UCSB Bans Windows NT/2000 in the Dorms

nick58b writes "The people in charge of the networks for all of the on-campus dorms at UCSB banned the use of Windows NT and 2000 on their networks citing security and network problems associated with them. While there are problems with NT/2000, Windows 98 and ME computers are still permitted. Students using these are "recommended" to upgrade to XP Home Edition. In other news, sales of Windows XP are way up at the campus bookstore."

I'll be the first to say it...

[dalutong]

Why did they not suggest GNU/Linux, FreeBSD, OpenBSD, etc? Everyone is almost certainly more secure than any out-of-the-box windows install (i say almost because i don't know if i'd trust a lindows install to be secure...)

I just don't get it. I was just at UMBC and they prohibit internet connections from anyone who doesn't have anti-virus software installed.

(you can still get on if you don't, but if they find out you lose your right to get online)

why not just suggest installing a more virus-resistant OS?

Ugh.

[SlashChick]

The idiocy of some network admins never ceases to amaze me.

"Residents' computers were compromised with several well-known vulnerabilities and used for all manner of unfriendly purposes such as the installation of viruses like Code Red and Nimda on other residents' computers."

Oh, so you really meant to ban IIS, which is, after all, the software that contributed to most of these worms. Ironically, www.resnet.ucsb.edu is running IIS 5.0 on that very same evil Windows 2000 OS.

Want to know my guess at what happened? Since the admins weren't blocking web servers running on port 80 outside of ResNet, someone set up an IIS server and got nailed with Nimda, which then killed their ResNet web servers (assuming that they hadn't patched their web servers, which isn't much of a leap to make, considering they don't seem to understand the difference between Windows 2000 and IIS.)

"OpenSSL and Apache holes? Wow, let's ban Linux!" That's the same ridiculous leap they made in banning Windows 2000.

"While we understand that it is possible to run a secure Windows 2000 environment, past history has shown that this rarely happens on ResNet."

Nothing like insulting your users AND taking away their right to run a particular OS. You know, this IS an educational institution -- why don't you try educating them? Better yet, cut off ports that are spreading Nimda -- that'll make people figure it out really quickly.

This is ridiculous in every sense of the word, and I hope the students there organize and fight against this. If I lived there, I know I would be.

Re:Ugh.

[NeuroKoan]

They actually did ban linux. My freshmen year (4 years ago) my roommate and I had to petition to get a "unix-like operating system" on the network. But if they "caught us doing any of that hacking stuff" we'd be shut off and kicked out of the dorms. Funny thing is, we were hacked and we did our best to fend off the attack before we just shut off the system for a few hours (and reset all the passwds). :) We actually had the linux box up for about 3-4 weeks before they noticed.

UCSB has all sorts of stupid rules. One of my favorites was that no more then 1 IP per person per room... (which was way too easy to get around...)

When I applied for a job there, they turned me down for not having enough technical knowledge, but I didn't feel like it was a good time to tell them about how easy it was to bypass all their "safeguards".

Re:Ugh.

[York+the+Mysterious]

1) There are not enough PARCs (Peer Advisor for Residential Computing: the students that get ppl up on the net) to have them go around securing ppls boxes all day long

2) When schools try to educate students on how to secure their computers they tend not to listen. You might listen as a computer geek, but I can tell you right now that 99% of the people in my dorm building could care less about installing Windows 2000 SP3. I dont see this as UCSB saying that XP is more secure than 2000 because I believe that XP SP1 vs 2000 SP3, 2000 will win hands down. I believe that UCSB is realizing that 90% of students dont install patches and by having students run XP they are getting machines with 2 years less security holes plus an auto updating system to ensure that patches are regularly installed (assuming students ok the patches).

3) Why dont they just block the ports. Two things here. I was at a school with 350 machines that were regularly updated with security patches. Every box in the building had an image with the latest version of every app reimaged once a week. Even with this an a Cisco PIX firewall and NAT we still got hit by Nimda. All it took was one stupid student opening up an attachment and the thing flew by administrative shares. Blocking ports doesn't always help. Second thing I'm not sure how UCI (the UC system's ISP) works by 4C (The CA State College's ISP) is really tough about blocking ports. If the school blocks the port for Kazaa or Half Life the school loses their internet connection. Pretty tough, but they have strong feelings that the internet should not be censored. I agree with them even if it makes things difficult somethings.

Do I think this is a crazy decision: yes

Do I see why they did it: yes

What the!?

[malxau]

In other words,

• We consider granting exemptions but we won't.
• There are ways to fix Win2k but we won't tell you.
• We force an upgrade, but accept no financial responsibility.
• You need to 'upgrade' from Win2k Pro to XP Home?
• You're required to log on as 'administrator' and there's a security hole (duh!)?

This must be about money. There's just no logical reason UCSB could possibly come to this conclusion...

resnet.ucsb.edu is using IIS on W2K

[Perdo]

http://www.resnet.ucsb.edu

The site that is telling students they cannot use W2K is running IIS.

The student's machines get compromised, and resnet get's compromised so some Admin who would otherwise get fired for not installing HIS updates, scapegoats the student's.

Crap sysadmin and non technical management are the cause of this.

If they were so worried, wouldn't they be running Apache?

Hey UCSB Linux Users Group!

[unsinged+int]

That is, if you exist. Only thing I could find was this and the server was horribly slow so I couldn't get much info.

How about all of you get on over and set up a table outside the campus bookstore? I don't think I should have to explain why.

Probably lack of patching...

[Kjella]

Is XP more secure than 2000 with SP3 or Windows NT with SP6(or is it higher now, don't use it)? I'll personally ridicule whoever claims that. Is XP more secure than NT/2000 with no service packs whatsoever? Yes.

Will it be any different when XP hits service pack 3 and nobody has it installed (or actually fewer than 2k boxes due to MS anti-piracy measures in their SP updates)? No.

The message is "you're too lazy to patch, so get the latest with the most patches pre-installed"

Kjella

im confused

[tofutti]

http://www.microsoft.com/windowsxp/home/howtobuy/u pgrading/matrix.asp i thought it was interesting how they specifically said to upgrade to xp home. microsoft specifically says xp home has to be upgraded from 98/me, and NT/2k can only go to xp pro. so ucsb consultants are gonna help people FFR or what? am i right? or did someone already say this...

Re:What a scam

[Dalcius]

Sorry if this is redundant, and I hope to God it doesn't get lost in the crowd.

I'm hardly familiar with remote-exploit holes in Windows. Can anyone enlighten me on why 98 is so insecure by default? =\ I'd be interested in any links or whitepapers or whathaveyou.

As to holes relating to the fact that all programs have 'root' access, that's obvious, but most folks seem to run their windows boxen as admin anyway, so I still don't see why 98 is worse off.

My impression is, the more complex (e.g. the more services) Microsoft software gets, the more holes the size of mac trucks will be present. I would think XP would be the worst out of the lot at this point (well, besides an unpatched NT4 server, hehe).

Am I way off?

Why not....

[Dynedain]

We all know that Win2k is a hell of a lot more secure than win98/ME and probably just as secure as XP....that aside...

Why don't they do what my university did.....if your machine was detected trying to propogate nimda or code red, the smart switches disabled your jack. Getting it re-enabled meant calling Information Services Division and proving that you had cleaned up and protected your machine (downloading and installing the free copy of Norton Antivirus they provided).

It really seems to be a good system. Plug in an unregisterd NIC - blam - jack turned off and MAC address added to a blocked hosts list. Plug in a hub with more than one machine behind it...jack turned off. Run an unauthorized web server...jack turned off, mac address added to blocked hosts list. etc. etc. etc.

I'm suprised other large institutions don't do the same thing. It sounds like it would save a lot of headaches.

This Is Happening All Over

[the_mystic_on_slack]

The University of Notre Dame is doing basically the same thing. Though they do not cite security reasons, they have stopped all support of Win9x. And if anyone thinks the schools and M$ are not in bed, then take a look at the increase in academic pricing. Windows used to be $25 (as well as Vis. Studio, et al) but now they've gone to $45. Funny how that happens as soon as they mandate the upgrade to a new OS. And WinXP is just as vulerable to all the worms that 2k is (for the most part). For example, I accidentally left a share open for no more than one hour and the open folder was filled with Nimda. In other news our LUG is planning an install fest in the near future.

Re:The wool has been pulled over your eyes...

[BlackHawk-666]

I have seen many Windows 2000 Pro machines with a blank admin password. It's not FUD, it's fact. That may be bacause when people are prompted to set the password they can accept the default which is blank...hard to remember since I haven't done an install for a few months. Also, IIS is installed by default on Server and Advanced Server, but not on Professional.

No no YOU read it again

[CurbyKirby]

They also agreed that if you have to run win2k they you can aslong as you secure the system and talk to them about it.

Actually, no. See the resnet page, which says

Exceptions will not be granted for reasons other than academic necessity.

See also the Resnet forum thread where a user says

I am a computer science major and have more than 15 GBs of SDKs, source code, compilers, and Homework that would take weeks to restore to a point where i can use it again. I do want to upgrade to windows XP, but i can not sacrifice the time necessary to do so. And regarding the request for an exception, i did request it, and was denied, desipite my knowledge.

They even went as far as giving all of the students antivirus software ... but the students decided not to use it.

How is this related to Windows 2000 being fundamentally broken? Are you saying that only Windows 2000 users neglected to install their anti-virus software? Is this because they were using Windows 2000 instead of another OS? Otherwise, that statement is not relevant.

I think XP is allowed because it would be hard for them to block XP Profesional without blocking the Home edition.

XP is allowed because there are certain problems in Windows 2000 which do not exist in Windows XP. Nothing more, nothing less. See the above links. Banning one and recommending another hurts the network in general at least as much as it improves certain aspects of security.