Looking Back At Windows Security In 2003

thebatlab writes "Help Net Security has an interesting look at security in Windows during 2003, with various blurbs from related parties at Microsoft as well as security 'bigwigs' such as Russ Cooper. It's interesting to read the comments from external parties, as they tend to be very reasoned comments and don't simply attack away over recent 'indiscretions' and 'security lapses' Microsoft has had over the year."

Re:Hey, Sherlock....

[AntiOrganic]

Or how about just applying the patch that's been freely available for six months?

*glares at manager*

Re:Slashdottism

[zulux]

You did enable the built-in firewall before connecting your machine to the internet, didn't you?

All Windows XP computers are vulerable to Blaster during bootup.

Even if you have the Windows firewall turned on.

Windows XP doesen't ahve a firewall in place while the computer is booting - only after a full boot is the firewall policy pushed down to the network interfaces.

SP2 will include a "block everything" firewall policy during bootup, and you can have a firewall policy over all network connections - including new connections that you may install.

but for now - Put your XP behind a real network operating system like OpenBSD.

Re:Myth: Linux is more secure than Windows NT.

Reality: Windows actually has serious design issues. Neither is perfect. The quality of your admins has way more to do with ultimate security.

On your specific points:

• Agreed that NT has access controls on every object. However they are not visible and not used very much by end users and administrators. The UNIX ones are simple and very easy to understand. Here you have the choice between complicated (you do know the difference between discretionary and inherited rights filters?) and pervasive (every object) versus simple and pretty much only on files (which almost every OS object is anyway).

  Many (if not most) Windows programs get it wrong. Heck even Microsoft has been released games that can only be played if logged in as administrator.

  Linux does let you do delegation, but that is mostly left as a user space implementation issue. That is the purpose of setuid/setgid, group memberships, sudo etc.

• The Windows acceditation is a crock. It is in a non-networked environment with no floppy disk or CD drive. Show me anyone who deploys that way. Here are some relevant articles: Win2K evaluation IBM/Suse evaluation. I have one specific question: if the Windows architecture is so fantastic, why did the NSA choose Linux to acheive their goals? Why did Microsoft claim that fundamental design flaws in Windows were the reason they couldn't release the Windows code? (And we won't even go into the ability of any process in a desktop session being able to send messages to any other process which is probably the flaw Microsoft alludes to).
• And you deploy Microsoft patches immediately without worrying that they will break the other products you run and use? You can get Linux advisories from whatever distro you use. There are also services like CVE. At least with Linux you can choose to fix things yourself. With Microsoft, you are stuck with whatever amount of time and problem severity they determine. If they don't want to fix something for 6 months, there is nothing you can do about it.
• SCE is nice, but is only needed because the whole OS has so many places where ACLs are applied. And it doesn't do things like registry access control (you have to use regedit) or the filesystem. So you do have to use a number of tools, and understand everything. In Linux you have to understand chmod. In either case, a clueless admin will do way more harm than the OS you picked to run.