Slashdot Mirror
Microsoft: RDP Vulnerability Should Be Patched Immediately
wiredmikey writes "Microsoft is urging organizations to apply the sole critical update in this month's Patch Tuesday release as soon as possible. The critical bulletin – one of six security bulletins issued as part of Tuesday's release – addresses two vulnerabilities in the Remote Desktop Protocol (RDP). Those IT admins who use RDP to manage their machines over the internet, which is essentially the default in cloud-based installations such as Amazon's AWS, need to patch as quickly as possible, said Qualys CTO Wolfgang Kandek. Besides the RDP bugs, this month's Patch Tuesday addressed five other vulnerabilities: two denial-of-service bugs and an escalation of privileges issue in Microsoft Windows; a remote code execution vulnerability in Microsoft Expression Design; and an escalation of privileges issue in Microsoft Visual Studio."
Safe, unless you are running bitcoin operations there.
Gee, I manage my cloud over SSH tunnels. Authentication is done with public/private key pairs. No SSH root user login. In the rare cases that I need a GUI, it's VNC over an SSH tunnel.
Any other ports?
It's tunnels. All the way down.
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
I've had a time or two at work where a remote admin needed desktop access to see what was wrong and correct it. Granted, if it were the linux box next to it they could have just SSH'd into it.
Right, so the average user gets treated to a random text based or any installer at boot and says "Hmm, never done that before...better throw it out and get one of those new Windows 8 computers!"
captcha: bricks
yes, bricks. what people will think of their computers after you put linux on it.
that's not an insult to linux...just most people don't even know it exists or wtf to do with it.
It could happen to Linux as well. But it doesn't.
Linux does have comparable remote-access protocols to RDP, all of which have had plenty of remote exploits in past. For example have a look at CERT advisories on SSH and X11. Don't even get me started on VNC, which is often not updated automatically because it's an installable add-on instead of a system component.
I think all of those have happened in Linux at some stage, with the exception of privilege escalation exploits in an IDE.
It just happens less and the number of exploits is reduced due to rapid updates, on average much better admin and version fragmentation from different distros.
What do you mean it "COULD" happen to linux. don't you follow the latest patch releases. IT DOES happen to linux every month as well, or did you think those patches we download and install every month are just for the fun of it?
just most people don't even know it exists or wtf to do with it
TFA is about admin management through RDP - not the lambda user around. Allowing a SSH (via a simple user) to connect to a server, and allow some text-based administration from the specialists is one thing, opening a GUI remote administration tool with menus and all that give hints on the howtos mess up with the machine is something else.
Slashdot, fix the reply notifications... You won't get away with it...
I've had trouble with a VNC bug in the past. I was using a boot CD to copy Windows security updates so I wouldn't have to hook up the unsecured freshly installed Windows to the net, and suddenly the mouse started moving in a very mechanical fashion and it started to type (exactly one character per second) a command which was obviously intended to go into a console window (but fortunately ended up in an open text document). I pulled out the ethernet cable to get my mouse and keyboard back and killed the VNC daemon; that solved the problem, but it was still freaky.
True. I use it for IMAP as well. SSH replaces every VPN solution out there.
Me thinks you need to do a little more research before posting. CERT or maybe secunia may be enlightening for you.
Ok, so there are some weaknesses / bugs and patches to be applied to Linux. There are, there were, and there will be. Always. But are we on the same scale here? We are talking about a remote administration GUI security hole ; that nice graphics and windows based environment that allows almost any brainless geek to damage the system from any angle, visually, like a game.
Slashdot, fix the reply notifications... You won't get away with it...
As if it isn't bad enough that an RDP worm is already spreading due to weak passwords. If users/admins are incompetent enough to use passwords fit for luggage you can only guess how many unprotected Internet facing RDP servers will be ravaged within the next few weeks. Don't get me wrong. I have seen situations that actually call for an Internet facing RDP, such as screaming sales execs behind third party firewalls that block egress GRE, 443, and 22, with the variety of IP addresses causing admins to play wack-a-mole in Webmin to allow individual IPs, but these admins have already patched. If a rogue Fawkes writes a worm for a Massive DDoS or particularly nasty payloads many of us will suffer. An exam should be required to run these services and it should be harder to get than a drivers license. Am I ranting?
WTF does SSH vs. GUI have to do with security? If anything, once exploited SSH would be less secure, because its easier to inject commands into a command prompt than it is to automate a GUI.
I believe the GP was referring to this story.
Write failed: Broken pipe
It's not the same thing. The problem is the tool in the first place. A GUI to perform admin of a remote server is dangerous. It makes the tool usable to a larger audience. Windows people are used to windowed environment. That has always been the case (at least in the 2000s). This makes the administration more comfortable, and easy to perform. When you don't know what to do, go through the menus and find what you need. That system has some drawbacks - the RDP problem is part of the price to pay.
Slashdot, fix the reply notifications... You won't get away with it...
???? and what the hell does a CLI vs GUI have to do with security in this case?
WOW! Are you detached from reality. Microsoft products are used because of market share and industry momentum. Bitch all you want about design and implementation, but the world isn't going to stop and replace everything with Linux/Unix as though it was some grand Moon Shot program. It will not happen. Get over it.
Life is not for the lazy.
And having a vulnerability in a GUI (RDP) protocol is somehow worse than having vulnerabilities in SSH how exactly?
Nothing stops you from using Windows Remote Management to do exactly the same thing with Windows.
So you are trying to tell me a system where many admins cannot write firewall rules and file ACLs is better then a system with a GUI for the same?
Windows has all the same security functions linux does and then some and can be made to be highly secure. It also has a command line that is more useful then the majority of inexperienced know. Admins who don't know how to/or care to maintain some of their systems exist on both camps. It is not the tool.
What you are saying is the same as saying impact wrenches are bad tools for mechanics because they are easy to use and strip bolts and all mechanics should all use torque wrenches instead.
120 characters ought to be enough for anyone
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to another computer
Don't you think it is easier to hack a computer from a windowed based tool where you see the menus and all, than from an austere text based prompt?
Slashdot, fix the reply notifications... You won't get away with it...
Speaking as someone who's been doing this for fifteen years, your grasp of information security is appallingly bad. I operate a sizable deployment comprised of Linux, *BSD, and Mac systems. Judging by your last few posts, I sincerely hope you are not employed in a role where any of your duties are closely aligned with the protection of information assets.
Write failed: Broken pipe
And having a vulnerability in a GUI (RDP) protocol is somehow worse than having vulnerabilities in SSH how exactly?
Any fool can use the GUI, but with SSH at least you can be sure that you are being hacked and exploited by a fellow geek.
If my comment didn't sound as good in your head as it did in mine, then I guess we all know who's to blame
Since when Microsoft started counting those as bugs? Their usual policy is only to count remote exploits as "real" bugs worth being announced.
Contrary to the popular belief, there indeed is no God.
Gee, I manage my cloud over SSH tunnels. Authentication is done with public/private key pairs. No SSH root user login. In the rare cases that I need a GUI, it's VNC over an SSH tunnel.
Any other ports?
It's tunnels. All the way down.
Yeah, it sure is unfortunate that you can't do exactly the same thing with RDP. And MS should definitely think of adding IPSEC support one of these days (yes, I know). Of course people are probably less likely to bother, since unless you're French, RDP is fully encrypted (standard VNC only encrypts the password) and talking of passwords it allows them to be more than 8 characters long. You can even have a username too, if you use the right version and configure PAM (joke - there is no right version for that because it's a terrible idea security wise). It has also never had a bug where the client could tell the server it didn't support any of its authentication schemes and so the server simply let it connect without authentication.
In fact this is the first time I've heard of a potential serious vulnerability in Remote Desktop, so frankly this is not the area to be smug about.
Anyway this is a bit too MS positive for my liking, so I'll just add that TurboVNC + VirtualGL + VirtualBox = one fucking awesome free VDI implementation. Add SSH, OpenVPN or IPSEC to taste if you want (although VirtualGL handles SSH itself transparently if you want). Actually for remote admin purposes you only need the 1st part (unless it's a bunch of 3D workstations you're supporting). And possibly a new hobby to use to soak up all the time you used to waste waiting for the screen to refresh. I would also mention FreeNX, but a) I think it gets outperformed by the above and b) I am fucked if I'm setting that damned thing up again just to verify.
Oh yeah, one more neat trick - Virtualbox can run in headless mode on a box with no GUI (or with one, doesn't matter). In this mode it serves up the VM display using an extended version of RDP. The great thing is this doesn't just apply to Windows VMs - it can serve any OS it can run over RDP. Watch the look on your colleague's faces as you get them to fire up MSTSC and connect straight into Ubuntu. Or OS2, OSX, Win 3.1 etc.. etc.. You can even dump them into an EFI shell or the virtual BIOS. Literally minutes of laughs to be had. Oh yeah, you may need the non-open source extension pack for that. Also they're adding VNC in the next release. I have no fucking idea why.
And no, I have no idea why you're not allowed to use RDP encryption in France. I have no idea why they're not allowed to use deoderant either, come to think of it.
We are talking about people using exploits to abuse a protocol bug, whether it is a command line or a gui is irrelevant (regardless of how much I hate GUI based management). All a CLI offers is a little more obscurity and if that is something you think helps you during vulnerability exploits then step right this way I also have a bridge to sell you.
RDP is a GUI, SSH (for instance) is not. From wiki:
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to another computer
Don't you think it is easier to hack a computer from a windowed based tool where you see the menus and all, than from an austere text based prompt?
I would suspect that someone who has the skill set required to "hack a computer" would not be slowed down much in his mischievous activity by an austere text based prompt..
lucm, indeed.
a system where many admins cannot write firewall rules and file ACLs is better then a system with a GUI for the same
Fortunately, "admins" who don't understand iptables or chmod (there are graphical aides anyway) are usually using something else, like Windows. I'm not saying Linux is safer, always and forever, I'm saying the way Linux is to be apprehended makes it more likely to be operated by skilled professionals. There are of course brilliant people Windows side, and both systems complexity is similar, but the thing is that the GUI layer makes it accessible to more people who think they understand the system since the graphical tool is visually convenient. It's like Javascript and C/C++. Some people program in Javascript - more accessible since the interpreter takes care of many things - and only know JS. They think they master programming. Do they? I don't think so - at least most of them.
Slashdot, fix the reply notifications... You won't get away with it...
Somebody finally fix the root of the problem and hack Microsoft's server to push out a Linux iso...
But if someone does hack the Microsoft server (I'm sure they have only one) and install Linux, Windows will disappear and wannabe geeks will have to find another easy target for their wannabe bashing
lucm, indeed.
Yeah, it sure is unfortunate that you can't do exactly the same thing with RDP. ....
Actually you can:
- cygwin on the Windows box
- sshd service under cygwin
- connect via ssh into your windows box
- tunnel through the ssh into port 3389 on the same box
- open Terminal Services client, connect to localhost:XXXX
Works like a charm for me.
Technology conforms to organizations and businesses, not the other way around. CLI has proven to suck absolute balls in consumer markets. It's why the GUI is so popular. People are *gasp* visual creatures.
try nomachine.com
Who cares? I'm a over-smug Mac user!
it is once again the second tuesday of the month. so... same old, same old.
No, I don't think it is easier. Why do you think windows and menus make things any more hackable?
Microsoft bought RDP from Citrix. Microsoft doesn't develop software, they buy/steal and redistribute it. For example Internet Explorer and Stax...
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Ok, so let's take the problem from another angle: an admin installs a GUI to perform administration of his high value system from the Internet. Yes, the hack requires some strong knowledge, I must agree. But an admin who decides to install such convenient graphical tool is wrong in the first place. Such a RDP protocol is obviously more complex than a simple ssh, and is more likely to get cracked. What I'm trying to say, and this is the real problem, is that Windows admins are so used to GUIs that they miss other more secure alternatives. You said you hate GUI based management. The regular Windows admins hate the console based management.
Slashdot, fix the reply notifications... You won't get away with it...
I know you are not correct in that many web developers who develop on Linux try and maintain the equipment on their own. What they previously did on Windows they can no longer do. Linux is mainstream now and you no longer need to have any intelligence to run a LAMP server... and many of them run linux because they feel it makes them seem more "elite" then the windows server users they once were. Sadly, they install the complete CD with compiler and all and don't do the updates because they can't resolve the dependancy hell of their distribution.
120 characters ought to be enough for anyone
Who are all these admins doing stuff over RDP and why are they still employed? I've seen these installations myself but I simply cannot believe it. It's so dumb that it boggles the mind. Why would I need to login to a full display server to remotely administrate... anything? Oh, unless I'm on Windows where some applications cannot be used without the GUI. Lol. This is so pathetic. If you simply must use a GUI, just tunnel an X client over SSH and never worry about applying patches again- oh but wait, I forgot again that we're on Windows so you can't do that. Why anyone would rely on this backwards, insecure, cumbersome, and ultimately counter-productive bullshit is completely beyond me.
The dangerous people are not the admins that are using RDP. The dangerous people are the idiots that think that because they use an X client over SSH they don't have to worry about applying patches again.
So it does not surprise me that the fact that people rely on technologies that you don't understand is completely beyond you. Once you get real work experience, other than maintaining that FTP server for a non-profit or that Drupal server for Uncle Bob's tackle and bait shop, we can have this discussion again.
lucm, indeed.
Is this sarcastic or is this somehow really supposed to be reassuring?
You do know that they have point-and-click exploit kits, right? Ever heard of the term 'script kiddie'? Countless UNIX vulnerabilities have been packaged up into various graphical tools that non-experts can use to take advantage of vulnerable systems.
No, I don't think it is easier. Why do you think windows and menus make things any more hackable?
I know: someone using WinRunner or AutoHotKey could do brute-force hacking on a GUI!
This is brilliant, I must immediately check IRC (or Experts-Exchange) to see if there are scripts available to do that.
lucm, indeed.
Wow. Just wow.
Please don't tell me you're in any way shape or form responsible for IT security.
I hope you understand that graphical exploit kits do exist that target UNIX systems. This commenter pointed it out.
An attacker who knows what he is doing will attack both Windows and UNIX systems. One that doesn't will just use a tool that a skilled person wrote to "point and click" his way into a box regardless of what OS it is running.
Microsoft has been counting IE security holes as Remote Execution a long time, which actually requires user intervention at the client-side.
I'm rather surprised that it took this long before somebody found a possible breach in the RDP implementation.
The vulnerability is in the protocol, not that it is a remote GUI protocol. The fact it is a gui protocol is moot in this case - the attack allows someone (using a terminal, a gui, whatever) to send crafted packets to the RDP service (note, service) on a Windows machine that may allow them to run arbitrary code remotely, in just the same way that someone (using a terminal, a gui, whatever - see the consistency here?) to send crafted packets to XYZ service (note service) on a Linux/BSD/whatever machine that may allow them to run arbitrary code remotely.
The nice thing with this attack failed attempts supposedly result in a BSOD too :-)
Actually you are wrong. I am from Citrix so I know, RDP is developed by Microsoft, Citrix has its own proprietary protocol called ICA(Independant Computing Architecture) which is just a wrapper around RDP. Its true that RDP came from WinFrame which was a Citrix product but you are wrong in saying that Microsoft bought RDP from Citrix.
Don't you think it is easier to hack a computer from a windowed based tool where you see the menus and all, than from an austere text based prompt?
Only to the extent that GUIs are easier to use in general. They are not inherently more hackable than text prompts: text may give you a little extra obscurity, but that's not something that should be relied on in a security context.
+1 Testify, Brother! Too many non-windows admins IMHO have little idea of the capabilities of Powershell
They sentenced me to twenty years of boredom
Post with your real name and we'll talk to you, troll
They sentenced me to twenty years of boredom
Cheap (free), secure, easy. Pick 2.
They sentenced me to twenty years of boredom
Linux and its applications only dominate ANYWHERE because they're cheap/free. Granted, they work well enough for the market they're aimed at, but there's a lot more to the IT world than the internet.
They sentenced me to twenty years of boredom
Then why did you pick only 0.5 for Windows?
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
How insightful. I'd never have imagined to see a comment like this on Slashdot, thanks for contributing to the discussion!
Well, it's honestly not worth finding exploits for Linode or most other forms of Linux. (Not a flamebait.) Why bother trying to break into the computers of less than 1% of people.
(See, others can do it too!)
Can we get a "Macs don't get viruses!" guy to chime in? And maybe someone from Amiga or BSD?
Random Thoughts From A Diseased Mind (Not For Dummies)
Microsoft developed the original RDP technologies (before someone jumps in, not *all* RDP tech, just the ones involved in this timeline), and sold it off to Citrix, who dramatically improved it. MS then licensed it back from Citrix as an independent product and included it into Windows.
The worst thing about SSH vunerabilty exploits is you can sucessfully issue a batch of commands rooting the box... and even make ssh tunnels to remote resources like printers and DVRs and root them too... at least with an RDP exploit, its a PITA to script a large scale attack.
120 characters ought to be enough for anyone
Yeah, except for linode divulging the master admin password. That's a pretty awesome VPS provider you have there.
SSH has had several bugs - both design flaws and implementation flaws. Heck, even things like ntp servers have been exploited. Ssh is in no way "simple" (though it has been getting better at not having remote code execution flaws) and it can be misconfigured and used in very creative ways.
The "hate" here seems to be that it is actually possible to administer Windows conveniently using RDP and that there is something inherently wrong with that. Administering IT systems should not be black magic done in deep dungeons where mere mortals can't enter. Sure, it is wise to implement policies so that people are not going to easily screw up. GUI doesn't make any administration more secure on less secure, you can fail in unthinkable ways with or without gui tools...
By the way, X11 predates RDP and running graphical programs over network on UNIX machines has been common (including administration tools).
And btw, I do systems administration - on Linux and using console (and a few graphical tools like firefall builder) and on Windows using RDP to do stuff that is easily handled through GUI (one-time settings etc.) and through Powershell when automation is needed or tasks that would be hard or impossible in GUI. And I do not see my RDP usage no more a security risk than running ssh is (both environments have defined security policies with access rules / control, roles are used to separate privileges and users are not given unneeded privileges). I am screwed if my internet-facing sshd implementation has remote root exploit, as I am with RDP server. Or Apache. Or PostgreSQL.
I would think that most people who absolutely needed to remote into their machines over the Internet would use some kind of tunnelling to a jumpbox or remote access appliance to RDP to an internal server...
Insightful? For what? bragging your on an OS lower than the margin for error and therefor not worth a criminal's time. hey you should brag you are on OS/2, I bet it ain't needed a single patch in years! Meanwhile you can enjoy such fun recreational activities as 1.-hunting for fixes on forums every 6 months when the latest update deathmarch craps on 1 or more of your drivers, 2.- Having such wonderful documentation that is at best just a pile of CLI use flags, at worse a 'todo" file, 3.-having an "OS" that is just a hodge podge of programs written by a bunch of groups that have nothing to do with each other, so some follow Windows conventions, some mac, and some unix, 4.- having such wonderful QA that Dell has to run their own repos just to keep the OS from going "LOL I made a stinky!" on itself and killing the wireless, need i go on?
As for your much vaunted security? might want to look at some things, ready?
Get ready, here they come! BTW if you'd like a little more food for thought, what OS was 3 of the 4 CAs running that were compromised? take a look and see. Maybe they just had bad configs? Surely someone with knowledge would be safe right? Guess again and its not a fluke by any means.
ACs don't waste your time replying, your posts are never seen by me.
Script kiddie? You mean most so-called IS/IT security analysts after about 1995 or so?
You don't even need cygwin, you can use something more userfriendly, like putty.
That's what i do
Windows: So awkward to use, even the hackers will get mired in in the GUI.
Gee, I manage my cloud over SSH tunnels. Authentication is done with public/private key pairs. No SSH root user login. In the rare cases that I need a GUI, it's VNC over an SSH tunnel.
FYI, there have been security flaws found in ssh servers in the past.
Maybe you're too inexperienced to know that.
Cheap, Secure, Easy, not Vaporware, pick any 2... ;-)
Capability based security systems could give cheap, secure, easy... but they are definitely vaporware at this point in time.
Linux does have comparable remote-access protocols to RDP, all of which have had plenty of remote exploits in past. For example have a look at CERT advisories on SSH and X11. Don't even get me started on VNC, which is often not updated automatically because it's an installable add-on instead of a system component.
You didn't get a chance to look at years on those advisories, eh?
In year 2002 everything was vulnerable. Literally.
In year 2012, one would expect that such critical component like RDP would be audited 100 times by Microsoft. Seemingly not.
First, I've never once seen a best practices document that says "put RDP on the Internet." Maybe one exists, or maybe there are special cases somewhere that allow for it, but to me it just seems stupid to connect a Windows machine directly to the Internet, or port-forward directly to one from the edge device.
Second, has anyone heard of an exploit for this that involves a prior uncovered exploit - basically you get some malware that "phones home" to an SSH server and opens a reverse tunnel back to the local RDP server? It seems to me that this would be one way they would do it.
There are applications (XServers) for windows that will allow you to do the X11 over SSH just fine.. sorry to burst your bubble...
Although they might get gummed up by the new ribbon interface in the menus. "Dammit, where did that button go?"
If this were Usenet, I'd killfile the lot of you.
Seems to have a lot more dependencies than SSH.
You basically need the admin to set up so many things correctly (so that stuff works) AND at the same time not secure it properly so that you can pwn them.
You can't log into Putty, it's a client not a server. I've used Copssh as an ssh server on a Windows machine. Am I unaware of a way to use PuTTY as a server?
You can definitely tunnel RDP, its built right into Windows and called Terminal Server Gateway. With that you can use client cert validation and tunnel in over SSL. Add some nice middleware and it will even allow you to use hardware password tokens (if you can afford them).
What people seem to be forgetting is that RDP alone is not really a "secure" communications channel for public networks. If you need high security, users should be VPNing into your LAN and then RDPing over that tunnel.
Nuclear war would really set back cable. - Ted Turner
Windows 8: Security through "where the hell did the Start menu go?"
Any insufficiently advanced magic is indistinguishable from technology.
Linux and its applications only dominate ANYWHERE because they're cheap/free
False. Many of us use Linux / UNIX for workloads and tasks that Windows won't run at all, or that run significantly slower using Windows. Scalability, downtime prevention, and consistent operation is unparalleled in the mainframe / mini segment which is *nix territory -- not Windows.
We spend a lot of money annually to keep our Linux systems supported, both from an employee cost as well as support / upgrades from the vendor, so I can assure you we haven't made this choice because it's cheaper software-wise. It's cheaper because we can do more with smaller systems, we have less downtime, and we spend less time tuning and maintaining Linux systems than we did using Windows.
http://www.putty.org/
The page is simple enough, I'll let you figure it out.
Note: I've never used it - yet.
Write boring code, not shiny code!
You don't. You use MMC or some custom vendor console (native and/or web). RDP is really only for special cases.
I'd never have imagined to see a comment like this on Slashdot
You must be kidding, or you must be new, or you must suffer from the Memento syndrom. There are plenty of posts like this one. They're usually from AC, and don't survive in the >-1 universe more than a couple of minutes. Or maybe you were looking after some karma? My post being an easy target, and you expected some recognition from your criticism, like the schoolboy proud to blame another student in front of the teacher, for something the teacher disapproves. Frankly, after a few hours of work, I look back at it and I agree that it may sound plain stupid. Or maybe because some readers took it that literally, I feel sad. My post was funnier than insightful. Or maybe more interesting than funny. Or, even, more informative than interesting. Because I still believe what I said, not meaning any flamebait or whatever. I have been a long time, and still am, in the computers business, and I meet, interview and work with IT people in different companies, various countries. I see how they behave. I see how they perform, and take a guess on how they will perform. There is a difference between the staff used to Windows and the staff used to Unix (same position). I'm not saying one is more clever than this other. Certainly not. I just believe that the Linux/Unix staff - I mean in companies, not the student at home - is usually more opened to different systems (including Windows) than the Windows staff. That "openess" allow them to find solutions either in engineering or in development faster and usually better. This is actually a general rule. The more you see/travel/visit/meet/eat/read/learn, the more likely you are to find interesting alternatives to a given "idea/problem". A neural network needs a lot of various information to be performant. Some Unix people go work on Windows, and they produce a valuable output. But the majority of the Windows staff has never worked on a Unix based OS. My post was establishing the base for that: Windows people are usually less keen to work on Unix, than Unix people on Windows. Yes, some Unix geeks are reluctant to work on Windows. But they could. Many of the Windows staff cannot (or don't want to) stand in front of a console, or have to deal with the network interfaces file, or the iptables. Why deal with iptables when a GUI does it for you? Right. Agreed. And the GUI is less likely to make a mistake (iptables is pretty complex after all). But someones who makes the effort of understanding iptables will stand better in front of other technical problems. This is merely an observation. You can take that the positive side: Windows people prefer a clean and nicely made GUI.
Slashdot, fix the reply notifications... You won't get away with it...
Nothing stops you from using Windows Remote Management to do exactly the same thing with Windows.
Windows applications may support a subset of remote management, but unfortunately there is often the case that one needs a desktop application to fully configure an app. On Linux the default is text file configs modifiable via CLI, whereas Windows' applications _expect_ you to have a GUI. Until that expectation changes, RDP will be the most powerful remote management available on Windows.
Now that your screed is over, would you care to address the actual statement you replied to; that Windows has the same security functions Linux does?
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
I thought the page would be simple enough that you could figure it out...
The SSHD program listed on that page is NOT related to the PuTTY project, it's managed by BitVise and has a $100/license cost associated with it for non-personal use.
So, PuTTY is still not a server.
Anyone who cares about security, would use vnc over SSH, and properly configure SSH as well.
Shut up, you sweat from a baboon's balls.
No, that's not how it works. Instead, the place where the Start button used to be serves as a kind of honeypot - the attacker reflectively clicks there within the first few seconds after entering the system, and then spends the rest of the session trying to figure out how to get out of Metro. ~
The subject has become somewhat of a catchphrase in my org.
The hidden subtext is that "None of this" would include the Internet, our business, or my paycheck.
--Joe
You are correct, my bad. Two other SSH servers for windows (that appear to be free) :
http://mobassh.mobatek.net/ - never heard of it
http://sshwindows.sourceforge.net/ - Based on Cygwin but doesn't require a full blown cygwin install.
Write boring code, not shiny code!
Crack is a hell of a drug.
> Linux and its applications only dominate ANYWHERE because they're cheap/free.
No. The vast majority of companies I've worked with paid for Red Hat and nearly all of them also paid for MySQL. Red Hat and Oracle have been around a long time. They wouldn't have if, as you claim, people didn't pay for their products.
Absolutely a flamebait (and modded as such). Why the fuck are you posting? You have nothing valuable to add, and no one gives a shit about your stupid Linux system.
The bitcoin incident wasn't related to a vulnerability in SSH, some root account at Linode had its credentials leaked. SSH was simply the protocol used by hackers to authenticate with genuine credentials.
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
X over SSH is in fact easier to secure. It's obviously not easy to the point of never having to apply patches again, but it improves on RDP in a significant, nontrivial way: the GUI is decoupled from the network-facing service. The resulting small network-facing service is easier to audit and secure against attacks. It's important to appreciate the benefits provided by the Unix philosophy of one separate small program for each task.
So what if the users are less competent, doesn't make the software any worse just cos its used by less competent people.
RDP can optionally make the client's local drives and printers accessible on the server. This is quite convenient if you need a local copy of a file (that's too large to e-mail), or a printed report while on the road.
I think you've confirmed my argument - you could do all your stuff using Windows (except for software that has NO Windows equivalent) , but it would cost a truckload more $$$
They sentenced me to twenty years of boredom
Is this sarcastic or is this somehow really supposed to be reassuring?
I was aiming for +5, Funny - with a faint smell of insight-fulness while masquerading as informative
I think, I did rather well?
If my comment didn't sound as good in your head as it did in mine, then I guess we all know who's to blame
Yeah, I'm sure those supercomputer geeks are a bunch of incompetent tightwads incapable of understanding the Windows ROI. What would the physics nerds at CERN know about math?
Help stamp out iliturcy.
Or winsshd, which is free for personal use. Their Tunnelier client is is always free and sets up a forwarded port and lets you rdp to the server you're connected to with a click.
Depends on the app. Exchange administration, for example, is PowerShell first. Anything the UI does is built on top of PowerShell cmdlets that can be called manually, and some settings don't even have UI.
Of course, there are a good many apps that are UI first, as well.
WTF does SSH vs. GUI have to do with security? If anything, once exploited SSH would be less secure, because its easier to inject commands into a command prompt than it is to automate a GUI.
This: I've spent all damn day doing roughly the following procedure for each of my Windows clients: /detectnow' and click OK.
* Connect into the client's WSUS server, enter username and password, get to desktop
* For Windows 2003, go to start, admin tools, WSUS
* Click the link for security updates and approve all, then click the link for important updates and approve all
* If they have multiple sites, repeat the first two steps for each site and then click the 'sync now' link
* Wait while the WSUS server(s) download the updates
* Once updates have downloaded, connect in to each internet accessible server that has RDP enabled and enter the username and password
* If it's a 2003 server: go to Start and click run. Type in 'wuauclt
* If it's a 2008 server: click the Start orb, search for 'Update', wait while it searches, click 'Windows Update', click 'check now'
* Wait for a few minutes for the Windows Update client to sync updates
* Click 'install' or whatever to start the install process
* Wait forever
* Reboot
* Wait longer
* Reconnect to all the servers, manually comb through the event logs to find out what failed.
Contrast that with my ability to patch my ~75 linux boxen during the SSH fiasco:
* cssh -c file_containing_my_list_of_servers
* Type 'apt-get update && apt-get dist-upgrade && logout' and hit enter
* Wait a few moments while updates are downloaded and installed using a single command
* Look at any terminal windows that remain open as the && logout won't run if there were errors
* Done
(If there's a kernel update or something, && logout can be replaced with && shutdown -r now)
I can easily spend all day updating and patching 50 Windows servers. I spend about 10 minutes in the morning patching 75 Linux boxes while the coffee brews.
And yes, I know there are all sorts of programs I can *buy* that make patching Windows easier--but try convincing people they need to pay more money for something in this economy. cssh is free.
I'm sure Microsoft will fix this soon by adding the incredibly-easy-to-remember powershell command: Windows-Updates -DownloadListNowFromMicrosoft -AlsoInstallThemUpdates -GetListOfServersFromLDAP -IMeanLDAPWithProprietaryExtensions -NoWaitIMeanActiveDirectory -YesIAmAuthorizedToAgreeToAllTheLicensesWithoutLookingAtThem -PleaseRebootTheServersWhenDone | ReportOnUpdatedServers -OutputToDOCX report.docx -YesIPaidForAnOfficeSuite -MaybeEmbedSomeActiveXStuffForOldTimesSake
There's no place like
Anyone who cares about security, would use vnc over SSH, and properly configure SSH as well.
In case anyone's wondering, here's how you 'properly' configure SSH: apt-get install openssh-server
Done.
There's no place like
http://www.putty.org/
The page is simple enough, I'll let you figure it out.
Note: I've never used it - yet.
I'd double-check that URL. The official site is and has always been: http://www.chiark.greenend.org.uk/~sgtatham/putty/
There's no place like
Many distros enable password login by default. If posible, this should be disabled as well.