such a setup.

    2. Re:Rate parent funny +1 by AlgUSF · · Score: 1

      It is probably 99.999% uptime, or your money back for your downtime. 8 crashes * 5 minute reboot / 365*24*60... :-)
      I don't see how they could possibly guarantee a Windows box will stay up 99.999% of the time. It is probably just a marketing gimmick like the 10yr/100,000 mile warranty on cheap cars (Hyundai, Kia, ...).

      --

      I want my rights back. I was actually using them when our government stole them after 9/11.
  79. Unisys and Datacenter by isfry · · Score: 2, Informative

    As someone who just had Unisys install an ES7000 with Datacenter and talked to the install people: you can do anything to the box that does not touch the kernel. How Unisys explained the 5 9's SLA is that they will have a copy of your setup and will apply patches to it before they are installed on your system, but in cases like Code Red they will issue them to you and put them on the test server to test. They aren't going to keep you from installing a critical hotfix, but when possible they will test it before they unleash it upon you.

  80. Re:Ass sideways test utitlized again by Anonymous Coward · · Score: 0

    Try shoving the FreeBSD mascot up your ass. OUCH!

  81. Nice Comments by Null_Packet · · Score: 3, Insightful

    This may not be modded up high enough for the +4 folks to see it, but I have to say that the people posting at +4 and above have some really great comments.

    It's nice to see Slashdot as a technical community, not just a Linux one. I know, I know, *nix is the preferred OS of many of the readers/posters, but it's nice to see such an array of comments and extremely constructive ideas and comments. Nice Comments, all.

  82. Re:Question about Databases and clustering. by dsb3 · · Score: 1

    Actually, that is *NOTHING* like Beowulf at all.

    Beowulf is about squeezing speed out of multiple machines. Beowulf is not about load balancing. Beowulf is not about high availability.

    From the FAQ:

    1. What's a Beowulf? [1999-05-13]

    It's a kind of high-performance massively parallel computer built
    primarily out of commodity hardware components, running a free-software
    operating system like Linux or FreeBSD, interconnected by a private
    high-speed network. It consists of a cluster of PCs or workstations
    dedicated to running high-performance computing tasks. The nodes in
    the cluster don't sit on people's desks; they are dedicated to running
    cluster jobs. It is usually connected to the outside world through
    only a single node.

    Some Linux clusters are built for reliability instead of speed. These
    are not Beowulfs.
    --

    Slashdot? Oh, I just read it for the articles.
  83. Heres an idea... by Anonymous Coward · · Score: 1, Informative

    Ask the vendor! If they are working with you, they'll be more than happy to answer (and I'm sure even in writing). Don't open the obvious flame war to all the trolls.
    -k

  84. Thanks. but.. by mindstrm · · Score: 2

    That has absolutely nothing to do with my question.

    Load balancing is NOTHING like beowulf.. beowulf is about using appropriate parallel-processing libraries (PVM, etc) to squeeze performance out of a cluster of machines.

    As for the machines 'supporting clustering'.. that's an industry buzzword that's not terribly meaningful. ALL operating systems 'support network load balancing' in this respect.

    Win2k advanced server & datacenter do NOT automatically cluster anything; clustering is application specific.

    My question is whether database servers in particular can be clustered in order to increase performance (some queries to one machine, some to another). My theory is that they generally can't, because, in order to remain coherent, each machine would have to receive all transactions anyway.
    (Certainly lookups could be done with replicated databases.. that's not what I mean though.. I mean real transaction processing stuff)

    1. Re:Thanks. but.. by FigWig · · Score: 1

      Clustering DBs is possible, just difficult. Two phase commits allow for ACID transactions across remote DBs. I believe Oracle has some sort of system that does this. I have never seen one in production though.

      --
      Scuttlemonkey is a troll
    2. Re:Thanks. but.. by Anonymous Coward · · Score: 0

      Yes they can be, and the process it uses is a VLM, virtual lock manager. This allows multiple computers to access the same file system. Something that has existed for some time on Digital's Unix. I believe that Oracle also uses something like this for its Parallel Server.

  85. Exactly what I'm thinking too by dapic · · Score: 0

    Although according to my calculation it's 5 min 15 secs. per year. So patching every fix that M$ released seems totally unfeasible. But they would certainly have backup servers running at the same time, especially for cheap (relatively) boxes running IIS; if the OEM only made use of one webserver in their costly DataCenter solution, then they deserve to be out of business.

  86. MCP finally paying off by Karl+Cocknozzle · · Score: 1

    According to the MCT/Drone that taught us at my office, Datacenter can be modified to handle up to 64 processors based on hardware.

    Essentially, we were told 99.999% of Windows business operations would never have any realistic need for Datacenter. This was designed for the poor bastard who has to run a site like E-Bay on windows/IIS.

    [SARCASM]Or handle a national ID card DB...[/SARCASM]

    With all of this said, if you're doing something that requires this much horsepower (64 GB of RAM and 32+ processors?) you should be running linux. I mean, how much of your horsepower on this type of machine is wasted by Windows just to handle the SMP?

    --
    Who did what now?
  87. old updates by wr0ng · · Score: 1

    Aren't the exploits used by Code Red/Nimda relatively old? It seems to me even with Windows 2000 Datacenter, the vendors would have released updates well before these worms were written.

    wr0ng

  88. IIS on Datacenter by Karl+Cocknozzle · · Score: 1

    As the story says, IIS is used for administering these servers, so they are indeed in a very vulnerable position and need to be patched.

    If you are stuck in this unfortunate arrangement (having to run a customized version of Windows is a bigger nightmare than having to run regular strength windows) this is my recommendation:

    Uninstall IIS, FTP, and SMTP services. (Your call if this is a best practice in every circumstance... :)

    First, there is no legit use for Datacenter server other than SQL Server. Any DB large enough to warrant Datacenter could not be adequately administered using IIS. Second, rule #1 of SQL server is NEVER EVER RUN IIS ON YOUR SQL SERVER. If you break this rule, you do so at your own peril even without Code Red, Nimda, and whatever next week's major compromise is.
    --
    Who did what now?
  89. Why datacenter? Why IIS? Why all the FUD????? by Anonymous Coward · · Score: 0

    First, why would you want to run IIS on your SQL 7 box? You DO NOT need IIS for terminal services, I have no idea why you think that.

    Second, why are you looking at Datacenter when you want a clustered SQL solution? Advanced server is the product that you probably want here. You don't buy a mack truck to move a couch...

  90. Read up on Compaq's Datacenter program... by Anonymous Coward · · Score: 1, Interesting

    You should read up on Compaq's Data Center program at http://www.compaq.com/datacenter

    Specifically, this link http://www.compaq.com/solutions/datacenter/answer1.html#q1-1 says "Hot fixes and patches will be reviewed on a case-by-case basis for early release."

    You are most certainly not left out in the cold with this program. The "don't you dare update drivers, or install service packs and hotfixes" is there to prevent people blowing things up, when they shouldn't be touching the system, like with the recent Terminal Services hotfix.

    Datacenter's change control is really no different than you would see in a mainframe environment.

  91. Imagine... by Anonymous Coward · · Score: 0

    Imagine a Beowulf cluster of these!

  92. bullshit microsoft lies... by Anonymous Coward · · Score: 0

    Microsoft has always had a policy of lying about the outsourced scum they use to provide support. It's doubtful that this shitty "windows datacenter" will be any different.

    1. Re:bullshit microsoft lies... by Nickodemus · · Score: 1

      Too bad you have so little faith in Microsoft. Until you have experienced this level of support firsthand you should probably refrain from commenting. I am involved in a Datacenter project and can verify -first hand- that they meet their obligations on this, if no other, product.

  93. screw it by wickedhobo · · Score: 1

    I generally wouldn't use Win2k in a production environment. While SQL server I think is a great product, the weak link in the chain isn't SQL-Server it's the operating system. I've gotten bitten too many times with windows, and I've never really gotten bitten with Solaris.
    I remember when I first started my own company, we were looking for venture capital. There were VC companies that wouldn't even talk to us unless we switched over to Solaris. At the time I thought, "screw them." Now I'm dumber, but know they were essentially right.

    --

    --Stupidity is Self Curing!
    1. Re:screw it by Anonymous Coward · · Score: 0

      Actually, they weren't right. Which is why so many of those companies who bought unnecessary and expensive Sun boxes are out of business right now. Hell, Sun itself doesn't even turn a profit anymore. If the last couple of years have taught you anything, it should've been that a Vulture Capitalist couldn't find his own ass with both hands.

  94. A pointless question by Anonymous Coward · · Score: 1, Insightful

    Not to defend data server (which we run on an enterprise basis at my company with no problems - our Dell Service packs are always up to date)

    But what sort of a response did you actually expect to get by posting this on here ?

    I mean come on now - this is Slashdot

    MS Product = BAD
    Free Source = GOOD

    Therefore asking ANYONE on here to take a logical and intelligent look at this is a waste of time - in the last year I haven't seen much in the way of balanced and intelligent comment on anything other than how good anything LINUX is and how bad anything MS is - that's the fact

    Stop posting TROLL news articles - thats all this is.

  95. troll... or is it? by Anonymous Coward · · Score: 0

    Imagine a cluster of these (Nimda infected dataservers with OC3 to the internet)....

  96. www.tpc.org by Otis_INF · · Score: 2

    Microsoft got the top spots in the TPC-C transaction performance benchmark by using clusters of SQLserver2000. The feature that makes it worth using these clusters is 'partitioned views', which is something like: having a view on a set of data that is retrieved from more than 1 machine, i.e. what you want.

    --
    Never underestimate the relief of true separation of Religion and State.
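    As an added illustration of the 'partitioned views' mentioned above (not from this post or from Microsoft's TPC submission), here is the shape of a SQL Server 2000 distributed partitioned view across two nodes; the node names SQLNODE1 and SQLNODE2, the Sales database and the Customers table are assumptions. Each node holds one ID range, and the CHECK constraints are what let the optimizer send a query only to the node whose range it touches, which is the "some queries to one machine, some to another" question raised earlier in the thread.

```sql
-- Run on SQLNODE1 (assumed node name): member table for customer IDs 1..999999.
-- The CHECK constraint on the partitioning column is what allows partition
-- elimination, so queries for an ID in this range never leave this node.
CREATE TABLE dbo.Customers_1 (
    CustomerID int NOT NULL PRIMARY KEY
        CHECK (CustomerID BETWEEN 1 AND 999999),
    Name       nvarchar(100) NOT NULL
);
GO

-- Run on SQLNODE2 (assumed node name): the second, non-overlapping range.
CREATE TABLE dbo.Customers_2 (
    CustomerID int NOT NULL PRIMARY KEY
        CHECK (CustomerID BETWEEN 1000000 AND 1999999),
    Name       nvarchar(100) NOT NULL
);
GO

-- Run on SQLNODE1: register the other node as a linked server and turn on
-- lazy schema validation so opening the view does not cost a metadata
-- round trip to every member server on each query.
EXEC sp_addlinkedserver @server = N'SQLNODE2', @srvproduct = N'SQL Server';
EXEC sp_serveroption N'SQLNODE2', N'lazy schema validation', N'true';
GO

-- Run on SQLNODE1: the distributed partitioned view. The local member table is
-- referenced directly; the remote one through the linked server. The mirror
-- image of this view is created on SQLNODE2, so any node can serve any query.
CREATE VIEW dbo.Customers AS
    SELECT CustomerID, Name FROM dbo.Customers_1
    UNION ALL
    SELECT CustomerID, Name FROM SQLNODE2.Sales.dbo.Customers_2;
GO

-- This lookup is routed to SQLNODE2 only: the optimizer removes Customers_1
-- from the plan because its CHECK constraint cannot match CustomerID = 1500000.
SELECT Name FROM dbo.Customers WHERE CustomerID = 1500000;

-- Modifications through a distributed partitioned view require XACT_ABORT ON,
-- because the insert is a distributed transaction across the member servers.
-- The row lands in the member table whose range matches (here: Customers_1);
-- an ID outside every range is rejected by the CHECK constraints.
SET XACT_ABORT ON;
INSERT INTO dbo.Customers (CustomerID, Name) VALUES (42, N'Example Corp');
```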
  97. i suppose by jlemmerer · · Score: 1

    Datacenter is only a way for Microsoft partners to make more money... I think that an Advanced Server is enough for almost any company. They just want to sell their "customized" solutions to companies that don't trust their sysadmins.

    --
    ".Sig Stealer" was here
  98. proxying ? by Anonymous Coward · · Score: 0

    How's about proxying the IIS server through apache, and caching the site somewhere with getwww, switching to the cache when IIS becomes unusable ? This way, for, say n * $1000 (n being the amount of clustered http servers you need) you can keep any site up for a couple of days cheaply.

    Of course, any poster that says that you've got to keep the DB and the httpd on separate boxen is dead on in the first place.

  99. Rate parent "Ignorant of world beyond basement" -1 by Anonymous Coward · · Score: 0

    Back to playing MAME for you, junior, leave enterprise computing to people who know what they're doing.

  100. Timelines.... Re:Woah, big misunderstanding... by rainer_d · · Score: 1

    Well, according to eEye's Marc Maiffret, the predecessor of Code Red was a .htr worm that went more or less unnoticed because Microsoft quietly released a patch.
    While in the past a worm followed more or less closely after the exploit, this may not be the case in the future.
    Just imagine if the exploit coder and the worm writer were the same person!
    Would you release the exploit while you have the worm in the works?

    --
    Windows 2000 - from the guys who brought us edlin
  101. Monkeys by saqmaster · · Score: 1

    Come on.

    At a functional level, the thought of having customized patches made 'just for you' probably sounds quite appealing to most large scale MS users - to think that Microsoft are dedicating their time in some manner to cater for this company's needs to fine detail is pretty good.

    Unfortunately I don't have any experience as an end-user of these apparent focused support promises, but I've never actually heard of this coming up before..

    Of course, any large scale cluster on _any_ platform will create havoc if it is exploited - this news posting is just a troll to bring up the old iis-sucks-cos-of-vbs-etc hole yadda and view it in a different light and try and scaremonger people.

    It all boils down to how good your admin is. Whatever platform you choose, you need to make sure your SysAdmin is as good as they need to be to make your shit secure - that's the bottom line.

    --
    "Never let the truth get in the way of a good story..."
  102. Unisys by Anonymous Coward · · Score: 0

    Perhaps you should be asking this question of the people that make the de facto 'big iron' for Datacenter - Unisys.

    I would imagine, due to the partitioning abilities, you would have a separate partition for web services, in which case your SLA may not prevent you from patching such an installation beyond the core OS.

    http://www.unisys.com/hw/servers/es7000/

    Incidentally, Compaq resell OEM versions of this box.

  103. MS-Patches are themselves Bugs by Anonymous Coward · · Score: 0

    Microsoft released MS-051, which was supposedly to fix an exploit for Term Srvcs. It fixed the hole all right. It also fixed NOBODY being able to access the Term Server either. Once a bug is released for DC, where are you going to test it? DON'T take the vendor's word for it until you've tested it YOURSELF!

  104. Re:Unisys and ES7000 with Datacenter by niklausm · · Score: 1

    If you would use the MS products for an e-business platform, Datacenter is not the recommended product as OS for the web layer. There you should take an Advanced Server with Application Center to load-balance and replicate the webs. On the other layers, Datacenter is really great. And if you implement high-availability solutions, you can take down a partition without stopping the services to the outside. These shutdowns are planned, and so on, not in the SLAs to achieve 99.999%. We have been working with 3 ES7000s and 10 partitions with MS Win2k DC edition since February, and up to the moment I've seen one bluescreen on all machines....

  105. Why post this article at all? by rsimmons · · Score: 0, Troll

    Doesn't this sort of discussion belong somewhere other than slashdot? Who cares whether you should use datacenter or not?

  106. First Union Bank.. by Mage99 · · Score: 1

    Here in NC (where I am located) First Union Bank uses this software and I believe they ended up going with some sort of advanced IDS system that actually has some sort of counter-response to an attack built in. They did this because of just this situation where the OEM vendor couldn't get them patches quickly enough; they basically let their systems become infected and stopped all non-authorized traffic going either way. The problem with this tactic is that although Code Red/Nimda were relatively harmless, the next version may not be so harmless and may take out their data center.

    --
    We are what we repeatedly do. Excellence then, is not an act, but a habit.
  107. Firewalls don't mean squat by Anonymous Coward · · Score: 0

    Everyone keeps saying you should just keep the Datacenter server behind the firewall. Considering that Nimda has an infection vector through a MIME-type bug in a browser as well as an e-mail infection vector, it will bypass your external firewall without a problem. Even if you put a firewall internally to separate the Datacenter server from the rest of your LAN, you still have a browser with security problems (since it's part of the OS now).

  108. Clueless source by Archfeld · · Score: 1, Flamebait

    If you have Datacenter edition you have an enterprise contract; the person who submitted this has very little clue. We run MANY copies of DC, COMPAQ and M$ are our vendors and they have 2 hr response time on ALL critical ENTERPRISE level services. You DON'T use DC server unless you have a contract, YOU CAN'T even install the product without special codes. Nice editorial work /.
    Just what I expect from the Enquirer-like source that you've become over the last few months. Will you guys still be alive when Andover goes under very soon? Will you get control of /. back or will it be sold off as assets?

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  109. Re:making linux as secure as OpenBSD by ahde · · Score: 1

    sed -i 's/^/#/' /etc/inetd.conf

    OpenBSD is only especially secure as a default install, which means, essentially, turning all the services off. Kernel root exploits are about as common as on Linux, and they're using almost all the same apps.

  110. 5 nines by Anonymous Coward · · Score: 0

    5 Nines on Windows - I get this all the time. In fact the only thing that gets in the way is the odd fix. I think that configured the right way the ES7000 and Windows datacenter could make 100% - no problems.

    BTW Windows DC is dictated by MS. If MS say a patch is required, it's REQUIRED. No admins to get in the way - OEMs do as they are told - bean counters happy.

  111. Hogwash by matman · · Score: 2

    Run Hogwash... it's a modification of Snort that actually makes firewall decisions based on Snort rules... so you can detect an attack and refuse to allow it into your network.

    hogwash.sourceforge.net

  112. Datacenter No Different From Server? by v4sudeva · · Score: 1

    I'm posting this mostly to correct any misconceptions I might have about the way service packs work, so please feel free to correct me wherever I need it.

    It's my understanding, given to me by a top Microsoft consultant (this guy was a fricking wizard), that service packs only replace files that actually exist on the target computer; that is to say, if you don't use, for instance, some Novell DLLs, they don't get placed onto your system.

    Now, while Compaq or whoever are handing you a custom solution, they're not handing you custom code, are they? They don't rewrite lsass.exe, for instance, right? So whatever combination of Microsoft code they give you should be detected and updated properly by the logic in the service pack. Or so it seems to me at first blush.

    Like I said, please correct me anywhere I've screwed up.
    -vasudeva,
    parenting http://users.downcity.net/~vasudeva/,
    helping birth http://www.megarad.com

    --
    Personal me, collaborative you
  113. flamebait ? by Anonymous Coward · · Score: 0

    I guess posting real facts vs speculation could be considered flamebait, but only on /.
    As to the Andover question I'd like to hear /.'s plans regarding the potential shutdown/sell off of andover resources. Do they have a plan for the future ?

  114. Microsoft's View on Datacenter by Anonymous Coward · · Score: 0

    http://support.microsoft.com/support/kb/articles/Q265/1/73.ASP