Slashdot Mirror


Security Issues with Windows 2000 Datacenter?

alen asks: "The recent IIS security incidents got me thinking. Code Red and Nimda hit servers that weren't patched by their sys admins. If you get infected, you patch your server and end of story. But what if you're running Windows 2000 Datacenter Server? It's a customized solution that you can't change. All your service packs are customized by your vendor. What happens if you have a web or database server that needs to be patched immediately? Are you left out in the cold running insecure software that you can't patch while you wait in line for your vendor to issue you a service pack or hotfix?" In a situation like this, the whole ball-o-wax resides with the vendor. If you have a good vendor who actually cares about customer satisfaction, these hotfixes will be available quickly. Would anyone out there actually recommend Datacenter for corporate environments?

"My company is currently looking to cluster our SQL 7 servers. We're considering Win2000 advanced server or datacenter. Around a month ago I sat in a meeting with our VP of IT, and the rest of the network admins I work with. Compaq tried to pitch their Windows 2000 Datacenter or Advanced Server solution. Here is the way the compaq people explained it:

You get datacenter only from an OEM. They look at the apps you're running and customize a solution for you in their lab. Every datacenter implementation is different, and every datacenter CD is different. Since we would be using an EMC SAN as our clustered storage system they said our implementation would take special customization. They would have to contact EMC engineers and work together. Once you deploy it, the OEM monitors it. And you can't install any service packs or anything without getting an OK from your OEM. Any service packs are customized for your environment. The SLA guarantees a 99.999% uptime or your money back. Part of your money at least. Datacenter isn't an OS, but a program in their words.

Now here is the problem. With Code Red and Nimda, how do you patch IIS running on datacenter in a timely manner? The reason IIS servers became infected was because the admins didn't patch them in the first place. So say a new worm comes out in a few months and it takes a few days for MS to create a hotfix. Datacenter admins can't install it until they get their customized copy from their OEM. And almost every 2000 server runs IIS for terminal server. It can take a few days and in the meantime your servers could be down. And I don't see the SLA covering a situation like this. Meanwhile you're explaining to your CEO how this $500K supposedly guaranteed solution is sitting dead in the water and you can't do a thing about it.

Is there something I'm missing, or did Microsoft look over something like this? Especially when they are trying to push Datacenter as 'Big Iron'."

97 of 357 comments

  1. Whats it needed for? by Izeickl · · Score: 2, Interesting

    Erm, what are the big advantages of Datacentre over Advanced server etc?

    1. Re:Whats it needed for? by Osty · · Score: 3, Informative

      Erm, what are the big advantages of Datacentre over Advanced server etc?


      Straight from http://www.microsoft.com/windows2000/datacenter/evaluation/business/overview/default.asp:

      Microsoft® Windows® 2000 Datacenter Server is the most powerful and functional server operating system ever offered by Microsoft. It supports up to 32-way symmetric multiprocessing (SMP) and up to 64 gigabytes (GB) of physical memory. It provides both 4-node clustering and load balancing services as standard features. It also provides the rich Internet and network operating system (NOS) services of all the versions of Windows 2000 Server. It is optimized for large data warehouses, econometric analysis, large-scale simulations in science and engineering, online transaction processing (OLTP), and server consolidation.

      From http://www.microsoft.com/windows2000/advancedserver/evaluation/business/overview/advanced.asp:
      The Windows® 2000 Advanced Server operating system contains all the functionality and reliability of the standard version of Windows 2000 Server, plus additional features for applications that require higher levels of scalability and availability. This makes Advanced Server the right operating system for essential business and e-commerce applications that handle heavier workloads and high-priority processes.

      Other pieces of information not listed in that blurb about AS: supports up to 8-way SMP and 8 GB of RAM (compared to DC's 32-way and 64GB).


      You're obviously not going to have a DataCenter machine sitting underneath your desk at work, but it's quite possible to do so with Advanced Server.

    2. Re:Whats it needed for? by Waffle Iron · · Score: 2, Troll

      In other words, Datacenter changes the following two lines of code in the kernel header:

      #define MAX_CPUS 32
      #define MAX_MEM_GB 64

      You pay only a few dollars for that mod. The remainder of the huge expense goes to pay for a special team of engineers whose purpose in life is to try to keep your systems up and running.

    3. Re:Whats it needed for? by ostiguy · · Score: 2

      Datacenter can do 4 way active clusters- AS can only go 2 way.

      ostiguy

    4. Re:Whats it needed for? by BitwizeGHC · · Score: 2

      In that case doesn't it make more sense to use a 64-bit arch that was built to scale to this sort of application, like, I don't know, say, SPARC? Trying to shoehorn Wintel boxen (aimed squarely at the desktop market) into such a role seems a bit silly, though Beowulf managed to get a few things right.

      That's one of the things that bug me about Microsoft: they try so hard to be All Things to All People. Gee, it's like they want to conquer the world or something.

      --
      N4st0r, trixx0r h0bb1tz0rz! Th3y st0l3 0ur pr3c10uzz!
    5. Re:Whats it needed for? by the eric conspiracy · · Score: 2

      I follow Linux Kernel development. Current kernels handle at least 8 way without much degradation.

      If you want to address large amounts of RAM (> GB), you are better off with a 64 bit architecture.

      Which you can download from RedHat today.

    6. Re:Whats it needed for? by foobar104 · · Score: 3, Informative

      If you follow the Linux kernel development, and read around, you'd notice that scaling to a 2-way or 4-way machine is a big leap in performance. Throw Linux or any other OS on a 6-way or 8-way machine and you will watch that increase in performance degrade (i.e. a 2-way machine isn't 2x the performance of a single-CPU machine, and an 8-way system isn't 2x the performance of a 4-way machine).

      This, of course, is crap. To say that "any other OS" has the same scalability problem that Linux has is simply not true.

      Take IRIX, for instance. I wrote some image processing code that runs on Origin servers. The 8-processor server in my lab runs my code about four times faster than my 2-p servers. And, surprise, the 32-p server in my friend's lab runs my code about four times faster than my 8-p machine.

      To generalize the problems you see on Linux and Windows to "any other" operating system is simply hogwash. Your point about Windows scalability is well taken, though.

    7. Re:Whats it needed for? by Cramer · · Score: 2, Informative

      And you weren't running on a PC either.

      There are scalability limits beyond 4 and 8 processors. Part of it is hardware and a lot of it is software. SGI/IRIX does both very well (hello, they make/made the CRAY!) The scheduler used for small SMP systems does not work well with large SMP systems. And PXE, the 36-bit address extensions, is a significant performance hit for machines not actually requiring it.

      Performance does not scale linearly -- on any system. "About 2x" is not "2x". IRIX scales better than most, but it still isn't perfect. And, surprise, Windows scales better than Linux (or used to.) BeOS is about the best thing I've seen for standard PC hardware -- too bad it never caught on.

      Datacenter is a great deal different from the other windows'. Unlike the difference between NT Workstation and Server (two registry keys), Datacenter is very different.

    8. Re:Whats it needed for? by foobar104 · · Score: 2

      IRIX runs on a single hardware design, so it is always customized for it.

      Actually, that's not right, either. IRIX 6.2 scaled about the same on the Challenge-series architecture (up to 36 processors) as IRIX 6.5 does on the Origin (up to 512 processors), two radically different designs.

      It really has more to do with operating system architecture and scheduler design than it does with hardware.

  2. Corruption by phpAbUser · · Score: 2, Insightful

    Another major fear is that the databases will become corrupted by patches. Transition from mysql 3.2.6 -> 3.2.10.

    --
    PHP, it kicks ASP!
  3. Modify the SLA by SwedishChef · · Score: 5, Insightful

    Ask the vendor to modify the SLA to specifically cover the contingency of exploits and how they will be dealt with. Your vendor might try to claim that the 99.9999 uptime would cover this, but I'd counter that a server which is up but exploited is useless.

    --
    No one ever had to evacuate a city because the solar panels broke!
    1. Re:Modify the SLA by baptiste · · Score: 2
      Usually 'uptime' is defined by clients being able to access it.

      Which means being hit by nimda would be a good thing since it 'enhances' machine accessibility :) :) Root access for everybody! :)

  4. Datacenter? by Anonymous Coward · · Score: 3, Insightful

    First of all if your company is wealthy enough to be using Datacenter as a web server I hope they are paying you a decent salary. :)

    It's a waste to use Datacenter as a web server or front end machine for applications, its best use is for big honking SQL applications like MS SQL server. Datacenter is a waste for Oracle/NT because Oracle on NT is the worst implementation of Oracle in existence. If you want a big honking box to do oracle for god's sake get a Solaris/HPUX/AIX monster. Big ass database servers should never be directly exposed to the internet anyways, the connectivity should be happening through a balls to the wall firewall.

    1. Re:Datacenter? by spongman · · Score: 5, Informative

      yup, you shouldn't be running IIS and SQL Server on the same machine. Ideally, you'd run SQL Server alone on the big machine and have a cluster of load-balanced inexpensive boxes running stateless ASP/ISAPI pages connecting to the DB over the LAN. You'll be free to patch the IIS boxes as needed and you can put them in a DMZ for extra security.

    2. Re:Datacenter? by spongman · · Score: 2

      addendum: for extra security you should make your ASP scripts run as a domain user that only has access to the SQL server, specifically only has access to those tables/SPs on the server that are necessary to run the application. You should also disallow access to the SQL server by all other users except an admin group, none of which have access to log onto the IIS boxes. The reason for this is that even if security is breached on the IIS box, whatever user they run code as will still not have destructive access. It would also require a hacker to write a specific hack for your system in order to access the DB, which, while not being perfectly secure, will greatly reduce the possibility of a 'script' attack and the likeliness that someone will bother to embark on such a hack will be diminished. Of course, if you have really sensitive data then you should hire a security expert (which I am not).

      hope this helps, though.

  5. Time from Bug Found to Bug Exploited by KingAdrock · · Score: 2, Interesting

    I think something that both Microsoft and the OEM's count on is the time it takes from the time a bug is found until the time the bug is exploited! In the case of Code Red and Nimda I think that time spanned months.

    Is it not also true that only large OEMs offer Datacenter? I don't think you are going to have a huge problem with the likes of Compaq or Dell providing timely fixes. It may not be available the same day the Microsoft Fix is, but I would be guessing that MS provides enough info to the OEMs to get the fix applied within 3-5 days.

    All in all I think the amount you need to worry shouldn't be more than the satisfaction you can get from a 99.999% guarantee.

  6. Where did you get your advice?! by ssimpson · · Score: 5, Insightful

    "And almost every 2000 server runs IIS for terminal server"

    Erm, I work for a Citrix Gold partner and I've never encountered this before. Installing Terminal Server does not require IIS.

    In fact, according to M$ recommendations, you should minimise the services running on the TS box.....That means no IIS.

    Also, the "smaller but more servers vs fewer 8 way servers" for TS debate has been done and dusted, and the recommendation certainly isn't for having fewer large servers. The "sweet spot" is a farm of dual processor servers with 1.5Gb of RAM, thus you wouldn't need Data Center anyway - normal W2k Server would be more than adequate.

    --
    "Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
  7. Datacenter by fazil · · Score: 5, Informative

    Keep these SQL apps behind the firewall.. turn off all IIS features on the sql boxes.. and at least Nimda should not be able to get at it. Any web interface would hopefully not use Datacenter, and use standard Advanced Server, which is easily patchable. If sql was available on the front line, well, they almost deserve it.

    --
    -=-Ze End-=-
    1. Re:Datacenter by SurfsUp · · Score: 2
      Keep these SQL apps behind the firewall.. turn off all IIS features on the sql boxes.. and at least Nimda should not be able to get at it.

      Your attacker could still use some other exploit that doesn't rely on IIS. I hope you don't think we've seen the last of these.

      Note that an exploit like the above wouldn't turn into a Ro0t on a Linux/Unix box because the database server typically doesn't run with system privilege.

      --
      Life's a bitch but somebody's gotta do it.
    2. Re:Datacenter by SurfsUp · · Score: 2
      Did you mean to link to some other page? The link you gave had no such exploit.

      "Using extended stored procedures, the attacker could essentially gain complete control over the server itself."

      --
      Life's a bitch but somebody's gotta do it.
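A worked version of the lockdown spongman describes in his addendum above (the web tier runs as a domain account that can only execute the application's stored procedures, nobody but an admin group can administer the server), combined with the extended-stored-procedure point quoted in the reply just above. This is an added example, not code from the thread, from Microsoft or from any OEM; it uses the SQL Server 7.0/2000-era system procedures to match the SQL 7 setup the thread is about. The database (OrdersDB), table (dbo.Orders), procedures (dbo.usp_GetOrder, dbo.usp_PlaceOrder) and domain accounts (CORP\svc_webapp, CORP\SQL Admins) are assumed names.

```sql
-- Added example (not from the thread). Assumed names: OrdersDB, dbo.Orders,
-- dbo.usp_GetOrder / dbo.usp_PlaceOrder, CORP\svc_webapp (identity the ASP
-- pages run as on the IIS boxes), CORP\SQL Admins (the only admins).
-- SQL Server 7.0/2000 syntax: sp_grantlogin etc. (CREATE LOGIN is 2005+).

USE master
GO
-- 1. Put our own admin group in place before removing the default one. On
--    SQL 7/2000 every local Administrator is sysadmin until this is revoked.
--    Caveat for clusters: give the Cluster Service account its own login and
--    sysadmin membership first, or the cluster's IsAlive checks will fail.
EXEC sp_grantlogin 'CORP\SQL Admins'
EXEC sp_addsrvrolemember 'CORP\SQL Admins', 'sysadmin'
EXEC sp_revokelogin 'BUILTIN\Administrators'
GO
-- 2. The web tier's identity: a Windows login with no server role at all.
EXEC sp_grantlogin 'CORP\svc_webapp'
EXEC sp_defaultdb 'CORP\svc_webapp', 'OrdersDB'
GO

USE OrdersDB
GO
-- 3. Map the login into the application database and into a database role.
--    Permissions go on the role, never on the user, so a second web box or a
--    replacement account is one sp_addrolemember away.
EXEC sp_grantdbaccess 'CORP\svc_webapp', 'webapp'
EXEC sp_addrole 'app_orders'
EXEC sp_addrolemember 'app_orders', 'webapp'
GO
-- 4. The application may call exactly its procedures and nothing else. The
--    table is explicitly DENYed; because procedure and table share an owner
--    (dbo), ownership chaining lets the procedure touch the table while ad hoc
--    SQL from a compromised IIS box is refused outright.
GRANT EXECUTE ON dbo.usp_GetOrder TO app_orders
GRANT EXECUTE ON dbo.usp_PlaceOrder TO app_orders
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO app_orders
-- 5. Close the door every other login would otherwise have into this database.
EXEC sp_revokedbaccess 'guest'
GO

-- 6. Extended stored procedures are the "complete control over the server"
--    path quoted above: they execute inside the SQL Server service process.
--    Take the filesystem/registry/shell ones away from public in master.
--    (On SQL 2000 xp_cmdshell is already sysadmin-only; xp_dirtree,
--    xp_fileexist and xp_regread ship with EXECUTE granted to public.)
USE master
GO
REVOKE EXECUTE ON xp_cmdshell  FROM public
REVOKE EXECUTE ON xp_dirtree   FROM public
REVOKE EXECUTE ON xp_fileexist FROM public
REVOKE EXECUTE ON xp_regread   FROM public
GO
-- What can everyone still execute? xtype 'X' = extended stored procedure,
-- uid 0 = public, protecttype 205 = GRANT, action 224 = EXECUTE.
SELECT o.name
FROM   sysobjects o
JOIN   sysprotects p ON p.id = o.id
WHERE  o.xtype = 'X' AND p.uid = 0 AND p.protecttype = 205 AND p.action = 224
ORDER  BY o.name
GO

-- 7. Verify from the application's point of view without logging on as the
--    service account: a sysadmin can impersonate the database user with SETUSER.
USE OrdersDB
GO
SETUSER 'webapp'
EXEC dbo.usp_GetOrder @OrderId = 1   -- allowed: through the procedure
SELECT * FROM dbo.Orders             -- refused: error 229, SELECT permission denied
SETUSER                              -- back to ourselves
GO
```

Step 7 is the check worth keeping in a runbook: the DENY on the table is only doing its job if the direct SELECT fails while the procedure call still succeeds. Step 6's query is the one to re-run after every service pack, since a reinstalled or re-registered extended procedure comes back with its default permissions.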
  8. Lets not forget.. by Phasedshift · · Score: 2, Insightful

    Lets not forget that the vulnerability code red, etc takes advantage of has had a patch out for several months, but quite a few people never bothered to patch their servers. Chances are the patch(es) will be available shortly after the mainstream ones are released if you have a good vendor.

    Besides, say you're running *NIX with a specially modified version of apache, and there is some remote exploit that is discovered. Obviously you can't just download the source, compile, and install, for fear of losing those 'special features'.. You need to patch your source code, which may barf (and then you either have to modify the patch file or do it manually. Which could suck if you have no programming skills, and it's heavily modified)...

    While most of us would view using a patch as trivial (patch, recompile, install), the point is that similar situations could happen.

    1. Re:Lets not forget.. by agallagh42 · · Score: 2

      "and a reboot is required after every patch"

      Not if you know what you're doing. Using the qchain utility, you only have to reboot once after applying all the patches in one go (and can even be scripted). Then check if they all took by using the hfnetchk utility. This can easily be done (yes I've done it) on 12+ servers in less than an hour without ever getting up from your desk.

      --
      Carpe Cerevisi - Seize the Beer
    2. Re:Lets not forget.. by agallagh42 · · Score: 2

      ...and in case anyone's wondering:

      hfnetchk utility
      qchain utility

      --
      Carpe Cerevisi - Seize the Beer
  9. Not only MS Datacenter by ChazeFroy · · Score: 2, Informative

    Datacenter servers are not the only ones: Many e-banking applications (see s1.com, for example) are rolled by vendors, and upgrades do not come out as fast as vanilla IIS upgrades because of this.

    I don't know of one bank that uses a non-IIS platform. Kind of scary.

    1. Re:Not only MS Datacenter by ssimpson · · Score: 4, Informative

      "I don't know of one bank that uses a non-IIS platform."

      You need to look harder then. The first 5 banks I could be bothered to look at:

      • www.smile.co.uk - Solaris
      • www.hsbc.com - HP-UX
      • www.barclays.com - AIX
      • www.bankofamerica.com - Solaris
      • www.bankofny.com - NT / Netscape Enterprise
      --
      "Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
  10. IIS for Terminal Server? by michael.creasy · · Score: 2

    "almost every 2000 server runs IIS for terminal server"

    Errr, since when? Terminal Server doesn't require IIS to be installed.

    1. Re:IIS for Terminal Server? by 0xA · · Score: 2
      The Terminal Services Advanced Client (TSAC) requires IIS.

      Well yeah, seeing as though TSAC is the web plugin for TS. But just why the hell would you use Datacenter server for an app server?

      Even if you did, does the IIS server have to be the same machine as the app server. I don't think it does but I can't recall. I know that with Citrix NFuse it DOESN'T and probably SHOULDN'T.

      This whole discussion is pretty academic isn't it? Nobody is going to use Datacenter server for IIS or Terminal Services. That is not what it's for, you use Datacenter server for big databases or transaction processing, in which case there is no reason it should be accessible from an untrusted network.

      Keep in mind, untrusted includes your users as well as your DMZ. Never trust your own network!

  11. Unpatched MS Data Center box + routable IP == by angry_android · · Score: 2, Funny

    Worlds largest crack/xxx/iso/divx/pr0n server!
    I've seen it happen to production servers b4

    1. Re:Unpatched MS Data Center box + routable IP == by markov_chain · · Score: 2, Funny


      coke | nose > keyboard

      Thanks for the laugh :)

      ~

      --
      Tsunami -- You can't bring a good wave down!
  12. When you can't secure it, hide it. by haruharaharu · · Score: 5, Informative

    If you aren't allowed to patch your server, then you should isolate it behind a firewall of some sort, so that the chances of infection are minimized. This may not work well for IIS (beyond simply not running it), but it will serve you well in the general case.

    --
    Reboot macht Frei.
    1. Re:When you can't secure it, hide it. by SurfsUp · · Score: 2
      If you aren't allowed to patch your server, then you should isolate it behind a firewall of some sort, so that the chances of infection are minimized. This may not work well for IIS (beyond simply not running it), but it will serve you well in the general case.

      So, you're suggesting security by obscurity? Hmm, best of luck to you.

      Some exploits work just fine through the firewall, so then you've got a compromised server inside your firewall and a false sense of security. There's no substitute for being secure in the first place. If it's not secure, don't connect it to your network.

      --
      Life's a bitch but somebody's gotta do it.
    2. Re:When you can't secure it, hide it. by haruharaharu · · Score: 2

      So, you're suggesting security by obscurity? Hmm, best of luck to you.

      I would prefer to solve the problem, but if i can't patch, I'll do the next best thing: isolate the servers from the rest of the network. Good luck infecting with nimda when you can't even hit port 80 and all mail ports are blocked (in case some nimrod installs outlook on a datacenter).

      --
      Reboot macht Frei.
    3. Re:When you can't secure it, hide it. by haruharaharu · · Score: 2

      You can firewall for this and you can firewall for that

      When you let 1, maybe 2 ports through, the next big thing tends to bounce off your firewall. If we don't explicitly need it, it ain't getting in!

      --
      Reboot macht Frei.
    4. Re:When you can't secure it, hide it. by haruharaharu · · Score: 2

      what is needed is compartmentalization - sure, you run a firewall between the world and the corp, but you also run a firewall in front of anything sensitive. Internal firewalls of this sort have the advantage of being able to be more restrictive because they're protecting at most a few services. Corp level firewalls have to be more permissive in order to prevent open user revolt.

      --
      Reboot macht Frei.
    5. Re:When you can't secure it, hide it. by Jburkholder · · Score: 2

      >You can firewall for this and you can firewall for that, but you might not be able to firewall for "exploit x" unless you know what it is

      Isn't that the reverse of how a firewall actually should be set up? My limited experience has been that you start by blocking everything, and then open holes for just the things that need to get through. If you leave it open, and then attempt to run around blocking things as you become aware of them, it almost defeats the purpose, doesn't it?

  13. Datacenter by Nickodemus · · Score: 5, Informative

    Is a locked down version of Windows. What happens when you lock it down? Well, intensive testing occurs first to determine what is being done with the box and what possible problems could arise. Then those problems are solved. Also, only certain applications are certified to run on a datacenter box. The goal here is to achieve five nines. That is have this box up and running for 99.999% of the year. Without thorough testing of applications this level of availability would be impossible.

    Part of what you get with a Datacenter purchase is a premier level of support. This includes a named engineer for support, and automatic escalation to the highest level for any support needs. It also includes any updates and or fixes on a priority basis - if you have a Datacenter server you get patches, updates, etc. before anyone else does.

  14. Get a guarantee within the contract by Jeppe Salvesen · · Score: 3, Interesting

    Get the vendor to patch your servers within 12 hours of Microsoft issuing a hotfix/patch. If they will not put that into the contract, tell them they're not professional enough. If they cannot do something as easy as that, would you really want them running truly business critical solutions for you?

    --

    Stop the brainwash

  15. Re:customized solutions&patching by mindstrm · · Score: 3

    Because, if you do *anything* not certified by the vendor, the 99.999% agreement is void, and they are not responsible for downtime.

    Datacenter is more of a custom solution package than a version of windows. Yes.. it's a version of windows 2000.. but it's really a whole package.

    In other words, it's a version of windows used by vendors to create huge custom solutions, usually for databases.

  16. It all boils down to trust by DevTopics · · Score: 5, Insightful
    The real question is: can you trust your OEM?
    Then you can negotiate all the details. And remember: 99.999% uptime does not mean that your server stays up that long, but that you have only an unscheduled downtime of 0.001% or less. Applying a patch is, in nearly every case, a scheduled downtime and does not count.
    Now imagine you really, really need this patch: you can urge your OEM to install it and keep him free from all responsibility (e. g. a server crash after this does not count to the unscheduled downtime, because it was your decision to apply it). If you trust him to play fair, that's fair for both of you. If the OEM is trustworthy, he'll do what you order him to do, but in that case you will be responsible for the outcome as well. You can't burden someone with responsibility if he can't make the decision (unless you don't play fair).

    --
    You found a sword: +4 damage, +5 moderator points
    1. Re:It all boils down to trust by anticypher · · Score: 2

      99.999% uptime does not mean that your server stay up that long

      It depends on who writes the contract. I maintain servers with a 5x9's availability (not uptime, that is something different) guaranteed, the metric is taken at the end of every month for the previous 12 months of operation for a period of 6 years. The 5x9's include no scheduled downtime, we always switch in a fully tested duplicate system for the biannual hardware maintenance. If we ever have a crash that takes out the whole system for more than 7 minutes, we can write our bonuses goodbye for the next 13 months. The bonuses are the only form of profit built into the contract after all the engineering costs are covered.

      The real question is: can you trust your OEM?

      No, the real question is whether your management is stupid enough to believe a vendor offering a mythical 5x9's availability without a well developed plan for redundant hardware switchover, mirrored machines, raid storage, onsite spare hardware, experienced engineers who live within 30 minutes drive from your site with a goddamned pager surgically attached[end rantlet]. Did I forget to mention the motorcycles in case of large traffic jams :-) For the original poster's question, start googling for horror stories about the OEM and their failed installations, and compile a list for the next presentation. Then watch the sales slime start to sweat, mumble, and wave their hands to try warding off bad karma.

      To offer 5x9's, the vendor must provide their own power (a battery room built by a qualified company), local stocks of spare hardware, and be able to supply a complete duplicate system within a few hours. At every one of our 5x9's sites, we have our own office space, with our own phones and our own internet connection.

      As you can tell, a real 5x9's contract costs about 5 times as much as a regular installation. A real 5x9's contract always specifies the length of time to measure against, usually over a number of years, often as a moving average for the previous year or 24 months. A real 5x9's system isn't delivered on a custom burned CD-R so the client can fuck up the installation.

      the AC

      --
      Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
    2. Re:It all boils down to trust by HiThere · · Score: 2

      The kinds of contract being discussed here seem to demand a control freak. Who else would be willing to honestly make that kind of a guarantee?

      (There are answers, but those folk aren't honest.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  17. Re:customized solutions&patching by cymen · · Score: 2

    Because this would void the 99.999% uptime deal and all the "sounds good on paper" but is really worthless crap when you do these deals. Is getting a refund on your fees worth more than your servers going down? So I agree with you to a degree but the pointy haired bosses would never agree with this... Least not until you gave them the "get hax0red right now or load an unapproved patch" rush case.

  18. OEM's are required to give 24/7 support. by Johnno74 · · Score: 3, Informative

    I can't find any info on MS's site right now, but I'm sure that OEMs that supply W2k datacenter are required to have a support team ONSITE at MS's campus 24/7.

    This article raises a very good point, but Microsoft's idea behind datacenter was they had total control over the hardware environment, and they made sure OEMs would stand behind it too, so I'd be very surprised (and disappointed) if the OEM didn't contact their customers *immediately* with patches whenever there was a hole (and I'd guess they are pretty busy too ;)

  19. Datacenter, advanced server and a firewall by Daath · · Score: 2

    Put datacenter behind a firewall, the webserver (advanced server or the like) on dmz and have a secure "pipe" to the datacenter server where your database resides - no need to use the datacenter server as your webserver too, if you can afford datacenter server, you can afford a separate machine acting as a webserver.
    Just my opinion, but hey, I'm a linux guy...

    --
    Any technology distinguishable from magic, is insufficiently advanced.
    1. Re:Datacenter, advanced server and a firewall by haruharaharu · · Score: 2

      Not likely. In this configuration, the database runs SQL server and nothing else. There is a firewall between the web and data tier with one, maybe two ports turned on. Besides, you can patch the web server.

      --
      Reboot macht Frei.
  20. DUH! :) by gnovos · · Score: 4, Funny

    I can see you haven't worked with Microsoft software very much, so I'll give you the solution: Reinstall your machine.

    It's *just that simple*, can you believe it? Every time Nimda hits your machine, just wipe out the system drives, reformat and re-install! Easy, right? Sure you may have to reinstall 40 or 50 times a day, but again, if you are familiar with M$ software, you'll know you need tons of backup machines that you can swap out as needed with your infected machines. Make an assembly line of it. Have one guy reformatting, another guy reinstalling and a third guy disconnecting the infected boxes and plugging the fresh machines into the network!

    Now, where do you want to go today?

    --
    "Your superior intellect is no match for our puny weapons!"
  21. Redundancy? by Sase · · Score: 2, Insightful

    *Nod* all of these servers should be placed far behind a strict ruleset firewall.

    But what about Redundancy? That's one thing I don't like about this "datacenter" why should there be only one? Or.. why should an application have to call for just "one" server? Wouldn't it be more wise to develop the application across a dual array of servers? Each one of these servers could be easily patched in a matter of minutes, at the same time. (Say windows2k advanced servers.)

    I'm personally not a fan of MS server products.. Although I have had to use them for quite a few applications.. but there has to be a way to get by the "necessity" for DataCenter Server.

    --
    ------------
    Sase
    "It's the opposite of that."
  22. The good sides of Mainframe Mentality... by mdb31 · · Score: 5, Insightful
    Windows 2000 Datacenter installations are hard to patch for the very same reasons that apply to IBM, Sun, HP, etc. installations of the same magnitude: you just don't touch them.


    This is commonly referred to as the Mainframe Mentality: these systems are so critical to a business, you don't make any changes to them unless these changes are a. absolutely critical and b. have been tested extensively in the exact configuration you'll be running them.


    Now, it may seem that this would cause every Windows 2000 Datacenter server to be instantly infected with Code Red and friends, but in reality this will not be the case, because:

    1. You don't expose your Datacenter servers to the Internet -- never. No matter if you're running Microsoft, AIX, Solaris or Linux: only trusted systems should have strict "need to know" access to your server;

    2. Datacenter-type servers typically don't run HTTP servers. You would scale out HTTPDs (more boxes), not scale them up (bigger boxes). Also see rule 1;

    3. The config of your Datacenter server is the bare minimum. So, in the case of Windows 2000, you would not ever run IIS or Index Server (the true culprit in case Code Red et al...) on it, just your database server and perhaps your business logic (although that, again, tends to scale out better than it scales up).


    In summary: security hotfixes and Datacenter-type environments tend to be mutually exclusive. If you need a patch to your Datacenter server, it pretty much needs to be custom-developed for you. Fortunately, since Datacenter setups are not typically designed by the clueless individuals that gave Code Red free rein, this tends not to be an issue in real life.

    1. Re:The good sides of Mainframe Mentality... by haruharaharu · · Score: 2

      Firewalls don't stop users from bringing in infected laptops from home that start infecting production machines. --- Firewalls are a false illusion of safety. Stupid users can always bypass security at any time.

      I've seen you before. You were spewing the same tripe then as now

      Firewalls do stop users when they lie between the server and everything else. If I were configuring a database server, it would have two ports accessible from the corp - ssh and the database. Nimda can't do much over that.

      Also, if your users can get physical access to a datacenter style box, you're boned. That's just a given

      --
      Reboot macht Frei.
    2. Re:The good sides of Mainframe Mentality... by gentlemoose · · Score: 2, Interesting

      I run one datacenter server. 8-way intel hardware.

      1: It got spanked by nimda. It's inside the corp. firewall, but the virus got into the network via email. Once inside, that particular region of the network is largely insecure. We're running it in a lab/demo environment, so security is not a huge concern.

      2: The damned thing shipped with IIS installed and running. Since it's the only OEM OS we have in our lab, I didn't notice it there in the three days the box was plugged in.

      3: see 2.

      Called the vendor. Support was !ofclue about patches. The best I could do was apply all of the IIS-related patches, disable all MS internet services, and clean the hell out of the system. Love me some MS.

    3. Re:The good sides of Mainframe Mentality... by haruharaharu · · Score: 2

      So _trusted_ systems means your tech support team's Windows based computers

      Of course not. Trusted means the other machines in the cluster and a port through the firewall to untrusted SQL clients or whatever your Datacenter box does. And, if you run IIS on that thing, you had better not allow anything to talk to it. Do that and I will point and laugh.

      --
      Reboot macht Frei.
  23. Unanswered Question by Phroggy · · Score: 4, Funny

    If anyone out there is running Win2k Datacenter, I've got an important question I've been trying to find the answer to, with no luck so far. Can someone finally give me an answer? The question is this:

    Does Windows 2000 Datacenter ship with 3-D Pinball installed by default? If so, is it in the Start menu?

    That's all. Thanks.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    1. Re:Unanswered Question by alen · · Score: 2

      If we do buy datacenter I'm planning on burning me a copy and install it on my home network. And maybe share it out to a few thousand of my closest friends.

  24. Comment removed by account_deleted · · Score: 5, Informative

    Comment removed based on user account deletion

  25. Datacenter _is_ vulnerable by dybdahl · · Score: 3, Insightful

    Nimda did go behind firewalls. It came in via e-mail or external consultants with laptops that attached to the LAN, and then attacked all intranet servers. As the story says, IIS is used for administering these servers, so they are indeed in a very vulnerable position and need to be patched.

  26. I'm guessing by loraksus · · Score: 3, Interesting

    Since you're paying microsoft a shitload of money, I'm sure that something can be worked out. All the friggin losers who were hitting my box with (a la Code Red) were on DSL / @home lines.

    Incidentally, the IIS vulnerability was known since IIS 4.0 was released. It was kept secret by MS because of the "If no one knows about it, no one will exploit it". I'm thinking the data center people get the patches that home users don't - sort of like Netware's support, there is a $200 per support issue, but they will forward the problem all the way up to the guy who coded the section you are having a problem with.

    The lame fuck of the day is 24.202.127.156

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  27. Sybase by YuppieScum · · Score: 2

    As a sort of related issue, we're going to see many more implementations of W2K/DC & MS-SQL, as Sybase have decided to "update" their licensing model and fuck their customers in the arse.

    Originally, it was:
    Is your Sybase database accessed outside your company? Yes? More money please!

    Now it's:
    Is the data in your Sybase database accessed outside your company? Yes? More money please!

    Note the subtle difference. We've got many front end applications in a DMZ talking to Sybase in our datacentre - the users never see Sybase, nor even know where the data comes from - but now Sybase want more money...

    So our CIO has done a deal with the Great Satan of Software, and we're going to

    1. Sell all our Sun kit we use for hosting Sybase
    2. Buy shit-loads of cheap x86 servers
    3. Have MS "consulting services" port all the DBs and integrate them with our existing applications.

    --
    This sig left unintentionally blank.
  28. Uptime is a poor metric by Anonymous Coward · · Score: 4, Insightful

    Specs are hard to write and all vendors have weasel clauses. Just look at insurance policies - damage due to acts of war is generally excluded. With cracking being described as a "terrorist act" you could end up with exploits not being covered.

    A big common exclusion is "unscheduled" downtime. One of our vendors would see a router or firewall machine starting to act funny and then quickly "schedule" some emergency downtime that night to reboot it thus avoiding having to pay.

    I have not had good experience with outsourcing - never forget that these are the same bunch of folks who are getting skewered for lousy tech support for poor end-users who have paid extra for support packages. Attitudes don't change much across corporations.

    Before I would spend the bucks for any sort of "managed services" I would make sure that the vendor guaranteed 100% availability without exception. Availability must be defined as a maximum latency (i.e. no end user will wait more than 750ms for a response or whatever is needed).

    Rationale? Any app that requires this type of support must be available to the end user without fail. That's why you pay the bucks.

    OS is "up" but web server is compromised or down? It's no good to the user. The downtime was scheduled? End user doesn't care.

    Why 100%? Why not. They are already guaranteeing less than 316 seconds per year of downtime. Let them work their payments for that downtime into the contract cost. I don't want to have to total up downtime and argue over when the year started. I want the vendor to know that any downtime costs them bucks. No argument, no weasel clauses, no exceptions (better keep those machines maintained, protected and patched).

    Been there - been burned. We moved our servers from a "managed solution provider" to a generic server farm and got far better service for one tenth the cost.

    1. Re:Uptime is a poor metric by SuiteSisterMary · · Score: 2

      And at that point, you should have a cluster. Period. No one box will have full uptime. But wait, you say, what about a mainframe? Well, a mainframe is just a cluster in a box. At a really really low level. So when you hotswap a CPU, you're just knocking out a cluster node.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  29. Think firewall + watchdog functionality by chabotc · · Score: 5, Informative

    Put the datacenter server behind a firewall, preferably with some string matching functionality (ie watchdog).

    The later iptables versions have a string patch included, which allows you to target certain port/string combos; with this it is easy to block worms from the webserver, as long as you know what request it makes.

    Example to block cmd.exe access (taken from my own internal firewall scripts, this will block Nimda):

    # log (rate-limited) any "/cmd.exe" in HTTP requests arriving from outside
    $IPTABLES -A INPUT -p tcp -i ! $INTERNAL --dport 80 -m limit \
    --limit $LIMITLEVEL -m string --string "/cmd.exe" \
    -m state --state ESTABLISHED -j LOG \
    --log-level $LOGLEVEL \
    --log-prefix "MS IIS cmd.exe usage:"

    # same for requests being forwarded out towards the outside; -o (output
    # interface) is not valid in the INPUT chain, so this rule lives in FORWARD
    $IPTABLES -A FORWARD -p tcp -o ! $INTERNAL --dport 80 -m limit \
    --limit $LIMITLEVEL -m string --string "/cmd.exe" \
    -m state --state ESTABLISHED -j LOG \
    --log-level $LOGLEVEL \
    --log-prefix "MS IIS cmd.exe usage:"

    # then tear the connection down with a TCP reset
    $IPTABLES -A INPUT -p tcp -i ! $INTERNAL --dport 80 -m string \
    --string "/cmd.exe" -m state --state ESTABLISHED \
    -j REJECT --reject-with tcp-reset

    $IPTABLES -A FORWARD -p tcp -o ! $INTERNAL --dport 80 -m string \
    --string "/cmd.exe" -m state --state ESTABLISHED \
    -j REJECT --reject-with tcp-reset

    If you wanted to block codered, filter on /default.ida, filtering on global.asa is also a good idea ;-) etc ..

    (see iptables docs for more info)

    G'luck
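As an added example (not chabotc's code, nor anything from the original thread), here is a small Python detector that looks for the same strings the rules above match on, but in IIS W3C extended log lines, after undoing the percent-encoding and overlong-UTF-8 encoding that Nimda-style traversal requests used. The log lines and client addresses are constructed; the label names and the `scan_log`/`normalize_path` helpers are this example's own.

```python
"""Added example: flag Code Red / Nimda style probes in IIS W3C extended logs."""
from urllib.parse import unquote_to_bytes

# Strings named in the thread above (needle -> label the detector reports).
SIGNATURES = {
    "/default.ida": "code-red",
    "/cmd.exe": "nimda",
    "global.asa": "global.asa-probe",
}

# Constructed sample log in the W3C extended format IIS 5 writes
# (documentation addresses from RFC 5737, not real hosts).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 10:01:02 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe - 200
2001-09-18 10:01:03 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe - 404
2001-09-18 10:02:11 198.51.100.7 GET /default.ida - 200
2001-09-18 10:02:40 198.51.100.7 GET /GLOBAL.ASA - 403
2001-09-18 10:03:00 203.0.113.5 GET /index.html - 200
"""


def parse_w3c(lines):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                           # other directives / blank lines
        elif fields is None:
            raise ValueError("data line before #Fields directive")
        else:
            yield dict(zip(fields, line.split()))


def normalize_path(raw):
    """Decode a request path the way the lax IIS decoder effectively did:
    percent-decode twice (so %255c becomes %5c becomes a backslash), then
    collapse overlong two-byte sequences such as %c0%af ('/') and %c1%1c ('\\')
    into the ASCII byte they stand for. Result is lower-cased, '/'-separated."""
    data = raw.encode("utf-8")
    for _ in range(2):
        data = unquote_to_bytes(data)
    out = bytearray()
    i = 0
    while i < len(data):
        lead = data[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(data):
            # overlong lead byte: take the low bits of both bytes as one code point
            out.append(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return out.decode("latin-1").replace("\\", "/").lower()


def classify(uri_stem):
    """Return (normalized path, list of labels) for one cs-uri-stem value."""
    norm = normalize_path(uri_stem)
    tags = [label for needle, label in SIGNATURES.items() if needle in norm]
    if "/../" in norm or norm.startswith("../"):
        tags.append("traversal")               # escaped the web root after decoding
    return norm, tags


def scan_log(lines):
    """Return a list of hits: client address, decoded path and matched labels."""
    hits = []
    for rec in parse_w3c(lines):
        norm, tags = classify(rec["cs-uri-stem"])
        if tags:
            hits.append({"c-ip": rec["c-ip"], "uri": norm, "tags": tags})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f'{hit["c-ip"]:>14}  {",".join(hit["tags"]):<20} {hit["uri"]}')
```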

    1. Re:Think firewall + watchdog functionality by haruharaharu · · Score: 3, Informative

      Put the datacenter server behind a firewall

      better yet, don't run a webserver on your datacenter

      --
      Reboot macht Frei.
  30. Re:Linux by C0vardeAn0nim0 · · Score: 2

    You don't have to wait for the "vendor" to patch anything.

    It's open source. If the maintainer of that specific package doesn't come up with a solution in less than 24h, FIX IT YOURSELF. You have the code for G_d's sake...

    --
    What ? Me, worry ?
  31. Re:SLA... by JoeShmoe · · Score: 2

    Service Level Agreement.

    Basically, what is and is not covered in your support contract. For big orders, you get to negotiate your own EULA not just take what they hand you.

    For example, an SLA might cover financial losses due to system failure, whereas every normal EULA under the sun absolves hardware vendors of liability for secondary losses.

    - JoeShmoe

    --
    -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
  32. Odd question by md_doc · · Score: 3, Insightful

    This is an odd question because both Code Red and Nimda were actually viruses that took advantage of things like directory traversal and admin tools on the system. In short most admins already knew about these issues and fixed them themselves by disabling the dir traversing and removing the template site.

    So in short, to answer your question, when it comes to Code Red or Nimda you really should not have a problem if you are a good admin. The same is true in the Linux world with newbie web programmers that do things like system calls without checking out what is going to be called. If you call something that the user passes to you then obviously they can do things like tracrt ip; rm -rf / and your code would let it. This is not Perl's fault or PHP's fault or any other language's fault, it is the programmer's fault.

    As much as I dislike Windows, mainly because I have been an ASP programmer for a long time and I would rather use Linux and do Perl programming (which I do now), Microsoft is somewhat right in that a knowledgeable sysadmin already had the holes fixed. At the same time they should not send out software with issues like that.

    --
    --MD--
  33. No IIS on the terminal servers by 0xA · · Score: 2

    You really don't want to put IIS on your Terminal Server. If you're using TS in admin mode you don't need to use TSAC (the web plugin). I find I do just as well with the RDP client application. It works smoother and the win32 version will fit on one floppy if you want to carry it around.

  34. Re:Linux by mickeyreznor · · Score: 2

    Would anyone actually recommend one of those Linux based "all-in-one" appliances that you guys love so much? You have to wait for your vendor to patch those too!! Do you hear anyone asking that question?? Nope.

    2 Things you can do if you find a security hole in a linux server:

    1. You can ... fix it yourself(assuming you have someone who understands the code)!

    2. You can hire anyone else to do it for you, not just the vendor.

    Those are 2 things you can't do with things like win2000 datacenter.

  35. Slashdot filter code by SilentChris · · Score: 2
    "Would anyone out there actually recommend Datacenter for corporate environments?"

    Loaded statement... entering Slashdot filter code...

    Made by Slashdot author = PASS...
    Negative against Microsoft = PASS...
    Vaguely positive to Open Source operating systems = PASS...

    Good to go.

  36. Thank you for your answers by alen · · Score: 4, Informative

    I actually posted this question twice, and I'm glad they used this second posting with our actual situation. The first one was more of a what-if scenario.

    As far as terminal server and IIS, you need IIS if you want to use the Terminal Server Advanced Client and go in through the web. I was originally taught to use TS through IE and forgot going in through the TS client.

    If we do go with Datacenter, the servers will host SQL 2000 Enterprise in a clustered environment. We currently use SQL and have a proprietary in-house written app for it.

    And as far as the Code Red holes being found months prior to infection, I just used this as an example. I remember in 1997 and 1998 NT had new security holes every week. Windows 2000 is slightly better. 6 months ago I remember downloading hotfixes that will appear in service pack 3.

    My question still remains: if a new flaw in IIS, the kernel or any other part of the OS is found, how long are we supposed to wait for a fix? I forgot the specifics, but I'm pretty sure the Compaq people said they customize the source code for your environment. They will need a copy of our in-house app, get in touch with the EMC engineers because our EMC box will be our clustered storage, and analyze everything else. Then we will get a CD with a customized copy of Windows 2000 Datacenter. Like EMC, the servers will be monitored by another company and they will most likely know of any problems before us. Every so often we will get a new CD with updates, service packs, etc. customized for us. But if a new worm comes out in a few months that exploits some currently unknown flaw in Win2000 or any other part of the OS, will we be dead in the water while we wait for a patch? After September 11th we were calling EMC for tech support on our Symmetrix and we were basically told to get in line. They had richer customers to support first.

    1. Re:Thank you for your answers by sheldon · · Score: 2

      I was going to say. Once you have the ActiveX control you can connect to any box running Terminal Services. There's absolutely no need to run IIS on the box you are trying to manage.

    2. Re:Thank you for your answers by sheldon · · Score: 2

      First you go and take the Windows 2000 security training course at the SANS conferences. There you will learn about turning off unnecessary services, hardening the installation of the software and the OS. You'll learn about ipsec and filtering out illegitimate traffic at the network layer of the box. You'll learn about auditing your box to watch for problems, etc.

      Then you will realize you won't have an IIS server on your SQL Server box anyway, because it's unnecessary. So you won't be at risk to Code Red or Nimda or any similar IIS Worm. Even if you did have IIS, you'd lock down the install by removing the various ISAPI filters and such that were exploited, so even without the patches you would never have been vulnerable.

      Then you're going to go out and subscribe to the advisories from microsoft.com/security, sans.org, securityfocus, ntbugtraq, etc... so you won't have to worry about waiting a few months; you will know about them the day they hit the streets.

      I think the training will help, in conjunction with a better understanding of exactly what you are doing you can be pretty confident about your installation. If you want to lock it down, you can... and I'd say it's advisable to do so.

  37. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  38. No patches needed to block Nimda and Code Red by MoritzB · · Score: 3, Informative

    Both Nimda and Code Red can be avoided by locking down the IIS 5 configuration (... as demonstrated by the MS IIS lockdown tool). No patches (not even OS service packs, i.e. no Win 2k SP1 or SP2) are required! If you add some firewalls in front of your IIS, one of those being e.g. ISA Server 2k, you could use

    - HTTP forward caching (where all cached requests would be handled on the "other" side of the NAT firewall)
    - content filtering (to block offensive code such as Nimda).

    If your admin knows her job, everything should be just fine with your Win 2k Datacenter (except for the noise those boxes tend to make) ... M.

  39. Get your facts straight first by thesolo · · Score: 4, Informative
    A few things here:
    1. Datacenter machines will NEVER be running IIS. I've worked with several OEMs before, and none of them would EVER send out a datacenter machine with IIS running on it. If your OEM gives you a datacenter machine with IIS on it, run. Run as fast as you can to another OEM that doesn't.
    2. Datacenter should NOT be available to the internet! If this is a mission-critical machine, why would you want it on the internet? So it can double as an EFNet server?! Machines like this should only be accessible to a select group of machines on its own network.
    3. As stated before, Terminal Services does NOT require IIS to run. And also, you really shouldn't be using Terminal Services on this machine to do anything except possibly monitor performance--any changes made to the system would violate the uptime guarantee from your Vendor. This is a "LEAVE IT ALONE" situation.
    4. If you are dumb enough to have a Datacenter machine running IIS, you deserve to get a worm on it. Anyone who has the kind of money to get one of these machines should have some active brain cells too.

    The issues mentioned in this article are null & void, as a situation like that would most likely never, ever happen. (Then again, you picked Compaq as your OEM, so maybe...*insert rim shot here*)
  40. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  41. Woah, big misunderstanding... by Telek · · Score: 3, Insightful

    So say a new worm comes out in a few months and it takes a few days for MS to create a hotfix.

    Is there something I'm missing?

    Absolutely. You've got your timelines backwards.

    Worms come out a few months after the bugs have been discovered and patches have been made available. We're talking months here. Code Red came out more than 2 months after the bug had been discovered and patches created.

    Microsoft has had their patches out in the wild within a few days of a major bug being discovered. The worms however take much longer to be created/deployed/spread. Although it is possible for the worms to come out much faster, they will still be lagged behind the discovery of the bug, and the patches are issued almost immediately.

    And if you have an agreement with your provider that you will have 99.999% uptime, then you better believe that they will be phoning you at 2am in the morning to tell you that they're coming over to install a new patch lest they break their contract.

    --

    If God gave us curiosity
    1. Re:Woah, big misunderstanding... by alen · · Score: 2

      Melissa is a bad example since WSH has always been there, but patches and virus updates only came out after the fact. How about when hackers stole some of the source code from Microsoft? I bet there is at least 1 flaw that someone other than Microsoft knows about.

    2. Re:Woah, big misunderstanding... by alen · · Score: 2

      About a year ago some hackers from Russia hacked into Microsoft's internal network and downloaded some source code over the period of a few months.

    3. Re:Woah, big misunderstanding... by sheldon · · Score: 2

      Hmm. While it was confirmed some hackers did get access to the Microsoft network. I don't believe it was ever confirmed that they downloaded any important source code.

      I believe this is called playing telephone, where the story distorts itself the further from the source it gets...

    4. Re:Woah, big misunderstanding... by MikeBabcock · · Score: 2

      The easy-to-find official comment is that Microsoft doesn't think its code for Windows XP was compromised.

      It specifically mentioned one product ...

      --
      - Michael T. Babcock (Yes, I blog)
    5. Re:Woah, big misunderstanding... by Rogerborg · · Score: 2
        How about when hackers stole some of the source code from Microsoft?

      To what are you referring? I know of nothing of the sort.

      Microsoft got infected with the QAZ notepad virus (as did my own company) which installs a backdoor on the compromised machine. However, it doesn't actively tunnel out through firewalls, so it's vanishingly unlikely that any machine on the M$ LAN was hit. For the source to have been compromised, it would have had to have been on an employee's home machine, and that employee would have had to not be running a firewall.

      It's possible that the source was ripped from an M$ machine, but there are softer targets out there; .edu's and .mil's can get access to M$ source, for example.

      --
      If you were blocking sigs, you wouldn't have to read this.
  42. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  43. Firewall didn't help us against Code Red by Greyfox · · Score: 2

    All it took was one nimrod getting infected and then tunneling in through the VPN software. Damn near everyone behind the firewall was running (of course unpatched) IIS because the standard software install didn't disable it. But you know, there's corporate IT for you in a nutshell. Did the CIO catch flack for it? Was any attempt made to improve procedures so this wouldn't happen again in the future? Hell no! They patched everything for that one problem and then went back to their complacent little lives. I guess they think lightning never strikes twice.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  44. Re:Uptime guarantee by starburst · · Score: 2, Insightful

    Five nines (99.999) is 5.256 minutes of down time per YEAR! NOT 1.44 minutes per day.

    None of my NT boxes can do that. My SCO box (nicknamed "The Uptime Server") is down only when I wish it down.

  45. My banks by JediTrainer · · Score: 2

    He obviously didn't even bother to check, but rather was just spewing FUD. Using Netcraft, I found out the following (now that you got me curious)... these are the (Canadian) banks that I trust with my money nowadays...

    www.tdcanadatrust.com - IBM_HTTP_Server/1.3.12.2 Apache/1.3.12 (Unix) on AIX

    www.ingdirect.ca - Netscape-Enterprise/4.1 on unknown

    www.cibc.com - Netscape-Enterprise/3.6 SP2 on Solaris

    www.bmo.com - Netscape-Enterprise/3.6 SP3 on Solaris

    www.royalbank.ca - Netscape-Enterprise/3.6 SP3 on unknown

    --

    You can accomplish anything you set your mind to. The impossible just takes a little longer.
  46. Question about Databases and clustering. by mindstrm · · Score: 2

    Is it possible to cluster SQL server in order to yield increased performance?
    Intuition tells me no, which is why you see so many large database servers.

    But is it possible at all?

  47. Nope. No need for IIS. by mindstrm · · Score: 2

    You can run it from any webserver.. it's active-X.. it's client side.

    Also, you only need it available once.. you don't have to have it on each terminal server. You don't have to have it on ANY terminal server.. you can stick it wherever it's convenient... and use it to connect to as many terminal servers as you want.

  48. Re:Question about Databases and clustering. by alen · · Score: 2

    Windows 2000 Advanced Server and Datacenter support network load balancing. Kind of like Beowulf where the machines divide the tasks among them. Never used it. We only had clustering running on Advanced Server at work to test it.

    SQL 2000 Enterprise and Exchange 2000 Enterprise support clustering on advanced server and datacenter server. I assume they support network load balancing too.

  49. Windows 2002/XP Datacenter by green+pizza · · Score: 2

    A while back my organization had several major security concerns with both Win2K Server and Win2K Datacenter, most of which dealt with LDAP. After our concerns were finally escalated high enough within Microsoft, a surprising reply was sent to us... it basically stated that some of the holes were to be patched by Q4 2001 but that we should consider upgrading to what they called 'whistler datacenter' (essentially the server and datacenter versions of Windows XP) for complete security. I for one am tired of feeding the M$ machine.

  50. Rate parent funny +1 by blang · · Score: 2

    The SLA guarantees a 99.999% uptime or your money back

    Let me see, 99.999% uptime on a Windows system. That translates to 4 minutes and 12 seconds downtime per year. I don't know about you guys, but on this planet that's not what I call a credible proposition. On Windows, that's more like winning the lottery. I surely hope somebody in that meeting had the sense to laugh.

    --
    -- Another senseless waste of fine bytes.
  51. Unisys and Datacenter by isfry · · Score: 2, Informative

    As someone who just had Unisys install an ES7000 with Datacenter and talked to the install people: you can do anything to the box that does not touch the kernel. How Unisys explained the 5 9's SLA is that they will have a copy of your setup and will apply patches to it before they are installed on your system, but in cases like Code Red they will issue them to you and put them on the test server to test. They aren't going to keep you from installing a critical hotfix, but when possible they will test it before they unleash it upon you.

  52. Re:Terminal Server but sort of OT by JoeShmoe · · Score: 2

    If only Citrix wasn't so stupid they would realize that the best way to keep Microsoft out of the Terminal Server space would be to adopt more competitive pricing.

    On the one hand you have Citrix at $5000 for 20 users. On the other hand you have Microsoft for $0 for unlimited users ($75 for any user not running Win2000).

    That's utterly insane. Why do they make such an absurdly high barrier to entry? Microsoft begins Server and Small Business Server at the 5-client license level so why on earth is Citrix starting at 20? They are immediately discounting almost all of the small businesses out there.

    Knowing now that I can't run 256 colors on Windows 2000 Terminal Services...I'm not about to recommend this mom and pop shop plunk down five grand for Citrix...I'm going to recommend they pay a few hundred and upgrade to Windows XP server.

    One day, like Novell, Citrix will wake up and wonder where all their customers went. Only then will they realize that people aren't interested in paying a premium for a market leader when Microsoft has a "good enough" option available for free.

    Feh! I was already upset I had to install Windows 2000 instead of Windows NT 4.0 Terminal Server...now I gotta install XP! Bleah!

    - JoeShmoe

    --
    -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
  53. Nice Comments by Null_Packet · · Score: 3, Insightful

    This may not be modded up high enough for the +4 folks to see it, but I have to say that the people posting at +4 and above have some really great comments.

    It's nice to see Slashdot as a technical community, not just a Linux one. I know, I know, *nix is the preferred OS of many of the readers/posters, but it's nice to see such an array of comments and extremely constructive ideas and comments. Nice Comments, all.

  54. Re:Patching Rant... by doublem · · Score: 2

    Hmmm, Two AC's. One offering real tips, the other just flaming.

    I have nothing against him getting laid. My problem is he doesn't do his job, and when he does do it he screws everything up. The fact that our production servers got infected with the Nimda virus was just one example.

    And just for the record, I DO go out, get drunk and get laid. I also rock climb, dance and hang out with friends.

    Now, to the intelligent AC - Thanks for the tips.

    I'm already working with the CTO and CIO to get the ports blocked. Sadly, the chucklehead is the one who would make the change in the firewall, so I have to figure out a way to get the change assigned to myself or the CTO.

    The monitoring software is on the way. I've wanted it for ages, but the company owner didn't OK the purchase until we had a CTO. It's interesting that when I (25 year old tech) propose an idea it gets shot down, but when our CTO (early 40's, an experienced tech, but studying for law exams) puts forth the exact same idea it gets snapped up and hailed as revolutionary. If the CTO wasn't a damn smart guy who has a bunch of other good ideas I never thought of I'd be annoyed.

    The CTO knows this guy is a nit-wit, and is forcing him to take the A+ exam. Once he fails....

    Restricting his bandwidth is an excellent idea. I could cut him down to 1k and he'd never realize there was anything wrong (except for the plummeting performance that is) Knowing him, he'd reinstall Windows before he checked anything else, and that would take him out for a good three days.

    Anyone know off hand if Morpheus or Limewire keep any logs of downloaded files?

    After my initial post I read the most recent edition of the BOFH, and liked the changes the BOFH made to some text he got off the Internet...
    http://www.theregister.co.uk/content/30/22378.html

    Sadly, starting an STD rumor with this group might give one of the females an "It's OK, he already has it, I won't infect him," moment

    Where did I put that copy of "Evil Geniuses for Dummies?"

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
  55. Thanks. but.. by mindstrm · · Score: 2

    That has absolutely nothing to do with my question.

    Load balancing is NOTHING like beowulf.. beowulf is about using appropriate parallel-processing libraries (PVM, etc) to squeeze performance out of a cluster of machines.

    As for the machines 'supporting clustering'.. that's an industry buzzword that's not terribly meaningful. ALL operating systems 'support network load balancing' in this respect.

    Win2k advanced server & datacenter do NOT automatically cluster anything; clustering is application specific.

    My question is whether database servers in particular can be clustered in order to increase performance (some queries to one machine, some to another). My theory is that they generally can't, because, in order to remain coherent, each machine would have to receive all transactions anyway.
    (Certainly lookups could be done with replicated databases.. that's not what I mean though.. I mean real transaction processing stuff)

  56. www.tpc.org by Otis_INF · · Score: 2

    Microsoft got the top spots in the TPC-C transaction performance benchmark by using clusters of SQLserver2000. The feature that makes it worth using these clusters is 'partitioned views', which is something like: having a view on a set of data that is retrieved from more than 1 machine, i.e. what you want.

    --
    Never underestimate the relief of true separation of Religion and State.
  57. Re:Terminal Server but sort of OT by budgenator · · Score: 2

      Which features? Like easy remote brute-force hacking of user IDs/passwords and almost trivial escalation to admin privileges?

      Maybe Microsoft is starting to pull its head back out into the sunshine. Legacy support often perpetuates legacy bugs/exploits. Personally, if someone is spending $500K on a hardware/software system, the life-blood of the corp, isn't having a competent admin on site pretty cheap insurance?

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
  58. Hogwash by matman · · Score: 2

    Run Hogwash... it's a modification of snort that actually makes firewall decisions based on snort rules... so you can detect an attack and refuse to allow it into your network.

    hogwash.sourceforge.net