Slashdot Mirror


UCSB Bans Windows NT/2000 in the Dorms

nick58b writes "The people in charge of the networks for all of the on-campus dorms at UCSB banned the use of Windows NT and 2000 on their networks citing security and network problems associated with them. While there are problems with NT/2000, Windows 98 and ME computers are still permitted. Students using these are "recommended" to upgrade to XP Home Edition. In other news, sales of Windows XP are way up at the campus bookstore."


  1. What a scam by jameslore · · Score: 5, Insightful

    Permitting Win98 and denying Win2k? For all its faults, it's not as bad as the 9x series of exploits. Plus with Win2k up to SP3, it's likely more secure than XP.

    Methinks someone wants to make some money...

    1. Re:What a scam by octalgirl · · Score: 4, Insightful

      From a public school perspective, Win2k was a nightmare. Forget security, we didn't even get that far. If someone so much as tried to 'install on first use' the equation editor, administrator password was required. Or configuring their own Outlook (after they had been doing it themselves for years)- impossible - and they called that zero-admin? Sure, make everyone else the administrator and you won't have to do anything anymore.

      Norton corporate script wouldn't run (admin pass again); trying to install one single lab printer so every student who sat at that computer would always see the same printer, impossible without scripts or pushing profiles. This increases the amount of training required for students to use the equipment, or takes a net admin away from LAN/WAN support and puts them in script/profile land. An English teacher just wants to bring a class in without any hassle or setup. Our legacy or proprietary software apps - most wouldn't run without admin pass. And why the hell would we want to teach a bunch of students about CTRL-ALT-DEL to log on? I remember when Microsoft used to brag that was a great security feature. Do they really think everyone is ready to handle their own server? Just crazy. We stayed with 98 on desktops and used Win2K on servers. We are finally moving into XP, which is much easier to handle, and much easier to train 5000 users on.

    2. Re:What a scam by delta407 · · Score: 5, Insightful

      From a private school perspective, Win2k is great. I don't know how you deployed software, but I don't leave anything to "install on first use" -- it's on the hard drive, on the network, or not available. (Microsoft makes tools that let you customize, say, the Office install; no serial number needed, no I Agree on the license agreement, and no Clippy if you so desire.) As far as configuring Outlook 2000, it can be done as a normal user, with the exception of "mode" (Internet or Corporate) which has to be done as administrator but can be done in the base system image. (You do image your clients, right?)

      I don't know what product you're talking about, but Norton AntiVirus Corporate deploys cleanly (via Group Policy) without issues to speak of. The lab printer scenario is a little more complicated, but if you don't want roaming profiles, you can set a mandatory profile and give users a network home. The mandatory profile can include the printer. As far as legacy or proprietary apps go -- open regedt32 or Windows Explorer and change the permissions until it's happy. Then, change your deployment system to do that automatically: problem solved. Don't like Ctrl-Alt-Del? Disable it via Group Policy.

      I don't like Microsoft, but things are far more usable under Windows 2000 than most people would think. Get some network imaging software, reasonably standard desktop hardware, and a Windows 2000 domain with appropriate Group Policy entries. It's really not that bad.

  2. Blown well out of proportion by shoemakc · · Score: 4, Insightful


    The university doesn't declare certain types of machines illegal, they just refuse to support them. I'd wager that very few, if any machines destined for college shipped with w2k pre-installed. This means owners of w2k machines either were knowledgeable enough to install it themselves, or knew someone who was. Chances are they'll go to their savvy friend for support, and not brave the lines at IT.

    This isn't nearly the same situation as computers that shipped from Dell or Gateway with no admin password set. That's something that could be easily overlooked. In these cases however, chances are the same people who installed w2k knew enough to at least put in a simple password.

    And I think we can all agree at this point that a properly patched W2K Pro installation is just as secure (if not more so) as even a properly patched XP one. This really just has to be the case of college IT administrators being wooed by MS hype.

    --
    --an unbreakable toy is useful for breaking other toys--
  3. How about requiring updated systems instead? by cbreaker · · Score: 4, Insightful

    Throwing the book at Windows NT and 2000 is a pretty cheezy way to prevent network problems. And Windows XP won't make these problems go away.

    The "problems" they mentioned were both IIS "flaws" which have been corrected for some time now. Any other flaws exploited will also most likely be present on Windows XP Home, which has IIS as well (called Personal Web Server; incidentally you can install a version of it for Win9x as well.)

    "But how would they be able to tell if you have the latest service pack installed," you ask? I say, "The same way that they will be checking to see what OS you're using."

    This kind of thing is almost expected at a University that is dominantly Macintosh. I worked at Brown University, and it was the same way. The general idea is: Mac = Secure, easy, perfect, flawless and PC = Impossible, buggy, useless. And all this because Apple has always pushed their machines on the schools.

    Then all these students get out into the workplace and say "Uhh... where's the Macs?"

    --
    - It's not the Macs I hate. It's Digg users. -
  4. Re:I'll be the first to say it... by kmellis · · Score: 5, Insightful
    They don't suggest those OSs because they would be even less secure in these students' hands than NT/2K was. The issue isn't one of the essential security of a particular operating system. The issue is that NT and 2K, in contrast to Win9x and XP, include some networking services, by default, that are relatively insecure, by default. It's not practical to attempt to get these relatively naive users to secure their OSs. Also, along with better security defaults on shares and IIS and other things, XP is more aggressively (naturally) supported by MS in maintaining its security via bug-fixes and patches--and they do so via a very aggressive transparent version of their auto-update mechanism. In practical terms, XP Home or Pro is going to be much more secure as installed on this campus residential network than many other OSs. Not because it's "better", and not because it's inherently more secure than other OSs, including NT/2K or a UN*X. It just is because that's how it plays out in this particular slice of the real world.

    My problem with this is mostly financial. Obviously, they can restrict usage to their network any darn way they please. But there are inevitably going to be students who simply don't have the money to upgrade from NT/2K to XP. They're imposing a burden on those students that they should try to ease in some manner.

    A good alternative would be a carefully crafted Linux distribution that they pre-configure and make secure according to their needs, and make it available on a CD-ROM. Again, though, even if the security issues were resolved with such a distribution (which would be relatively easy), they would still have to face the costs associated with supporting these naive users using Linux--which would probably be more trouble than it's worth. Thus, they simply say, "Use XP".

    Keep in mind that in some sense, these types of administrators have less control over their networks than corporate admins do. They don't own the licenses to the OSs--they expect the students to supply their own OS. This gives them a lot less control over what's on their network. They don't have a right to lock the machine's configurations down to control security. They probably don't want to have too much involvement with the student's machines, since that would imply a corresponding degree of liability on their part for how the student is using it (meaning: doing illegal things). It's pretty easy for them to identify the OS that a student is using, so their solution (requiring XP) has the biggest benefit for the least cost.

    It is completely absurd for anyone to assume that they are doing this because they have a vested interest in seeing more copies of XP sold.

  5. UCSB sysadmins just being lazy.... by MtViewGuy · · Score: 4, Insightful

    If the UCSB admins were smart they would have conveniently posted information about how to make Windows 2000 Professional reasonably secure.

    Things like installing Service Pack 3, setting accounts correctly, banning the use of personal web servers on a client machine, and mandatory installation of a good antivirus and/or firewall program would have saved the UCSB sysadmins a lot of headaches.

  6. Re:It _IS_ a security/bandwidth problem by jsse · · Score: 4, Insightful

    We are running a 1000+ organization but our solution is much better than banning older releases of Windows to force students to upgrade at their own expense.

    First of all, remind them of the security policies, and the consequences of failure to comply.

    Second, we do not rely on individual machines in our network to ensure OUR network security. We include in risk assessment that client machines are subject to being exploited, and have plans to deal with it.

    To minimize and control the damage, we block off unauthorized ports across segments. Say they could open port 80 to be accessed within their own segment, but outsiders cannot have access to it. Now the virus outbreak would only affect their own segment.

    Of course, they could apply for the opening of ports with proper justifications and management approval.

    Third and most important, install Software Access Management software on all Windows boxes. SAM enables admin to perform license management and remote controlling. Users may complain about it, but it's your choice to use Windows, you've options to use something else.

    Do not think we'd relax restrictions to Linux and Mac, policies require that each box must be tested (and challenged, on password, services and ports opened) by our tiger teams from time to time.

    Just my two cents.
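
The cross-segment port blocking described in the comment above, modelled as an added example that is not part of the thread or any poster's own code: it evaluates which hosts a compromised machine can still reach once unapproved ports are blocked between segments. The segment addresses, host list and the approved exception are constructed assumptions.

```python
import ipaddress

# Constructed addressing for two dorm segments (assumed, not from the thread).
SEGMENTS = {
    "dorm-a": ipaddress.ip_network("10.10.1.0/24"),
    "dorm-b": ipaddress.ip_network("10.10.2.0/24"),
}

# Cross-segment openings granted after justification and management approval.
# Key: (destination host, port). The entry is a constructed sample.
APPROVED = {
    (ipaddress.ip_address("10.10.2.20"), 80): "sample approval: course web server",
}


def segment_of(addr):
    """Name of the managed segment holding addr, or None if it is outside."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def decide(src, dst, port):
    """Return (verdict, reason) for a new connection src -> dst:port."""
    src_seg, dst_seg = segment_of(src), segment_of(dst)
    if dst_seg is None:
        return ("out-of-scope", "destination is not in a managed segment")
    if src_seg == dst_seg:
        return ("allow", "traffic stays inside " + dst_seg)
    approval = APPROVED.get((ipaddress.ip_address(dst), port))
    if approval:
        return ("allow", approval)
    return ("deny", "unapproved port crossing into " + dst_seg)


def reachable_from(compromised, port, hosts):
    """Hosts a compromised machine can still reach on port under the policy."""
    return sorted(h for h in hosts
                  if h != compromised and decide(compromised, h, port)[0] == "allow")


HOSTS = ["10.10.1.5", "10.10.1.7", "10.10.2.20", "10.10.2.30"]  # constructed
if __name__ == "__main__":
    for port in (80, 445):
        print(port, reachable_from("10.10.1.5", port, HOSTS))
```

Each approved opening shows up in the result for its port, which makes the exception list the place to review when estimating how far an outbreak in one segment could spread.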