Slashdot Mirror
UCSB Bans Windows NT/2000 in the Dorms
nick58b writes "The people in charge of the networks for all of the on-campus dorms at UCSB banned the use of Windows NT and 2000 on their networks citing security and network problems associated with them. While there are problems with NT/2000, Windows 98 and ME computers are still permitted. Students using these are "recommended" to upgrade to XP Home Edition. In other news, sales of Windows XP are way up at the campus bookstore."
Permitting Win98 and denying Win2k? For all it's faults, it's not as bad as the 9x series of exploits. Plus with Win2k up to SP3, it's likely more secure than XP.
Methinks someone wants to make some money...
I remember when I lived on campus I used to get a kick out of busting out with a "NET SEND ALL blah blah" command. Good way to annoy everyone with an NT box. Of course I'm sure this isn't the reason they banned NT/2k since it'll automatically pop up on XP boxes too. The funniest thing I did with NET SEND was to send out a message asking all the single ladies to IM my roommate.
Why did they not suggest GNU/Linux, FreeBSD, OpenBSD, etc? Everyone is almost certainly more secure than any out-of-the-box windows install (i say almost because i don't know if i'd trust a lindows install to be secure...)
I just don't get it. I was just at UMBC and they prohibit internet connections from anyone who doesn't have anti-virus software installed.
(you can still get on if you don't, but if they find out you lose your right to get online)
why not just suggest installing a more virus-resistant OS?
What comes first, finding a teacher or becoming a student?
We will always see through this kind of bullshit. The best we can do is to educate others without seeming too fanatical to be taken seriously.
The idiocy of some network admins never ceases to amaze me.
"Residents' computers were compromised with several well-known vulnerabilities and used for all manner of unfriendly purposes such as the installation of viruses like Code Red and Nimda on other residents' computers."
Oh, so you really meant to ban IIS, which is, after all, the software that contributed to most of these worms. Ironically, www.resnet.ucsb.edu is running IIS 5.0 on that very same evil Windows 2000 OS.
Want to know my guess at what happened? Since the admins weren't blocking web servers running on port 80 outside of ResNet, someone set up an IIS server and got nailed with Nimda, which then killed their ResNet web servers (assuming that they hadn't patched their web servers, which isn't much of a leap to make, considering they don't seem to understand the difference between Windows 2000 and IIS.)
"OpenSSL and Apache holes? Wow, let's ban Linux!" That's the same ridiculous leap they made in banning Windows 2000.
"While we understand that it is possible to run a secure Windows 2000 environment, past history has shown that this rarely happens on ResNet."
Nothing like insulting your users AND taking away their right to run a particular OS. You know, this IS an educational institution -- why don't you try educating them? Better yet, cut off ports that are spreading Nimda -- that'll make people figure it out really quickly.
This is ridiculous in every sense of the word, and I hope the students there organize and fight against this. If I lived there, I know I would be.
Simpli - Your source for San Jose dedicated servers and colocation!
Just for the record, I work for Residential Computing at UC Berkeley (the analog of Resnet at UCSB, except it's at Berkeley :), so you know I'm not completely talking out of my ass.
...
This has been a topic of discussion recently at our office mainly because there have been a tremendous number of security issues relating to Windows 2000 (not so much with NT since these are students, not corporate users). I personally think that the move is a little drastic, but it will be interesting to see how this pans out at UCSB (especially how they will enforce it).
There will be people talking about how secure/insecure Win2K is. Allow me to give a common trait to all of the compromised machines:
1) Blank Administrator Password
2) Unpatched Windows (i.e. no Service Packs installed)
In nearly ALL the compromised machines, the computer is not updated and has a blank Administrator password.
The easy solution: install SP3!
An easier solution: set an Administrator Password!
All really simple solutions that would prevent 99% of the issues we have encountered thus far.
So I said it was a security problem. How is it a bandwidth problem?
Allow me to point to the DarkIRC and Nimda security bulletins we have written up by our security.
So you've got a zombie, what do you do with it? A number of things:
1) use the compromised machine in a DoS attack
2) use it as a FTP server
3) use it as a IRC bot
A script kiddie can just use a machine on a fat bandwidth pipe at will to his liking. It's definitely NOT fun when the pipe is already clogged as it is with folks and P2P apps.
So there you have... if you don't think it's a problem, it IS a problem. There are too many calls about this to our helpdesk to have it be a minor issue that everyone else makes it out to be.
http://www.resnet.ucsb.edu
The site that is telling students they cannot use W2K is running IIS.
The student's machines get compromised, and resnet get's compromised so some Admin who would otherwise get fired for not installing HIS updates, scapegoats the student's.
Crap sysadmin and non technical management are the cause of this.
If they were so worried, wouldn't they be running Apache?
If voting were effective, it would be illegal by now.
The univeristy doesn't declare certain types of machines illegal, they just refuse to support them. I'd wager that very few, if any machines destined for college shipped with w2k pre-installed. This means owners of w2k machines either were knowledgable enough to install it themselves, or knew someone who was. Chances are they'll go to their savy friend for support, and not brave the lines at IT.
This isn't nearly the same situation as computers that shipped from Dell or gateway with no admin password set. That's something that could be easily overlooked. In these cases however, chances are the same people who installed w2k knew enough to at least put in a simple password.
And I think we can all agree at this point that a properly patched W2K Pro installation is just as secure (if not more so) as even a properly patched XP one. This really just has to be the case of college IT administrators being wooed by MS hype.
--an unbreakable toy is useful for breaking other toys--
Why is it that campus networks, where HIGHER education is supposed to be happening, that the networks are ran by complete half-wits. Doesn't anyone in a CS class know how to setup and maintain a network even a little better. And more importantly, aren't there student governments/councils that shoud be deciding these matters, not administrators. I still can't believe they're placing a ban on win2k, that's insane, and how the hell do they plan on checking the OS Ver anyways?
Ignore the "p2p is theft" trolls, they're just uninformed
I am a student here at UCSB and I agree with the resnet staff because win2k/nt systems can be more secure than win9x/me but in reality they are not. Considering only a few people use win2k and those few manage to be the ones with nimda/code red/etc. They also agreed that if you have to run win2k they you can aslong as you secure the system and talk to them about it. They even went as far as giving all of the students antivirus software ... but the students decided not to use it. I think XP is allowed because it would be hard for them to block XP Profesional without blocking the Home edition.
PS: I don't think UCSB is getting anything from Microsoft, because they agreed to run Linux on most of the servers here.
just my $.02
"I am a student at UCSB and the reason this is being done is because the average user in the dorms does not have the ability to properly secure NT or 2K from its default setup, while the default setup of XP has been deemed more secure."
Oh, boy. You just took that hook, line, and sinker, didn't you? What exploits are running around on a default version of Windows 2000 that would cause problems with your network?
Answer: NONE.
The culprit you're looking for is IIS, which is NOT installed by default on Windows NT Workstation or Windows 2000 Professional. If you install IIS from the Windows 2000 CD, you will be vulnerable until you download the patch -- but to install IIS, you must explictly insert the CD after Windows 2000 is installed, find IIS, and install it. (By the way, this problem could be eliminated other ways, such as not allowing servers on port 80.)
The IIS version that ships with the Windows XP Pro CD is not vulnerable. But to say Windows 2000 is vulnerable to a common remote root exploit out of the box is simply untrue. IIS 5.0 is the scapegoat you're looking for.
Simpli - Your source for San Jose dedicated servers and colocation!
Throwing the book at Windows NT and 2000 is a pretty cheezy way to prevent network problems. And Windows XP won't make these problems go away.
The "problems" they mentioned were both IIS "flaws" which have been corrected for some time now. Any other flaws exploited will also most likely be present on Windows XP Home, which has IIS as well (called Personal Web Server; incidently you can install a version of it for Win9x as well.)
"But how would they be able to tell if you have the latest service pack installed," you ask? I say, "The same way that they will be checking to see what OS you're using."
This kind of thing is almost expected at a University that is dominantly Macintosh. I worked at Brown University, and it was the same way. The general idea is: Mac = Secure, easy, perfect, flawless and PC = Impossible, buggy, useless. And all this because Apple has always pushed their machines on the schools.
Then all these students get out into the workplace and say "Uhh... where's the Macs?"
- It's not the Macs I hate. It's Digg users. -
That is, if you exist. Only thing I could find was this and the server was horribly slow so I couldn't get much info.
How about all of you get on over and set up a table outside the campus bookstore? I don't think I should have to explain why.
Is XP more secure than 2000 with SP3 or Windows NT with SP6(or is it higher now, don't use it)? I'll personally ridicule whoever claims that. Is XP more secure than NT/2000 with no service packs whatsoever? Yes.
Will it be any different when XP hits service pack 3 and nobody has it installed (or actually fewer than 2k boxes due to MS anti-piracy measures in their SP updates)? No.
The message is "you're too lazy to patch, so get the latest with the most patches pre-installed"
Kjella
Live today, because you never know what tomorrow brings
I mean really, why not just announce to the world that anything from 128.111.0.1 to 128.111.255.255 is probably now running XP?
This sentence should be parsed: Some other options are to (downgrade to Windows 98), (get a free operating system such as Linux).
Finally! A year of moderation! Ready for 2019?
I'm kinda pissed that slashdot completely neglected my submission of the same story (I submitted it 3 weeks ago), but I'll reprint what I said here here. Please give your comments, but I still stand by what I said.
. htm#policy
/ 020211opfoster.xml
8/30/2002 2:49:15 AM
I'm writing this to the people in charge of Resnet policy, but also to people using Resnet. An outright ban on Windows 2000 will prove to be a costly and ineffective policy for increasing the security of Resnet.
1. Software and Bugs
Windows 2000, like any operating system, is a complex bundle of computer code. Like Windows XP, GNU/Linux, or MacOS, people find bugs in the software from time to time. Certain malicious people try to exploit the bugs to damage networks, reputations, etc. Other people develop software patches to fix the bugs.
Oftentimes, bugs are found with application software, like web browsers, web servers, e-mail clients, and the like. The operating system is generally not at fault. In this case, it just so happened that problems with some Microsoft application software were found in 2001 and combined creatively to create a series of rather devastating worldwide attacks.
2. Who is to Blame
It is important to realize that Windows 2000 was not the vulnerable software in these cases. Rather, bugs in Internet Information Server and Internet Explorer were exploited; they were the cause of the widespread effectiveness of the worms called "Code Red" and "Nimda." In other words, there are computers running Windows 2000 that are not and never were susceptible to Code Red, and there are devices not running Windows 2000 that were susceptible. Similarly, there are plenty of computers not running Windows 2000 that helped spread the problem through the Nimda worm.
Thus, these problems cannot be blamed on Windows 2000. Where does the blame lie? Programmers are bound to make mistakes, especially in an environment where a for-profit company is trying to produce and sell a modern operating system. Since few pieces of software are ever bug-free, it is ultimately up to system administrators and everyday users to make sure that their systems are as secure as possible (or practical). One of the ways to help increase the security of a computer is to apply security patches once they are released.
3. Patching Problems
A properly maintained computer is like a properly maintained car. Using a two-year-old unpatched computer on the Internet is like driving a car too fast on a twisting mountain road during an ice storm on bald tires. Using such a system or driving such a car is asking for trouble.
The bug in IIS that made it vulnerable to Code Red was announced two months before Code Red. The bug in Internet Explorer used by the Nimda worm was announced a full 5 months before Nimda. Yet even today, nearly a year after these attacks, thousands of machines worldwide are still unpatched. In other words, they are either infected with Code Red, or vulnerable to it. Unfortunately, many of these machines are likely to remain unpatched forever.
With that in mind, we turn now to the proposed ban of Windows 2000.
4. What problems does it solve?
Windows XP is not vulnerable to Code Red and Nimda. So upgrading to Windows XP does protect against certain problems.
5. What problems doesn't it solve?
It does not change the fact that improperly configured or improperly managed systems are vulnerable. It does not protect against attacks that have yet to be developed. It does not help educate users about ways to make their systems more secure. It does not help users of other operating systems running vulnerable versions of Internet Explorer. It does not protect against the thousands of other vulnerabilities that plague other operating systems. It does not stop denial of service attacks and port scans (that for some reason were blamed on Windows 2000 by the Resnet web page).
6. What problems does it cause?
Bugs that were introduced during the development of Windows XP could conceivably outweigh the bugs that were patched during that time. It would be naive to think that every bug in Windows XP is also present in older Windows operating systems.
The Products Use Rights document for Windows XP now includes a clause saying that Microsoft may access and change the operating system and its components without your agreement, and in fact without your knowledge. Suggesting that users of Resnet upgrade to Windows XP puts them in a position where they agree to relinquish control of their computers. Incidentally, versions of Windows 2000 up to service pack 2 do not contain this clause.
The ban of an operating system creates a dangerous precedent. Nowhere in the Resnet Acceptible Use Policy has there been any mention of the ban of a specific software product. The AUP does state that users cannot interfere with others, or with the proper functioning of the network. However, anyone would be hard put to prove that Windows 2000 was the sole cause of any problems by virtue of any fundamental and uncorrectable security flaws.
7. What are the costs of the upgrades?
As always, these costs are generally borne by the end users. They must acquire and install the software and learn to use it. This costs time and money and doesn't appreciably increase the security of the network.
8. What are the alternatives?
Requiring that users patch Windows 2000 systems would take less time and money. Verifying that a system was patched by probing the computer for the Red Alert vulnerability is no more difficult than fingerprinting the OS and checking that it is not Windows 2000. Certainly, installing a patch is a less intensive operation than upgrading an operating system and dealing with any problems and incompatibilities that may arise, so support problems faced by the RCCs are fewer.
In conclusion, the proposed Windows 2000 ban is both costly and ineffective. It seems as if the Resnet staff has already decided on implementing this "solution," which is lamentable. As there has been no discussion of or opposition to the ban on this forum, I felt it was necessary to provide a different opinion.
9. Resources:
Resnet Policy:
http://www.resnet.ucsb.edu/information/win2k.html
http://www.resnet.ucsb.edu/information/use_policy
Code Red:
http://www.cert.org/advisories/CA-2001-19.html (exploit)
http://www.cert.org/advisories/CA-2001-12.html (bug)
Nimda:
http://www.cert.org/advisories/CA-2001-26.html (exploit)
http://www.cert.org/advisories/CA-2001-06.html (bug)
Windows XP PUR:
http://www.microsoft.com/licensing/resources
http://www.infoworld.com/articles/op/xml/02/02/11
--
"Extra Anus Kills Four-Legged Chick" -- Headline
If the UCSB admins were smart they would have conveniently posted information about how to make Windows 2000 Profesional reasonably secure.
Things like installing Service Pack 3, setting accounts correctly, banning the use of personal web servers on a client machine, and mandatory installation of a good antivirus and/or firewall program would have saved the UCSB sysadmins a lot of headaches.
http://www.microsoft.com/windowsxp/home/howtobuy/u pgrading/matrix.asp
i thought it was interesting how they specifically said to upgrade to xp home. microsoft specifically says xp home has to be upgraded from 98/me, and NT/2k can only go to xp pro. so ucsb consultants are gonna help people FFR or what?
am i right?
or did someone already say this...
I'm the Online Editor for the Daily Nexus (the newspaper site that article links to). We've been Slashdotted, LOL. Thanks guys.
The site is still up and running though. Thank god I rewrote the site's PHP code, otherwise, we'd actually be down.
What if I do not want the spyware of sp3/WinXP or give ms the right to install apps without my permission on my pc?
....not to mention the sp3 EULA states that ms may install aditional software packages and change the EULA without my knowledge! Change the license without notifying me?
I strongly advise anyone who has installed w2k on several pc's to not install media player 7 or sp3. Why? I am afraid ms will accuse me of pirating and will have the power to deactive my os or install god knows what on my system. ALso hackers could use this to pretend their virii are microsoft upgrades. I know xp mainly does product activation but the eula'a are getting more and more similiar and are sharing much of the media player updates and code. Media player is key for Microsoft's palladium strategy. I no longer use my older machine which now uses linux but ms can still accuse me and be the judge and jury over any copyrighted dispute between my pc's. This is true even though I have one valid license for win2k pro. Go read the EULA? It states that ms can kill the license of your os at any time for no reason!
Why should I risk being hacked or bend over to the almighty gates? It really pisses me off that I am held hostage here. Be gald I do not go to your school. I have a very valid case why I should not switch to XP and would certianly bring it up to the deans. Even if ms will noy do any of things mentioned in the euls or deactive my copy of windows, I still will not upgrade out of principal. Security be dammed.
http://saveie6.com/
We all know that Win2k is a hell of a lot more secure than win98/ME and probably just as secure as XP....that aside...
Why don't they do what my university did.....if your machine was detected trying to propogate nimda or code red, the smart switches disabled your jack. Getting it re-enabled meant calling Information Services Division and proving that you had cleaned up and protected your machine (downloading and installing the free copy of Norton Antivirus they provided).
It really seems to be a good system. Plug in an unregisterd NIC - blam - jack turned off and MAC address added to a blocked hosts list. Plug in a hub with more than one machine behind it...jack turned off. Run an unauthorized web server...jack turned off, mac address added to blocked hosts list. etc. etc. etc.
I'm suprised other large institutions don't do the same thing. It sounds like it would save a lot of headaches.
I'm out of my mind right now, but feel free to leave a message.....
The University of Notre Dame is doing basically the same thing. Though they do not cite security reasons, they have stopped all support of Win9x. And if anyone thinks the schools and M$ are not in bed, then take a look at the increase in academic pricing. Windows used to be $25 (as well as Vis. Studio, et al) but now they've gone to $45. Funny how that happens as soon as they mandate the upgrade to a new OS. And WinXP is just as vulerable to all the worms that 2k is (for the most part). For example, I accidentally left a share open for no more than one hour and the open folder was filled with Nimda. In other news our LUG is planning an install fest in the near future.
KCL, UK ban linux, stating You may not run any Unix operating system since they can represent a serious risk to network integrity. Any student found running a Unix system (e.g. Linux) connected to the College network will have that system disconnected.
I tried emailing them a corrected version, but their email address was down - so much for network integrity.
"You are encouraged to run a Unix based operating system since they dont
suffer serious risks to network integrity like Nimda, Code Red and Outlook
Worms. Any student found running any insecure system (e.g. most windows
boxes) connected to the College network will have that system disconnected."
Confusingly they do allow the unix based Mac OSX.
to just do what they do at the University of Maryland and block Netbios and SMB? Seems like it would be more difficult (and costly) for them to just force people to upgrade to XP when a number of security vulnerabilities also exist for that. Sure blocking these services isn't a catch-all solution, but neither is forcing people to use a newer yet still buggy version of Windows.
Windows 9x/Me is permitted but NT/2000 is not? So I guess security reasons can be ruled out.
Will work for bandwidth
The key factor here is that they are banking on the fact that Win9X will crash frequently enough as to be "offline" more often then not. You can't exploit what you can't see.
So much about objectivity of various security issues...
Well, I guess the answer is obvious.
Good news for anyone whose handle is in some form of l33t sP34k and has been looking for a good place to try all the exploits described in BugTraq.
However, if I were a CS student there and got that notice, I'd be looking hard into transferring as of the next semester.
Getting an education in the area of computing is hard enough without having to use a network where the admins have admitted in writing that they are clueless.
I suspect they're going to live to regret this. Unless they really enjoy cleaning up messes.
Tech Public Policy stuff
That's all this amounts to. They run around scared with half or less of the knowledge and understanding required to make such decisions. And even in light of the information, they go with their knee-jerk reactions rather than a scientific approach.
...anyway... off the subject...
All of this taking place in an institution of higher learning? It's just amazing. I can imagine this happening very easily in some corporate setting, but not in schools. I guess the number of the enlightened isn't as large as I once suspected.
FUD rules the day once again.
Personally, in addition to my Linux boxen, I like my Windows2000 machine. After service pack 3, I can now use my video camcorder again to do video editing... (now if I can just bring myself to erasing all this useless porn to clear spact to do so...) Before I get blasted with "why not use Linux?!" first I'll just say I'm a lazy bastard and I just don't have the urge to read the thousands of HOWTOs associated with whatever is required to do the same with Linux. I think I'll switch to Mac OSX before I try it with Linux.
It's scary and creepy the way some people think. It reminds me of the last time I was ruled out from having a job at my last interview. In this case, I listed Linux, HP/UX and AS/400 as other operating systems I am capable of administering to. They proudly touted "we're a Microsoft only shop here" as if that were some great accomplishment -- a badge of honor. All I could think was "oh, so you only know how to do your job with a mouse running 'wizards' to accomplishing the things MS thinks you want to do."
I heard there is black magic on the WindowsNT and Windows2000 and so I do not allow such magic on my network. Get thee back Devil2000!! Get thee back!!!
While MS OSes are notably insecure, I wonder what the University's policy is towards OTHER insecure OSes - like a Linux box that isn't secured properly. Do they run audits and checks against every Linux machine on their network to verify against known hacks ? It seems to me like they should, if only to be consistent.
How the hell did this fud get modded up to +5? This is complete garbage.
You're looking at this like a typical office nightmare, the geek wannabe that knows just enough to be difficult. You only see two differences on your desktop, and decide to proclaim loud and long that this is the only difference. Idiot.
The console interface backend is completely different. I mean totally. Through NT5.0, the GDI had a direct interface to console display hardware. Now it's all abstracted through an RDP pipe. This is what allows you to connect directly to the console remotely with an RDP client. It also lets you have sound, printers, etc, on the same client. You can skin it. Sure you can do this with PCAW or VNC, but they are MUCH slower and not as flexible.
What the HELL do you mean that you can't lock a workstation? Maybe you forgot how to? I do it dozens of times a day. Perhaps I can teach you with my next round of primary school students? Killing explorer is hard? Eh? Just the same. The only way it can bring down a workstation is if you have some garbageware or bad video driver installed. Doesn't sound like MS's problem to me (either they'll make it more secure and people will whine about monopolistic practices and taking everything over, or they open it up more and people blame them for third party crap they choose to install).
People like you make me wish there was some sort of basic internet usage license. Sigh.
funny munging
Here is a fun little prank that I did back when I was in school (1993-1997):
.login). Anyway, one day at the beginning of the semester, I was feeling a bit mischevious. I was in one of the larger labs and it was packed to the gills with students trying to register. I logged on to the REGISTER account and did something that was similar to ctrl-z suspending and suspended the registration app. Now I had a command prompt. Next, I used the VMZ equivalent of write(1) (...gosh, what was it?) and sent a message out to everybody else using the REGISTER account--literally hundreds of students...
:)
When I was a freshman at Vanderbilt University, we used the campus VAX to register for classes. It worked like this: you would go to one of several large computer labs on campus and log onto the VAX as user REGISTER (or something). Once you logged in, the registration program would fire up automatically (via the VMS equivalent of
ALERT: THE REGISTRATION SYSTEM WILL BE CLOSING IN 30 SECONDS. PLEASE MAKE YOUR FINAL CLASS SELECTIONS AT THIS TIME.
The first thing that happened when I sent the message was several hundred PCs beeping loudly all at the same time. And immediately after that...you should have seen the looks of panic on all those sorority girls' faces!
Read the link; they don't just refuse to give tech support to users of Win2k, they block Internet access to Win2k machines. So, in other words, Win2k is illegal on ResNet.
I work for ResNet at the University of Rochester and we recomend that all incomming students with PC's buy them with either Windows 2000 or Windows XP Professional. We specifically would not like them to have XP Home as then they will not be able to VPN into the wireless network as well as other things. While we don't like Windows ME, we still allow users who already have it to continue to use it and will support it if any problems arise. In fact, if you have Linux and can't get the internet to work, we will help you out to the best of that consultants abilities. It's silly to limmit what operating systems users can use, especially for security reasons. When we had an outbreak of Klez and Nimda last year, we licensed Trend Micro for the entire campus and setup an online install for all students and then had the RA's do a hall program telling everyone who didn't already have an up-to-date antivirus to load Trend which updates itself automatically.
Instead of telling people they can't use an OS cuz it's insecure (even if it's not), they should educate their users on how to make it secure and then deal with those who are still at risk.