Slashdot Mirror


Security Issues with Windows 2000 Datacenter?

alen asks: "The recent IIS security incidents got me thinking. Code Red and Nimda hit servers that weren't patched by their sys admins. If you get infected, you patch your server and end of story. But what if you're running Windows 2000 Datacenter Server? It's a customized solution that you can't change. All your service packs are customized by your vendor. What happens if you have a web or database server that needs to be patched immediately? Are you left out in the cold running unsecure software that you can't patch while you wait in line for your vendor to issue you a service pack or hotfix?" In a situation like this, the whole ball-o-wax resides with the vendor. If you have a good vendor who actually cares about customer satisfaction, these hotfixes will be available quickly. Would anyone out there actually recommend Datacenter for corporate environments?

"My company is currently looking to cluster our SQL 7 servers. We're considering Win2000 advanced server or datacenter. Around a month ago I sat in a meeting with our VP of IT, and the rest of the network admins I work with. Compaq tried to pitch their Windows 2000 Datacenter or Advanced Server solution. Here is the way the Compaq people explained it:

You get datacenter only from an OEM. They look at the apps you're running and customize a solution for you in their lab. Every datacenter implementation is different, and every datacenter CD is different. Since we would be using an EMC SAN as our clustered storage system they said our implementation would take special customization. They would have to contact EMC engineers and work together. Once you deploy it, the OEM monitors it. And you can't install any service packs or anything without getting an OK from your OEM. Any service packs are customized for your environment. The SLA guarantees a 99.999% uptime or your money back. Part of your money at least. Datacenter isn't an OS, but a program in their words.

Now here is the problem. With Code Red and Nimda, how do you patch IIS running on datacenter in a timely manner? The reason IIS servers became infected was because the admins didn't patch them in the first place. So say a new worm comes out in a few months and it takes a few days for MS to create a hotfix. Datacenter admins can't install it until they get their customized copy from their OEM. And almost every 2000 server runs IIS for terminal server. It can take a few days and in the meantime your servers could be down. And I don't see the SLA covering a situation like this. Meanwhile you're explaining to your CEO how this $500K supposedly guaranteed solution is sitting dead in the water and you can't do a thing about it.

Is there something I'm missing, or did Microsoft look over something like this? Especially when they are trying to push Datacenter as 'Big Iron'."

17 of 357 comments

  1. Corruption by phpAbUser · · Score: 2, Insightful

    Another major fear is that the databases will become corrupted by patches. Transition from mysql 3.2.6 -> 3.2.10.

    --
    PHP, it kicks ASP!
  2. Modify the SLA by SwedishChef · · Score: 5, Insightful

    Ask the vendor to modify the SLA to specifically cover the contingency of exploits and how they will be dealt with. Your vendor might try to claim that the 99.9999 uptime would cover this, but I'd counter that a server which is up but exploited is useless.

    --
    No one ever had to evacuate a city because the solar panels broke!
  3. Datacenter? by Anonymous Coward · · Score: 3, Insightful

    First of all if your company is wealthy enough to be using Datacenter as a web server I hope they are paying you a decent salary. :)

    It's a waste to use Datacenter as a web server or front end machine for applications; its best use is for big honking SQL applications like MS SQL server. Datacenter is a waste for Oracle/NT because Oracle on NT is the worst implementation of Oracle in existence. If you want a big honking box to do Oracle, for God's sake get a Solaris/HPUX/AIX monster. Big ass database servers should never be directly exposed to the internet anyways; the connectivity should be happening thru a balls to the wall firewall.

  4. Where did you get your advice?! by ssimpson · · Score: 5, Insightful

    "And almost every 2000 server runs IIS for terminal server"

    Erm, I work for a Citrix Gold partner and I've never encountered this before. Installing Terminal Server does not require IIS.

    In fact, according to M$ recommendations, you should minimise the services running on the TS box.....That means no IIS.

    Also, the "smaller but more servers vs fewer 8 way servers" for TS debate has been done and dusted, and the recommendation certainly isn't for having fewer large servers. The "sweet spot" is a farm of dual processor servers with 1.5Gb of RAM, thus you wouldn't need Data Center anyway - normal W2k Server would be more than adequate.

    --
    "Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
  5. Let's not forget.. by Phasedshift · · Score: 2, Insightful

    Let's not forget that the vulnerability Code Red, etc. takes advantage of has had a patch out for several months, but quite a few people never bothered to patch their servers. Chances are the patch(s) will be available shortly after the mainstream ones are released if you have a good vendor.

    Besides, say you're running *NIX with a specially modified version of Apache, and there is some remote exploit that is discovered. Obviously you can't just download the source, compile, and install, for fear of losing those 'special features'.. You need to patch your source code, which may barf (and then you either have to modify the patch file or do it manually. Which could suck if you have no programming skills, and it's heavily modified)...

    While most of us would view using a patch trivial (patch, recompile, install), the point is that similar situations could happen.

    1. Re:Let's not forget.. by Anonymous Coward · · Score: 1, Insightful

      Dammit, I am tired of everyone saying "Microsoft had the patches out months in advance, but the lazy admins did not patch their machines."

      Fact: Microsoft released a security patch on June 17th. Code Red exploited the security hole this patch fixed on July 4th. That is NOT a lot of time to patch every IIS on your network.

      Considering that most default IIS boxes took 34 patches to fix as of June 17th, and a reboot is required after every patch, this is a very bad place for an admin to be in.

      A friend of mine started working for a company on June 2nd and started the first day patching the company's 12 IIS boxes. When Code Red hit, he still got infected on two boxes. One because a patch did not take, or human error and another box because it was not patchable because the patch would not work with a certain Compaq RAID controller.

      MS has taken steps to help admins since the attacks by providing software that will scan your IIS box and let you know what problems you may have. But, this software was a month too late for most companies and all I have done since Code Red was charge companies $200/hr to move their IIS/ASP servers to Apache/PHP.

      I code in both ASP and PHP and I made 2x more money on ASP because it takes 2x longer to write anything.

  6. It all boils down to trust by DevTopics · · Score: 5, Insightful

    The real question is: can you trust your OEM?
    Then you can negotiate all the details. And remember: 99.999% uptime does not mean that your server stays up that long, but that you have only an unscheduled downtime of 0.001% or less. Applying a patch is, in nearly every case, a scheduled downtime and does not count.
    Now imagine you really, really need this patch: you can urge your OEM to install it and keep him free from all responsibility (e.g. a server crash after this does not count to the unscheduled downtime, because it was your decision to apply it). If you trust him to play fair, that's fair for both of you. If the OEM is trustworthy, he'll do what you order him to do, but in that case you will be responsible for the outcome as well. You can't burden someone with responsibility if he can't make the decision (unless you don't play fair).

    --
    You found a sword: +4 damage, +5 moderator points
  7. Redundancy? by Sase · · Score: 2, Insightful

    *Nod* all of these servers should be placed far behind a strict ruleset firewall.

    But what about redundancy? That's one thing I don't like about this "datacenter": why should there be only one? Or.. why should an application have to call for just "one" server? Wouldn't it be more wise to develop the application across a dual array of servers? Each one of these servers could be easily patched in a matter of minutes, at the same time. (Say Windows 2k advanced servers.)

    I'm personally not a fan of MS server products.. Although I have had to use them for quite a few applications.. but there has to be a way to get by the "necessity" for DataCenter Server.

    --
    ------------
    Sase
    "It's the opposite of that."
  8. The good sides of Mainframe Mentality... by mdb31 · · Score: 5, Insightful

    Windows 2000 Datacenter installations are hard to patch for the very same reasons that apply to IBM, Sun, HP, etc. installations of the same magnitude: you just don't touch them.

    This is commonly referred to as the Mainframe Mentality: these systems are so critical to a business, you don't make any changes to them unless these changes are a. absolutely critical and b. have been tested extensively in the exact configuration you'll be running them.

    Now, it may seem that this would cause every Windows 2000 Datacenter server to be instantly infected with Code Red and friends, but in reality this will not be the case, because:

    1. You don't expose your Datacenter servers to the Internet -- never. No matter if you're running Microsoft, AIX, Solaris or Linux: only trusted systems should have strict "need to know" access to your server;

    2. Datacenter-type servers typically don't run HTTP servers. You would scale out HTTPDs (more boxes), not scale them up (bigger boxes). Also see rule 1;

    3. The config of your Datacenter server is the bare minimum. So, in the case of Windows 2000, you would not ever run IIS or Index Server (the true culprit in case Code Red et al...) on it, just your database server and perhaps your business logic (although that, again, tends to scale out better than it scales up).

    In summary: security hotfixes and Datacenter-type environments tend to be mutually exclusive. If you need a patch to your Datacenter server, it pretty much needs to be custom-developed for you. Fortunately, since Datacenter setups are not typically designed by the clueless individuals that gave Code Red free rein, this tends not to be an issue in real life.

  9. Datacenter _is_ vulnerable by dybdahl · · Score: 3, Insightful

    Nimda did go behind firewalls. It came in via e-mail or external consultants with laptops that attached to the LAN, and then attacked all intranet servers. As the story says, IIS is used for administering these servers, so they are indeed in a very vulnerable position and need to be patched.

  10. Uptime is a poor metric by Anonymous Coward · · Score: 4, Insightful

    Specs are hard to write and all vendors have weasel clauses. Just look at insurance policies - damage due to acts of war is generally excluded. With cracking being described as a "terrorist act" you could end up with exploits not being covered.

    A big common exclusion is "unscheduled" downtime. One of our vendors would see a router or firewall machine starting to act funny and then quickly "schedule" some emergency downtime that night to reboot it thus avoiding having to pay.

    I have not had good experience with outsourcing - never forget that these are the same bunch of folks who are getting skewered for lousy tech support for poor end-users who have paid extra for support packages. Attitudes don't change much across corporations.

    Before I would spend the bucks for any sort of "managed services" I would make sure that the vendor guaranteed 100% availability without exception. Availability must be defined as a maximum latency (i.e. no end user will wait more than 750ms for a response or whatever is needed).

    Rationale? Any app that requires this type of support must be available to the end user without fail. That's why you pay the bucks.

    OS is "up" but web server is compromised or down? It's no good to the user. The downtime was scheduled? End user doesn't care.

    Why 100%? Why not. They are already guaranteeing less than 316 seconds per year of downtime. Let them work their payments for that downtime into the contract cost. I don't want to have to total up downtime and argue over when the year started. I want the vendor to know that any downtime costs them bucks. No argument, no weasel clauses, no exceptions (better keep those machines maintained, protected and patched).

    Been there - been burned. We moved our servers from a "managed solution provider" to a generic server farm and got far better service for one tenth the cost.

  11. Odd question by md_doc · · Score: 3, Insightful

    This is an odd question because both Code Red and Nimda were actually viruses that took advantage of things like directory traversal and admin tools on the system. In short most admins already knew about these issues and fixed them themselves by disabling the dir traversing and removing the template site.

    So in short to answer your question when it comes to Code Red or Nimda you really should not have a problem if you are a good admin. The same is true in the Linux world and newbie web programmers that do things like system calls without checking out what is going to be called. If you call something that the user passes to you then obviously they can do things like tracrt ip; rm -rf / and your code would let it. This is not Perl's fault or PHP's fault or any other language's fault, it is the programmer's fault.

    As much as I dislike Windows, mainly because I have been an ASP programmer for a long time and I would rather use Linux and do Perl programming (which I do now), Microsoft is somewhat right in that a knowledgeable sysadmin already had the holes fixed. At the same time they should not send out software with issues like that.

    --
    --MD--
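
The point in comment 11 about handing user input to a system call, shown as an added example that is not part of the original thread: the same input run through a shell, passed as a single argument, and validated as an IP address first. `echo` stands in for the network tool and the inputs are constructed, so nothing beyond printing happens; the function names are hypothetical.

```python
import ipaddress
import subprocess

# "echo" stands in for the network tool so the effect is visible and harmless.
TOOL = "echo"

def run_via_shell(user_input: str) -> str:
    """The pattern the comment warns about: user text pasted into a shell command line."""
    done = subprocess.run(f"{TOOL} {user_input}", shell=True,
                          capture_output=True, text=True)
    return done.stdout

def run_argv_only(user_input: str) -> str:
    """No shell: the whole string reaches the tool as one argument, ';' included."""
    done = subprocess.run([TOOL, user_input], capture_output=True, text=True)
    return done.stdout

def run_validated(user_input: str) -> str:
    """Parse the input as an IP address first, then pass the parsed value without a shell."""
    addr = ipaddress.ip_address(user_input.strip())  # ValueError on anything else
    done = subprocess.run([TOOL, str(addr)], capture_output=True, text=True, check=True)
    return done.stdout

def is_rejected(user_input: str) -> bool:
    """True when run_validated refuses the input before any process is started."""
    try:
        run_validated(user_input)
    except ValueError:
        return True
    return False

# Constructed sample inputs (documentation address range).
GOOD = "192.0.2.10"
BAD = "192.0.2.10; echo INJECTED"

if __name__ == "__main__":
    print("shell    :", run_via_shell(BAD).splitlines())
    print("argv only:", run_argv_only(BAD).splitlines())
    print("validated:", run_validated(GOOD).splitlines())
    print("rejected :", is_rejected(BAD))
```

Passing an argument list keeps the shell from splitting the input into two commands; the address check additionally rejects values such as a leading `-` that the tool itself would read as an option.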
  12. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  13. Woah, big misunderstanding... by Telek · · Score: 3, Insightful

    So say a new worm comes out in a few months and it takes a few days for MS to create a hotfix.

    Is there something I'm missing?

    Absolutely. You've got your timelines backwards.

    Worms come out a few months after the bugs have been discovered and patches have been made available. We're talking months here. Code Red came out more than 2 months after the bug had been discovered and patches created.

    Microsoft has had their patches out in the wild within a few days of a major bug being discovered. The worms however take much longer to be created/deployed/spread. Although it is possible for the worms to come out much faster, they will still be lagged behind the discovery of the bug, and the patches are issued almost immediately.

    And if you have an agreement with your provider that you will have 99.999% uptime, then you better believe that they will be phoning you at 2am in the morning to tell you that they're coming over to install a new patch lest they break their contract.

    --

    If God gave us curiosity
  14. Re:Uptime guarantee by starburst · · Score: 2, Insightful

    Five nines (99.999) is 5.256 minutes of down time per YEAR! NOT 1.44 minutes per day.

    None of my NT boxes can do that. My SCO box (nicknamed "The Uptime Server") is down only when I wish it down.

  15. Nice Comments by Null_Packet · · Score: 3, Insightful

    This may not be modded up high enough for the +4 folks to see it, but I have to say that the people posting at +4 and above have some really great comments.

    It's nice to see Slashdot as a technical community, not just a Linux one. I know, I know, *nix is the preferred OS of many of the readers/posters, but it's nice to see such an array of comments and extremely constructive ideas and comments. Nice Comments, all.

  16. A pointless question by Anonymous Coward · · Score: 1, Insightful

    Not to defend data server (which we run on an enterprise basis at my company with no problems - our Dell Service packs are always up to date)

    But what sort of a response did you actually expect to get by posting this on here?

    I mean come on now - this is Slashdot

    MS Product = BAD
    Free Source = GOOD

    Therefore asking ANYONE on here to take a logical and intelligent look at this is a waste of time - in the last year I haven't seen much in the way of balanced and intelligent comment on anything other than how good anything LINUX is and how bad anything MS is - that's the fact

    Stop posting TROLL news articles - that's all this is.