Security Issues with Windows 2000 Datacenter?

alen asks: "The recent IIS security incidents got me thinking. Code Red and Nimda hit servers that weren't patched by their sys admins. If you get infected, you patch your server and end of story. But what if you're running Windows 2000 Datacenter Server? It's a customized solution that you can't change. All your service packs are customized by your vendor. What happens if you have a web or database server that needs to be patched immediately? Are you left out in the cold running unsecure software that you can't patch while you wait in line for your vendor to issue you a service pack or hotfix?" In a situation like this, the whole ball-o-wax resides with the vendor. If you have a good vendor who actually cares about customer satisfaction, these hotfixes will be available quickly. Would anyone out there actually recommend Datacenter for corporate environments?

"My company is currently looking to cluster our SQL 7 servers. We're considering Win2000 advanced server or datacenter. Around a month ago I sat in a meeting with our VP of IT, and the rest of the network admins I work with. Compaq tried to pitch their Windows 2000 Datacenter or Advanced Server solution. Here is the way the compaq people explained it:

You get datacenter only from an OEM. They look at the apps you're running and customize a solution for you in their lab. Every datacenter implementation is different, and every datacenter CD is different. Since we would be using an EMC SAN as our clustered storage system they said our implementation would take special customization. They would have to contact EMC engineers and work together. Once you deploy it, the OEM monitors it. And you can't install any service packs or anything without getting an OK from your OEM. Any service packs are customized for your enviroment. The SLA guarantees a 99.999% uptime or your money back. Part of your money at least. Datacenter isn't an OS, but a program in their words.

Now here is the problem. With Code Red and Nimda, how do you patch IIS running on datacenter in a timely manner? The reason IIS servers became infected was because the admins didn't patch them in the first place. So say a new worm comes out in a few months and it takes a few days for MS to create a hotfix. Datacenter admins can't install it until they get their customized copy from their OEM. And almost every 2000 server runs IIS for terminal server. It can take a few days and in the meantime your servers could be down. And I don't see the SLA covering a situation like this. Meanwhile you're explaining to your CEO how this $500K supposedly guaranteed solution is sitting dead in the water and you can't do a thing about.

Is there something I'm missing, or did Microsoft look over something like this? Especially when they are trying to push Datacenter as 'Big Iron'."

Whats it needed for?

[Izeickl]

Erm, what are the big advantages of Datacentre over Advanced server etc?

Re:Whats it needed for?

[Osty]

Erm, what are the big advantages of Datacentre over Advanced server etc?

Straight from http://www.microsoft.com/windows2000/datacenter/ev aluation/business/overview/default.asp:

Microsoft® Windows® 2000 Datacenter Server is the most powerful and functional server operating system ever offered by Microsoft. It supports up to 32-way symmetric multiprocessing (SMP) and up to 64 gigabytes (GB) of physical memory. It provides both 4-node clustering and load balancing services as standard features. It also provides the rich Internet and network operating system (NOS) services of all the versions of Windows 2000 Server. It is optimized for large data warehouses, econometric analysis, large-scale simulations in science and engineering, online transaction processing (OLTP), and server consolidation.

From http://www.microsoft.com/windows2000/advancedserve r/evaluation/business/overview/advanced.asp:

The Windows® 2000 Advanced Server operating system contains all the functionality and reliability of the standard version of Windows 2000 Server, plus additional features for applications that require higher levels of scalability and availability. This makes Advanced Server the right operating system for essential business and e-commerce applications that handle heavier workloads and high-priority processes.

Other pieces of information not listed in that blurb about AS: supports up to 8-way SMP and 8 GB of RAM (compared to DC's 32-way and 64GB).

You're obviously not going to have a DataCenter machine sitting underneath your desk at work, but it's quite possible to do so with Advanced Server.

Re:Whats it needed for?

[Waffle+Iron]

In other words, Datacenter changes the following two lines of code in the kernel header:

#define MAX_CPUS 32
#define MAX_MEM_GB 64

You pay only a few dollars for that mod. The remainder of the huge expense goes to pay for a special team of engineers whose purpose in life is to try to keep your systems up and running.

Re:Whats it needed for?

[ostiguy]

Datacenter can do 4 way active clusters- AS can only go 2 way.

ostiguy

Re:Whats it needed for?

[Density_Altitude]

AS: supports up to 8-way SMP and 8 GB of RAM (compared to DC's 32-way and 64GB)

Isn't those limitations just about which license you have? Like they do with MSSQL Server and the per-CPU licensing scheme?

Re:Whats it needed for?

[Osty]

Isn't those limitations just about which license you have? Like they do with MSSQL Server and the per-CPU licensing scheme?

Do you seriously think there's no technical difference between a OS that allows you to run uniprocessor up to 8-way SMP, and an OS that runs 8-way SMP at minimum (the minimum requirement for fault tolerance) up to 32-way SMP? It's more than just changing a license. You have to properly tune the system for such high concurrency. There's a reason DataCenter didn't ship at the same time Win2k Pro/Server/Advanced Server all shipped.

Re:Whats it needed for?

[joedoe]

It is optimized for large data warehouses, econometric analysis, large-scale simulations in science and engineering, online transaction processing (OLTP), and server consolidation.

My question is, just how good is it for econometric analysis and large-scale simulations? That would seem to be an area in which nobody really uses Windows, but I'm curious as to whether this could actually be competitive with the traditional usage of Unix boxes. Any thoughts?

--joedoe

Re:Whats it needed for?

[addaon]

Windows 2k AS can also use more than 4GB of ram... I've tested it with 12GB, and it worked fine with that. An 8GB limit would be mildly bizarre... 33 bit addressing? (Recent) Pentiums use 36 bit addressing, giving the 64GB limit which is inherent to well-designed OS's stuck on an Intel platform.

Re:Whats it needed for?

[BitwizeGHC]

In that case doesn't it make more sense to use a 64-bit arch that was built to scale to this sort of application, like, I don't know, say, SPARC? Trying to shoehorn Wintel boxen (aimed squarely at the desktop market) into such a role seems a bit silly, though Beowulf managed to get a few things right.

That's one of the things that bug me about Microsoft: they try so hard to be All Things to All People. Gee, it's like they want to conquer the world or something.

Re:Whats it needed for?

[the+eric+conspiracy]

I follow Linux Kernel development. Current kernels handle at least 8 way without much degradation.

If you want to address large amounts of RAM (> GB), you are better off with a 64 bit architecture.

Which you can download from RedHat today.

Re:Whats it needed for?

[foobar104]

If you follow the Linux kernel development, and read around, you'd notice that scaling to a 2-way or 4-way machine is a big leap in performance. Throw Linux or any other OS on a 6-way or 8-way machine and you will watch that increase in performance degrade (ie a 2-way machine isnt x 2 the performance of a single CPU machine, and an 8-way system isnt x 2 the performance of a 4-way machine).

This, of course, is crap. To say that "any other OS" has the same scalability problem that Linux has is simply not true.

Take IRIX, for instance. I wrote some image processing code that runs on Origin servers. The 8-processor server in my lab runs my code about four times faster than my 2-p servers. And, surprise, the 32-p server in my friend's lab runs my code about four times faster than my 8-p machine.

To generalize the problems you see on Linux and Windows to "any other" operating system is simply hogwash. Your point about Windows scalability is well taken, though.

Re:Whats it needed for?

[innocent_white_lamb]

In that case doesn't it make more sense to use a 64-bit arch that was built to scale to this sort of application, like, I don't know, say, SPARC? Trying to shoehorn Wintel boxen (aimed squarely at the desktop market) into such a role seems a bit silly,

You're right, from an "outside" point of view. However, when you're Microsoft then what you have to sell is Windows. Therefore, if you ask Microsoft the answer to your needs (whatever they are) is a Windows solution.

Remember the old jokes about the peddlars? "Special deal just for you today -- What do you mean, those shoes are too tight? They fit you fine! You just have to wear them for a few days to get used to them! Look at the lovely beadwork on the side! Isn't it lovely beadwork? Step right up folks! Sale on today! Special deals! Come on! Come in! Step up! Step up! Curse you, guy, I've sold you thos shoes already! No refunds, sorry! (bugger off, before I have to swat you) Step up folks, shoes for sale today! Step up! Nice shoes! Special deals! Step up!"

See? The "only reasonable solution" to any problem is, of course, the one that you're selling! And, like I said, MS has Windows. Therefore, the rest follows naturally.

Re:Whats it needed for?

[Cramer]

And you weren't running on a PC either.

There are scalability limits beyond 4 and 8 processors. Part of it is hardware and a lot of it is software. SGI/IRIX does both very well (hello, they make/made the CRAY!) The scheduler used for small SMP systems does not work well with large SMP systems. And PXE, the 36-bit address extensions, is a significant performance hit for machines not acutally requiring it.

Performance does not scale linearly -- on any system. "About 2x" is not "2x". IRIX scales better than most, but it still isn't perfect. And, surprise, Windows scales better than Linux (or used to.) BeOS is about the best thing I've seen for standard PC hardware -- too bad it never caught on.

Datacenter is a great deal different from the other windows'. Unlike the difference between NT Workstation and Server (two registry keys), Datacenter is very different.

Re:Whats it needed for?

[fams]

wrong, kernel 2.4 scales better than windows...
and the best system to use SMP that i know is OS/390

Re:Whats it needed for?

[Fnord]

I hate to tell you this but SGI didn't "make the Cray". SGI bought Cray along with their product line and then proceeded to slowly kill off their product line (while gradually trying to transition their customers to Origins). Thing is conventional systems like Origins (conventional relative to Crays at least) just really can't do what a true vector supercomputer can. And anyways, making a multiprocessor system is nothing like making a vector machine.

Re:Whats it needed for?

[mentin]

You got the point: IRIX runs on a special hardware, that allows it to scale. If you want to scale that good on PC, you need special hardware support beyond standard chipsets. If you have specialized hardware, you get specialized code in Windows (or Linux, or whatever) that knows about that hardware and can utilize it. So you get a customized version of Windows.
IRIX runs on a single hardware design, so it is always customized for it.

Re:Whats it needed for?

[mentin]

That is idiotic idea, written by somebody who does not understand how SMP works. Compare datacenter with IBM's mods of Linux kernel that allows it to scale up better (as a result Linux with IBM's mods scales down bad). If you think all IBM did is changing couple of defines - go for it.
Datacenter goes beyond IBM's mods in that it customizes Windows for particular hardware. This does gives good performance, but has its disadvantages (see the original post)

Re:Whats it needed for?

[King+Of+Chat]

You'll notice though that pretty much nobody actually runs it as flat 32 way SMP. The Unisys 32 CPU boxes are normally configured as a 4 x 8 way CMP machine (basically a cluster in a box). In fact, the 16/32 processor Compaq machines are rebadged Unisys ES7000s.

Back to the topic, as mentioned by other posters, you don't need IIS if you're just using the DC box a a big f*ck-off database server. In fact, you're better off not having IIS on there - especially if you're open to RDS (the s'kiddies favourite) as they can cause untold havoc using SQL server. Personally, if I had to use IIS for something public, I'd have a second firewall between the IIS box and the data box with no data at all on the IIS box.

Oh, and another point, if you are using SQL 7, then forget clusters/CMP. It just about works with SQL 2000, but has no load balancing (you can do it manually by partitioning the database) and the failover time is 1 - 5 minutes.

From what I can gather, DC and AS are very similar (although MS will deny this). Both have address extensions allowing over 4GB to be used, > 4 way SMP etc., but DC comes with all the drivers etc. checked out on the specific hardware so - hopefully - not as many BSODs. I wouldn't be surprised if someone comes up with the reg settings to turn AS into DC (Max_Processors=32, Max_Cluster_Boxes = 4) - but you'd have to frig with a DC box first - if you can get your hands on one.

Re:Whats it needed for?

[foobar104]

IRIX runs on a single hardware design, so it is always customized for it.

Actually, that's not right, either. IRIX 6.2 scaled about the same on the Challenge-series architecture (up to 36 processors) as IRIX 6.5 does on the Origin (up to 512 processors), two radically different designs.

It really has more to do with operating system architecture and scheduler design than it does with hardware.

Re:Whats it needed for?

[ahde]

yeah...I'm going to go out and buy me a 32-way pentium. Its marketing hype. There is, in theory, and 8-way Xeon, but you can't find one. It's marketing hype, that in Microsoft's actual code isn't much more than a #define.

Something like this:

/* New and improved command line interface*/

char c[1024];
printf("(A)bort, (R)etry, or (F)ail?");
scanf("%c", &c[0]);

/* this will stop over a thousand times as many stack overruns, rendering windows virtually 100% secure */

Corruption

[phpAbUser]

Another major fear is that the databases will become corrupted by patches. Transition from mysql 3.2.6 -> 3.2.10.

Modify the SLA

[SwedishChef]

Ask the vendor to modify the SLA to specifically cover the contingency of exploits and how they will be dealt with. Your vendor might try to claim that the 99.9999 uptime would cover this, but I'd counter that a server which is up but exploited is useless.

Re:Modify the SLA

[Multispin]

Usually 'uptime' is defined by clients being able to access it. If the exploit denies clients access to the service then the server is down. Otherwise, you could get 99.999% by just booting up into the BIOS or firmware and let it sit there.

Re:Modify the SLA

[baptiste]

Usually 'uptime' is defined by clients being able to access it.

Which means being hit by nimda would be a good thing since it 'enhances' machine accessability :) :) Root access for everybody! :)

Re:Modify the SLA

[Multispin]

LOL

Problem of the vender

[Twisted+Mind]

I think this problem is smaller than it seems.

The vender probably has a fix quickly, although it are special computers, they're still i386 compatible (sort of) so the vender won't have to port.

Re:Problem of the vender

[ByTor-2112]

No you are wrong here. Microsoft has in the past releases a botched hotfix that caused problems. To maintain 99.999% uptime the vendor would have to do massive testing before approving your installation of such a fix. It could VERY easily end up taking you from 99.999% to 99% uptime.

Datacenter?

First of all if your company is wealthy enough to be using Datacenter as a web server I hope they are paying you a decent salary. :)

Its a waste to use Datacenter as a web server or front end machine for applications, its best use is for big honking SQL applications like MS SQL server. Datacenter is a waste for Oracle/NT because Oracle on NT is the worst implementation of Oracle in existence. If you want a big honking box to do oracle for gods sake get a Solaris/HPUX/AIX monster. Big ass database servers should never be directly exposed to the internet anyways, the connectivity should be happening thru a balls to the wall firewall.

Re:Datacenter?

[spongman]

yup, you shouldn't be running IIS and SQL Server one the same machine. Ideally, you'd run SQL Server alone on the big machine and have a cluster of load-balanced inexpensive boxes running stateless ASP/ISAPI pages connecting to the DB over the LAN. You'll be free to patch the IIS boxes as needed and you can put them in a DMZ for extra security.

Re:Datacenter?

[King_TJ]

Yeah, but despite Oracle for NT being a terrible implementation, my workplace still uses it (on a DEC Alphaserver running NT 4) because Oracle won't support their products as "tier 1 support" if they're running on a non-Intel processor and Linux.

What's with that policy? "Oh, sure - we'll take your Oracle installation seriously if you have it loaded on a generic PII or PIII server - but on an Alphaserver? Nope, sorry... must not really be important to your business."

Re:Datacenter?

[Zurk]

umm..load OSF/1 or Tru64 on to your alpha box and oracle for tru64 gets tier 1 support.,

Re:Datacenter?

[spongman]

addendum: for extra security you should make your ASP scripts run as a domain user that only has access to the SQL server, specifically only has access to those tables/SPs on the server that are necessary to run the application. You should also disallow access to the SQL server by all other users except an admin group, none of which have access to log onto the IIS boxes. the reason for this is that even if security is breached on the IIS box, whatever user they run code as will still not have destructive access. it would also require a hacker to write a specific hack for your system in order to access the DB, which, while not being perfectly secure, will greatly reduce the possibilty of a 'script' attack and the likeliness that someone will bother to embark on such a hack will be diminished. of course, if you have really sensitive data then you should hire a security expert (which I am not).

hope this helps, though.

Time from Bug Found to Bug Exploited

[KingAdrock]

I think something that both Microsoft and the OEM's count on is the time it takes from the time a bug is found until the time the bug is exploited! In the case of Code Red and Nimda I think that time spanned months.

Is it not also true that only large OEMs offer Datacenter? I don't think you are going to have a huge problem with the likes of Compaq or Dell providing timely fixes. It may not be available the same day the Microsoft Fix is, but I would be guessing that MS provides enough info to the OEMs to get the fix applied within 3-5 days.

All in all I think the amount you need to worry shouldn't be more than the satisfaction you can get from a 99.999% guarentee

Re:Time from Bug Found to Bug Exploited

[Johnno74]

I think something that both Microsoft and the OEM's count on is the time it takes from the time a bug is found until the time the bug is exploited! In the case of Code Red and Nimda I think that time spanned months.

No, in code red's case the discoverer of the bug didn't go public until the patch was out, so the delay was effectively zero. Nimda used up to 7 different holes, but these were also patched very quickly.

It was months until the actual automated exploits and worms started appearing to exploit these well known holes, there was no excuse for being caught by Code Red or Nimda.

If there is one thing you can't accuse microsoft, its not being prompt to release patches for their holes... its just that their patches are requred far to frequently...

Where did you get your advice?!

[ssimpson]

"And almost every 2000 server runs IIS for terminal server"

Erm, I work for a Citrix Gold partner and I've never encountered this before. Installing Terminal Server does not require IIS.

In fact, according to M$ recommendations, you should minimise the services running on the TS box.....That means no IIS.

Also, the "smaller but more servers vs fewer 8 way servers" for TS debate has been done and dusted, and the recommendation certainly isn't for having fewer large servers. The "sweet spot" is a farm of dual processor servers with 1.5Gb of RAM, thus you wouldn't need Data Center anyway - normal W2k Server would be more than adequate.

Re:Where did you get your advice?!

[Kevinv]

WIth Windows 2000, when people talk about installing Terminal Services they are invariably talking about installing the administrative (2 connection only) version -- virtually everyone turns this on their servers, even IIS boxes and file servers.

I waiting for the first exploit of this.

Kevin

Re:Where did you get your advice?!

[murphj]

Installing Terminal Server does not require IIS.

If you want to use the IE active x control for TS you need to run IIS. Otherwise, you need to install the TS client.

Re:Where did you get your advice?!

[glrotate]

An exploit is not a DOS.

Re:Where did you get your advice?!

[SectoidRandom]

Quote: "The "sweet spot" is a farm of dual processor servers with 1.5Gb of RAM, thus you wouldn't need Data Center anyway - normal W2k Server would be more than adequate."

The main advantage of Datacenter is not necessarily the greater memory / etc capability, its the vendor support, (think unix system?) being able to get a 99.999% uptime GUARANTEE is a very very good thing on a Windows server, not that its impossible to do similar work for any *very* experienced admin (even on Windows) but having it as a vendor solution means you dont necessarily have to have a *true* expert on your payroll, which especially in the Win2k market is not as easy as you may think!

The problem here is making certain that your vendor is keeping you upto-date, as I see it this whole patch issue is NOT an issue, actually for many companies it would be a great advantage! Remember that all the patches for Nimbda and Code Red were out long before those worms were made, meaning that as long as your contract with your vendor ensures timley updates code red and nimda would be a complete non-issue!

I believe the situation is very similar to that of most Unix systems, and that is really how Datacenter is targeted.

Re:Where did you get your advice?!

[wazza]

No, an exploit is a means; a DOS is an end.

Datacenter

[fazil]

Keep these SQL apps behind the firewall.. turn off all IIS features on the sql boxes.. and at least Nimda should not be able to get at it. Any web interface would hopefully not use Datacenter, and use standard Advanced Server, which is easily patchable. If sql was available on the front line, well, they almost deserve it.

Re:Datacenter

[SurfsUp]

Keep these SQL apps behind the firewall.. turn off all IIS features on the sql boxes.. and at least Nimda should not be able to get at it.

Your attacker could still use some other exploit that doesn't rely on IIS. I hope you don't think we've seen the last of these.

Note that an exploit like the above wouldn't turn into a Ro0t on a Linux/Unix box because the database server typically doesn't run with system privilege.

Re:Datacenter

[thogard]

Its locked down all right. Just like the cisco call manager. The week before I had to make a decision between their IP phones and everyone elses, code red hit. I had a script that would pull back web pages from machines that tried to infect my home box. I was hit by at least three different cisco call managers. Now I have a system from someone else that isn't running windows.

Re:Datacenter

[SurfsUp]

Did you mean to link to some other page? The link you gave had no such exploit.

"Using extended stored procedures, the attacker could essentially gain complete control over the server itself."

Lets not forget..

[Phasedshift]

Lets not forget that the vulnerability code red, etc takes advantage of has had a patch out for several months, but quite a few people never bothered to patch their servers. Chances are the patch(s) will be available shortly after the mainstream ones are released if you have a good vendor.

Besides, say your running *NIX with a specially modified version of apache, and there is some remote exploit that is discovered. Obviously you can't just download the source, compile, and install, for fear of loosing those 'special features'.. You need to patch your source code, which may barf (and then you either have to modify the patch file or do it manually. Which could suck if you have no programming skills, and its heavily modified)...

While most of us would view using a patch trivial (patch, recompile, install), the point is that similar situations could happen.

Re:Lets not forget..

Dammit, I am tired of eveyone saying "Microsoft had the patches out month's in advance, but the lazy admins did not patch their machines."

Fact: Microsoft released a security patch on June 17th. Code red explited the security hole this patch fixed on July 4th. That is NOT a lot of time to patch evey IIS on your network.

Considering that most default IIS boxes took 34 patches to fix as of June 17th, and a reboot is required after every patch, this is a very bad place for an admin to be in.

A friend of mine started working for a company on June 2nd and started the first day patching the companies 12 IIS boxes. When code red hit, he still got infected on two boxes. One because a patch did not take, or human error and another box because it was not patchable because the patch would not work with a certain Compaq RAID controler.

MS has taken steps to help admins since the attacks by providing software that will scan you IIS box and let you know what problems you may have. But, this software was a month too late for most companies and all I have done since code red was charge companies $200/hr to move their IIS/ASP servers to Apache/PHP.

I code in both ASP and PHP and I made 2x more money on ASP because it takes 2x longer to write anything.

Re:Lets not forget..

[agallagh42]

"and a reboot is required after every patch"

Not if you know what you're doing. Using the qchain utility, you only have to reboot once after applying all the patches is one go (and can even be scripted). Then check if they all took by using the hfnetchk utility. This can easily be done (yes I've done it) on 12+ servers in less than an hour without ever getting up from your desk.

Re:Lets not forget..

[agallagh42]

...and in case anyone's wondering:

hfnetchk utility
qchain utility

Not only MS Datacenter

[ChazeFroy]

Datacenter servers are not the only ones: Many e-banking applications (see s1.com, for example) are rolled by vendors, and upgrades do not come out as fast as vanilla IIS upgrades because of this.

I don't know of one bank that uses a non-IIS platform. Kind of scary.

Re:Not only MS Datacenter

[ssimpson]

"I don't know of one bank that uses a non-IIS platform."

You need to look harder then. The first 5 banks I could be bothered to look at:

• www.smile.co.uk - Solaris
• www.hsbc.com - HP-UX
• www.barclays.com - AIX
• www.bankofamerica.com - Solaris
• www.bankofny.com - NT / Netscape Enterprise

Re:Not only MS Datacenter

[ecampbel]

There's a huge difference between a Bank's external web server and the internal systems it uses for handling transactions and other applications. While I can't vouch for the accuracy of the other poster's comment, checking netcraft really doesn't tell you if a bank uses Microsoft's technology for its mission critical applications.

Re:Not only MS Datacenter

[Florian+Weimer]

The server I use to access my bank account is running Apache. When the firewall settings were less tight, you could see that they were running a Linux kernel somewhere (at least for the firewalling), now I'm not sure.

To be honest, the bank is a "Genossenschaft", a concept which was invented back in the 19th century and is in some way similar to the free software movement. The bank itself uses OS/2 almost exclusively on desktops, which means that they were unaffected by the recent Microsoft worm craze, and they don't have a direct Internet connection. AFAIK, the computing center still issues IP addresses according to a scheme which is not compatible with the official IANA one, i.e. they use the whole IPv4 address space as if there was no public Internet.

Re:Not only MS Datacenter

[csbruce]

"I don't know of one bank that uses a non-IIS platform."

You need to look harder then. The first 5 banks I could be bothered to look at

There's no need to correct the previous poster. What he said is a tautology provided that he is ignorant.

Re:Not only MS Datacenter

[HR]

To get anal about it...
if it was a tautology there would be no "provided that", it would be true by definition.

IIS for Terminal Server?

[michael.creasy]

almost every 2000 server runs IIS for terminal server Errr, since when? Terminal Server doesn't require IIS to be installed.

Re:IIS for Terminal Server?

[0xA]

The Terminal Services Advanced Client (TSAC) requires IIS.

Well yeah, seeing as though TSAC is the web plugin for TS. But jsut why the hell yould you use Datacenter server for an app server?

Even if you did, does the IIS server have to be the same machine as the app server. I don't think it does but I can't recall. I know that with Citrix NFuse it DOESN'T and probably SHOULDN'T.

This whole discussion is pretty academic isn't it? Nobody is going to use Datacenter server for IIS or Terminal Services. That is not what it's for, you use Datacenter server for big databases or transaction processing, in which case there is no reason it should be accessable from an untrusted network.

Keep in mind, untrusted includes your users as well as your DMZ. Never trust your own network!

do it yourself

[vsync64]

I'm not an NT fan (run all UNIX stuff myself) but in general I've learned from bitter experience not to trust any sort of outsourcing solution. Learn to do it yourself, or hire someone who knows their stuff. But make sure you have direct control over your systems or they will spiral into ickiness.

Re:do it yourself

[11+platter+hard+driv]

YOU FOOL!

You need an OEM to even get the chance to touch a MS Datacenter Server. You can buy advanced server off the shelf, but datacenter server is where the big bucks are, so of course they made it so that you have to go buy it direct from manufacturer, with all extra features.

Please know what you are talking about before you post again.

Re:do it yourself

[innocent_white_lamb]

What's foolish about his comment. Read it again. He is saying "stay away from outsourced services." MS Datacenter Server is available "outsourced" only. Therefore, the logical conclusion is "stay away from MS Datacenter Server and find another solution." See? It doesn't sound terribly foolish to me....

Unpatched MS Data Center box + routable IP ==

[angry_android]

Worlds largest crack/xxx/iso/divx/pr0n server!
I've seen it happen to production servers b4 ">

Re:Unpatched MS Data Center box + routable IP ==

[markov_chain]

coke | nose > keyboard

Thanks for the laugh :)

~

When you can't secure it, hide it.

[haruharaharu]

If you aren't allowed to patch your server, then you should isolate it behind a firewall of some sort, so that the chances of infection are minimized. This may not work well for IIS (beyond simply not running it), but it will serve you well in the general case.

Re:When you can't secure it, hide it.

[SurfsUp]

If you aren't allowed to patch your server, then you should isolate it behind a firewall of some sort, so that the chances of infection are minimized. This may not work well for IIS (beyond simply not running it), but it will serve you well in the general case.

So, you're suggesting security by obscurity? Hmm, best of luck to you.

Some exploits work just fine through the firewall, so then you've got a compromised server insider your firewall and a false sense of security. There's no substitute for being secure in the first place. If it's not secure, don't connect it to your network.

Re:When you can't secure it, hide it.

[haruharaharu]

So, you're suggesting security by obscurity? Hmm, best of luck to you.

I would prefer to solve the problem, but if i can't patch, I'll do the next best thing: isolate the servers from the rest of the network. Good luck infecting with nimda when you can't even hit port 80 and all mail ports are blocked (in case some nimrod installs outlook on a datacenter.

Re:When you can't secure it, hide it.

[innocent_white_lamb]

Good luck infecting with nimda when you can't even hit port 80 and all mail ports are blocked

And what about the "next big thing" in cracks that can wander in and stomp all over your server from "causes unknown"? I didn't hear anybody screaming about the security holes that let Nimda in before Nimda actually got in. Perhaps the patch was available, but it wasn't the top-of-mind item for every IIS admin that there is. For evidence, see the spread of Nimda and Sircam.

You can firewall for this and you can firewall for that, but you might not be able to firewall for "exploit x" unless you know what it is. And you might not know what it is until you have been 0Wn3D.

Re:When you can't secure it, hide it.

[haruharaharu]

You can firewall for this and you can firewall for that

When you let 1, maybe 2 ports through, the next big thing tends to bounce off your firewall. If we don't explicitly need it, it ain't getting in!

Re:When you can't secure it, hide it.

[falstaff]

I work for a fairly large corporation, > 27k people. We had Nimda running loose inside our firewall. So did all the major firms in town that I work with. Someone gets a laptop infected at home, then brings it in to work. Poof, the corporation is infected. Best not to run IIS at all.

Re:When you can't secure it, hide it.

[haruharaharu]

what is needed is compartmentalization - sure, you run a firewall between the world and the corp, but you also run a firewall in front of anything sensitive. Internal firewalls of this sort have the advantage of being able to be more restrictive because they're protecting at most a few services. Corp level firewalls have to be more permissive in order to prevent open user revolt.

Re:When you can't secure it, hide it.

[Afrosheen]

Solution: don't put win2k on laptops.

Re:When you can't secure it, hide it.

[pmz]

If you aren't allowed to patch your server, then

you shouldn't have bought it in the first place. What's a system administrator good for if he/she can't administrate?

Re:When you can't secure it, hide it.

[Jburkholder]

>You can firewall for this and you can firewall for that, but you might not be able to firewall for "exploit x" unless you know what it is

Isn't that the reverse of how a firewall actually should be set up? My limited experience has been that you start by blocking everything, and then open holes for just the things that need to get through. If you leave it open, and then attempt to run around blocking things as you become aware of them, it almost defeats the purpose, doesn't it?

Re:When you can't secure it, hide it.

[innocent_white_lamb]

If you leave it open, and then attempt to run around blocking things as you become aware of them, it almost defeats the purpose, doesn't it?

Indeed. Perhaps I didn't make my point sufficiently clear. Lets try again:

There is a way to get through any firewall. There has to be, unless your box is disconnected from the net entirely, because that's the only way to have any functional use out of the thing. Therefore, by firewalling all of the functions that you are not using (or by firewalling all of the functions and then selectively opening up the ones that you are using, as you said) you are thereby opening a hole which could theoretically be exploited by the "next big thing" in massive Internet problems.

There, does that clarify what I'm trying to say?

Datacenter

[Nickodemus]

Is a locked down version of Windows. What happens when you lock it down? Well, intensive testing occurs first to determine what is being done with the box and what possible problems could arrise. Then those problems are solved. Also, only certain applications are certified to run on a datacenter box. The goal here is to achieve five nines. That is have this box up and running for 99.999% of the year. Without thorough testing of applications this level of availability would be impossible.

Part of what you get with a Datacenter purchase is a premier level of support. This includes a named engineer for support, and automatic escalation to the highest level for any support needs. It also includes any updates and or fixes on a priority basis - if you have a Datacenter server you get patches, updates, etc. before anyone else does.

customized solutions&patching

[nusuth]

It must be impossible to patch any linux installation if customized solutions are sooo hard to patch. Why would one wait for their OEM to move if they know a patch for one of the applications they are using is available? Download or apply only relevant parts of service packs, and you are done.

Re:customized solutions&patching

[mindstrm]

Because. if you do *anything* not certified by the vendor, the 99.999% agreement is void, and they are not responsible for downtime.

Datacenter is more of a custom solution package than a version of windows. Yes.. it's a version of windows 2000.. but it's really a whole package.

In other words, it's a version of windows used by vendors to create huge custom solutions, usually for databases.

Re:customized solutions&patching

[cymen]

Because this would void the 99.999% uptime deal and all the "sounds good on paper" but is really worthless crap when you do these deals. Is getting a refund on your fees worth more than your servers going down? So I agree with you to a degree but the pointy haired bosses would never agree with this... Least not until you gave them the "get hax0red right now or load an unapproved patch" rush case.

Get a guarantee within the contract

[Jeppe+Salvesen]

Get the vendor to patch your servers within 12 hours of Microsoft issuing a hotfix/patch. If they will not put that into the contract, tell them they're not professional enough. If they cannot do something as easy as that, would you really want them running truly business critical solutions for you?

Would They?

[nexex]

"Would anyone out there actually recommend Datacenter for corporate environments?" -- Sure, Bill Gates, Paul Allen, etc... ;)

It all boils down to trust

[DevTopics]

The real question is: can you trust your OEM?
Then you can negotiate all the details. And remember: 99.999% uptime does not mean that your server stay up that long, but that you have only an unscheduled downtime of 0.001% or less. Applying a patch is, in nearly every case, a scheduled downtime and does not count.
Now imagine you really, really need this patch: you can urge your OEM to install it and keep him free from all responsibility (e. g. a server crash after this does not count to the unscheduled downtime, because it was your decision to apply it). If you trust him to play fair, that's fair for both of you.If the OEM is trustworthy, he'll do what you order him to do, but in that case you will be responsible for the outcome as well.You can't burden someone with responsibility if he can't make the decision (unless you don't play fair).

Re:It all boils down to trust

[SectoidRandom]

I disagree, if i was such a vendor and someone asked for me to trust them to do a patch, hell even to click Start-Shutdown, i would only do so if two condition, first, i have known and worked with you for YEARS (so i know exactly what you know), and secondly if the contract allows it.

The second point i certainly hope would *never* allow it! The whole point of a vendor provided / supported solution like this is to keep every "computer expert" from goin in and "fixing" it! (Note emphasis, nothing personal of course)

Its all a non-issue i believe anyway, the whole point of such contracts and vendor sollutions is that they do the work, including all maintainance and patching. If its a money-back (or part of) guarantee, then they (the vendor) better be damn sure they keep things patched / running.

Re:It all boils down to trust

[SectoidRandom]

Sorry let me clarify my point there a little, especially in contex of what you said;

Quote: "Now imagine you really, really need this patch: you can urge your OEM to install it and keep him free from all responsibility"

That is especially bad from the vendors point of view, as one small patch could cause not only an immediate effect, but much much worse some minor, perhaps unknown problems later.

From my perspective as soon as such a server is (lets say) tainted by someone else its a lost cause! :)

Maybe im just a control freak tho? :)

Re:It all boils down to trust

[anticypher]

99.999% uptime does not mean that your server stay up that long

It depends on who writes the contract. I maintain servers with a 5x9's availability (not uptime, that is something different) guaranteed, the metric is taken at the end of every month for the previous 12 months of operation for a period of 6 years. The 5x9's include no scheduled downtime, we always switch in a fully tested duplicate system for the biannual hardware maintenance. If we ever have a crash that takes out the whole system for more than 7 minutes, we can write our bonuses goodbye for the next 13 months. The bonuses are the only form of profit built into the contract after all the engineering costs are covered.

The real question is: can you trust your OEM?

No, the real question is whether your management is stupid enough to believe a vendor offering a mythical 5x9's availability without a well developed plan for redundant hardware switchover, mirrored machines, raid storage, onsite spare hardware, experienced engineers who live within 30 minutes drive from your site with a goddamned pager surgically attached[end rantlet]. Did I forget to mention the motorcycles in case of large traffic jams :-) For the original poster's question, start googling for horror stories about the OEM and their failed installations, and complile a list for the next presentation. Then watch the sales slime start to sweat, mumble, and wave their hands to try warding off bad karma.

To offer 5x9's, the vendor must provide their own power (a battery room built by a qualified company), local stocks of spare hardware, and be able to supply a complete duplicate system within a few hours. At every one of our 5x9's sites, we have our own office space, with our own phones and our own internet connection.

As you can tell, a real 5x9's contract costs about 5 times as much as a regular installation. A real 5x9's contract always specifies the length of time to measure against, usually over a number of years, often as a moving average for the previous year or 24 months. A real 5x9's system isn't delivered on a custom burned CD-R so the client can fuck up the installation.

the AC

Re:It all boils down to trust

[HiThere]

The kinds of contract being discussed here seem to demand a control freak. Who else would be willing to honestly make that kind of a guarantee?

(There are answers, but those folk aren't honest.)

Re:Terminal Server but sort of OT

[ssimpson]

Your out of luck I'm afraid buddy as this is a "feature" of TS.

Adding Citrix XPs with give you more colours, better management tools etc.

OEM's are required to give 24/7 support.

[Johnno74]

I can't find any info on MS's site right now, but I'm sure that OEMs that supply W2k datacenter are required to have a support team ONSITE at MS's campus 24/7.

This article raises a very good point, but Microsoft's idea behind datacenter was they hat total control over the hardware environment, and they made sure OEMs would stand behind it too, so I'd be very surprised (and dissapointed) if the OEM didn't contact their customers *immediately* with patches whenever there was a hole (and I'd guess they are pretty busy too ;)

Datacenter, advanced server and a firewall

[Daath]

Put datacenter behind a firewall, the webserver (advanced server or the like) on dmz and have a secure "pipe" to the datacenter server where you database resides - no need to use the datacenter server as your webserver too, if you can afford datacenter server, you can afford a separate machine acting as a webserver.
Just my opinion, buy hey, I'm a linux guy...

Re:Datacenter, advanced server and a firewall

[Bert64]

But, putting a possibly insecure webserver where it can both be accessed from the outside, AND gain access to the critical internal systems, is no better than putting the critical systems directly accessible. If a cracker or a worm infiltrates the webserver, it could be used as a stepping stone into the internal systems.

Re:Datacenter, advanced server and a firewall

[haruharaharu]

Not likely. In this configuration, the database runs SQL server and nothing else. There is a firewall between the web and data tier with one, maybe two ports turned on. Besides, you can patch the web server.

DUH! :)

[gnovos]

I can see you haven't worked with Microsoft software very much, so I'll give you the solution: Reinstall your machine.

It's *just that simple*, can you believe it? Every time Nimda hits your machine, just wipe out the system drives, reformat and re-install! Easy, right? Sure you may have to reinstall 40 or 50 times a day, but again, if you are familiar with M$ software, you'll know you need tons of backup machines that you can swap out as needed with your infected machines. Make an assembly line of it. Have one guy reformatting, another guy reinstalling and a third guy disconnecting the infected boxes and plugging the fresh machines into the network!

Now, where do you want to go today?

Redundancy?

[Sase]

*Nod* all of these servers should be placed far behind a strict ruleset firewall.

But what about Redundancy? That's one thing I don't like about this "datacenter" why should there be only one? Or.. why should an application have to call for just "one" server? Wouldn't it be more wise to develop the application across a dual array of servers? Each one of these servers could be easily patched in a matter of minutes, at the same time. (Say windows2k advanced servers.

I'm personally not a fan of MS server products.. Although I have had to use them for quite a few applications.. but there has to be a way to get by the "necesity" for DataCenter Server.

Re:Redundancy?

[Sase]

WAsn't there a linux project that pooled the resources of multiple servers to create one virtual server... or really.. isn't there one out there.

Hrm.

The good sides of Mainframe Mentality...

[mdb31]

Windows 2000 Datacenter installations are hard to patch for the very same reason that apply to IBM, Sun, HP, etc. installations of the same magnitude: you just don't touch them.

This is commonly refered to as the Mainframe Mentality: these systems are so critical to a business, you don't make any changes to them unless these changes are a. absolutely critical and b. have been tested extensively in the exact configuration you'll be running them.

Now, it may seem that this would cause every Windows 2000 Datacenter server to be instantly infected with Code Red and friends, but in reality this will not be the case, because:

1. You don't expose your Datacenter servers to the Internet -- never. No matter if you're running Microsoft, AIX, Solaris or Linux: only trusted systems should have strict "need to know" access to your server;

2. Datacenter-type servers typically don't run HTTP servers. You would scale out HTTPDs (more boxes), not scale them up (bigger boxes). Also see rule 1;

3. The config of your Datacenter server is the bare minimum. So, in the case of Windows 2000, you would not ever run IIS or Index Server (the true culprit in case Code Red et al...) on it, just your database server and perhaps your business logic (although that, again, tends to scale out better than it scales up).

In summary: security hotfixes and Datacenter-type environments tend to be mutually exclusive. If you need a patch to your Datacenter server, it pretty much needs to be custom-developed for you. Fortunately, since Datacenter setups are not typically designed by the clueless individuals that gave Code Red free reign, this tends not to be an issue in real life.

Re:The good sides of Mainframe Mentality...

[Kevinv]

Well to counter point 1 - we had a user take windows 2000 laptop home, get infected with code red, then bring it back in the office and start infecting IIS that hadn't been patched because "they weren't exposed to the internet"

So that is no protection.

Kevin

Re:The good sides of Mainframe Mentality...

[mdb31]

Well to counter point 1 - we had a user take windows 2000 laptop home, get infected with code red, then bring it back in the office and start infecting IIS that hadn't been patched because "they weren't exposed to the internet"

May I suggest reading point 1? "Only trusted systems should have strict "need to know" access to your server" (emphasis mine). Now, user laptops != trusted systems -- they should not be anywhere on the same network. In some scenarios, the user could infect a trusted system, which would then get to the Datacenter server, but clueful system designers/admins would not let that happen either (by not installing IIS and/or Index Server on systems that don't require it, limiting outbound connections from the middleware servers to the Datacenter server to be SQL-only, etc. etc.)

Re:The good sides of Mainframe Mentality...

[mdb31]

MS Clustering for W2K REQUIRES IIS and the Index service!

Oh, wow, I guess I better go fix all my Windows 2000 AS clusters, then, since it's impossible that they have been running only SQL server for the past few years! Even if the cluster service install depends on IIS/Index Server (I don't remember and am too lazy to try, although I doubt it...), you can definitely disable the services afterwards.

Firewalls are a false illusion of safety

Yeah, in most cases I would tend to agree with you, especially since the term "firewall" has been overloaded into oblivion. Firewall-like tools (NAT, port/address ACLs, content screening, etc.) can be extremely valuable in building secure services, though.

The most common problem is that people equate a $100K Firewall-1 box with security. In reality, security requires a deep awareness of all related issues on all levels (hardware, software, people).

Re:The good sides of Mainframe Mentality...

[haruharaharu]

Firewall don't stop users from bringing in infected laptops from home that start infecting production machines. --- Firewalls are a false illusion of safety. Stupid users can always bypass security at any time.

I've seen you before. You were spewing the same tripe then as now

Firewalls do stop users when they lie between the server and everything else. If i were configuring a database server, it would have two ports accessible from the corp - ssh and the database. Nimda can't do much over that.

Also, if your users can get physical access to a datacenter style box, you're boned. That's just a given

Re:The good sides of Mainframe Mentality...

[Kevinv]

Maybe you should re-read your own point 1:

You don't expose your Datacenter servers to the Internet -- never.

The internal network is not the Internet. Now you're saying not to expose your data center to the internal network -- valid, but not your first point.

Kevin

Re:The good sides of Mainframe Mentality...

[evilphish]

or Linux: only trusted systems should have strict "need to know" access to your server;


finish reading his first point please

Re:The good sides of Mainframe Mentality...

[gentlemoose]

I run one datacenter server. 8-way intel hardware.

1: It got spanked by nimda. It's inside the corp. firewall, but the virus got into the network via email. Once inside, that particular region of the network is largely insecure. We're running it in a lab/demo environment, so security is not a huge concern.

2: The damned thing shipped with IIS installed and running. Since it's the only OEM OS we have in our lab, I didn't notice it there in the three days the box was plugged in.

3: see 2.

Called the vendor. Support was !ofclue about patches. The best I could do was apply all of the IIS-related patches, disable all MS internet services, and clean the hell out of the system. Love me some MS.

Re:The good sides of Mainframe Mentality...

[haruharaharu]

,i>So _trusted_ systems means your tech support teams Windows based computers

Of course not. Trusted means the other machines in the cluster and a port through the firewall to untruster SQL clients or whatever your Datacenter box does. And, if you run IIS on that thing, you had better not allow anything to talk to it. Do that and I will point and laugh.

Re:The good sides of Mainframe Mentality...

[Tony-A]

The internal network is not the Internet.
Only if no one on the internal network has ever received email or accessed a web page. Probably a few others I have forgotten.
How to get any work done without exposing your data center is an exercise left to the reader.

Re:The good sides of Mainframe Mentality...

[mmcgreal]

I'm gonna have to disagree with you here, as an administrator of many large installations of IBM and Sun systems, I can assure you that when we become aware of a root exploit, we assess the impact of the upgrade, and get it installed. The "mainframe mentality" you refer to is a copout. Any admin worth his salt should have his systems stable enough that he will not be afraid to change things on them (with due caution of course). Of course, I'm not an NT admin, so I can only conjecture how shady a patch from Microsoft can be.

And as for "You don't expose your Datacenter servers to the Internet" - you obviously are not keeping up with current security issues, since it's well know that 80% of breakins occur from the inside. Not to mention the fact that all large enterprises are internetworked, period. There is always a way in from somewhere, including the Internet, and thus there is no such thing as a "secure network".

And what's this about "Datacenter-type servers typically don't run HTTP servers"? There's plenty of services besides web servers that are potential points of attack. IIS just happens to be consistently faulty.

And what's this about "The config of your Datacenter server is the bare minimum"? I've never seen a bare minimum server running SAP, or Oracle.

The question is, what does Microsoft mean by Datacenter? They make it sound like you have every operation in the company riding on one Microsoft box. If you're doing that, you've got bigger problems than the occasional security patch.

Re:The good sides of Mainframe Mentality...

[posmon]

1. you shouldn't run iis on dc
2. you shouldn't share folders on dc
3. wtf? email?!? you wouldn't be installing outlook on it

Re:The good sides of Mainframe Mentality...

[Ioldanach]

Firewalls do stop users when they lie between the server and everything else. If i were configuring a database server, it would have two ports accessible from the corp - ssh and the database. Nimda can't do much over that.

Scratch ssh, too, if you have operators in your shop 24x7. And if you're looking for 5x9's, you probably do. If you need something done on the server, do it via console or via a special workstation (also running minimal services) inside that level of firewall and inside your secure server room.

Linux

[g_bit]

Would anyone actually recommend one of those Linux based "all-in-one" appliances that you guys love so much? You have to wait for your vendor to patch those too!! Do you hear anyone asking that question?? Nope.

Re:Linux

[C0vardeAn0nim0]

You don't have to wait for the "vendor" to patch anything.

It's open source. if the maintainer of that specific package don't come with a solution in less than 24h FIX IT YOURSELF. you have the code for G_d sake...

Re:Linux

[mickeyreznor]

Would anyone actually recommend one of those Linux based "all-in-one" appliances that you guys love so much? You have to wait for your vendor to patch those too!! Do you hear anyone asking that question?? Nope.

2 Things you can do if you find a security hole in a linux server:

1. You can ... fix it yourself(assuming you have someone who understands the code)!

2. You can hire anyone else to do it for you, not just the vendor.

Those are 2 things you can't do with things like win2000 datacenter.

Re:Linux

[Afrosheen]

Please don't feed the trolls.

Unanswered Question

[Phroggy]

If anyone out there is running Win2k Datacenter, I've got an important question I've been trying to find the answer to, with no luck so far. Can someone finally give me an answer? The question is this:

Does Windows 2000 Datacenter ship with 3-D Pinball installed by default? If so, is it in the Start menu?

That's all. Thanks.

Re:Unanswered Question

[alen]

If we do buy datacenter I'm planning on burning me a copy and install it on my home network. And maybe share it out to a few thousand of my closest friends.

Re:Unanswered Question

[thefogger]

Yea, and I'm gonna put it on my router. Since it's custom developed for me, it'll surely run on that AMD K5. And don't tell me that "it needs at least 8 CPUs" - I'll just fire up my hex editor and find that stupid "Number of CPUs: 0x01" byte in my BIOS and change it to 0x08... or the heck, I'll set it to 0xFF.

Re:Unanswered Question

[tino_sup]

I think Phroggy is onto something regarding Pinball. Hmmmmmmmm. Thanks for the laugh Phroggy!!

Re:Unanswered Question

It doesn't matter, I've seen way to many servers running the OpenGL screensavers. Mind you, servers aren't known for their hardware 3d, so its all done in software.

That alone will take up many times more hardware resources than a game of pinball.

Re:Unanswered Question

Actually no, they took all non-esesntials out. Even the "fade" effect in the start menu :-(

Re:Unanswered Question

[Patrick+Cable+II]

Yes, I've found 3-D Pinball to be an extremely useful database tool ;-)

Patrick

Re:Unanswered Question

[Noehre]

I wish I had one of those cool 5-way SMP boards.

Re:Unanswered Question

[EvilStein]

It does?!?! Oh crap.. oh well, I guess that's what I get for grabbing the first CD I saw lying around the office.. arrrgh..

Good thing RAM is cheap. :)

In truth, it's running ok on a 700mhz Athlon, 256mb RAM. It doesn't do a whole lot but act as a DC, and "fun with IIS!" box. *shrug*

Comment removed

[account_deleted]

Comment removed based on user account deletion

Datacenter _is_ vulnerable

[dybdahl]

Nimda did go behind firewalls. It came in via e-mail or external consultants with laptops that attached to the LAN, and then attacked all intranet servers. As the story says, IIS is used for administering these servers, so they are indeed in a very vulnerable position and need to be patched.

Re:Datacenter _is_ vulnerable

[Score+Whore]

Err. In every clued in installation I've worked in, all the database servers were sitting in their own private DMZ. With tight ass firewall rules. Only specific hosts can connect to the database servers and then only on specific ports. And the firewalls are stateful and makes sure that the protocols being used are appropriate for talking to the database servers.

Any architect that will sign off on a $500k server installation that doesn't include at least $50k for an HA, stateful firewall spefically in place for that server is an idiot that deserves to be pink slipped.

I'm guessing

[loraksus]

Since you're paying microsoft a shitload of money, I'm sure that something can be worked out. All the friggin losers who were hitting my box with (a la Code Red) were on DSL / @home lines.

Incidentally, the iis vunerability was known since iis 4.0 was released. It was kept secret by MS because of the "If no one knows about it, no one will exploit it". I'm thinking the data center people get the patches that home users don't - sort of like netware's support, there is a $200 per support issue, but they will forward the problem all the way up to the guy who coded the section you are having a problem with.

The lame fuck of the day is 24.202.127.156

Sybase

[YuppieScum]

As a sort of related issue, we're going to see many more implementations of W2K/DC & MS-SQL, as Sybase have decided to "update" their licensing model and fuck their customers in the arse.

Originally, it was:
Is your Sybase database accessed outside your company? Yes? More money please!

Now its:
Is the data in your Sybase database accessed outside your company? Yes? More money please!

Nte the subtle difference. We've got many front end applications in a DMZ talking to Sybase in our datacentre - the users never see Sybase, nor even know where the data comes from - but now Sybsae want more money...

So our CIO has done a deal with the Great Satan of Software, and we're going to

1. Sell all our Sun kit we use for hosting Sybase
2. Buy shit-loads of cheap x86 servers
3. Have MS "consulting services" port all the DBs and integrate them with our existing applications.

Re:Sybase

You need a Client Access License (CAL) only if the user is directly accessing the SQL Server. If you have 1,000 users hitting a webserver, but the one webserver is the only device hitting the SQL Server, then only the webserver needs a CAL, not the 1,000 users.

If 1,000 Internet users are directly accessing the SQL Server, then you need to get a per-processor license for the SQL Server.

If 1,000 corporate users are directly accessing the SQL Server over the WAN or LAN, then you need 1,000 CALs.

Re:Sybase

[MadAndy]

You need a Client Access License (CAL) only if the user is directly accessing the SQL Server. If you have 1,000 users hitting a webserver, but the one webserver is the only device hitting the SQL Server, then only the webserver needs a CAL, not the 1,000 users.

That's not quite right. From the MS website ( http://www.microsoft.com/sql/howtobuy/pricing/defa ult.asp ):

Multiplexing is the use of hardware and/or software to reduce the number of devices that directly access or use the software on a particular server. An example of multiplexing is a server application that calls the Microsoft Transaction Server (MTS) component of Microsoft Windows 2000 Server on one server, which in turn pulls data from a SQL Server database on another server. The client computer has a direct connection to the server running MTS, but it also has an indirect connection to SQL Server because it is ultimately retrieving and using the SQL Server data through MTS.

Use of such multiplexing, pooling, or related hardware and/or software does not reduce the number of CALs required for SQL Server. Regardless of how many tiers of hardware or software exist between the SQL Server and the client devices that ultimately use its data, services, or functionality, a CAL is required for each distinct input to the multiplexing, pooling, or related software or the hardware front end. Processor licensing will likely be the appropriate licensing option in these situations, due to its simplicity and affordability.

The processor license changes are relatively new - in the past you used an 'internet connector' license for websites (which didn't cover internal users), but it looks like the processor license covers everybody now.

Re:Sybase

[LegendLength]

But wouldn't this mean you could put a custom proxy in front of the SQL boxen and get all client to connect through that? It would only have a single link to the database then.

I'm just asking btw, not trying to be a smart ass.

Uptime is a poor metric

Specs are hard to write and all vendors have weasel clauses. Just look at insurance policies - damage due to acts of war are generally excluded. With cracking being described as a "terrorist act" you could end up with exploits not being covered.

A big common exclusion is "unscheduled" downtime. One of our vendors would see a router or firewall machine starting to act funny and then quickly "schedule" some emergency downtime that night to reboot it thus avoiding having to pay.

I have not had good experience with outsourcing - never forget that these are the same bunch of folks who are getting skewered for lousy tech support for poor end-users who have paid extra for support packages. Attitudes don't change much across corporations.

Before I would spend the bucks for any sort of "managed services" I would make sure that the vendor guaranteed 100% availibility without exception. Availibility must be defined as a maximum latency (ie. no end user will wait more than 750ms for a response or whatever is needed).

Rationale? Any app that requires this type of support must be available to the end user without fail. That's why you pay the bucks.

OS is "up" but web server is compromised or down? It's no good to the user. The downtime was scheduled? End user doesn't care.

Why 100%? Why not. They are already guaranteeing less than 316 seconds per year of downtime. Let them work their payments for that downtime into the contract cost. I don't want to have to total up downtime and argue over when the year started. I want the vendor to know that any downtime costs them bucks. No argument, no weasel clauses, no exceptions (better keep those machines maintained, protected and patched).

Been there - been burned. We moved our servers from a "managed solution provider" to a generic server farm and got far better service for one tenth the cost.

Re:Uptime is a poor metric

[SuiteSisterMary]

And at that point, you should have a cluster. Period. No one box will have full uptime. But wait, you say, what about a mainframe? Well, a mainframe is just a cluster in a box. At a really really low level. So when you hotswap a CPU, you're just knocking out a cluster node.

Re:Uptime is a poor metric

[SectoidRandom]

Quote: "One of our vendors would see a router or firewall machine starting to act funny and then quickly "schedule" some emergency downtime that night to reboot it thus avoiding having to pay."

Thats the whole point of the contract, they are paid to notice that, and then fix it at a convienient time, ie not a week later in the middle of your bussiest hour when that something 'funny' turns into something not so funny. :)

But it is hard i guess, finding a vendor who will actually be able to deliver what they claim..

Re:Uptime is a poor metric

[athmanb]

Yes, but during the reboot, end users will be sitting at their machines, pressing frantically on Reload and ask themselves why your fucking site doesn't work.

Thus, the explanation "But the downtime was scheduled!" doesn't really help.

Think firewall + watchdog functionality

[chabotc]

Put the datacenter server behind a firewall, preferably with some string matching functionality (ie watchdog).

the later iptables have a string-patch included, which allow you to target certain port/string combo's, with this it is easy to block worms from the webserver, as long as you know what request it makes.

exampple to block cmd.exe access (taken from my own internal firewall scripts, this will block nimda)

$IPTABLES -A INPUT -p tcp -i ! $INTERNAL --dport 80 -m limit \
--limit $LIMITLEVEL -m string --string "/cmd.exe" \
-m state --state ESTABLISHED -j LOG \
--log-level $LOGLEVEL \
--log-prefix "MS IIS cmd.exe usage:"

$IPTABLES -A INPUT -p tcp -o ! $INTERNAL --dport 80 -m limit \
--limit $LIMITLEVEL -m string --string "/cmd.exe" \
m state --state ESTABLISHED -j LOG \
--log-level $LOGLEVEL \
--log-prefix "MS IIS cmd.exe usage:"

$IPTABLES -A INPUT -p tcp -i ! $INTERNAL --dport 80 -m string \
--string "/cmd.exe" -m state --state ESTABLISHED\
-j REJECT --reject-with tcp-reset

$IPTABLES -A INPUT -p tcp -o ! $INTERNAL --dport 80 -m string \
--string "/cmd.exe" -m state --state ESTABLISHED\
-j REJECT --reject-with tcp-reset

If you wanted to block codered, filter on /default.ida, filtering on global.asa is also a good idea ;-) etc ..

(see iptables docs for more info)

G'luck

Re:Think firewall + watchdog functionality

[haruharaharu]

Put the datacenter server behind a firewall

better yet, don't run a webserver on your datacenter

Re:Think firewall + watchdog functionality

[SumDeusExMachina]

Do you ever just wake up in the middle of the night thinking "God, my web site is just one big ripoff of other people's material!"? I mean, I assume it happens, but you can never tell with some people.

Re:SLA...

[b0r1s]

try something more useful than e2....

it'll help. really. :

SLA : Service Level Agreement

SLA : Software License Agreement

Re:Terminal Server but sort of OT

[dark+druid]

This is fixed with XP and .NET server. In W2K and NT 4 TSE there is no way to go above 256 colors.

Re:SLA...

[JoeShmoe]

Service Level Agreement.

Basically, what is and is not covered in your support contract. For big orders, you get to negotiate your own EULA not just take what they hand you.

For example, an SLA might cover finacial losses due to system failure, whereas every normal EULA under the sun absolves hardware vendors of liability for secondary losses.

- JoeShmoe

Odd question

[md_doc]

This is an odd question because both code red and nimda were actually viruses that took advantage of things like directory traversal and admin tools on the system. In short most admins already knew about these issues and fixed them themseleves by disabling the dir traversing and removing the template site.

So in short to answer your question when it comes to code red or nimda you really should not have a problem if you are a good admin. The same is true in the linux world and newbie web programmers that do things like system calls without checking out what is going to be called. If you call something that the users passes to you then obviously they can do things like tracrt ip; rm -rf / and your code would let it. This is not perls fault or php's fault or any other languages fault it is the programmers fault.

As much as I dislike windows, mainly because I have been an asp programmer for a long time and I would rather use linux and do perl programming (which I do now), Microsoft is somewhat right in that a knowledgable sysadmin already had the holes fixed. At the same time they should not send out software with issues like that.

Re:Terminal Server but sort of OT

[JoeShmoe]

Unfortunately, a small shop like this one cannot afford to fork out the money for the server hardware, Windows 2000 Server AND on top of that, Citrix licensing.

If I could have my wish I'd just X-server the whole thing but unfortunately this application is strictly closed-source Windows-only.

I can't believe Microsoft hardcoded this. I mean, they are basically using the same code for their remote administration tools yet it lacks this most basic option that pcAnywhere and VNC has had forever.

Unbelievable.

- JoeShmoe

This is simple

[/dev/trash]

Make sure the OEM you sign with states in the contract that they will hotfix you quickly or you leave/get a refund/etc.

If you are really concerned such language and costs will be understandable.

Well thanks...

[KingAdrock]

for agreeing with me, but you didn't have to do it in such a hostile manner. I'm not blaming MS. I think MS gets a bum wrap. Of course if you have such a large installed user base, you are going to run into more public problems than an OS with a relativly small user base most of which are techies.

Re:Well thanks...

[Johnno74]

No hostility intended.

I dissagree, I think MS deserves MUCH more than they get. They are primarily a marketing company, and yes, they make some good things, but they always try their hardest to lock you in once you bite - classic carrot-on-a-stick technique - they INVENTED embrace and extend.

I think the poor security record of products like NT/2k is *very* dissapointing, when you consider they COULD have been such good products. NT's security is pretty comprehensive and well thought out, and leaves linux in the dust for features, but they missed the last hurdle - e.g. out of the box installs of NT and 2K give FULL file permissions to ALL the system files to everyone by default, and even worse, all of the system daemons (IIS etc) run in the security context of local admin! (localsystem). That way, something as simple as a buffer overflow in IIS can give you local root access. There is no need, yet I've never managed to get the IIS service to run as anything other than localsystem (and I can't find any docos relating to this at MS either - anyone help?)

A Bit OT but I have to ask

[Canyon+Rat]

Yesterday my computers asked me if they could DL patches for the two MOSX security holes reported here recently. IIRC, Win 98 used to do the same thing. So why were all those NT and Win2K machines unpatched? If MS has the patches months before the worms appear in the wild, why haven't the machines already patched themselves?

Re:A Bit OT but I have to ask

[KingAdrock]

Imagine the screams from the slashdot community if the machines patched themselves. It would be hearlded as an invasion of privacy.

Re:A Bit OT but I have to ask

Good quesiton, so here's the deal:

Windows 2000 does have an update notification service, but it's not installed by default. You need to go to WindowsUpdate (Right on the Fucking Start Menu) once and install it. I think 98 was the same deal, but it might be preinstalled in ME.

Furthermore, security patches don't immedately get pushed out through WindowsUpdate, but instead get posted to another corner of MS website and announced through a listserv. To be fair, MS security patches aren't always QA'ed very well and tend to break something or other. They only show up in WindowsUpdate after a week or two and are known good.

But the basic problem was just laziness -- people who installed SP2 and thought they were up-to-date, people that didn't know they were running IIS and didn't install the patches while they were DLing the latest DirectX, and people that didn't bother to check at all.

Re:Moron.

[Enlightened_0ne]

And wtf is "runs IIS for terminal server" supposed to mean? That doesn't even make any sense.

It is called TSweb, and it allows you to log into the server using terminal server without having to have the client installed on the local machine.

No IIS on the terminal servers

[0xA]

You really don't want to put IIS on you Terminal Server. If you're using TS in admin mode you don't need to use TSAC (the web plugin). I find I do just as well with the RDP client application. It works smoother and the win32 version will fit on one floppy if you want to carry it around.

Slashdot filter code

[SilentChris]

"Would anyone out there actually recommend Datacenter for corporate environments?"

Loaded statement... entering Slashdot filter code...

Made by Slashdot author = PASS...
Negative against Microsoft = PASS...
Vaguely positive to Open Source operating systems = PASS...

Good to go.

Thank you for your answers

[alen]

I actually posted this question twice, and I'm glad they used this second posting with our actuall situation. The first one was more of a what if scenario.

As far as terminal server and IIS, you need IIS if you want to use the Terminal Server Advanced Client and go in through the web. I was originally taught to use TS through IE and forgot going in through the TS client.

If we do go with Datacenter, the servers will host SQL 2000 Enterprise in a clustered enviroment. We currently use SQL and have a propritery in house written app for it.

And as far as the Code Red holes being found months prior to infection, I just used this as an example. I remember in 1997 and 1998 NT had new security holes every week. Windows 2000 is slightly better. 6 months ago I remember downloading hotfixes that will appear in service pack 3.

My question still remains, if a new flaw in IIS, the kernel or any other part of the OS is found how long are we supposed to wait for a fix? I forgot the specifics, but I'm pretty sure the compaq people said they customize the source code for your enviroment. They will need a copy of our in-house app, get in touch with the EMC engineers because our EMC box will be our clustered storage and analyze everything else. Then we will get a CD with a customized copy of Windows 2000 Datacenter. Like EMC, the servers will be monitored by another company and they will most likely know of any problems before us. Every so often we will get a new CD with updates, service packs, etc customized for us. But if a new worm comes out in a few months that exploits some currently unknown flaw in Win2000 or any other part of the OS, will we be dead in the water while we wait for a patch? After September 11th we were calling EMC for tech support on our Symetrix and we were basically told get in line. They had richer customers to support first.

Re:Thank you for your answers

[KingAdrock]

My question still remains, if a new flaw in IIS, the kernel or any other part of the OS is found how long are we supposed to wait for a fix?

What do you feel would be a reasonable time? A day? A week? Two weeks? Determine what is acceptable for you, and have it written into your Service Agreement.

After September 11th we were calling EMC for tech support on our Symetrix and we were basically told get in line. They had richer customers to support first.

Unhappy with your service? Can you find better elsewhere? If so, make the change. If not let someone in their management know that you are unhappy. Be persistant. Yell and scream!

Other than that I suggest you look through this thread for suggestion about how to protect your expensive datacenter server with firewalls and other common network security.

Re:Thank you for your answers

[sheldon]

I was going to say. Once you have the ActiveX control you can connect to any box running Terminal Services. There's absolutely no need to run IIS on the box you are trying to manage.

Re:Thank you for your answers

[sheldon]

First you go and take the Windows 2000 security training course at the SANS conferences. There you will learn about turning off unnecessary services, hardening the installation of the software and the OS. You'll learn about ipsec and filtering out illegitimate traffic at the network layer of the box. You'll learn about auditing your box to watch for problems, etc.

Then you will realize you won't have an IIS server on your SQL Server box anyway, because it's unnecessary. So you won't be at risk to Code Red or Nimda or any similar IIS Worm. Even if you did have IIS, you'd lock down the install by removing the various ISAPI filters and such that were exploited, so even without the patches you would never have been vulnerable.

Then your going to go out and subscribe to the advisories from microsoft.com/security, sans.org, securityfocus, ntbugtraq, etc... so you won't have to worry about waiting a few months you will know about them the day they hit the streets.

I think the training will help, in conjunction with a better understanding of exactly what you are doing you can be pretty confident about your installation. If you want to lock it down, you can... and I'd say it's advisable to do so.

Comment removed

[account_deleted]

Comment removed based on user account deletion

No patches needed to block Nimda and Code Red

[MoritzB]

Both Nimda and Code Red can be avoided by locking down the IIS 5 configuration (... as demonstrated by the MS IIS lockdown tool). No patches (not even OS service packs, i.e. no Win 2k SP1 or SP2) are required! If you add some firewalls in front of your IIS, one of those being e.g. ISA Server 2k, you could use - HTTP forward caching (where all cached requests would be handled on the "other" side of the NAT firewall) - content filtering (to block offensive code such as Nimda). If your admin knows her job, everything should be just fine with your Win 2k Datacenter (except for the noise those boxes tend to make) ... M.

Get your facts straight first

[thesolo]

A few things here:

1. Datacenter machines will NEVER be running IIS. I've worked with several OEMs before, and none of them would EVER send out a datacenter machine with IIS running on it. If your OEM gives you a datacenter machine with IIS on it, run. Run as fast as you can to another OEM that doesn't.
2. Datacenter should NOT be available to the internet! If this is a mission-critical machine, why would you want it on the internet? So it can double as an EFNet server?! Machines like this should only be accessible to a select group of machines on its own network.
3. As stated before, Terminal Services does NOT require IIS to run. And also, you really shouldn't be using Terminal Services on this machine to do anything except possibly monitor performance--any changes made to the system would violate the uptime guarantee from your Vendor. This is a "LEAVE IT ALONE" situation.
4. If you are dumb enough to have a Datacenter machine running IIS, you deserve to get a worm on it. Anyone who has the kind of money to get one of these machines should have some active brain cells too.

The issues mentioned in this article are null & void, as a situation like that would most likely never, ever happen. (Then again, you picked Compaq as your OEM, so maybe...*insert rim shot here*)

Comment removed

[account_deleted]

Comment removed based on user account deletion

Woah, big misunderstanding...

[Telek]

So say a new worm comes out in a few months and it takes a few days for MS to create a hotfix.

Is there something I'm missing?

Absolutely. You've got your timelines backwards.

Worms come out a few months after the bugs have been discovered and patches have been made available. We're talking months here. Code Red came out more than 2 months after the bug had been discovered and patches created.

Microsoft has had their patches out in the wild within a few days of a major bug being discovered. The worms however take much longer to be created/deployed/spread. Although it is possible for the worms to come out much faster, they will still be lagged behind the discovery of the bug, and the patches are issued almost immediately.

And if you have an agreement with your provider that you will have 99.999% uptime, then you better believe that they will be phoning you at 2am in the morning to tell you that they're coming over to install a new patch lest they break their contract.

Re:Woah, big misunderstanding...

[alen]

Melissa is a bad example since WSH has always been there, but patches and virus updates only came out after the fact. How about when hackers stole some of the source code from Microsoft? I bet there is a least 1 flaw that someone other than Microsoft know about.

Re:Woah, big misunderstanding...

[Telek]

but patches and virus updates only came out after the fact

They came out after the bug was announced, which was long before the exploits were created.

How about when hackers stole some of the source code from Microsoft?

To what are you referring? I know of nothing of the sort.

I bet there is a least 1 flaw that someone other than Microsoft know about.

If this is the case then why hasn't it been exploited yet? If it has we surely would have heard about it and it surely would have spread in usage by now.

Re:Woah, big misunderstanding...

[alen]

About a year ago some hackers from Russia hacked into Microsoft's internal network and downloaded some source code over the period of a few months.

Re:Woah, big misunderstanding...

[sheldon]

Hmm. While it was confirmed some hackers did get access to the Microsoft network. I don't believe it was ever confirmed that they downloaded any important source code.

I believe this is called playing telephone, where the story distorts itself the further from the source it gets...

Re:Woah, big misunderstanding...

[MikeBabcock]

The easy-to-find official comment is that Microsoft doesn't think its code for Windows XP was compromised.

It specifically mentioned one product ...

Re:Woah, big misunderstanding...

[Rogerborg]

• • How about when hackers stole some of the source code from Microsoft?
  To what are you referring? I know of nothing of the sort.

Microsoft got infected with the QAZ notepad virus (as did my own company) which installs a backdoor on the compromised machine. However, it doesn't actively tunnel out through firewalls, so it's vanishingly unlikely that any machine on the M$ LAN was hit. For the source to have been compromised, it would have had to have been on an employee's home machine, and that employee would have had to not be running a firewall.

It's possible that the source was ripped from an M$ machine, but there are softer targets out there; .edu's and .mil's can get access to M$ source, for example.

Re:Terminal Server but sort of OT

[operagost]

Not true. You can do this with FR1 (feature release 1). We are running this on out TS4/MF 1.8 farm right now.

Uptime guarantee

[CyberLife]

The SLA guarantees a 99.999% uptime or your money back.

Remember, 99.999% uptime is 1.44 minutes of downtime per day. Just enough time to reboot a well-tuned system.

Re:Uptime guarantee

[starburst]

Five nines (99.999) is 5.256 minutes of down time per YEAR! NOT 1.44 minutes per day.

None of my NT boxes can do that. My SCO box (nicknamed "The Uptime Server") is down only when I wish it down.

Re:Uptime guarantee

[paenguin]

No, 99.999% uptime gives you .864 seconds per day of downtime, or just over 315 seconds per year.

24 x 60 x 60 = 86400 seconds per day

86400 x .00001 = .864

Re:Uptime guarantee

[CyberLife]

You're right. I was off by two decimal places. :)

Still, are there any NT/2000 boxes out there that fail less than a total of 5.26 minutes per year? I'd like to see the fine print in these so-called uptime guarantees.

Which brings up more questions

[moosesocks]

This brings up the age-old question; Why are we even using windows?

Sure, on the desktop, windows has the largest user base. Why? Application compatibility, all you apps run on windows. No, its not the most secure, the fastest, the most stable. Its compatible.

Why use windows as a server?
Simple, your desktops are running windows, why not run windows as the server. You get easy configuration, tight intergration, etc. Very rarely will a server run windows, just for the heck of it, nor will a windows server power a network full of linux boxes.

Why use windows as a datacenter server?
I honestly cant answer this question. Unix is known specifically for its scalability to run on the biggest and baddest boxes around (read mainframes). IBM and Sun have been in this market for years. Microsoft is a new contendor in this market. Sure, ibm and sun both made their own hardware, but their mainframes were designed with a few specific tasks in mind.
Sure, a datacenter server shouldnt be exposed to the internet, but microsoft has the ability to expose these vital machines to the net. Generally, for an application of this magnitude, the os with the highest performance which fits the needs of the people owning the server gets chosen. I dont have numbers to back this up, but i highly dobut that windows is winning that race.

Which brings me to another point.
Why do we use any os in particular?
Why do we use linux as a server?
Its scalable, runs on many platforms, fast, secure, plays nice with others, open source (big + for developrers using machines this big, so they can fine tune it to their specifications), and most of all, secure (yes i know i said secure twice... its that important)

Why use linux on a desktop?
No reason in particular. Only that it's free. It isnt very usable (Jakob Neilsen definition of usable, as in intuitiveness, rather than if it works or not). Its confusing, and few desktop apps run on it. But, its secure and stable, and thats a big +

Why use mac os (classic)as a desktop os (or beos or any of those niche oses)

They're usable, theyre not necessarily secure or extremely stable, but they have a lot of desktop apps, and are relatively easy to use, yet remain powerful enough for the demanding user.

Re:Which brings up more questions

[smashdot]

OpenBSD lacks SMP support. So although OpenBSD's performance may be fine on your desktop, Linux, FreeBSD, or W2K are better choices on a mid-size server.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Firewall didn't help us against Code Red

[Greyfox]

All it took was one nimrod getting infected and then tunneling in through the VPN software. Damn near everyone behind the firewall was running (of course unpatched) IIS because the standard software install didn't disable it. But you know, there's corporate IT for you in a nutshell. Did the CIO catch flack for it? Was any attempt made to improve procedures so this wouldn't happen again in the future? Hell no! They patched everything for that one problem and then went back to their complacent little lives. I guess they think lightning never strikes twice.

Re:It's what they call lock-in

[jrothlis]

As opposed to the choice of backing out of any other platform decision, involving potentially hundreds of thousands of dollars worth of labour? Microsoft bashing as a sport needs a reality check.

My banks

[JediTrainer]

He obviously didn't even bother to check, but rather was just spewing FUD. Using Netcraft, I found out the following (now that you got me curious)... these are the (Canadian) banks that I trust with my money nowadays...

www.tdcanadatrust.com - IBM_HTTP_Server/1.3.12.2 Apache/1.3.12 (Unix) on AIX

www.ingdirect.ca - Netscape-Enterprise/4.1 on unknown

www.cibc.com - Netscape-Enterprise/3.6 SP2 on Solaris

www.bmo.com - Netscape-Enterprise/3.6 SP3 on Solaris

www.royalbank.ca - Netscape-Enterprise/3.6 SP3 on unknown

Re:Terminal Server but sort of OT

[SectoidRandom]

The reason for the seeming lack of features is licenceing. Remember the whole TS backend (RDP protocol) is originally based on Citrix work, which was licenced with many restrictions for obvious reasons, although i am only guessing. Example NT4 Term Server was limited to 16 colours no auto-drive mapping etc, 2kTS 256 cols with auto-printer mapping but no drive mapping, XP will have full colour support and printer / drive mapping.

Obviously Citrix knew that it would be best to limit M$ 'innovation' as much as possible in the short-medium term when they licenced their code to them.

Question about Databases and clustering.

[mindstrm]

Is it possible to cluster SQL server in order to yield increased performance?
Intuition tells me no, which is why you see so many large database servers.

But is it possible at all?

Nope. No need for IIS.

[mindstrm]

You can run it from any webserver.. it's active-X.. it's client side.

Also, you only need it available once.. you don't have to have it on each terminal server. You don't have to have it on ANY terminal server.. you can stick it wherever it's convenient... and use it to connect to as many terminal servers as you want.

Re:Question about Databases and clustering.

[alen]

Windows 2000 Advanced Server and Datacenter support network load balancing. Kind of like Beowolf where the machines divide the tasks among them. Never used it. We only had clustering running on advanced server at work to test it.

SQL 2000 Enterprise and Exchange 2000 Enterprise support clustering on advanced server and datacenter server. I assume they support network load balancing too.

EXACTLY! (MOD UP)

[SectoidRandom]

Spot on! This whole article is flawed, the purpose of Datacenter and the restrictions on it is by design! Premium support means just that, when patches come out from MS, sure it means a few days(/weeks?) etc to be verified, but each M$ advisory has more than just a link to the patch, including steps to limit vulnerability in the interum.

Also the big thing to remember here is each of those exploits used in Nimbda / CodeRed were patched by ms MONTHS before either of those worms came out.

Like any highly customized - specialized vendor supplied unix, Datacenter is limited by design, and for damn good reason!

Windows 2002/XP Datacenter

[green+pizza]

Awhile back my organization had several major security concerns with both Win2K Server and Win2K Datacenter, most of which dealt with LDAP. After our concerns were finally escallated high enough within Microsoft, a surprising reply was sent to us... it basicly stated that some of the holes were to be patched by Q4 2001 but that we should consider upgrading to what they called 'whistler datacenter' (essentially the server and datacenter versions of Windows XP) for complete security. I for one am tired of feeding the M$ machine.

If the worm gets in the corporate network

[elandal]

For everyone proposing firewalls etc:

Of course the W2kDC wouldn't be exposed to the internet. But, Code Red and Nimda could get into the corporate network through internet connected external webserver that then launches attacks all over the corporate intra. That's why some company could have hundreds of infected computers: not because all of them were exposed to the internet, but because one server that sees both internet and intra is compromised. And that may be under somebody else's responsibility. It takes just one lazy admin...

I don't know anything about W2kDC, so I don't know if running IIS on them would be required or not. Just that I've seen gazillion cases where some stupid application required IIS for some functionality that was pretty much essential for the application to be useful at all. Apparently everything by MS that has an administrative interface is nowadays "administrative WEB interface" that requires MS IIS to work, and administering the software without using said interface might be hard.

IIS needed for Terminal Server?

[OSgod]

Since when? IIS is not neccessary for TS -- the advanced client for TS works on an IIS page but you only need one web server which can allow you to access any TS server in your environment -- in other words don't run IIS on your Data Center server -- it doesn't need it.

Re:Terminal Server but sort of OT

[OSgod]

Partially right:

NT4 TSE had 256 colors.

W2K TS supports auto printer and drive mapping (drive mapping is via a tool provided for free from MS in the resource kit...)

XP sounds like it makes Citrix that much more marginal....

Rate parent funny +1

[blang]

The SLA guarantees a 99.999% uptime or your money back
Let me see, 99.999% uptime on a windows system. That translates to 4 minutes and 12 seconds downtime per year. I don't know about you guys, but on this planet that's not what I call a credible proposition. On windows, that' more like winning the lottery. I surely hope somebody in that meeting had the sense to laugh.

Re:Rate parent funny +1

[AlgUSF]

It is probably 99.999% uptime, or your money back for your downtime. 8 crashes * 5 minute reboot / 365*24*60... :-)
I don't see how they could possibly guarantee a Windows box will stay up 99.999% of the time. It is probably just a marketing gimmick like the 10yr/100,000 mile warranty on cheap cars (Hyundai, Kia, ...).

Unisys and Datacenter

[isfry]

As someone who just had Unisys install an ES7000 with Datacenter and talking to the install people. You can do anything to the box that dose not touch the kernel. How Unisys explained the 5 9's SLA is that they will have a copy of you set up and will apply patches to them before they are installed on your system, but I cases like code red they will issue them to you and put it on the test server to test. They aren't going to keep you from installing a critical hot fix but when possible they will test it before they unleash it upon you.

Re:Terminal Server but sort of OT

[JoeShmoe]

If only Citrix wasn't so stupid they would realize that the best way to keep Microsoft out of the Terminal Server space would be to adopt more competitive pricing.

On the one hand you have Citrix at $5000 for 20 users. On the other hand you have Microsoft for $0 for unlimited users ($75 for any user not running Win2000).

That's utterly insane. Why do they make such an absurdly high barrier to entry? Microsoft begins Server and Small Business Server at the 5-client license level so why on earth is Citrix starting at 20? They are immediately discounting almost all of the small businesses out there.

Knowing now that I can't run 256 colors on Windows 2000 Terminal Services...I'm not about to recommend this mom and pop shop plunk down five grand for Citrix...i'm going to recommend they pay a few hundred and upgrade to Windows XP server.

One day, like Novell, Citrix will wake up and wonder where all their customers went. Only then will they realize that people aren't interested in paying a premium for a market leader when Microsoft has a "good enough" option available for free.

Feh! I was already upset I had to install Windows 2000 instead of Windows NT 4.0 Terminal Server...now I gotta install XP! Bleah!

- JoeShmoe

Nice Comments

[Null_Packet]

This may not be modded up high enough for the +4 folks to see it, but I have to say that the people posting at +4 and above have some really great comments.

It's nice to see Slashdot as a technical community, not just a Linux one. I know, I know, *nix is the preferred OS of many of the readers/posters, but it's nice to see such an array of comments and extremely constructive ideas and comments. Nice Comments, all.

Re:Patching Rant...

[doublem]

Hmmm, Two AC's. One offering real tips, the other just flaming.

I have nothing against him getting laid. My problem is he doesn't do his job, and when he does do it he screws everything up. The fact that our production servers got infected with the Nimda virus was just one example.

And just for the record, I DO go out, get drunk and get laid. I also rock climb, dance and hang out with friends.

Now, to the intelligent AC - Thanks for the tips.

I'm already working with the CTO and CIO to get the ports blocked. Sadly, the chucklehead is the one who would make the change in the firewall, so I have to figure out a way to get the change assigned to myself or the CTO.

The monitoring software is on the way. I've wanted it for ages, but the company owner didn't OK the purchase until we had a CTO. It's interesting that when I (25 year old tech) propose an idea it gets shot down, but when our CTO (Early 40's, an experienced tech, but studying for law exams) puts fourth the exact same idea it gets snapped up and hailed as revolutionary. If the CTO wasn't a damn smart guy who has a bunch of other good ideas I never thought of I'd be annoyed.

The CTO knows this guy is a nit-wit, and is forcing him to take the A+ exam. Once he fails....

Restricting his bandwidth is an excellent idea. I could cut him down to 1k and he'd never realize there was anything wrong (except for the plummeting performance that is) Knowing him, he'd reinstall Windows before he checked anything else, and that would take him out for a good three days.

Anyone know off hand if Morpheous or Limewire keep any logs of downloaded files?

After my initial post I read the most recent edition of the BOFH, and liked the changes the BOFH made to some text he got off the Internet...
http://www.theregister.co.uk/content/30/22378.ht ml

Sadly, starting an STD rumor with this group might give one of the females an "It's OK, he already has it, I won't infect him," moment

Where did I put that copy of "Evil Geniuses for Dummies?"

Re:ms premier support = $12/hour outsourcer

[Nickodemus]

Not with Datacenter. Part of the price you are paying for this OS covers support directly from redmond. you call, give them your account number and you are escalated to level four tech support with an engineer within minutes. That's what you get for a million dollar (hardware and software) solution.

Re:Question about Databases and clustering.

[dsb3]

Actually, that is *NOTHING* like Beowulf at all.

Beowulf is about squeezing speed out of multiple machines. Beowulf is not about load balancing. Beowulf is not about high availability.

From the FAQ


1. What's a Beowulf? [1999-05-13]

It's a kind of high-performance massively parallel computer built
primarily out of commodity hardware components, running a free-software
operating system like Linux or FreeBSD, interconnected by a private
high-speed network. It consists of a cluster of PCs or workstations
dedicated to running high-performance computing tasks. The nodes in
the cluster don't sit on people's desks; they are dedicated to running
cluster jobs. It is usually connected to the outside world through
only a single node.

Some Linux clusters are built for reliability instead of speed. These
are not Beowulfs.

Heres an idea...

Ask the vendor! If they are working with you, they'll be more than happy to answer (and I'm sure even in writing). Don't open the obvious flame war to all the trolls.
-k

Thanks. but..

[mindstrm]

That has absolutely nothing to do with my question.

Load balancing is NOTHING like beowulf.. beowulf is about using appropriate parallel-processing libraries (PVM, etc) to squeeze performance out of a cluster of machines.

As for the machines 'supporting clustering'.. that's an industry buzzword that's not terribly meaningful. ALL operating systems 'support network load balancing' in this respect.

Win2k advanced server & datacenter do NOT automatically cluster anything; clustering is application specific.

My question is whether database servers in particular can be clustered in order to increase performance (some queries to one machine, some to another). My theory is that they generally can't, because, in order to remain coherent, each machine would have to receive all transactions anyway.
(Certianly lookups could be done with replicated databases.. that's not what I mean though.. I mean real transaction processing stuff)

Re:Thanks. but..

[FigWig]

Clustering DBs is possible, just difficult. Two phase commits allow for ACID transactions across remote DBs. I believe Oracle has some sort of system that does this. I have never seen one in production though.

MCP finally paying off

[Karl+Cocknozzle]

According to the MCT/Drone that taught us at my office, Datacenter can be modified to handle up to 64 processors based on hardware.

Essentially, we were told 99.999% of Windows business operations would never have any realistic need for Datacenter. This was designed for the poor bastard who has to run a site like E-Bay on windows/IIS.

[SARCASM]Or handle a national ID card DB...[/SARCASM]

With all of this said, if you're doing something that requires this much horsepower (64 GB of RAM and 32+ processors?) you should be running linux. I mean, how much of your horsepower on this type of machine is wasted by Windows just to handle the SMP?

old updates

[wr0ng]

arent the exploits used by code red/nimda relatively old? it seems to me even with windows 2000 datacenter, the vendors would have released updates well before these worms were written.

wr0ng

Re:Patching Rant...

[Kamel+Jockey]

It's interesting that when I (25 year old tech) propose an idea it gets shot down, but when our CTO (Early 40's, an experienced tech, but studying for law exams) puts fourth the exact same idea it gets snapped up and hailed as revolutionary

Its because you didn't do that hand gesture like that guy did in that commercial :)

IIS on Datacenter

[Karl+Cocknozzle]

As the story says, IIS is used for administering these servers, so they are indeed in a very vulnerable position and need to be patched.

If you are stuck in this unfortunate arrangement (having to run a customized version of Windows is a bigger nightmare than having to run regular strength windows) this is my recommendation:

Uninstall IIS, FTP, and SMTP services. (Your call if this is a best practice in every circumstance... :)

First, there is no legit use for Datacenter server other than SQL Server. Any DB large enough to warrant Datacenter could not be adequately administered using IIS. Second, rule #1 of SQL server is NEVER EVER RUN IIS ON YOUR SQL SERVER. If you break this rule, you do so at your own peril even without Code Red, Nimda, and whatever next week's major compromise is.

Read up on Compaq's Datacenter program...

You should read up on Compaq's Data Center program at http://www.compaq.com/datacenter

Specifically, this link http://www.compaq.com/solutions/datacenter/answer1 .html#q1-1 says "Hot fixes and patches will be reviewed on a case-by-case basis for early release."

You are most certainly not left out in the cold with this program. The "don't you dare update drivers, or install service packs and hotfixes" is there to prevent people blowing things up, when they shouldn't be touching the system, like with the recent Terminal Services hotfix.

Datacenter's change control is really no different than you would see in a mainframe environment.

Re:the guarantee is bullshit

[Tony-A]

It's a Microsoft 99.999%
For real 99.999% try IBM or Sun with a real OS.
*BSD on very good hardware might make it.
Linux on very good hardware should be close. (You want a year or two of actual field experience)

screw it

[wickedhobo]

I generally wouldn't use Win2k in a production environment. While SQL server I think is a great product, the weak link in the chain isn't SQL-Server it's the operating system. I've gotten bitten too many times with windows, and I've never really gotten bitten with Solaris.
I remember when I first started my own company, we were looking for venture capital. There were vc companies that wouldn't even talk to us unless we switched over to solaris. It the time I thought, "screw them." Now I'm dumber, but know they were essentially right.

A pointless question

Not to defend data server (which we run on an enterprise basis at my company with no problems - our Dell Service packs are always up to date)

But what sort of a response did you actually expect to get by posting this on here ?

I mean come on now - this is Slashdot

MS Product = BAD
Free Source = GOOD

Therefore asking ANYONE on here to take a logical and intelligent look at this is a waste of time - in the last year i havent seen much in the way of balanced and intelligent comment on anything other than how good anything LINUX is and how bad anything MS is - thats the fact

Stop posting TROLL news articles - thats all this is.

www.tpc.org

[Otis_INF]

Microsoft got the top spots in the TPC-C transaction performance benchmark by using clusters of SQLserver2000. The feature that makes it worth using these clusters is 'partitioned views', which is something like: having a view on a set of data that is retrieved from more than 1 machine, i.e. what you want.

i suppose

[jlemmerer]

datacenter is only a way for microsoft partners top make more money... i think that an advanced server is enough for almost any company. they just want to sell their "customized" solutions for companies that don't trust in their sysadmins.

Re:ms premier support = $12/hour outsourcer

[velouria]

I can't comment on the situation in the US, but when I worked as third level support at a MS Certified Support Centre (or whatever they're called now), any customer with a support agreement got all their server issues passed by us as soon as they were logged, and we in turn had incidents logged with our MS Regional Support Centre pretty much straight away if there wasn't an obvious fix.

I will admit that the first response from MS was often some first level engineer asking us to check vaguely related KB articles, but as long as we included reasonable detail when logging an incident and preemptively listed KB articles which we'd tried / didn't apply then we got a proper engineer reasonably smartly.

If the problem was with something like Exchange Server then we'd usually get a very experience guy straight away. Also, you get to know the MS guys and I'd ring a good engineer direct if I was getting mucked about.

There's your Technical Account Manager at MS too - if we logged an incident with MS at the wrong priority or had been too slow in providing MS with followup information they'd asked for, you could guarantee our TAM would be on the phone to our manager. We could call him direct if we thought we weren't getting adequate service from the MS engineer.

If you had a Compaq Datacenter Server (for example) then Compaq would be your Premier Support Centre. They'd definitely have a named third level support person dealing with you, who would definitely be able to talk to real MS engineers very quickly (when we logged a Priority A incident MS guaranteed a knowledgable engineer would phone us day or night within an hour - it was in Microsoft's SLA with us).

The couple of times large customers encountered bugs that didn't already have hotfixes available, we got new hotfixes created by QFE remarkable quickly.
Service packs for things like Terminal Server did come out after NT Server service packs, but hotfixes were available or created for all of the issues we had (lots and lots - we had 10 or 12 stability related hotfixes in our standard image when we did a very early rollout of a Terminal Server farm).

Timelines.... Re:Woah, big misunderstanding...

[rainer_d]

Well, according to eeye's Marc Maiffret, the predecessor of Code-Red was a .htr worm that went more or less unnoticed because Microsoft quitely released a patch.
While in the past a worm followed more or less closely after the exploit, this may not be the case in the future.
Just imagine if the exploit-coder and the worm writer were the same person !
Would you release the exploit while you have the worm in the works ?

Monkeys

[saqmaster]

Come on.

At a functional level, the thought of having customized patches made 'just for you' probably sounds quite appealing to most large scale MS users - to think that Microsoft are dedicating their time in some manner to cater for this company's needs to fine detail is pretty good.

Unfortunately I don't have any experience as an end-user of these apparent focus support promises, but i've never actually heard of this coming up before..

Of course, any large scale cluster on _any_ platform will create havoc if it is exploited - this news posting is just a troll to bring up the old iis-sucks-cos-of-vbs-etc hole yadda and view it in a different light and try and scaremonger people.

It all boils down to how good your admin is. Whatever platform you choose, you need to make sure your SysAdmin is as good as they need to be to make your shit secure - that's the bottom line.

Re:Terminal Server but sort of OT

[Taurine]

Didn't Microsoft buy a very large, possibly controlling chunk of Citrix about three years ago? I remember reading at the time that the conditions of the investment were that MS got a director on the board and very easy terms for integrating TS into Win2k.

Re:Terminal Server but sort of OT

[budgenator]

which features? like easy remote bruteforce hacking of user ID's/Passwords and almost trivial escalation to admin privalages?

Maybe Microsoft is starting to pull its head back out into the sunshine. Legacy support often purpetuates legacy bugs/exploits. Personaly, if someone is spending $500K on hardware/software system, the life-blood of the corp isn't have a competant admin on site pretty cheap insurance?

Re:Unisys and ES7000 with Datacenter

[niklausm]

if you would use the ms products for an e-business-platform, datacenter is not the recommended product as os for the web-layer. there you should take an advanced server with apllication center to load-balance and replicate the webs. on the other layers, datacenter is really great. and if you implement high-availability-solutions, you can take down a partition without stopping the services to the outside. this shutdowns are planned, and so on, not in the sla's to achieve 99.999%. we are working with 3 es7000 and 10 partitions with MS win2k DC-editition since February, and just to the moment i've seen one bluescreen on all machines....

First Union Bank..

[Mage99]

Here in NC (where I am located)First Union Bank uses this software and I believe they ended up going with some sort of advanced IDS system, that actually has some sort of counter-response to an attack built in. They did this because of just this situation where the OEM vendor couldn't get them patches quick enough, they basically let their systems become infected and stopped all non-authorized traffic going either way. Problem with this tactic is that although code red/nimda where relatively harmless the next version may not be so harmless and may take out there data center.

Clueless source

[Archfeld]

If you have datacenter edition you have an enterprise contract, the person who submitted this has very little clue. We run MANY copy of DC, COMPAQ and M$ are our vendors and they have 2 hr response time on ALL critical ENTERPRISE level services. You DON'T us DC server unless you have a contract, YOU CAN'T even install the product without special codes. Nice editorial work /.
Just what I expect from an enquirer like source that you've become over the last few months. Will you guys still be alive when Andover goes under very soon ? Will you get control of /. back or will it be sold off as assets ?

Re:bullshit microsoft lies...

[Nickodemus]

Too bad you have so little faith in Microsoft. Until you have experienced this level of support firsthand you should probably refrain from commenting. I am involved in a Datacenter project and can verify -first hand- that they meet their obligations on this, if no other, product.

Re:making linux as secure as OpenBSD

[ahde]

sed s/\n/\n#/ etc/inet.d

openBSD is only especially secure as a default install, which means, essentially, turning all the services off. Kernel root exploits come about as common as linux, and they're using almost all the same apps

Hogwash

[matman]

Run Hogwash... its modification of snort that actualyl makes firewall decisions based on snort rules... so you can detect an attack and refuse to allow it into your network.

hogwash.sourceforge.net

Re:ms premier support = $12/hour outsourcer

[AKAJack]

Premier Support is a contract with Microsoft with a specific SLA and a person assigned (part or full time) to your account (Technical Account Manager).

Our Premier Support is great (at nearly US $500k per 18/months it should be!)

Premier Tickets are routinely escalated in the first five minutes of the phone call once the Microsofty realizes they're not talking to an idiot. Engineer direct support within an hour is possible, if needed.

I agree that first level is going to search TechNet and the knowledge base and make sure you've covered your bases - all things you should be doing before you call anyway.

Our previous TAM was "moved on to another account" after we complained ONCE that he was not keeping an eye on our support tickets the way we desired.

I don't know what kind of support you're getting, but it's not Premier.

Datacenter No Different From Server?

[v4sudeva]

I'm posting this mostly to correct any misconceptions I might have about the way service packs work, so please feel free to correct me wherever I need it.

It's my understanding, given to me by a top Microsoft consultant (this guy was a fricking wizard), that service packs only replace files that actually exist on the target computer; that is to say, if you don't use, for instance, some Novell DLLs, they don't get placed onto your system.

Now, while Compaq or whoever are handing you a custom solution, they're not handing you custom code, are they? They don't rewrite lsass.exe, for instance, right? So whatever combination of Microsoft code they give you should be detected and updated properly by the logic in the service pack. Or so it seems to me at first blush.

Like I said, please correct me anywhere I've screwed up.

-vasudeva,
parenting http://users.downcity.net/~vasudeva/,
helping birth http://www.megarad.com

Re:ms premier support = $12/hour outsourcer

[mrbinary]

I can't comment on MS' support, I imagine it would be pretty good for a thing like DataCenter (DC). I'd wouldn't be too surprised to find out that they will bend over backwards to give a DC customer every resource needed even at the expense of other customers with less fattened accounts. Here's a story of IBM's support. I work for a large outfit in Canada. We do A LOT of business with Big Blue, software and hardware. When we ran into troubles with IMS (an ancient d/b product that runs on OS/390 that predates DB2) they actually flew in a crit-sit team assembled from England, the US, Australia and Canadian offices that were IBM's best and brightest in this software and also really knowledgeable about the OS. Similar situation last week with me and a problem I ended up having to take care of. They didn't need to fly in a team in this situation but I had an IBM hand-holder sitting in my office calling the various software support teams directly, and I was getting so many calls and emails from IBM support teams that if I hadn't ignored some of them it would have been impeding getting the problem resolved. The problem was actually sent up to their DB2 development team at one point. You pay big bucks for the gold-plated support contract, but IBM pulls out all the stops when you get into a jam. Just thought I'd add a different perspective.

Re:SLA...

[TheMidget]

In fact, i'm kinda counting on it because of Slashdot's stupid URL chopper. If I make it a link, it translates the %'s into clear text and if I write the URL out it gets cut at the fourth letter. What's a trickster to do?

Just use + to represent a space.