Slashdot Mirror

← Back to Stories (view on slashdot.org)

Longhorn Server's "Improved" Security

Posted by ryuzaki0 on from the articulate-vegetable dept.

An anonymous reader writes, "The 'most secure Windows ever' may be very secure from hackers and malware — but what do you do when Longhorn Server lets you install the OS, set up Active Directory, and initialize the domain without once asking you even to create an administrator password? From the article: 'What happened to Windows Server? Where did all of the stringent security checks and ultra-protection of Windows Server 2003 go? Windows Server 2000 was quite insecure, and Windows Server 2003 turned over a new leaf... But it seems Microsoft is more than willing to flip that page back — even Windows Server 2000 required an Administrator password at the very least.'" Inevitably, Dave Barry's years-old quote comes to mind: "Microsoft has a new version out, Windows XP, which according to everybody is the 'most reliable Windows ever.' To me, this is like saying that asparagus is 'the most articulate vegetable ever.'"

24 of 151 comments (clear)

  1. Don't see how it matters really by also-rr · · Score: 3, Funny
    There are CIOs just lining up to sign the purchase authority forms as we speak.

    Ohhh, new windows? And this one has transparency! That's going to make the spreadsheets* fly!

    *sigh*

    *By which they mean databases. Or possibly Word. Who knows the mind of a CIO?
    --
    Think of the Children; Sleep with your Sister
    1. Re:Don't see how it matters really by vtcodger · · Score: 3, Funny
      ****By which they mean databases. Or possibly Word. Who knows the mind of a CIO?***

      CIOs have minds? Who knew?

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
  2. How Kind of You by eldavojohn · · Score: 5, Insightful

    In the summary you linked to the text "most secure Windows ever" where the title of the Slashdot article is "Microsoft Says Vista Most Secure OS Ever." You'll notice that the former doesn't really cause my blood to boil because I don't care which Windows is more secure. The latter, however, prompts 440 comments and the tag "lol" to appear.

    You see, one is a logical statement because one would hope that newer OS's become more secure than their ancestors, while the other results in "You have offended my operating system of choice, prepare to die..."

    --
    My work here is dung.
    1. Re:How Kind of You by enharmonix · · Score: 3, Funny

      You keep using that word. I do not think it means what you think it means.

  3. default password by gEvil+(beta) · · Score: 4, Funny

    I heard a rumor that the default admin password is "chair"

    --
    This guy's the limit!
    1. Re:default password by entrylevel · · Score: 5, Funny

      You just FUCKING KILLED any hope of this being the most secure Windows ever!

      --
      Karma: Incomprehensible (Mostly affected by posting at +5, reading at -1, and metamoderating everything unfair.)
    2. Re:default password by PPH · · Score: 5, Funny

      If you try 'chair', it will be thrown as an exception.

      --
      Have gnu, will travel.
    3. Re:default password by querist · · Score: 2, Funny

      I thought throwing chairs was the rule, not the exception.

  4. Should I tag this.... by Omnivorax · · Score: 2, Funny

    ...both "fud" and "notfud", to save everyone else the trouble?

  5. Microsoft always says... by zwilliams07 · · Score: 2, Funny

    "Most secure ever."

    Then about 10 minutes later there about 30 pieces of malware, and 120 holes in the system.

  6. Asparagus by justinbach · · Score: 4, Funny
    To me, this is like saying that asparagus is 'the most articulate vegetable ever.'"
    I think I'd want to check with the corn on that one--after all, aren't they the ones with *ears*?
    *ducks*
    --
    I left my wallet in El Sigundo!
  7. Did you know? by Anonymous Coward · · Score: 5, Informative

    Accounts with blank passwords CANNOT be used as a network credential EVER! No remote service. No terminal server. No shares. No printer. No nothing! Since XP SP1.

    Maybe not the brightest thing in a beta install (will this be in production?). But you would have to have local physical access to the server terminal to exploit this security hole.

  8. Bummer by HangingChad · · Score: 2, Funny

    You mean asparagus isn't the most articulate vegetable ever? Dang, guess that means I'll have to send back that plaque I ordered for the Articulate Vegetable Awards show.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
  9. Re:If this is true... by From+A+Far+Away+Land · · Score: 3, Informative

    Don't forget that it includes PVP DRM, meaning Microsoft can compell your monitor not to show video unless it's sure that you've bought a comercial video disc.

    --
    Oh You POS
  10. This is a beta OS. Everything can and will change. by postbigbang · · Score: 3, Informative

    Lots of testers and researchers give VERY LOW SCORES when passwords aren't treated like they ought to be. What with machines that can do 100,000+ dictionary attacks per second, busting weak passwords is comparative childs play.

    So it's a bit specious to lob this at Microsoft, when the operating system isn't even due to be at RC for as much as a year. If you use this in production environments, you're not very wise.

    Not that I particularly like Microsoft, but fair is fair-- this is far from release code.

    --
    ---- Teach Peace. It's Cheaper Than War.
  11. Re:If the author is creating a new domain in Longh by Utopia · · Score: 3, Informative

    I should also point out that by default the machine administrator account is disabled.
    So no amount of password-cracking software will let you log-in as admin.

  12. Right, this is a question of physical security by brokeninside · · Score: 5, Insightful
    Physical access to a machine already gives a local attacker everything they need to change the admin password. If it's a Linux box, it's simply a matter of booting into single user mode. If it's a Windows box, it's simply a matter of using any of half a dozen freely available utilities.

    But if there is no admin password, the server cannot authenticate the Administrator account from across the network. This essentially means that by default Administrator is a physical access only account. I don't see how that is startling insecure. In fact, it's a step in the right direction.

    1. Re:Right, this is a question of physical security by toadlife · · Score: 2, Informative

      Nope.

      By default, an account with a blank password cannot be used with "runas".

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  13. Sounds like a bug in the installer by PPGMD · · Score: 3, Insightful
    IMO it simply sounds like a bug in the installer, the Windows 2000 and 2003 both asked for you to set the default administrator password during the install, sounds like someone forgot to put that in the install options. It's an early beta, with 6 months or more until release, bugs like these often happen.

    If it makes it's way into the shipping product at least how it's described I'll eat my own hat.

  14. Well, on the other hand... by Jugalator · · Score: 3, Insightful

    Any admin that have such a non-existant sense of security that he/she don't bother setting any admin password, regardless if the setup routine force the admin to do it or not at some point, has pretty much doomed the overall security of that system anyway. An admin that need to be nannied through every aspect of setting up a server, including such basic things as controlling the passwords are OK, shouldn't really touch a live server somehow related to network connectivity.

    --
    Beware: In C++, your friends can see your privates!
  15. Chair by Fallen+Mongoose · · Score: 2, Funny

    Now there's a word you don't hear people throwing around as much these days.

  16. I *really* hate to come out swinging for MS... by Dputiger · · Score: 3, Interesting
    But I have to, as far as the Dave Barry quote goes, especially since it wasn't even related to the story being linked. I've used every Windows OS going back to 2.0, and run my main system on 95, 98SE, ME (briefly, and just to see if it was really that bad), 2K, and XP. I've done tech support for both businesses and consumers, I've built systems for people, and I've reviewed computer hardware for years--and in the process of doing all that, I've seen a lot of Windows installations on a lot of different hardware, from brand-new to dying of old age.

    There are a lot of things I don't like about Microsoft, and there are a lot of areas where I think their products could be improved and streamlined--but I think a lot of people (both here and elsewhere) throw out disparaging remarks about XP in certain areas just because it's fashionable, or convenient, especially about system stability. XP may have had its kinks early on, but I'd say its been incredibly stable / reliable since at least SP1. I reboot my home rig, on average, maybe once a month--and that's typically a choice, not a forced situation. I've had one hard crash / reboot situation in the past 6 months. It's not just a system that sits idle all day, either--I work from home, game, and do all my multimedia / browsing, IM'ing, etc, all from the same box. Now yes, if you start to factor security updates into the "reliability" equation, WindowsXP starts to look a bit less shiny. If you assume that "WindowsXP" also means "WindowsXP + IE6", that's even worse...but hey, that's why I use Firefox.

    People can argue that they hate the XP GUI--that's opinion. You can argue it's bloated, or you hate WGA, or Product Activation, or whatever, and you can argue about security issues all day long. But measured in terms of basic reliability--no BSODs, no inexplicable driver failures or failed device detection, and no random reboots--XP blows the doors off any of the Win9X products, and is arguably better than 2K in some performance and multimedia areas. (Hyper-Threading is the one area where I distinctly remember XP outperforming 2K--other areas I'd have to dig for at the moment).

    I'm all for calling a spade a spade, but part of doing that fairly means admitting when a company gets something right--and anyone still pretending that Microsoft hasn't made huge strides in stability, reliability, features, and performance since the Win9X days needs to go out and actually try to set up (and then modify) a 98SE box. I've had to do so recently, and it's not a pretty picture. I still remember how to jump through all the various hoops, but that doesn't mean I miss them.

  17. Speculations by bruno.fatia · · Score: 2, Insightful

    Everybody just keep speculating about Vista and Longhorn server, why don't you just leave Microsoft alone for once and wait for them to lose some money with defective OS? Gee..

  18. Re:Remember the Audience by Ajehals · · Score: 2, Insightful

    You are giving the admins - even some of the non attachment clickers a lot of credit... - This is an OS Small and medium business' use because it "just works"(tm) ad because windows admins are cheap. Its almost completely configurable by wizard for Christs sake, and the wizards do not include everything that you may need to look at from a security point of view.

    Now I am not suggesting that everything should be configured in at a CLI or eve that the admin should just be presented with a load of MMC snapins and no guidance, but the ease with which an apparently working server can be set up and configured is worrying - especially if security related tasks are not included in the wizards...

    I have come across enough 2k/2k3 server admins who do not understand the OS at all and don't really understand what they are doing with it, they are sort of learning as they go (in production environments). This is not because they are stupid (inexperienced, ill qualified certainly.. but nor stupid) but because they were "good" at using windows and just scaled up, all the nice step by step wizards meant they didn't have to bother with learning anything more complex or in depth. In effect there are a huge number of windows admins out there who are really power users, and who really do need their hand holding fully, or need to come across an OS where everything is of by default, and to turn it o you need to have an understanding of what you are doing, or in the very least have to do some research..

    Just - additionally these tend to be the admins who are unaware of and do not take advantage of whole segments of their OS's capabilities (Active Directory / Group Policy / Scripting / RIS / DFS etc.. (its been a while sorry if the names have changed..)) ad ed up convincing even less knowledgeable management to buy software that either puts a shiny front end over an existing feature (the multitude of AD Management suits that do nothing to enhance manageability) - or that replicates functionality (like software deployment) without using the component that is present - leading the company into even more of a lock in situation, but now with multiple products...

    Ad yeah I know you get what you pay for, and I know its down to management etc.. but Windows server is *deceptively* easy to manage...

    --------

    just as a side note on your "hopefully aren't dopey attachment clickers" comment - I do penetration testing and security audits on a fairly regular basis, one of the simple tests we used to run was emailing an executable attachment that simply wrote a file to disk (or some such activity - initially we had it display warnings etc... then found the silent ones more interesting..) ad what we found was that most of the IT admins that received it (initially somewhere in the 60% area) virus scanned it and then executed it - this was when it came from a legitimate company address with a note saying that "X received this and needs it to do Y"... on a number of occasions admins executed it whilst logged into their personal machines with domain level admin accounts (which they should never have been logged in as anyway...).

    On a couple of occasions instructions in a mail from a random email address and with spuriously written c0NTent advising the user to rename the attached .doc to .exe and report back to a fictitious person were actually carried out - and repeatedly by the same guys - all because the AV thought it was OK.

    Ad this is after awareness training and having a laugh about who got caught out last time. So no admins are not necessarily and better at not clicking attachments as common users - they just have less of an excuse

    (Not sure I got my point across - brain is not working...)