Slashdot Mirror
Security Issues with Windows 2000 Datacenter?
"My company is currently looking to cluster our SQL 7 servers. We're
considering Win2000 advanced server or datacenter. Around a month ago I sat in a meeting with our VP of IT, and the rest of the network admins I work with. Compaq tried to pitch their Windows 2000 Datacenter or Advanced Server solution. Here is the way the compaq people explained it:
You get datacenter only from an OEM. They look at the apps you're running
and customize a solution for you in their lab. Every datacenter implementation is different, and every datacenter CD is different. Since we would be using an EMC SAN as our clustered storage system they said our implementation would take special customization. They would have to contact EMC engineers and work together. Once you deploy it, the OEM monitors it. And you can't install any service packs or anything without getting an OK from your OEM. Any service packs are customized for your enviroment. The SLA guarantees a 99.999% uptime or your money back. Part of your money at least. Datacenter isn't an OS, but a program in their words.
Now here is the problem. With Code Red and Nimda, how do you patch IIS
running on datacenter in a timely manner? The reason IIS servers became
infected was because the admins didn't patch them in the first place. So say
a new worm comes out in a few months and it takes a few days for MS to
create a hotfix. Datacenter admins can't install it until they get their
customized copy from their OEM. And almost every 2000 server runs IIS for
terminal server. It can take a few days and in the meantime your servers
could be down. And I don't see the SLA covering a situation like this. Meanwhile you're explaining to your CEO how this $500K supposedly guaranteed solution is sitting dead in the water and you can't do a thing about.
Is there something I'm missing, or did Microsoft look over something like
this? Especially when they are trying to push Datacenter as 'Big Iron'."
Straight from http://www.microsoft.com/windows2000/datacenter/ev aluation/business/overview/default.asp:
From http://www.microsoft.com/windows2000/advancedserv
Other pieces of information not listed in that blurb about AS: supports up to 8-way SMP and 8 GB of RAM (compared to DC's 32-way and 64GB).
You're obviously not going to have a DataCenter machine sitting underneath your desk at work, but it's quite possible to do so with Advanced Server.
Keep these SQL apps behind the firewall.. turn off all IIS features on the sql boxes.. and at least Nimda should not be able to get at it. Any web interface would hopefully not use Datacenter, and use standard Advanced Server, which is easily patchable. If sql was available on the front line, well, they almost deserve it.
-=-Ze End-=-
Datacenter servers are not the only ones: Many e-banking applications (see s1.com, for example) are rolled by vendors, and upgrades do not come out as fast as vanilla IIS upgrades because of this.
I don't know of one bank that uses a non-IIS platform. Kind of scary.
If you aren't allowed to patch your server, then you should isolate it behind a firewall of some sort, so that the chances of infection are minimized. This may not work well for IIS (beyond simply not running it), but it will serve you well in the general case.
Reboot macht Frei.
Is a locked down version of Windows. What happens when you lock it down? Well, intensive testing occurs first to determine what is being done with the box and what possible problems could arrise. Then those problems are solved. Also, only certain applications are certified to run on a datacenter box. The goal here is to achieve five nines. That is have this box up and running for 99.999% of the year. Without thorough testing of applications this level of availability would be impossible.
Part of what you get with a Datacenter purchase is a premier level of support. This includes a named engineer for support, and automatic escalation to the highest level for any support needs. It also includes any updates and or fixes on a priority basis - if you have a Datacenter server you get patches, updates, etc. before anyone else does.
yup, you shouldn't be running IIS and SQL Server one the same machine. Ideally, you'd run SQL Server alone on the big machine and have a cluster of load-balanced inexpensive boxes running stateless ASP/ISAPI pages connecting to the DB over the LAN. You'll be free to patch the IIS boxes as needed and you can put them in a DMZ for extra security.
I can't find any info on MS's site right now, but I'm sure that OEMs that supply W2k datacenter are required to have a support team ONSITE at MS's campus 24/7.
;)
This article raises a very good point, but Microsoft's idea behind datacenter was they hat total control over the hardware environment, and they made sure OEMs would stand behind it too, so I'd be very surprised (and dissapointed) if the OEM didn't contact their customers *immediately* with patches whenever there was a hole (and I'd guess they are pretty busy too
Comment removed based on user account deletion
Put the datacenter server behind a firewall, preferably with some string matching functionality (ie watchdog).
/default.ida, filtering on global.asa is also a good idea ;-) etc ..
the later iptables have a string-patch included, which allow you to target certain port/string combo's, with this it is easy to block worms from the webserver, as long as you know what request it makes.
exampple to block cmd.exe access (taken from my own internal firewall scripts, this will block nimda)
$IPTABLES -A INPUT -p tcp -i ! $INTERNAL --dport 80 -m limit \
--limit $LIMITLEVEL -m string --string "/cmd.exe" \
-m state --state ESTABLISHED -j LOG \
--log-level $LOGLEVEL \
--log-prefix "MS IIS cmd.exe usage:"
$IPTABLES -A INPUT -p tcp -o ! $INTERNAL --dport 80 -m limit \
--limit $LIMITLEVEL -m string --string "/cmd.exe" \
m state --state ESTABLISHED -j LOG \
--log-level $LOGLEVEL \
--log-prefix "MS IIS cmd.exe usage:"
$IPTABLES -A INPUT -p tcp -i ! $INTERNAL --dport 80 -m string \
--string "/cmd.exe" -m state --state ESTABLISHED\
-j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p tcp -o ! $INTERNAL --dport 80 -m string \
--string "/cmd.exe" -m state --state ESTABLISHED\
-j REJECT --reject-with tcp-reset
If you wanted to block codered, filter on
(see iptables docs for more info)
G'luck
Good quesiton, so here's the deal:
Windows 2000 does have an update notification service, but it's not installed by default. You need to go to WindowsUpdate (Right on the Fucking Start Menu) once and install it. I think 98 was the same deal, but it might be preinstalled in ME.
Furthermore, security patches don't immedately get pushed out through WindowsUpdate, but instead get posted to another corner of MS website and announced through a listserv. To be fair, MS security patches aren't always QA'ed very well and tend to break something or other. They only show up in WindowsUpdate after a week or two and are known good.
But the basic problem was just laziness -- people who installed SP2 and thought they were up-to-date, people that didn't know they were running IIS and didn't install the patches while they were DLing the latest DirectX, and people that didn't bother to check at all.
If you follow the Linux kernel development, and read around, you'd notice that scaling to a 2-way or 4-way machine is a big leap in performance. Throw Linux or any other OS on a 6-way or 8-way machine and you will watch that increase in performance degrade (ie a 2-way machine isnt x 2 the performance of a single CPU machine, and an 8-way system isnt x 2 the performance of a 4-way machine).
This, of course, is crap. To say that "any other OS" has the same scalability problem that Linux has is simply not true.
Take IRIX, for instance. I wrote some image processing code that runs on Origin servers. The 8-processor server in my lab runs my code about four times faster than my 2-p servers. And, surprise, the 32-p server in my friend's lab runs my code about four times faster than my 8-p machine.
To generalize the problems you see on Linux and Windows to "any other" operating system is simply hogwash. Your point about Windows scalability is well taken, though.
I actually posted this question twice, and I'm glad they used this second posting with our actuall situation. The first one was more of a what if scenario.
As far as terminal server and IIS, you need IIS if you want to use the Terminal Server Advanced Client and go in through the web. I was originally taught to use TS through IE and forgot going in through the TS client.
If we do go with Datacenter, the servers will host SQL 2000 Enterprise in a clustered enviroment. We currently use SQL and have a propritery in house written app for it.
And as far as the Code Red holes being found months prior to infection, I just used this as an example. I remember in 1997 and 1998 NT had new security holes every week. Windows 2000 is slightly better. 6 months ago I remember downloading hotfixes that will appear in service pack 3.
My question still remains, if a new flaw in IIS, the kernel or any other part of the OS is found how long are we supposed to wait for a fix? I forgot the specifics, but I'm pretty sure the compaq people said they customize the source code for your enviroment. They will need a copy of our in-house app, get in touch with the EMC engineers because our EMC box will be our clustered storage and analyze everything else. Then we will get a CD with a customized copy of Windows 2000 Datacenter. Like EMC, the servers will be monitored by another company and they will most likely know of any problems before us. Every so often we will get a new CD with updates, service packs, etc customized for us. But if a new worm comes out in a few months that exploits some currently unknown flaw in Win2000 or any other part of the OS, will we be dead in the water while we wait for a patch? After September 11th we were calling EMC for tech support on our Symetrix and we were basically told get in line. They had richer customers to support first.
You need a Client Access License (CAL) only if the user is directly accessing the SQL Server. If you have 1,000 users hitting a webserver, but the one webserver is the only device hitting the SQL Server, then only the webserver needs a CAL, not the 1,000 users.
If 1,000 Internet users are directly accessing the SQL Server, then you need to get a per-processor license for the SQL Server.
If 1,000 corporate users are directly accessing the SQL Server over the WAN or LAN, then you need 1,000 CALs.
Both Nimda and Code Red can be avoided by locking down the IIS 5 configuration (... as demonstrated by the MS IIS lockdown tool). No patches (not even OS service packs, i.e. no Win 2k SP1 or SP2) are required! If you add some firewalls in front of your IIS, one of those being e.g. ISA Server 2k, you could use - HTTP forward caching (where all cached requests would be handled on the "other" side of the NAT firewall) - content filtering (to block offensive code such as Nimda). If your admin knows her job, everything should be just fine with your Win 2k Datacenter (except for the noise those boxes tend to make) ...
M.
The issues mentioned in this article are null & void, as a situation like that would most likely never, ever happen. (Then again, you picked Compaq as your OEM, so maybe...*insert rim shot here*)
And you weren't running on a PC either.
There are scalability limits beyond 4 and 8 processors. Part of it is hardware and a lot of it is software. SGI/IRIX does both very well (hello, they make/made the CRAY!) The scheduler used for small SMP systems does not work well with large SMP systems. And PXE, the 36-bit address extensions, is a significant performance hit for machines not acutally requiring it.
Performance does not scale linearly -- on any system. "About 2x" is not "2x". IRIX scales better than most, but it still isn't perfect. And, surprise, Windows scales better than Linux (or used to.) BeOS is about the best thing I've seen for standard PC hardware -- too bad it never caught on.
Datacenter is a great deal different from the other windows'. Unlike the difference between NT Workstation and Server (two registry keys), Datacenter is very different.
Remember, 99.999% uptime is 1.44 minutes of downtime per day. Just enough time to reboot a well-tuned system.
As someone who just had Unisys install an ES7000 with Datacenter and talking to the install people. You can do anything to the box that dose not touch the kernel. How Unisys explained the 5 9's SLA is that they will have a copy of you set up and will apply patches to them before they are installed on your system, but I cases like code red they will issue them to you and put it on the test server to test. They aren't going to keep you from installing a critical hot fix but when possible they will test it before they unleash it upon you.
Ask the vendor! If they are working with you, they'll be more than happy to answer (and I'm sure even in writing). Don't open the obvious flame war to all the trolls.
-k