Looking Back At Windows Security In 2003

thebatlab writes "Help Net Security has an interesting look at security in Windows during 2003, with various blurbs from related parties at Microsoft as well as security 'bigwigs' such as Russ Cooper. It's interesting to read the comments from external parties, as they tend to be very reasoned comments and don't simply attack away over recent 'indiscretions' and 'security lapses' Microsoft has had over the year."

65 of 327 comments

  1. Does anyone know... by biendamon · · Score: 5, Interesting

    ...where to get a definitive list of security holes in Windows (not Office or other add-ons) for the month of December?

    1. Re:Does anyone know... by NOT-2-QUICK · · Score: 4, Informative
      You can search for MS security bulletins based on various criteria (product, service pack, time frame, etc...) on the technet site here.


      However, as per this article, Microsoft does not intend to push any new security patches throughout the month of December. But then again, apparently Microsoft can even manage to NOT patch correctly...

      --
      Beer is proof that God loves us and wants us to be happy. -- Benjamin Franklin
    2. Re:Does anyone know... by einer · · Score: 2, Funny

      Sure. That conclusion follows. ;)

    3. Re:Does anyone know... by Puppet+Master · · Score: 2, Insightful
      As you can see, WinXP has far less problems than Linux.

      Why does the link to your Linux section of Security Tracker point to: "View Topics > Underlyingos > Windows (Any)" ?? Looks to me like you pointed to Windows (ANY), not Linux.

      Likewise, I compared Windows XP to FreeBSD. Windows XP had 3039 documents of security problems, and FreeBSD had 404.

      --
      The day Microsoft creates a product that doesn't suck, it will be known as the Microsoft Vacuum Cleaner!
    4. Re:Does anyone know... by Puppet+Master · · Score: 2, Informative
      Doing a little more research, what you wanted was this:

      Linux (ANY)

      and

      Windows XP

      But even this is unfair... It should be Windows (ANY), if you're going to compare any flavor of Linux to any flavor of Windows.

      --
      The day Microsoft creates a product that doesn't suck, it will be known as the Microsoft Vacuum Cleaner!
  2. Hey, Sherlock.... by tarquin_fim_bim · · Score: 3, Insightful

    "What Slammer showed us more than anything was the need to embrace more basic controls, such as "Default Deny"."

    Do you think that giving your user name and password to strangers might be a bit suspect too?

    1. Re:Hey, Sherlock.... by AntiOrganic · · Score: 5, Informative

      Or how about just applying the patch that's been freely available for six months?

      *glares at manager*

  3. Slashdottism by SharpFang · · Score: 5, Funny

    Of course the same holds true for businesses, but there the problem was more of a problem with the "Default Installation". We have long known that default installations are inherently insecure.

    Windows "out of the box" is as wide open as the goatse.cx guy.

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    1. Re:Slashdottism by JoeBaldwin · · Score: 5, Funny

      No shit, I installed XP and I already had Blaster. I hadn't installed anything, downloaded email, downloaded anything, but it was there.

      This, if you don't know, is called Microsoft Security :)

    2. Re:Slashdottism by RoLi · · Score: 2, Interesting
      The same happened to a friend of mine, too.

      Isn't it funny that nevertheless Microsoft marketing has brainwashed the masses to the point that they actually believe that WinXP has become more secure than Win9x? (Fact: There never was a worm comparable to W32.Blaster on Windows9x)

    3. Re:Slashdottism by zulux · · Score: 5, Informative

      You did enable the built-in firewall before connecting your machine to the internet, didn't you?

      All Windows XP computers are vulnerable to Blaster during bootup.

      Even if you have the Windows firewall turned on.

      Windows XP doesn't have a firewall in place while the computer is booting - only after a full boot is the firewall policy pushed down to the network interfaces.

      SP2 will include a "block everything" firewall policy during bootup, and you can have a firewall policy over all network connections - including new connections that you may install.

      but for now - Put your XP behind a real network operating system like OpenBSD.

      --

      Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

    4. Re:Slashdottism by uberpeter · · Score: 2, Troll

      "Windows "out of the box" is as wide open as the goatse.cx guy."

      Yes, a new .sig!

    5. Re:Slashdottism by Cyno · · Score: 3, Informative

      We installed blaster, I mean, XP in the office here and before the install was complete it got the blaster virus. Didn't have a chance to firewall it. It was already behind a firewall. But that doesn't help you when you have a bunch of Windows systems on your network. You have to physically disconnect the ethernet from your PC before installing XP to be absolutely sure it won't get infected before you have a chance to "secure" it.

    6. Re:Slashdottism by daviddennis · · Score: 4, Insightful

      I buy a packaged consumer product and install it on my computer.

      Why should I be expected to know there is such a thing as a firewall and that I should install it?

      To put it simply, that's unrealistic. Sure, geeks should know better, but the general public shouldn't have to.

      Period.

      D

    7. Re:Slashdottism by spongman · · Score: 2, Informative

      yeah, but you don't need to be connected to the internet during bootup, do you? Once the computer is booted you can enable the firewall, connect to the internet and download the patches...

    8. Re:Slashdottism by Moloch666 · · Score: 2, Insightful

      A better idea is to not put in unnecessary windows or doors, locked or unlocked. Although Linux generally does this well, I can't speak for all distributions of Linux.
      Windows should do things like many linux services do. They default to listening on localhost only, a lot of little things like that could help tighten windows a little better.

      --
      Understanding is a three-edged sword. -- Kosh Naranek
  4. Hail to the new troll, same as the old troll by SuperKendall · · Score: 2, Insightful

    I'm sorry, but we've been told to disable preview-pane at work because yet another round of virii struck that used our internal servers as spam relays.

    For Outlook issues alone (forget about Slammer - though how could you!) Microsoft earns the big security raspberry of the year. PPHbth!!!

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Hail to the new troll, same as the old troll by Liquidrage · · Score: 2, Interesting

      What virus was it?

      In the several years employed at the same place I've never had an email virus at my company's headquarters nor where I'm contracted to. Nor have I heard of anyone there getting one. Both places use Exchange, are NT domains, everyone uses Outlook, etc.
      Both places have admins that know what the hell they are doing.

      I have seen one spread like wild fire at another place I do a few hours of work for here and there. And that place has $8 an hour admins that have no clue what they're doing and aren't qualified to work the help desk.

      Generally, it seems Linux is a more locked down OS and therefore more secure. But to me what makes the biggest difference is that to be a *nix admin you have to have a freaking clue. To be a Windows admin you don't, and it often shows.

  5. External Parties? by morelife · · Score: 2, Funny

    It's interesting to read the comments from external parties, as they tend to be very reasoned

    -SNIP-

    Yeah, and if I poke you in the eye with a sharp stick every morning, you'll get used to it. It might even appear "reasoned".

  6. Biggest problem with windows security by key+nell · · Score: 5, Funny

    There's a new worm out there that exploits a security hole still in Windows 2k/XP from when it was released.

    It has the capability to shut down applications, goes right through anti-virus software (even the latest patches!!!), and gives total control of the victim computer to the creator of the worm.

    An attempt by the powers that be to shut down its source of updates was thwarted by various government agencies and the worm itself.

    Unfortunately there is no patch to get rid of the W32.MS.AutoUpdateRequired worm.

    1. Re:Biggest problem with windows security by abh · · Score: 4, Informative

      Is clicking the checkbox to disable the Auto Update feature too difficult?

    2. Re:Biggest problem with windows security by LordLucless · · Score: 4, Funny

      I'm still looking for a patch for the W32.Clueless.User worm. It seems no matter how restrictive the firewall, this little blighter can get in.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    3. Re:Biggest problem with windows security by Tim+C · · Score: 2, Informative

      IIRC, when you first install XP (or patch a 2k machine so that it has AutoUpdate installed), AutoUpdate pops up a little systray icon asking you if you want to enable it. At that point, you can tell it to switch off.

      Even if I got that bit wrong (and it has been a while), one thing is definitely true - the default config is to prompt you to download, then prompt you again to install updates. No Windows machine automatically downloads and installs updates unless someone configures it to do so.

  7. Short look back on MS Security... by TheDarkener · · Score: 5, Funny

    It sucked!

    <bows>

    --
    It is pitch black. You are likely to be eaten by a grue.
    1. Re:Short look back on MS Security... by TheLetterZ · · Score: 2, Funny
      Three days ago I checked our 2003 server and noticed that the Windows Update icon was visible in the Start Menu area.

      I clicked the icon and saw that W-update had downloaded a patch for Internet Explorer.

      I installed it and immediately upon installation, Windows 2003 server warned me that it had to shutdown and reboot for changes to take effect.

      Gee whiz, the company's flagship server needs a reboot for a browser patch. And these are the same people who make surveys for Linux users to find out how to improve their software?

      Here's a tip, Microsoft. Stop turning Sun's slogan "The network is the computer" into "The browser is the computer".

      --

      Brought to you by The Letter Z

  8. Summed up in three words: by JoeBaldwin · · Score: 2, Funny

    j00 w3r3 h4xx0r3d!!!!!!

  9. Re:Its crap but just as crap as anyone else by abh · · Score: 2, Informative

    Perhaps you've heard of a company called Cisco, they make a thing called a Pix, which is probably the most popular hardware firewall product.

  10. Re:Its crap but just as crap as anyone else by Anonymous Coward · · Score: 5, Funny

    computer based firewalls?

    As opposed to what exactly?

    Firebased computer walls? (In soviet russia?)

  11. Rophel. by i_am_syco · · Score: 2, Funny

    Windows Security is an oxymoron. Just like the French fish who cleaned everything from Finding Nemo.

  12. My security lookback... by Anonymous Coward · · Score: 4, Funny

    A hole in Windows was announced today. That's great, as soon as Windows Update tells me there is a fix available, I'll click and reboot to apply it.

    A hole in Linux was announced today. Developers released a patch in 34.36 minutes flat after hearing the news. Download and update today! /me goes to website, they list some long inexplicable explanation of the hole. Link to some .tar.zip.gz.bz2 file (this saves bandwidth). Just run it through tar -xvzjf and it will automagically extract. Run make clean; make superclean; make reallyfuckingsureyourclean; make install; (whoops, su; make install) and boom! It's installed.

    1. Re:My security lookback... by Rysc · · Score: 3, Insightful

      apt-get upgrade

      Need I say more?

      --
      I want my Cowboyneal
  13. Re:Myth: Linux is more secure than Windows NT. by Anonymous Coward · · Score: 2, Informative

    "Administrators cannot delegate administrative privileges: a user who needs any administrative capability must be made a full administrator, which compromises best security practices." man sudo

  14. Should I patch? by SharpFang · · Score: 4, Interesting

    I dual-boot Linux with W98SE. Recently, after quite a while of using it and getting the W98 more and more "dirty" I decided to install the update. System got so unstable that I couldn't open Explorer without crashing. "Time for reinstall", I thought. Format, install, config, everything runs smoothly. Windows Update, system starts crashing really bad. Maybe I did something wrong? Format, reinstall, update. Crash. So now I run "vanilla" W98SE, without ANY updates, just pure CD install. The only protection is my firewall on a Linux box. Sucks, but what should I do? This way it can keep running for several hours, and with screensavers and power management disabled, for several days in a row. With patches, crashes notoriously. Keep it secure? How? By unplugging the net or the power supply??

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    1. Re:Should I patch? by abh · · Score: 3, Insightful

      Windows 9x was never intended to be secure... it's a wide-open home user OS... don't feel like logging on? Just hit the cancel button at the logon screen.

      If you're going to discuss Windows security, for god's sake at least do it with a version of Windows designed to be at least somewhat secure (2003, XP, 2000, or even NT).

    2. Re:Should I patch? by Dark+Lord+Seth · · Score: 3, Funny
      How? By unplugging the net or the power supply??

      Don't worry, MS is working hard on coding a new exploit that works even when your PC is offline and disconnected from the net! Due Real Soon Now(tm)!

    3. Re:Should I patch? by Tony-A · · Score: 2, Insightful

      If you're going to discuss Windows security, for god's sake at least do it with a version of Windows designed to be at least somewhat secure

      You're missing the point.
      The more secure Microsoft Windows is the old unpatched "insecure" Windows.
      That says something about how effective Microsoft has (NOT) been with its security endeavors.

  15. Re:Its crap but just as crap as anyone else by ePhil_One · · Score: 2, Informative
    As opposed to hardware based firewalls running custom operating systems. Granted, almost anything based in silicon could be considered a "computer", but running a general purpose OS on generic hardware is a far cry from what companies like Netscreen are producing.

    --
    You are in a maze of twisted little posts, all alike.
  16. Re:2003 was a wormy year. by Enucite · · Score: 4, Insightful

    And how do you propose this virus would spread?

    Linux isn't quite the easy target that Windows is. Almost every Linux box is completely different when compared to another. Not everyone is using the same mail client, there are several different browsers that may or may not be used, and several different daemons that may or may not be available or exploitable.

    You just can't easily write a virus that will infect a massive number of Linux machines.

    Note that I'm not saying Linux machines are impervious to viruses; just that I'd be shocked if there was any Linux virus that infects more than a handful of machines.

  17. Re:Its crap but just as crap as anyone else by Anonymous Coward · · Score: 2, Funny

    What's inside of it? Magic packet-smashing Gnomes?

  18. Windows Sys Admins are a BIG part of the problem by daddy+norcal · · Score: 4, Insightful
    One word: Slammer.

    It basically says it all when an exploit that had been patched for months succeeds in bringing the internet to a crawl.

  19. full text of the article by Anonymous Coward · · Score: 4, Informative
    The site took forever for me to load. Looks like it is slashdotted. Here's the full text:

    An In-Depth look Into Windows Security in 2003
    by Mirko Zorz - Monday, 22 December 2003.

    When it comes to security predictions for next year, basically everyone says it's going to be worse than this year despite the increased spending on security and some progress made when it comes to security awareness. Let's take a look at some interesting happenings that made the news during 2003 when it comes to Microsoft security and perhaps you'll be able to judge for yourself what 2004 will bring.

    The experts that voice their opinion for this article are Russ Cooper (Surgeon General of TruSecure Corporation/NTBugtraq Editor), Ed Skoudis (a security geek who is focused on computer attacks and defenses, author of "Counter Hack" and "Malware: Fighting Malicious Code") and Arne Vidstrom (a security researcher and author of many security tools for Windows).

    It's January and things don't look good

    Just as we were getting used to writing 2003 instead of 2002 in our letters, here comes the Slammer worm and all hell breaks loose as thousands of computers are infected worldwide.

    This, however, was not Microsoft's fault since a patch was available several months before the worm was unleashed. This has put the issue of irresponsible users into the spotlight while others said the reason why some servers weren't patched is because administrators are worried about the side-effects that come with a patch.

    Russ Cooper said: "Firstly, SQL patches have been notoriously difficult to install, so I would argue that despite the availability of a patch, its lack of installation was not entirely the user's fault. Further, MSDE (Microsoft SQL Desktop Engine) inclusion in 3rd party software had never been tracked by Microsoft. This resulted in many people being vulnerable to Slammer who never knew they needed a patch. The method the SQL group has used to handle the SQL vs. MSDE issue has been very poor, with KB articles typically only being found by searching for SQL rather than MSDE. Finally the SQL Server Resolution Service, the service targeted by Slammer, isn't even mentioned in the SQL 7.0 documentation either as being present, installed, or enabled by default."

    Lessons learned according to Cooper: "What Slammer showed us more than anything was the need to embrace more basic controls, such as "Default Deny". There's little reason to expose the SSRS to the Internet without any restrictions. Some hosting providers have argued that their customers required access to the service and, therefore, they exposed it directly to the Internet. While this might seem reasonable, the additional cost of locking down such connection points to, at least, an identifiable IP address range surely couldn't put them out of business compared to the risks they put the entire Internet at. Of course the same holds true for businesses, but there the problem was more of a problem with the "Default Installation". We have long known that default installations are inherently insecure. Knowing what you're installing, and installing only what you know, are crucial to achieving baseline security. The habit of simply accepting the defaults and no additional steps is yet another reason problems like this occur."

    "Another aspect of "Default Deny" is the enforcement of *Outbound* rules as well as inbound. Habit says that inbound is what we fear, yet outbound is left entirely untouched. Slammer demonstrated just how harshly such a policy can affect the Internet. There was no reason for those systems to initiate connections outbound on UDP 1434, even if we accept there was a need to allow the inbound connections from other infected hosts. Ergo, had such rules been in place, machine
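    The two "Default Deny" points Cooper makes above (lock the exposed SSRS port down to an identifiable address range, and filter outbound as strictly as inbound) can be modelled with a small first-match rule evaluator. This is an added example, not part of the article or of any post in this thread. The hosts, the customer range 203.0.113.0/24 and the protected host 198.51.100.10 are constructed from the documentation address ranges, and the outbound traffic is only shaped like an infected host spraying UDP 1434; no worm payload is modelled.

```python
"""Default Deny, inbound and outbound, as a first-match rule evaluator.

Constructed example: a hosting provider's SQL host must accept SSRS
traffic (UDP 1434) from its customers' block only, and should never
originate UDP 1434 traffic itself. Addresses come from the documentation
ranges (TEST-NET-1/2/3) and are not real hosts.
"""
import ipaddress
import random
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
CUSTOMER_RANGE = ipaddress.ip_network("203.0.113.0/24")  # assumed customer block
SSRS_PORT = 1434                                          # SQL Server Resolution Service
HOST = "198.51.100.10"                                    # the protected SQL host


@dataclass(frozen=True)
class Packet:
    direction: str  # "in": arriving at the protected host, "out": leaving it
    proto: str      # "udp" or "tcp"
    src: str
    dst: str
    dport: int

    @property
    def peer(self) -> str:
        # The remote address a rule is written against.
        return self.src if self.direction == "in" else self.dst


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    direction: str
    proto: str
    remote: ipaddress.IPv4Network   # remote peer must fall inside this network
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.proto == pkt.proto
                and (self.dport is None or self.dport == pkt.dport)
                and ipaddress.ip_address(pkt.peer) in self.remote)


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    default_in: str
    default_out: str

    def decide(self, pkt: Packet) -> str:
        # First matching rule wins; otherwise the per-direction default applies.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default_in if pkt.direction == "in" else self.default_out


# The habit Cooper describes: inbound filtered, outbound untouched, SSRS exposed to everyone.
PERMISSIVE = Policy(
    name="inbound filtered, outbound open",
    rules=[Rule("allow", "in", "udp", ANY, SSRS_PORT)],
    default_in="deny",
    default_out="allow",
)

# Default Deny in both directions: SSRS only from the identifiable customer range,
# and the host may initiate only the few outbound flows it actually needs.
DEFAULT_DENY = Policy(
    name="default deny, both directions",
    rules=[
        Rule("allow", "in", "udp", CUSTOMER_RANGE, SSRS_PORT),
        Rule("allow", "out", "udp", ANY, 53),    # DNS
        Rule("allow", "out", "tcp", ANY, 443),   # e.g. fetching patches
    ],
    default_in="deny",
    default_out="deny",
)


def slammer_spray(seed: int = 2003, count: int = 20) -> List[Packet]:
    """Constructed outbound traffic shaped like an infected host: UDP 1434
    to pseudo-random destinations (seeded, so the result is repeatable)."""
    rng = random.Random(seed)
    return [Packet("out", "udp", HOST,
                   str(ipaddress.IPv4Address(rng.getrandbits(32))), SSRS_PORT)
            for _ in range(count)]


def count_allowed(policy: Policy, packets: List[Packet]) -> int:
    return sum(1 for p in packets if policy.decide(p) == "allow")


if __name__ == "__main__":
    inbound = [
        Packet("in", "udp", "203.0.113.7", HOST, SSRS_PORT),  # a customer host
        Packet("in", "udp", "192.0.2.99", HOST, SSRS_PORT),   # arbitrary Internet host
    ]
    for policy in (PERMISSIVE, DEFAULT_DENY):
        print(policy.name)
        for p in inbound:
            print("  inbound UDP/1434 from", p.src, "->", policy.decide(p))
        print("  outbound UDP/1434 packets allowed:",
              count_allowed(policy, slammer_spray()), "of 20")
```

    Under the permissive policy every one of the 20 outbound UDP/1434 packets leaves the host, which is exactly the spread pattern the article describes; under the default-deny policy none do, and the arbitrary Internet host also loses its inbound access while the customer range keeps it. The point of the outbound rule is that it holds even when the host is already infected: a "Default Deny" outbound policy limits what an already-compromised machine can do to the rest of the network.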

  20. Re:Slashdot by Shut+the+fuck+up! · · Score: 5, Funny

    Slashdot: The antidote to well reasoned comments.

    Hello, new sig.

  21. HA! by thepuma · · Score: 4, Funny

    Windows Security. That's like... Military Intelligence? Jumbo Shrimp? Microsoft Works?

    --

    Free your economy and enact the FairTax

    1. Re:HA! by Bush+Pig · · Score: 2, Funny

      Country Music?

      --
      What a long, strange trip it's been.
  22. Re:Its crap but just as crap as anyone else by 93+Escort+Wagon · · Score: 5, Interesting

    "Microsoft have had their share of vulnerabilities over the last year but not significantly more than linux has..."

    Hello? What alternate universe are you living in? We spent a good chunk of our summer and fall chasing MS-BLAST infected computers. We had to detach computers from the network before upgrading them to XP, because if we didn't they'd get hit before we could patch them.

    Perhaps you are playing semantic games - perhaps in absolute numbers there haven't been "that many" Windows exploits. But in terms of wasted IT time; in terms of network downtime; in terms of severity of attack there is just NO comparison. Our Linux, Solaris, and OS X boxes have required almost none of our time.

    --
    #DeleteChrome
  23. Re:you know by b17bmbr · · Score: 4, Interesting
    if windows really was as bad as you say it is, it wouldn't be in NINETY PERCENT of all desktops.

    okay AC, there is a plethora of reasons that windows is on 90% of all desktops.
    1. apple screwed the pooch by being overly proprietary back in the early 80's. they were just too damn expensive for mass penetration.
    2. compaq cloned the PC, got its bios to boot, etc...
    3. lotus 1-2-3 (anyone remember when your spreadsheet program fit on a floppy!!) this program alone accounted for the mass migration to the PC architecture.
    4. ibm being dipshits about ms-dos. they could have had the rights for chump change.
    5. os/2 was the de facto desktop. ibm wanted a shitload of money (something like $200+ in the early 80's) microsoft came in with windows for 1/10 the price.
    6. microsoft did things like give faulty errors with dr-dos when you tried to run windows on top of it. (keep in mind, windows ran on top of dos as late as ME) this has been long since documented.
    7. microsoft played the bundling game, gave away its office suite for next to nothing compared to others. remember when wordperfect and lotus were the standards? (remember, in word97, you can map every keystroke in wordperfect AND lotus123.)
    8. monopolistic practices...covered a time or two
    9. piracy. i, and probably everyone i know got a "free" copy of office. don't think for a second that microsoft really cared that joe and jane homeowner were somehow "pirating" (giggle, giggle) office. well, if business knew you could get it at home "free", they knew they HAD TO pay for it, so, well, if you use office at work, you can bet employees can get it at home, and that eliminates any others from competition
    technological merit does not always, or even often, win out. there are numerous reasons. hell, in 1949, we had a state of the art bomber, the YB-49. it could fly farther, faster, stealthier, etc. and, check this out, it was a flying wing. based on a design from the horten bros. in germany. discovered after the war, and developed by jack northrop. but, stu symington (sec of defense) was buddy buddy with convair guys, and we ended up with B-36. then the B-47, then the B-52. 36 was a piece of shit, 47 almost as bad, and the 52 is a workhorse. long story short, when B-2 rolls out, who is there to receive a LONG overdue praise. jack northrop. oh yeah, the VHS vs. Beta thing too.
    --
    My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
  24. Re:Its crap but just as crap as anyone else by Cyno · · Score: 2, Interesting

    How many worms did you have to clean off your Linux systems last year?

    Linux may not be much more secure than Windows but at least my Linux boxes don't go spreading malicious code around my office faster than I can patch 'em. In fact, I don't remember ever patching a Linux box in 2003. Hrmmm, I wonder why that is..

    At least with Linux I don't have to worry about security unless I put it in a production environment. Then I only need to worry about keeping up-to-date with patches.

    My Linux desktop doesn't get viruses, send viruses, or take out office routers. I wish I could say the same for my Microsoft products.

  25. Re:Its crap but just as crap as anyone else by miffo.swe · · Score: 2, Insightful

    Well as for apt-get or yum, you can't compare those to Windows Update at all. First of all apt-get/yum updates every single application installed while Windows Update doesn't even update Microsoft's own products outside IE or MS-Windows. Had it at least covered MS's own products... but it really is limited. Tried running Windows Update from a script? Apt-get/yum is way ahead of Windows Update in any way I can think of. And it doesn't cost you more than hardware to put your own apt repository up.

    Why would anyone need Exchange? Did you want a mail server or did you want Exchange specifically? You do realize that what you are saying is that you want the brand and not the function in itself? There are tons of ways to accomplish the same things Exchange does and most often much better and with cheaper hardware. If there is one thing Exchange does, it is eating CPU cycles.

    "For firewall we kept windows because the software we currently use performs much better on windows than Linux"

    Well, duh? Sygate runs pretty lousy on linux too.

    --
    HTTP/1.1 400
  26. Re:Its crap but just as crap as anyone else by forevermore · · Score: 2, Interesting
    Microsoft have had their share of vulnerabilities over the last year but not significantly more than linux has

    Yes, they may have. But unlike Windows, all of the linux software had patched versions out within a matter of hours. You are correct, however, in that it's up to the admins to apply the patches, but in my experience, linux admins are a lot more vigilant about this sort of thing.

    Also, no linux "virus" ever filled my inbox with hundreds of huge attachments claiming that I needed to update Windows or see the latest cool screensaver.

    Oh, and if you're using firewall "software" in linux, you're doing something wrong. All you need is a little knowhow and iptables (or even ipchains), and you'll see that machine FAR outperform any non-kernel-based solutions.

    --
    Do you really need reason for beer? Wingman Brewers
  27. Re:Myth: Linux is more secure than Windows NT. by Anonymous Coward · · Score: 5, Informative
    Reality: Windows actually has serious design issues. Neither is perfect. The quality of your admins has way more to do with ultimate security.

    On your specific points:

    • Agreed that NT has access controls on every object. However they are not visible and not used very much by end users and administrators. The UNIX ones are simple and very easy to understand. Here you have the choice between complicated (you do know the difference between discretionary and inherited rights filters?) and pervasive (every object) versus simple and pretty much only on files (which almost every OS object is anyway).

      Many (if not most) Windows programs get it wrong. Heck, even Microsoft has released games that can only be played if logged in as administrator.

      Linux does let you do delegation, but that is mostly left as a user space implementation issue. That is the purpose of setuid/setgid, group memberships, sudo etc.

    • The Windows accreditation is a crock. It is in a non-networked environment with no floppy disk or CD drive. Show me anyone who deploys that way. Here are some relevant articles: Win2K evaluation IBM/Suse evaluation. I have one specific question: if the Windows architecture is so fantastic, why did the NSA choose Linux to achieve their goals? Why did Microsoft claim that fundamental design flaws in Windows were the reason they couldn't release the Windows code? (And we won't even go into the ability of any process in a desktop session being able to send messages to any other process which is probably the flaw Microsoft alludes to).
    • And you deploy Microsoft patches immediately without worrying that they will break the other products you run and use? You can get Linux advisories from whatever distro you use. There are also services like CVE. At least with Linux you can choose to fix things yourself. With Microsoft, you are stuck with whatever amount of time and problem severity they determine. If they don't want to fix something for 6 months, there is nothing you can do about it.
    • SCE is nice, but is only needed because the whole OS has so many places where ACLs are applied. And it doesn't do things like registry access control (you have to use regedit) or the filesystem. So you do have to use a number of tools, and understand everything. In Linux you have to understand chmod. In either case, a clueless admin will do way more harm than the OS you picked to run.
  28. Need to look at Security Holistically by randall_burns · · Score: 4, Interesting
    Organizational Security is typically only as strong as the weakest link. If you have an organization that doesn't do proper background checks on its personnel or uses negative management techniques, the risk imposed by those practices can swamp stuff like the risk associated with a particular version of software.


    In areas like the construction industry, insurance companies take a very hard-nosed attitude towards various types of risky practices-and the difference in risks between those practices are reflected in insurance premiums. It would be straightforward to apply similar techniques to organizational security-but I suspect what we have here is a case of managerial resistance. The management types just don't want their practices closely scrutinized-they like things the way they are now. What I see, is a lot of folks taking enormous risks with other people's money.

  29. Re:Myth: Linux is more secure than Windows NT. by openmtl · · Score: 3, Interesting
    Re: ACLs - OK yup ACLs are fine BUT wow can you really turn these into a nightmare with a few clicks. Worse still, just pick up a system from the last person and try and see what fancy ACLs they tried to implement.

    ACLs are a powerful feature BUT really need to have very strict documentation defining whats been done in an organisation.

    The Orange Book evaluated standalone systems only. I like my Internet ! This C2 stuff is generally discussed as marketing aid and ignores the fine details of the underlying criteria. What is certified is not "Windows NT" but a very precise combination of hardware and software.

    The exclusion of Linux is because the whole program for evaluation requires a Vendor. There is no vendor for Linux. If anyone wants to get a TTAP Evaluation facility to do such an evaluation then why not the DoD themselves. The SELinux would be a good start plus the 2.6.X kernel capabilities and with the ACLs that are now part of Linux.

    Windows admins must also evaluate each report that comes out. With Linux (the kernel) there is just a single Linux repository - with a distribution there is also a single repository (of that distro). Same as Windows.

    Configuring Windows security is also no mean feat either, especially not in an AD environment. Let's face it, both Linux and Windows can be made to be complex. The advantage that Linux has NOW is that Novell have bought SuSE. Novell has the best trust model of all. I imagine (well I hope) that some of the ease-of-use of Novell will be integrated into SuSE and then by default fall into Linux userspace routines. Fact is not much at a kernel level needs to now be changed on Linux. With 2.6 it's fairly well ready to rock.

    --

  30. Re:Myth: Linux is more secure than Windows NT. by shaitand · · Score: 4, Interesting

    "requires an administrator to be an expert in the intricacies of the operating system and how components interact"

    Yes, someone who is NOT an expert is hardly qualified to be an administrator now are they?

    "Linux only provides access controls for files and directories. In contrast, every object in Windows NT, from files to operating system data structures, has an access control list and its use can be regulated as appropriate. Linux security is all-or-nothing. Administrators cannot delegate administrative privileges: a user who needs any administrative capability must be made a full administrator, which compromises best security practices. In contrast, Windows NT allows an administrator to delegate privileges at an exceptionally fine-grained level."

    Are you on crack? EVERYTHING is a file or directory on a linux system. There ISN'T a registry to hack. The most powerful and popular solutions for all tasks on linux also have built-in ACLs for fine tuning access. Not to mention iptables, which is a one-stop kernel-level firewalling and routing solution with flexibility windows never dreamed of even with 3rd party tools.

    There is only ONE full administrator on a linux system, root. Any other service and its configuration files will be owned by a group; members of said group can administrate it. Since EVERYTHING including hardware devices is a file on linux you can fine-grain control access to every piece of software and/or hardware you like on the system. By setting permissions on the correct file you can even deny a user the ability to move an icon on their linux desktop.

    "Linux has not supported key security accreditation standards. Every member of the Windows NT family since Windows NT 3.5 has been evaluated at either a C2 level under the U.S. Government's evaluation process or at a C2-equivalent level under the British Government's ITSEC process. In contrast, no Linux products are listed on the U.S. Government's evaluated product list."

    Government accredits are meaningless, microsoft had to hack minimal posix compliance into windows before they could bribe their way in. The only reason it was allowed at all was that windows was already being used widely (at least in the US, don't follow the brits) and it's VERY expensive to go through the process.

    "Linux system administrators must spend huge amounts of time understanding the latest Linux bugs and determining what to do about them. This is made complex due to the fact that there isn't a central location for security issues to be reported and fixed. In contrast, Microsoft provides a single security repository for notification and fixes of security related issues."

    And yet somehow with a single command line I have all the fixes for the bugs that were discovered this morning. And windows update only has the bugs that were discovered 3 months ago with a couple exceptions.

  31. Don't know the details by SuperKendall · · Score: 2, Interesting

    As I said, we got a message from corporate HQ telling us to turn off Preview and also not to click on stuff that does not come from people we know (more likely the outbreaks were from people clicking on things they should not). They had to get themselves off a few blacklists it seems as a result...

    This is not a small company either, around 3000 people. Yes, we do have admins that know what the hell they are doing. Sometimes, stupid users click on links or bring in laptops and that is it.

    The thing is, even if a UNIX admin is doing a poor job you aren't as likely to see a "wildfire" spread of infection, more like a slow burn.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  32. The Last Line of the Article Says... by cacepi · · Score: 5, Insightful

    I just hope that in the next few weeks we won't see a disaster like the Slammer worm.

    That, in a nutshell, destroys the entire article. The end user shouldn't be forced to "hope" that bad things won't happen to their computers. Any vendor that instills so much lack of confidence in their products doesn't deserve the benefit of the doubt.

    1. Re:The Last Line of the Article Says... by sfe_software · · Score: 3, Interesting

      That, in a nutshell, destroys the entire article. The end user shouldn't be forced to "hope" that bad things won't happen to their computers.

      You've summed it up quite nicely. Back before Windows 2000, I just didn't understand why anyone put up with Windows at all. The fact that people considered daily reboots "normal" was pathetic.

      Only now the situation is a bit different. 2000/XP are both very stable, and if properly patched are most always relatively secure. I still trust Linux or BSD a lot more, which is why my Windows machines are protected with a Linux/iptables firewall; but you have to admit that Windows has gotten much better. Again, though, if properly patched.

      I believe (correct if wrong) that nearly all of the major exploits in the last few years were patched long before they became a problem; in many cases, months passed between the time a problem was fixed and the time it was exploited (thus giving plenty of time for testing and deployment).

      Microsoft tried to remedy the problem with the "auto update" feature, which most of us didn't like. Fine. Now they're finally getting it right, and making things much better starting with SP2 (firewall enabled by default, etc). Sure, *nix has been doing it right for much longer, but you have to admit that things are getting a lot better in the Windows world...

      --
      NGWave - Fast Sound Editor for Windows
  33. Re:My guess. by sfe_software · · Score: 4, Interesting

    I don't doubt it would be possible to create an effective virus for Linux.

    I agree with everything you stated. It's the diversity that makes Linux (and other operating systems) less vulnerable to such massive attacks. But everyone learns from their mistakes, even Microsoft (albeit slowly sometimes).

    Currently, if you purchase a copy of XP and install it with networking capabilities (even dialup), there is a good chance you won't get as far as Windows Update before you're rooted. I went through that a couple of months ago -- got the "Windows is Shutting Down" dialog before the Windows Update page could load. I knew how to abort the shutdown and patch the problem, and I really should have enabled the firewall first -- but joe average doesn't (and shouldn't have to) know this.

    However, I also recall the Honeypot project having similar experiences with RedHat 6.2; because of a remote-root exploit (I think), the machine was hardly online a few minutes before being rooted. If I remember correctly (it was a long time ago), 6.2 was the latest retail RedHat release at the time.

    Jump to now: RedHat now enables fewer services by default (but still has a record number of suid-root binaries...), and really pushes you to enable iptables at install time before any network interface is brought up. Likewise, SP2 for XP will be doing some things right, and I'm sure this will carry over to Longhorn and future versions.

    I say: bravo on both sides. Firewalls enabled by default (like "opt-in" instead of "opt-out"), and taking security into consideration with every decision (as RedHat and Microsoft both are learning to do, though many others *cough*OpenBSD*cough* have known this for a while)...

    --
    NGWave - Fast Sound Editor for Windows
  34. Re:My guess. by 1lus10n · · Score: 2, Informative

    http://news.netcraft.com/archives/2003/12/19/sun_discontinuing_cobalt_linux_servers.html

    According to that link, quite a few Cobalts out there. And since I work for Sun I can attest that most people running them are fairly clueless. And they aren't exactly up-to-date either.

    --
    "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." --Albert Einstein
  35. Looking back at what? by ratfynk · · Score: 2, Insightful

    I do not see any security. As Gates/Ballmer have said, "it would be far too expensive to fix Windows." Besides, by fixing Windows, the forced $upgrade$ incentive would go away. The problem with the MS software model is that if you make it too good no one will upgrade. Like banks and OS2: IBM focused on getting the security right, look what happened!

    --
    OH THE SHAME I fell off the wagon and use sigs again!
  36. Re:Windows Sys Admins are a BIG part of the proble by Lxy · · Score: 3, Insightful

    Microsoft puts itself in a catch-22 with this one.

    Microsoft released a patch, yes. There are two people who wouldn't install it: those who don't have a clue about being a sysadmin (MCSE) and those who know MS's history of distributing broken patches.

    The first group (mostly made of MCSE-only admins) are either too ignorant to install patches timely or are too stupid to know that your SQL server has no need to be internet-accessible. IIRC the only way to get slammer was to have your unpatched SQL server live to the world, something that anyone even slightly security conscious wouldn't have done. Unfortunately, MS markets themselves as the easy deployment/any idiot can admin. So, they market themselves to idiots, then blame the idiots for not taking care of their servers. Umm... sure.

    Secondly is the smart group who knows better than to deploy ANY MS patch without testing it. Having a patch 2 months before the worm hits is fine and good, but often times testing a patch takes that long. In the case of slammer these are the guys who know to keep their SQL servers behind the firewall. Slammer was mostly due to group #1. In the case of IIS and other internet services, however, a patch may not be deployed in a timely manner.

    Combine MS's past of releasing broken patches with their careful marketing to idiots and you see how easily this crap happens.

    --

    There is no reasonable defense against an idiot with an agenda
    :wq
  37. Re:Its crap but just as crap as anyone else by maunleon · · Score: 2, Informative

    Believe it or not, I have not had to clean up any worms from my Windows machines last year.

    Why? Because my network has a firewall. Then my machine has a firewall. And I run a virus checker. And I keep reasonably up to date with patches. And no, it's really not a big deal.

    In our last audit, guess what we found. Windows 2000 servers on the audited networks were patched. Linux machines were not patched for recent holes. Why? The mentality that Linux is secure out of the box. We showed how the audited network's firewall (running Linux, because it's k00l and the admin was a linux zealot) was rooted in 15 seconds using a familiar recent exploit.

  38. Re:Myth: Linux is more secure than Windows NT. by drsmithy · · Score: 4, Insightful
    Windows actually has serious design issues.

    Maybe so, but you haven't mentioned any.

    The quality of your admins has way more to do with ultimate security.

    Can't argue with that.

    Agreed that NT has access controls on every object. However they are not visible and not used very much by end users and administrators.

    Much like *properly* setup sudoers, groups and file ownerships/permissions.

    The UNIX ones are simple and very easy to understand.

    That's because they're so primitive. Not to mention some of them aren't really logical - like needing read *and* execute permissions to list the contents of a directory.

    Here you have the choice between complicated (you do know the difference between discretionary and inherited rights filters?) and pervasive (every object) versus simple and pretty much only on files (which almost every OS object is anyway).

    Properly setting up a combination of sudo, groups and file permissions and ownerships is a monumental task and an administrative nightmare. Not saying ACLs are a walk in the park, but when you're finished with sudo & co you've got an ugly hack around a fundamentally broken design, when you're finished with ACLs you've got an elegant and maintainable solution.

    The Windows accreditation is a crock. It is in a non-networked environment with no floppy disk or CD drive.

    That's because, IIRC, being without a network and floppy drive were *requirements* of the accreditation - IOW, *no accredited OS* could have had them.

    (And we won't even go into the ability of any process in a desktop session being able to send messages to any other process which is probably the flaw Microsoft alludes to).

    This was fairly well rebutted at the time - applications can be written so that this can't occur.

    In Linux you have to understand chmod.

    This is ridiculously (and irresponsibly) oversimplified. You have to understand group participations, file ownerships, permissions, SUID, GID, sticky permissions and the subtly different ways some file permissions can act on different platforms. This is before worrying about things like limitations on how many groups a user can be in and other weird things that only happen on some platforms. Not to mention the inescapable fact that on most unixes, practically all important services and administrative tasks have to spend some time with the unlimited privileges of UID 0.
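    The permission rules argued over in posts 30 and 38 (read versus execute on a directory, owner/group/other classes, the sticky bit), as an added illustration that is not code from the thread: a Python model of the POSIX mode-bit check. The users, groups and inodes it operates on are constructed for the example.

```python
"""Model of the POSIX mode-bit permission check (added illustration, not
code from the thread). Users, groups and inodes below are constructed."""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    mode: int   # file-type bits plus permission bits, as in st_mode
    uid: int
    gid: int


@dataclass(frozen=True)
class User:
    uid: int
    gids: frozenset  # primary group plus supplementary groups


def permission_bits(node, user):
    """Return (read, write, execute) for the ONE class that applies.

    POSIX picks the owner class if the uid matches, otherwise the group class
    if any of the user's groups matches, otherwise the other class; it never
    falls through, so mode 0o074 lets the group in while the owner is locked out."""
    if user.uid == 0:
        # uid 0 bypasses read/write; execute on a regular file still needs some x bit
        return True, True, stat.S_ISDIR(node.mode) or bool(node.mode & 0o111)
    if user.uid == node.uid:
        shift = 6
    elif node.gid in user.gids:
        shift = 3
    else:
        shift = 0
    bits = (node.mode >> shift) & 0o7
    return bool(bits & 4), bool(bits & 2), bool(bits & 1)


def can_list(directory, user):
    """readdir() needs r on the directory: names only, stat() of entries needs x too."""
    return permission_bits(directory, user)[0]


def can_traverse(directory, user):
    """Resolving a name inside the directory needs x (search permission)."""
    return permission_bits(directory, user)[2]


def can_open_file(directory, node, user, write=False):
    """open(dir/name): x on the directory, then r (or w) on the file itself."""
    if not can_traverse(directory, user):
        return False
    r, w, _ = permission_bits(node, user)
    return w if write else r


def can_unlink(directory, node, user):
    """unlink() needs w and x on the directory; with the sticky bit set the
    caller must also own the file or the directory (uid 0 excepted)."""
    _, w, x = permission_bits(directory, user)
    if not (w and x):
        return False
    if directory.mode & stat.S_ISVTX and user.uid != 0:
        return user.uid in (node.uid, directory.uid)
    return True


if __name__ == "__main__":
    alice = User(1000, frozenset({1000, 100}))    # constructed: owner of the directories
    bob = User(1001, frozenset({1001, 100}))      # constructed: shares group 100 with alice
    listable = Inode(stat.S_IFDIR | 0o740, 1000, 100)    # group has r but no x
    searchable = Inode(stat.S_IFDIR | 0o710, 1000, 100)  # group has x but no r
    note = Inode(stat.S_IFREG | 0o640, 1000, 100)
    print("bob lists 0o740 dir:", can_list(listable, bob))                # True
    print("bob opens a file in it:", can_open_file(listable, note, bob))  # False
    print("bob lists 0o710 dir:", can_list(searchable, bob))              # False
    print("bob opens a file in it:", can_open_file(searchable, note, bob))  # True
```

    The two directory cases are the point of the argument: r without x lets you see names but touch nothing, x without r lets you open a file whose name you already know but not enumerate the directory. Real kernels add capabilities, ACLs and mount options on top of this, so treat the model as the baseline rule, not a substitute for testing on the target system.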

  39. Re:2003 was a wormy year. by drsmithy · · Score: 2, Interesting
    You need an account with permission to run said binaries, at least on my machines. This assumes that I modify the "default deny" policy and make an exception for you. Of course, that policy was implemented before it was *ever* on a network

    If you somehow manage to penetrate *without* an account, you'll still have to deal with system accounts having a home directory of /dev/null, and some creative usage of things like chattr [1], chmod, and tripwire. Oh, and check out "man last[1]".

    Thus your machine is reasonably atypical even for a managed linux box, let alone one being used as a single-user desktop for an ignorant end user like the average Windows machine.

    Not to mention most of that won't help you if a worm somehow convinces you to run it (the way 99% of them are spread). A worm doesn't need root permissions to edit your .bashrc, wipe out your home directory or mail itself to every email address it can find on your machine.

    My conclusion: whoever attacked the Debian and GNU machines had a damn good chance of succeeding.

    We aren't trying to compare against the Debian machines, we're trying to compare against the typical Windows box - directly connected to the internet, unmanaged and under the control of an ignorant end user.

    IMHO the single best way to spread malware in linux would be to compromise a distro or source project. I can't see malware affecting end users in a large way otherwise - there's too many variables.

    As I said, it's very rare to find linux machines without tools like mail and bash - which is really all a worm needs to propagate. If you can edit your .bashrc script, so can a worm to start itself off every time you login. If you can start a program that listens on an unprivileged port, so can a worm. If you can "ping -f", so can a worm. If you can accidentally erase every file in your home directory, so can a worm. If you're running something like ssh-add on login to prompt you for an SSH password, a worm can fake it and capture your password.

    Anything a normal user can do, a worm can do. Everything a worm needs to do, a normal user can do. Every tool (and usually far, far more) a worm needs to do its work, is installed on the average linux box.

    I personally don't think Linux will be in widespread enough use to really get hit hard by a worm for a few years yet, but it *will* happen eventually (same for OS X).
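    The point above, that a process running as the user can rewrite ~/.bashrc to relaunch itself at every login, and the earlier mention of tripwire as the countermeasure, as an added defender-side illustration that is not code from the thread: hash the shell startup files, keep a baseline, and report anything added, removed or changed. The list of startup files and the throwaway home directory in demo() are constructed for the example.

```python
"""Startup-file integrity check (added illustration, not code from the
thread). Hashes the shell startup files under a home directory and diffs
them against a stored baseline, the idea behind tripwire. The file list and
the throwaway home directory in demo() are constructed for the example."""
import hashlib
import os
import tempfile

# Files bash reads at login or on interactive start (constructed list; extend per shell)
STARTUP_FILES = (".bashrc", ".bash_profile", ".bash_login", ".profile", ".bash_logout")


def sha256_of(path):
    """Stream the file through SHA-256 so large files never land in memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(home):
    """Map each existing startup file to (sha256, permission bits, size)."""
    snap = {}
    for name in STARTUP_FILES:
        path = os.path.join(home, name)
        if os.path.isfile(path):
            st = os.stat(path)
            snap[name] = (sha256_of(path), st.st_mode & 0o7777, st.st_size)
    return snap


def compare(baseline, current):
    """Report names that were added, removed or changed since the baseline."""
    report = {"added": [], "removed": [], "changed": []}
    for name, entry in current.items():
        if name not in baseline:
            report["added"].append(name)
        elif baseline[name] != entry:
            report["changed"].append(name)
    for name in baseline:
        if name not in current:
            report["removed"].append(name)
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed scenario: baseline a fake home directory, alter it the way
    any unprivileged process owned by the user could, and diff the result."""
    home = tempfile.mkdtemp(prefix="fakehome-")
    bashrc = os.path.join(home, ".bashrc")
    with open(bashrc, "w") as fh:
        fh.write("export PS1='\\u@\\h:\\w\\$ '\n")
    baseline = snapshot(home)          # in practice: store this where the user cannot write it
    with open(bashrc, "a") as fh:      # constructed tampering: a line appended to .bashrc
        fh.write("# constructed: unexpected line appended by a user-level process\n")
    with open(os.path.join(home, ".bash_profile"), "w") as fh:  # constructed: a new file
        fh.write("source ~/.bashrc\n")
    return compare(baseline, snapshot(home))


if __name__ == "__main__":
    print(demo())   # {'added': ['.bash_profile'], 'removed': [], 'changed': ['.bashrc']}
```

    The baseline has to live somewhere the same user cannot overwrite (root-owned, read-only media, or off-box), otherwise anything running as the user can re-baseline after editing; that is exactly why tripwire keeps its database and policy away from the accounts it watches.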

  40. Re:Myth: Linux is more secure than Windows NT. by Permission+Denied · · Score: 3, Insightful
    In contrast, every object in Windows NT, from files to operating system data structures, has an access control list and its use can be regulated as appropriate. Linux security is all-or-nothing.

    Let me ask you this: how can you restrict privileges to the RPCSS service?

    Well?

    I'm still waiting for an answer.

    The answer is that you cannot restrict privileges to the RPCSS service. It must run as SYSTEM, the NT equivalent of root. Although ACLs can be applied to the SYSTEM account, they can be bypassed easily as SYSTEM can insert code to run at IA32 ring zero.

    Let us then see how many services run by default under the SYSTEM account in a Windows machine: well, that's all of them, isn't it?

    Why don't we try a little experiment. Let's take a ridiculously trivial service, one that can be written in minutes: the Messenger service.

    Now let's take Messenger and run it under a different account so we can apply access controls to it. What does it do?

    "Could not start the messenger service on Local Computer.

    Error 1079: The account specified for this service is different from the account specified for other services running in the same process."

    Well, now what does this mean? Perhaps I did not give the Messenger service a privileged enough account? Nope. Perhaps I need to restart the computer rather than starting the service directly? Nope.

    The problem is that Messenger runs as a thread under svchost.exe, as it is an RPC service "built into" the various other crap there. Is this a fine-grained security model?

    Note also that when you attempt to have a service start under different credentials (should you ever attempt this as I very seldom see it), you must type the account's password. Perhaps this is a security feature so that one cannot install a service which then grants the user elevated privileges? Nope.

    In order to change credentials in NT ("obtain a security token"), you must supply the account's password. When you have a service run under a different account, that password that you type in is saved somewhere as it must be supplied in order to obtain different credentials. Where is it saved? Beats me. How is it stored? Probably "encrypted" using some machine-specific information; however, it must be decrypted upon launch of the service, so the password must be recoverable (without undue computation, eg, it is not hashed).

    Linux system administrators must spend huge amounts of time understanding the latest Linux bugs and determining what to do about them.
    ...
    Configuring Linux security requires an administrator to be an expert in the intricacies of the operating system and how components interact.

    Again, let me pose a question to you, as I assume you see yourself as a competent NT administrator:
    How do you disable DCOM without restricting RPC? You cannot consult google, but must discover the answer on your own.

    Obvious response: firewall.

    Well, a firewall isn't the answer. Say box X needs to talk to box Y using DCE RPC. You cannot insert any firewall I know of between X and Y which stops DCOM but allows through other RPC programs as no firewall I know of works at this level of the stack. You could perhaps put something like a snort box in between X and Y that allows for user-programmable packet inspection, but please don't tell me that's "easy to set up and administer".

    Correct response is documented here. But a competent NT administrator such as you knew that, of course.

    Let's tackle the equivalent problem on a Unix machine: we have an RPC service that we want to disable. Well, which one do we want to disable? NFS? Stop nfsd from launching. YP? Stop ypbind from launching. Mountd? Stop mountd from launching. You get the idea.

    How do you stop a daemon from launching? Tru

  41. Re:Myth: Linux is more secure than Windows NT. by Skilf · · Score: 2, Informative
    Every member of the Windows NT family since Windows NT 3.5 has been evaluated at either a C2 level under the U.S. Government's evaluation process or at a C2-equivalent level under the British Government's ITSEC process.

    Concerning the C2 level certification, the only microsoft products that have this certification are Microsoft SQL Server 2000, Win NT 4.0 and Win NT 3.5 according to microsoft itself

    But anyway, these certifications are bogus, since the products are evaluated "against the Trusted Computer System Evaluation Criteria (TCSEC) and its interpretations" also called the Orange Book. However, the Orange Book applies to standalone machines and operating systems! Wow. great.

    This standard clearly has no meaning anymore in modern computer security (if it ever had one).

    Skilf