Slashdot Mirror


UCSB Bans Windows NT/2000 in the Dorms

nick58b writes "The people in charge of the networks for all of the on-campus dorms at UCSB banned the use of Windows NT and 2000 on their networks citing security and network problems associated with them. While there are problems with NT/2000, Windows 98 and ME computers are still permitted. Students using these are "recommended" to upgrade to XP Home Edition. In other news, sales of Windows XP are way up at the campus bookstore."

24 of 436 comments

  1. What a scam by jameslore · · Score: 5, Insightful

    Permitting Win98 and denying Win2k? For all its faults, it's not as bad as the 9x series of exploits. Plus with Win2k up to SP3, it's likely more secure than XP.

    Methinks someone wants to make some money...

    1. Re:What a scam by Saxerman · · Score: 3, Insightful
      Permitting Win98 and denying Win2k? For all its faults, it's not as bad as the 9x series of exploits. Plus with Win2k up to SP3, it's likely more secure than XP.

      Methinks someone wants to make some money...

      For the most part the trouble is not 'as of yet undiscovered security flaws' but known problems that go unpatched. Microsoft or otherwise, no OS is 100% secure, so what does UCSB hope to gain by 'encouraging' their students to switch? From the article it sounds like they got burned by holes in win2k in the past so now they're afraid of it?

      "While we understand that it is possible to run a secure Windows 2000 environment, past history has shown that this rarely happens on ResNet."

      So, uh, why not? Sounds like that's going to be your real problem regardless of what OS you enforce. Unless the problem is the school bookstore has more of a markup on 9x and XP than win2k?

      --

      A steaming cup of soykaf would be real wiz right now.

    2. Re:What a scam by octalgirl · · Score: 4, Insightful

      From a public school perspective, Win2k was a nightmare. Forget security, we didn't even get that far. If someone so much as tried to 'install on first use' the equation editor, administrator password was required. Or configuring their own Outlook (after they had been doing it themselves for years)- impossible - and they called that zero-admin? Sure, make everyone else the administrator and you won't have to do anything anymore.

      Norton corporate script wouldn't run (admin pass again); trying to install one single lab printer so every student who sat at that computer would always see the same printer, impossible without scripts or pushing profiles. This increases the amount of training required for students to use the equipment, or takes a net admin away from LAN/WAN support and puts them in script/profile land. An English teacher just wants to bring a class in without any hassle or setup. Our legacy or proprietary software apps - most wouldn't run without admin pass. And why the hell would we want to teach a bunch of students about CTRL-ALT-DEL to log on? I remember when Microsoft used to brag that was a great security feature. Do they really think everyone is ready to handle their own server? Just crazy. We stayed with 98 on desktops and used Win2K on servers. We are finally moving into XP, which is much easier to handle, and much easier to train 5000 users on.

    3. Re:What a scam by delta407 · · Score: 5, Insightful

      From a private school perspective, Win2k is great. I don't know how you deployed software, but I don't leave anything to "install on first use" -- it's on the hard drive, on the network, or not available. (Microsoft makes tools that let you customize, say, the Office install; no serial number needed, no I Agree on the license agreement, and no Clippy if you so desire.) As far as configuring Outlook 2000, it can be done as a normal user, with the exception of "mode" (Internet or Corporate) which has to be done as administrator but can be done in the base system image. (You do image your clients, right?)

      I don't know what product you're talking about, but Norton AntiVirus Corporate deploys cleanly (via Group Policy) without issues to speak of. The lab printer scenario is a little more complicated, but if you don't want roaming profiles, you can set a mandatory profile and give users a network home. The mandatory profile can include the printer. As far as legacy or proprietary apps go -- open regedt32 or Windows Explorer and change the permissions until it's happy. Then, change your deployment system to do that automatically: problem solved. Don't like Ctrl-Alt-Del? Disable it via Group Policy.

      I don't like Microsoft, but things are far more usable under Windows 2000 than most people would think. Get some network imaging software, reasonably standard desktop hardware, and a Windows 2000 domain with appropriate Group Policy entries. It's really not that bad.

  2. Bizarre by Mr.Sharpy · · Score: 2, Insightful

    This is such a bizarre regulation. I can't for the life of me understand why they would want the students to use XP Home in favor of 2000/NT. As others have said, the Home edition of XP is if anything less secure than Windows 2000, except for the fact that it excludes IIS. If I remember correctly, XP Home does not even support domain-based networking, instead using workgroups only.

    I can't help but feel like there are other motives here than "securing the network." I don't think it's Linux cheerleading either. Linux is potentially a much much larger security risk when it's configured incorrectly.

  3. Re:I'll be the first to say it... by redcliffe · · Score: 3, Insightful

    they're trying to sell winxp at the shop....

  4. Blown well out of proportion by shoemakc · · Score: 4, Insightful


    The university doesn't declare certain types of machines illegal, they just refuse to support them. I'd wager that very few, if any machines destined for college shipped with w2k pre-installed. This means owners of w2k machines either were knowledgeable enough to install it themselves, or knew someone who was. Chances are they'll go to their savvy friend for support, and not brave the lines at IT.

    This isn't nearly the same situation as computers that shipped from Dell or Gateway with no admin password set. That's something that could be easily overlooked. In these cases however, chances are the same people who installed w2k knew enough to at least put in a simple password.

    And I think we can all agree at this point that a properly patched W2K Pro installation is just as secure (if not more so) as even a properly patched XP one. This really just has to be the case of college IT administrators being wooed by MS hype.

    --
    --an unbreakable toy is useful for breaking other toys--
  5. College Networks ... by SuperDuG · · Score: 3, Insightful

    Why is it that campus networks, where HIGHER education is supposed to be happening, are run by complete half-wits? Doesn't anyone in a CS class know how to set up and maintain a network even a little better? And more importantly, aren't there student governments/councils that should be deciding these matters, not administrators? I still can't believe they're placing a ban on win2k, that's insane, and how the hell do they plan on checking the OS Ver anyways?

    --
    Ignore the "p2p is theft" trolls, they're just uninformed
  6. How about requiring updated systems instead? by cbreaker · · Score: 4, Insightful

    Throwing the book at Windows NT and 2000 is a pretty cheesy way to prevent network problems. And Windows XP won't make these problems go away.

    The "problems" they mentioned were both IIS "flaws" which have been corrected for some time now. Any other flaws exploited will also most likely be present on Windows XP Home, which has IIS as well (called Personal Web Server; incidentally you can install a version of it for Win9x as well.)

    "But how would they be able to tell if you have the latest service pack installed," you ask? I say, "The same way that they will be checking to see what OS you're using."

    This kind of thing is almost expected at a University that is dominantly Macintosh. I worked at Brown University, and it was the same way. The general idea is: Mac = Secure, easy, perfect, flawless and PC = Impossible, buggy, useless. And all this because Apple has always pushed their machines on the schools.

    Then all these students get out into the workplace and say "Uhh... where's the Macs?"

    --
    - It's not the Macs I hate. It's Digg users. -
  7. Re:I'll be the first to say it... by kmellis · · Score: 5, Insightful
    They don't suggest those OSs because they would be even less secure in these students' hands than NT/2K was. The issue isn't one of the essential security of a particular operating system. The issue is that NT and 2K, in contrast to Win9x and XP, include some networking services, by default, that are relatively insecure, by default. It's not practical to attempt to get these relatively naive users to secure their OSs. Also, along with better security defaults on shares and IIS and other things, XP is more aggressively (naturally) supported by MS in maintaining its security via bug-fixes and patches--and they do so via a very aggressive transparent version of their auto-update mechanism. In practical terms, XP Home or Pro is going to be much more secure as installed on this campus residential network than many other OSs. Not because it's "better", and not because it's inherently more secure than other OSs, including NT/2K or a UN*X. It just is because that's how it plays out in this particular slice of the real world.

    My problem with this is mostly financial. Obviously, they can restrict usage to their network any darn way they please. But there are inevitably going to be students who simply don't have the money to upgrade from NT/2K to XP. They're imposing a burden on those students that they should try to ease in some manner.

    A good alternative would be a carefully crafted Linux distribution that they pre-configure and make secure according to their needs, and make it available on a CD-ROM. Again, though, even if the security issues were resolved with such a distribution (which would be relatively easy), they would still have to face the costs associated with supporting these naive users using Linux--which would probably be more trouble than it's worth. Thus, they simply say, "Use XP".

    Keep in mind that in some sense, these types of administrators have less control over their networks than corporate admins do. They don't own the licenses to the OSs--they expect the students to supply their own OS. This gives them a lot less control over what's on their network. They don't have a right to lock the machines' configurations down to control security. They probably don't want to have too much involvement with the students' machines, since that would imply a corresponding degree of liability on their part for how the student is using it (meaning: doing illegal things). It's pretty easy for them to identify the OS that a student is using, so their solution (requiring XP) has the biggest benefit for the least cost.

    It is completely absurd for anyone to assume that they are doing this because they have a vested interest in seeing more copies of XP sold.

  8. In their defense... by OneFix · · Score: 1, Insightful

    They are banning W2k because it is more server-centric...and as such is more vulnerable than say WinXP, which is a desktop variant. Which makes Win2k a great target for virus writers. The reason being, these servers almost always have some sort of broadband and are always high-spec. This means that the virus can spread most effectively/efficiently when it exploits NT/2k...

    I am certainly not saying they are right, but that having been said...

    Some enterprising Linux vendor should immediately send a team of reps to this school (tomorrow morning if possible) to give away free copies of their newest version with Open Office and free support for everyone (Mandrake anyone?). It will cost them some money, but look at it this way, every student that switches will be a Linux advocate when they reach the corporate level (they already dislike M$'s desktop variant...or they wouldn't be running NT/2k). And they will probably always use that distro when possible.

  9. UCSB sysadmins just being lazy.... by MtViewGuy · · Score: 4, Insightful

    If the UCSB admins were smart they would have conveniently posted information about how to make Windows 2000 Professional reasonably secure.

    Things like installing Service Pack 3, setting accounts correctly, banning the use of personal web servers on a client machine, and mandatory installation of a good antivirus and/or firewall program would have saved the UCSB sysadmins a lot of headaches.

  10. Re:It _IS_ a security/bandwidth problem by jsse · · Score: 4, Insightful

    We are running a 1000+ organization but our solution is much better than banning older releases of Windows to force students to upgrade at their own expense.

    First of all, remind them of the security policies, and the consequence of failure to comply.

    Second, we do not rely on individual machines in our network to ensure OUR network security. We include in risk assessment that client machines are subject to being exploited, and have plans to deal with it.

    To minimize and control the damage, we block off unauthorized ports across segments. Say they could open port 80 to be accessed within their own segment, but outsiders cannot have access to it. Now the virus outbreak would only affect their own segment.

    Of course, they could apply for the opening of ports with proper justifications and management approval.

    Third and most important, install Software Access Management software on all Windows boxes. SAM enables admin to perform license management and remote controlling. Users may complain about it, but it's your choice to use Windows, you've options to use something else.

    Do not think we'd relax restrictions to Linux and Mac, policies require that each box must be tested (and challenged, on password, services and ports opened) by our tiger teams from time to time.

    Just my two cents.

  11. Re:I'll be the first to say it... by rainwalker · · Score: 3, Insightful

    That's not good thinking. Joe User installing Linux would most likely install Apache, wu-ftpd (which is swiss cheese), sendmail (good for spammers) and all sorts of other goodies.

    You, sir, are misinformed. Unless Joe User goes and hunts down a really old version of any common distro, or deliberately selects a "Server" installation (which is the equivalent of Joe User installing Win2K Adv Server with default settings), neither apache nor sendmail would be installed, and *especially* not wu-ftpd. The default desktop installs of even not-very-recent versions of Red Hat, Mandrake, and Suse do not install these services.

  12. Have you read the EULA for both XP and SP3 ? by Billly+Gates · · Score: 3, Insightful

    What if I do not want the spyware of sp3/WinXP or give ms the right to install apps without my permission on my pc?

    I strongly advise anyone who has installed w2k on several pc's to not install media player 7 or sp3. Why? I am afraid ms will accuse me of pirating and will have the power to deactivate my os or install god knows what on my system. Also hackers could use this to pretend their virii are microsoft upgrades. I know xp mainly does product activation but the EULAs are getting more and more similar and are sharing much of the media player updates and code. Media player is key for Microsoft's palladium strategy. I no longer use my older machine which now uses linux but ms can still accuse me and be the judge and jury over any copyrighted dispute between my pc's. This is true even though I have one valid license for win2k pro. Go read the EULA? It states that ms can kill the license of your os at any time for no reason! ....not to mention the sp3 EULA states that ms may install additional software packages and change the EULA without my knowledge! Change the license without notifying me?

    Why should I risk being hacked or bend over to the almighty gates? It really pisses me off that I am held hostage here. Be glad I do not go to your school. I have a very valid case why I should not switch to XP and would certainly bring it up to the deans. Even if ms will not do any of the things mentioned in the EULAs or deactivate my copy of windows, I still will not upgrade out of principle. Security be damned.

  13. Wouldn't it be easier (and more enforceable) by drachen · · Score: 3, Insightful

    to just do what they do at the University of Maryland and block Netbios and SMB? Seems like it would be more difficult (and costly) for them to just force people to upgrade to XP when a number of security vulnerabilities also exist for that. Sure blocking these services isn't a catch-all solution, but neither is forcing people to use a newer yet still buggy version of Windows.

  14. unbelievable by shd99004 · · Score: 3, Insightful

    Windows 9x/Me is permitted but NT/2000 is not? So I guess security reasons can be ruled out.

    --
    Will work for bandwidth
  15. I guess the jokes about paper MCSEs are true by alizard · · Score: 3, Insightful
    But who would be stupid enough to put them in charge of a campus network?

    Well, I guess the answer is obvious.

    Good news for anyone whose handle is in some form of l33t sP34k and has been looking for a good place to try all the exploits described in BugTraq.

    However, if I were a CS student there and got that notice, I'd be looking hard into transferring as of the next semester.

    Getting an education in the area of computing is hard enough without having to use a network where the admins have admitted in writing that they are clueless.

    I suspect they're going to live to regret this. Unless they really enjoy cleaning up messes.

  16. Voodoo Administration by erroneus · · Score: 3, Insightful

    That's all this amounts to. They run around scared with half or less of the knowledge and understanding required to make such decisions. And even in light of the information, they go with their knee-jerk reactions rather than a scientific approach.

    All of this taking place in an institution of higher learning? It's just amazing. I can imagine this happening very easily in some corporate setting, but not in schools. I guess the number of the enlightened isn't as large as I once suspected.

    FUD rules the day once again.

    Personally, in addition to my Linux boxen, I like my Windows2000 machine. After service pack 3, I can now use my video camcorder again to do video editing... (now if I can just bring myself to erasing all this useless porn to clear space to do so...) Before I get blasted with "why not use Linux?!" first I'll just say I'm a lazy bastard and I just don't have the urge to read the thousands of HOWTOs associated with whatever is required to do the same with Linux. I think I'll switch to Mac OSX before I try it with Linux. ...anyway... off the subject...

    It's scary and creepy the way some people think. It reminds me of the last time I was ruled out from having a job at my last interview. In this case, I listed Linux, HP/UX and AS/400 as other operating systems I am capable of administering to. They proudly touted "we're a Microsoft only shop here" as if that were some great accomplishment -- a badge of honor. All I could think was "oh, so you only know how to do your job with a mouse running 'wizards' to accomplish the things MS thinks you want to do."

    I heard there is black magic on the WindowsNT and Windows2000 and so I do not allow such magic on my network. Get thee back Devil2000!! Get thee back!!!

  17. What about other OSes ? by tmark · · Score: 3, Insightful

    While MS OSes are notably insecure, I wonder what the University's policy is towards OTHER insecure OSes - like a Linux box that isn't secured properly. Do they run audits and checks against every Linux machine on their network to verify against known hacks? It seems to me like they should, if only to be consistent.

  18. Re:Just curious... by GlassUser · · Score: 3, Insightful

    How the hell did this fud get modded up to +5? This is complete garbage.

    You're looking at this like a typical office nightmare, the geek wannabe that knows just enough to be difficult. You only see two differences on your desktop, and decide to proclaim loud and long that this is the only difference. Idiot.

    The console interface backend is completely different. I mean totally. Through NT5.0, the GDI had a direct interface to console display hardware. Now it's all abstracted through an RDP pipe. This is what allows you to connect directly to the console remotely with an RDP client. It also lets you have sound, printers, etc, on the same client. You can skin it. Sure you can do this with PCAW or VNC, but they are MUCH slower and not as flexible.

    What the HELL do you mean that you can't lock a workstation? Maybe you forgot how to? I do it dozens of times a day. Perhaps I can teach you with my next round of primary school students? Killing explorer is hard? Eh? Just the same. The only way it can bring down a workstation is if you have some garbageware or bad video driver installed. Doesn't sound like MS's problem to me (either they'll make it more secure and people will whine about monopolistic practices and taking everything over, or they open it up more and people blame them for third party crap they choose to install).

    People like you make me wish there was some sort of basic internet usage license. Sigh.

  19. what?? yes they have said it's illegal by klparrot · · Score: 3, Insightful
    The university doesn't declare certain types of machines illegal, they just refuse to support them.

    Read the link; they don't just refuse to give tech support to users of Win2k, they block Internet access to Win2k machines. So, in other words, Win2k is illegal on ResNet.

  20. We recommend 2000 or XP Professional by BoFiS · · Score: 3, Insightful

    I work for ResNet at the University of Rochester and we recommend that all incoming students with PC's buy them with either Windows 2000 or Windows XP Professional. We specifically would not like them to have XP Home as then they will not be able to VPN into the wireless network as well as other things. While we don't like Windows ME, we still allow users who already have it to continue to use it and will support it if any problems arise. In fact, if you have Linux and can't get the internet to work, we will help you out to the best of that consultant's abilities. It's silly to limit what operating systems users can use, especially for security reasons. When we had an outbreak of Klez and Nimda last year, we licensed Trend Micro for the entire campus and set up an online install for all students and then had the RA's do a hall program telling everyone who didn't already have an up-to-date antivirus to load Trend which updates itself automatically.

    Instead of telling people they can't use an OS cuz it's insecure (even if it's not), they should educate their users on how to make it secure and then deal with those who are still at risk.

  21. Win2k Unsecure, or UCSB IS Admins *insecure*..? by Phil_at_Slackers_Uni · · Score: 2, Insightful
    This has to be one of the most blatant abuses of administrative ignorance that I have ever seen. I'm the global UNIX administrator for one of the largest law firms in the U.S. and although I dislike the whole Windows platform, it's staffing impotence like this that gives Windows 2000 a bad rap. Windows 2000 can be secured just as easily as XP, and is by far more secure than Win98 or ME. The decision to use XP over Windows 2000 displays the lack of research and outright lack of thought that went into the decision to make students replatform their machines.

    Simple restriction of services on Windows 2000 (like mandating "No IIS servers permitted") could remove most of the current exploits. This is a network administration issue that has obviously been solved by using a crutch instead of educating students and enforcing policies.

    Weak, and pathetic.

    UCSB should take some time to establish proper guidelines for use of Windows 2000 on the networks and create acceptable use policies that permit them to take action if there is negligence involved. How do the administration plan on handling FreeBSD, Linux, QNX, PocketPC, and MAC OS-X users...? Back of the Bus?