Slashdot Mirror


UCSB Bans Windows NT/2000 in the Dorms

nick58b writes "The people in charge of the networks for all of the on-campus dorms at UCSB banned the use of Windows NT and 2000 on their networks citing security and network problems associated with them. While there are problems with NT/2000, Windows 98 and ME computers are still permitted. Students using these are "recommended" to upgrade to XP Home Edition. In other news, sales of Windows XP are way up at the campus bookstore."

9 of 436 comments

  1. This isn't just plain stupidity by porkface · · Score: 3, Informative
    I use Win2k primarily, and prefer it to all other Windows OSes. I know of its problems and think I can guess what they're referring to and experiencing. But honestly, having worked tech support in the past, if these were honestly their only motivations for making this recommendation, they should be telling students to get Macs, not XP.

    We will always see through this kind of bullshit. The best we can do is to educate others without seeming too fanatical to be taken seriously.

  2. It _IS_ a security/bandwidth problem by gimlix2 · · Score: 5, Informative

    Just for the record, I work for Residential Computing at UC Berkeley (the analog of Resnet at UCSB, except it's at Berkeley :), so you know I'm not completely talking out of my ass.

    This has been a topic of discussion recently at our office mainly because there have been a tremendous number of security issues relating to Windows 2000 (not so much with NT since these are students, not corporate users). I personally think that the move is a little drastic, but it will be interesting to see how this pans out at UCSB (especially how they will enforce it).

    There will be people talking about how secure/insecure Win2K is. Allow me to give a common trait to all of the compromised machines:

    1) Blank Administrator Password
    2) Unpatched Windows (i.e. no Service Packs installed)

    In nearly ALL the compromised machines, the computer is not updated and has a blank Administrator password.

    The easy solution: install SP3!
    An easier solution: set an Administrator Password!

    All really simple solutions that would prevent 99% of the issues we have encountered thus far.

    So I said it was a security problem. How is it a bandwidth problem?

    Allow me to point to the DarkIRC and Nimda security bulletins we have written up by our security.

    So you've got a zombie, what do you do with it? A number of things:

    1) use the compromised machine in a DoS attack
    2) use it as an FTP server
    3) use it as an IRC bot ...

    A script kiddie can just use a machine on a fat bandwidth pipe at will to his liking. It's definitely NOT fun when the pipe is already clogged as it is with folks and P2P apps.

    So there you have... if you don't think it's a problem, it IS a problem. There are too many calls about this to our helpdesk to have it be a minor issue that everyone else makes it out to be.

  3. Read the story again by Anonymous Coward · · Score: 3, Informative

    I am a student here at UCSB and I agree with the resnet staff because win2k/nt systems can be more secure than win9x/me but in reality they are not. Considering only a few people use win2k and those few manage to be the ones with nimda/code red/etc. They also agreed that if you have to run win2k then you can as long as you secure the system and talk to them about it. They even went as far as giving all of the students antivirus software ... but the students decided not to use it. I think XP is allowed because it would be hard for them to block XP Professional without blocking the Home edition.

    PS: I don't think UCSB is getting anything from Microsoft, because they agreed to run Linux on most of the servers here.

    just my $.02

  4. The wool has been pulled over your eyes... by SlashChick · · Score: 5, Informative

    "I am a student at UCSB and the reason this is being done is because the average user in the dorms does not have the ability to properly secure NT or 2K from its default setup, while the default setup of XP has been deemed more secure."

    Oh, boy. You just took that hook, line, and sinker, didn't you? What exploits are running around on a default version of Windows 2000 that would cause problems with your network?

    Answer: NONE.

    The culprit you're looking for is IIS, which is NOT installed by default on Windows NT Workstation or Windows 2000 Professional. If you install IIS from the Windows 2000 CD, you will be vulnerable until you download the patch -- but to install IIS, you must explicitly insert the CD after Windows 2000 is installed, find IIS, and install it. (By the way, this problem could be eliminated other ways, such as not allowing servers on port 80.)

    The IIS version that ships with the Windows XP Pro CD is not vulnerable. But to say Windows 2000 is vulnerable to a common remote root exploit out of the box is simply untrue. IIS 5.0 is the scapegoat you're looking for.

    1. Re:The wool has been pulled over your eyes... by htmlboy · · Score: 5, Informative

      Oh, boy. You just took that hook, line, and sinker, didn't you? What exploits are running around on a default version of Windows 2000 that would cause problems with your network?

      Answer: NONE.

      The culprit you're looking for is IIS...


      Having worked on dorm computers, the bigger problem with win2k and winxp is usually the presence of an administrator account with no password. There's a good number of exploits out in the wild that use the absence of an administrator password to take over machines, presumably for DDoS. I'm not certain, but I think that if you tell the installer there will be only one person using the win2k/xp system, it skips the part where it prompts you to set a password for administrator.

    2. Re:The wool has been pulled over your eyes... by Lord+Ender · · Score: 4, Informative

      It is easy to make a Win2K system with no password. It doesn't complain if you leave the Admin password blank. And 2K/XP *automatically* share the entire contents of the hard drive, *read/write*, to the admin account. 9X and ME don't do this.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.

  5. Re:Unbelievable by amorsen · · Score: 3, Informative
    Some other options are to downgrade to Windows 98, get a free operating system such as Linux

    This sentence should be parsed: Some other options are to (downgrade to Windows 98), (get a free operating system such as Linux).

    --
    Finally! A year of moderation! Ready for 2019?

  6. Like I said on the resnet forum by CurbyKirby · · Score: 5, Informative

    I'm kinda pissed that slashdot completely neglected my submission of the same story (I submitted it 3 weeks ago), but I'll reprint what I said here. Please give your comments, but I still stand by what I said.

    8/30/2002 2:49:15 AM

    I'm writing this to the people in charge of Resnet policy, but also to people using Resnet. An outright ban on Windows 2000 will prove to be a costly and ineffective policy for increasing the security of Resnet.

    1. Software and Bugs

    Windows 2000, like any operating system, is a complex bundle of computer code. Like Windows XP, GNU/Linux, or MacOS, people find bugs in the software from time to time. Certain malicious people try to exploit the bugs to damage networks, reputations, etc. Other people develop software patches to fix the bugs.

    Oftentimes, bugs are found with application software, like web browsers, web servers, e-mail clients, and the like. The operating system is generally not at fault. In this case, it just so happened that problems with some Microsoft application software were found in 2001 and combined creatively to create a series of rather devastating worldwide attacks.

    2. Who is to Blame

    It is important to realize that Windows 2000 was not the vulnerable software in these cases. Rather, bugs in Internet Information Server and Internet Explorer were exploited; they were the cause of the widespread effectiveness of the worms called "Code Red" and "Nimda." In other words, there are computers running Windows 2000 that are not and never were susceptible to Code Red, and there are devices not running Windows 2000 that were susceptible. Similarly, there are plenty of computers not running Windows 2000 that helped spread the problem through the Nimda worm.

    Thus, these problems cannot be blamed on Windows 2000. Where does the blame lie? Programmers are bound to make mistakes, especially in an environment where a for-profit company is trying to produce and sell a modern operating system. Since few pieces of software are ever bug-free, it is ultimately up to system administrators and everyday users to make sure that their systems are as secure as possible (or practical). One of the ways to help increase the security of a computer is to apply security patches once they are released.

    3. Patching Problems

    A properly maintained computer is like a properly maintained car. Using a two-year-old unpatched computer on the Internet is like driving a car too fast on a twisting mountain road during an ice storm on bald tires. Using such a system or driving such a car is asking for trouble.

    The bug in IIS that made it vulnerable to Code Red was announced two months before Code Red. The bug in Internet Explorer used by the Nimda worm was announced a full 5 months before Nimda. Yet even today, nearly a year after these attacks, thousands of machines worldwide are still unpatched. In other words, they are either infected with Code Red, or vulnerable to it. Unfortunately, many of these machines are likely to remain unpatched forever.

    With that in mind, we turn now to the proposed ban of Windows 2000.

    4. What problems does it solve?

    Windows XP is not vulnerable to Code Red and Nimda. So upgrading to Windows XP does protect against certain problems.

    5. What problems doesn't it solve?

    It does not change the fact that improperly configured or improperly managed systems are vulnerable. It does not protect against attacks that have yet to be developed. It does not help educate users about ways to make their systems more secure. It does not help users of other operating systems running vulnerable versions of Internet Explorer. It does not protect against the thousands of other vulnerabilities that plague other operating systems. It does not stop denial of service attacks and port scans (that for some reason were blamed on Windows 2000 by the Resnet web page).

    6. What problems does it cause?

    Bugs that were introduced during the development of Windows XP could conceivably outweigh the bugs that were patched during that time. It would be naive to think that every bug in Windows XP is also present in older Windows operating systems.

    The Products Use Rights document for Windows XP now includes a clause saying that Microsoft may access and change the operating system and its components without your agreement, and in fact without your knowledge. Suggesting that users of Resnet upgrade to Windows XP puts them in a position where they agree to relinquish control of their computers. Incidentally, versions of Windows 2000 up to service pack 2 do not contain this clause.

    The ban of an operating system creates a dangerous precedent. Nowhere in the Resnet Acceptable Use Policy has there been any mention of the ban of a specific software product. The AUP does state that users cannot interfere with others, or with the proper functioning of the network. However, anyone would be hard put to prove that Windows 2000 was the sole cause of any problems by virtue of any fundamental and uncorrectable security flaws.

    7. What are the costs of the upgrades?

    As always, these costs are generally borne by the end users. They must acquire and install the software and learn to use it. This costs time and money and doesn't appreciably increase the security of the network.

    8. What are the alternatives?

    Requiring that users patch Windows 2000 systems would take less time and money. Verifying that a system was patched by probing the computer for the Red Alert vulnerability is no more difficult than fingerprinting the OS and checking that it is not Windows 2000. Certainly, installing a patch is a less intensive operation than upgrading an operating system and dealing with any problems and incompatibilities that may arise, so support problems faced by the RCCs are fewer.

    In conclusion, the proposed Windows 2000 ban is both costly and ineffective. It seems as if the Resnet staff has already decided on implementing this "solution," which is lamentable. As there has been no discussion of or opposition to the ban on this forum, I felt it was necessary to provide a different opinion.

    9. Resources:

    Resnet Policy:
    http://www.resnet.ucsb.edu/information/win2k.html
    http://www.resnet.ucsb.edu/information/use_policy.htm#policy

    Code Red:
    http://www.cert.org/advisories/CA-2001-19.html (exploit)
    http://www.cert.org/advisories/CA-2001-12.html (bug)

    Nimda:
    http://www.cert.org/advisories/CA-2001-26.html (exploit)
    http://www.cert.org/advisories/CA-2001-06.html (bug)

    Windows XP PUR:
    http://www.microsoft.com/licensing/resources
    http://www.infoworld.com/articles/op/xml/02/02/11/020211opfoster.xml

    --
    "Extra Anus Kills Four-Legged Chick" -- Headline

  7. At my place it is the other way round. by PineGreen · · Score: 3, Informative
    At my department, it is the other way round. There is a special document on XP that goes:


    Windows XP is beginning to appear on new machines, and is also being
    installed on some old systems within the Laboratory. There are some
    security issues with Windows XP that are not obvious to inexperienced
    users, and there is a Lab policy at present that any Windows XP machine
    MUST be installed/configured by someone with a high degree of experience
    if it is to be used on the network. For the * Group, we have agreed
    with the C* IT-Dept that all Windows XP systems will be installed
    or checked by one of us to make sure that the known problems are being
    dealt with.




    So much about objectivity of various security issues...