Part of any server's job actually involves accepting some connections. Part of any admin's job is not installing what you don't need, and allowing what you do.
If you read my sig, why do you think this is even worth mentioning? There's no contradiction in pointing the results of tests out, even if there are reasons for every one of them.
Go and install Solaris 10. Use an external machine and run nmap followed by Nessus targeting your new Solaris system. Use the defaults for everything (Solaris, nmap, and Nessus).
Interesting, eh?
Note: If you don't have access to a Nessus server or Linux, you can use almost any machine to run a scan yourself. Here's a simplified version of what to do:
1. Get Knoppix and boot it: http://knoppix.org
2. When the desktop appears, run the Nessus server:
   'Start' (the K in the lower left) -> System (note _DO_NOT_ use the Nessus on this menu yet!) -> Security -> Nessus
3. Wait. This will take a few minutes and you may not see anything. If you want to be sure, come back in 5 minutes.
4. Run the Nessus client:
   K -> System -> Nessus (note _NOT_ the one under the Security menu)
5. The username should be knoppix.
6. The password field should be blank. Enter knoppix for the password.
7. Select the Target tab. Put in the IP address or DNS name of the target machine.
8. Start scanning. Keep in mind that any firewalls or NAT devices between you and the target machine may give back bad results.
I stopped reading after being accused of being a troll. Thanks a lot. Guess what expletive I'm thinking of?
Re:Even modern linux distros need to be sanitized (on Is Your OS Tough Enough?) -- Score: 4, Insightful
Look at all of the software and services running on a modern linux distro - FC3 for example. I have spent a great deal of time shutting off everything I really don't need and erasing piles of useless rpms installed by the distro (it's 2005 - I don't need talk). Any software you don't use or services you do not need are just potential security holes.
While I agree, I was stunned looking at the results of a Nessus scan (default) after completing a default install of Solaris on Sparc (E450). Wow. 9 known security holes and a bunch of services on by default and listening on open ports.
Sure, it's not Windows-bad, though it wasn't what I expected in the latest revision of Solaris (I've used a previous version of SunOS and have installed Solaris 8 & 9 on both x86 and Sparc hardware). Fedora Core does a much better job by default -- though I agree FC3 needs to be purged to make it clean and fully trustworthy.
...but pretty soon Solaris 10 is going to be a big competitor to Linux on laptops, especially the 64-bit AMD ones.
I just installed Solaris 10 on an Enterprise 450 (from scratch not an upgrade) and it's about as barebones and hostile as 9 or 8. The only difference is that Gnome can be chosen for the desktop...though it's not nearly as nice as Fedora let alone Ubuntu. The video also looks horrible.
It's not a clean and simple configuration either. A Nessus scan of the system shows 9 known security holes (not potential warnings) and a bunch of services running that aren't necessary. I'm keeping it off the network till I can lock down the system properly.
Solaris 10 is not a Linux killer. Keep in mind, though, that I have no axe to grind against Solaris. As far as I'm concerned it's unix...just like the *BSDs or the Linux distros. It's not great for a novice admin nor is it good for a regular user. Sun dropped the ball.
The text was nearly all a quote from the linked site.
CMM is often abused. It's also ignored by the group bringing in the consultants that simply want "you guys to fix it". That said, it's good stuff when used as it should be. It's structure instead of chaos...neither good nor bad by itself.
I haven't used PRINCE2, though swap in CMM levels and you're basically at the same place.
I'm a fan of CMM, though it's rarely used properly; either limited to a checkbox on a contract or used in an impractical heavy handed way.
Chalk it up to human nature. I do like the 'kill project or any part of the project that no longer meets the goals' attitude of PRINCE2, though. It would get rid of quite a few bits of deadwood.
I'm just starting to deal with CMMI as it is a requirement for a project I've just started. (AFAICT: It's in the contract specifically to allow the customer (a government agency) a consistent way to oversee multiple contracting companies and other projects they don't directly control.)
IBM was a rat bastard company ready to meet its ultimate demise around 1990. Nobody trusted or liked them...except for the fact that IBM was huge.
Then, early in the 90s the stock crashed to about 1/3 of its 1980s price. And stayed there. That woke the shareholders up who decided that the IBM institution had to be obliterated if anything of the share value could be saved.
Since then, they have gone through multiple reforms. Early on, many of those changes did not improve profits at all. In some ways they became weaker.
Yet...over the last 8 years...I would put IBM in the 'mostly good' category because they decided not to be rat bastards anymore and to do less damage and more good. A side benefit to this change is that they regained stock value and they didn't end up getting sold for the IBM name alone.
Nobody likes a jerk or a bully -- and it doesn't help the bully very long either. Eventually all bullies either lose friends and increase the bullying (and payoffs and threats) or become nice and benefit from the mutual friendship. That's one of the reasons why a dictatorship is efficient only for a small set of goals that the dictator has while being very wasteful for other goals of society.
IBM is like a reformed bully who doesn't want to go back to the old days. There are benefits of not clubbing other kids for lunch money and instead bringing extra gum to share.
The IBM of today does not compete with IBM's customers and is not making plans to grow into IBM's customer's spaces. That's one of the main reasons nobody feels threatened by IBM.
It's amazing how we criticise M$ for not being open and IBM for trying to be open.
There is a substantial difference between the two.
For the most part....
When IBM opens a project they are on the same footing as any other person, group, or corporation. Anyone can either fork or take over the project if IBM drops the ball or attempts to take the project in a direction somebody else does not want.
When Microsoft 'opens' a project, it's in a glass case. You can see it, though you can't touch or can only submit changes back to Microsoft. At best, Microsoft offers truly open parts for a few incomplete projects that are closely tied to other proprietary Microsoft products. They do not provide fully usable and portable projects.
While these statements are generalities, the fact is that there is nothing on the scale of Eclipse coming from Microsoft. Additionally, IBM has stated they aren't going to use the patent club to destroy open projects while Microsoft does not make such assurances and even gives reason to believe they will sue projects that they feel infringe out of existence.
I put Sun in between IBM and Microsoft. The good thing is that Sun is making moves that it wants to out-IBM IBM.
An emulator is "a device that is built to work like another" (says the Google dictionary link). So what's WINE then - it's a software program that isn't Windows, but allows you to run programs that require Windows....sounds a lot like an emulator to me.
Is Windows CE an emulator of Windows 2000 or XP? For that matter, is Windows ME an emulator of Windows 2000 -- or vice versa?
I'll await your answer before bringing out the Cluestick(tm) brand clue stick.:)
Regardless of the calendaring software of choice, a tool continuously syncs calendar data to a server on the internet. This is helpful for work calendars. The sync is two-way so my Lotus Notes or Outlook calendar at work can be maintained from home.
What's wrong with the ical protocol? I subscribe to a couple calendars, allowing me to see national holidays as well as the current release schedules for a few projects. If I published my personal or work calendar, others could subscribe to one or both.
Your app needs to support it, though that's not a problem for Mozilla or Sunbird for all platforms. For Linux/BSD/... use Evolution or KOrganizer. OSX has multiple apps including the iCal app itself. Windows has Windates and EventSherpa.
Why am I not hearing about Lotus Notes on linux? Did something change while my back was turned?
Another answer: Notes was a big deal before web apps. Now, there's no reason to deploy a single application that is intended to do it all.
Keep in mind, while this is not the only reason, if one app needs to be upgraded on the backend, if it's a stand-alone tool making a mistake with it won't take down the whole company. (Insert remark about doing proper planning and testing for any upgrades.)
There was no unusual port to be found via the portscanner-- the Arkeia client was listening on a documented port and since it was installed intentionally, this open port would be considered normal.
The fact that a port was open would be enough to investigate what it was, why it was open, and if the service was properly secured. Anyone who stops and says "OH, it's just the backup software" should not be an admin.
The Nessus security scanner only looks for known vulnerabilities and again would not have helped here.
I don't rely on tools to do my job for me, though the three I mentioned would have given any admin that uses them a heads up that they need to pay attention.
It's very frustrating when you find previously unknown and undocumented features in software that you have purchased.
Well, for this situation finding a potential problem is easy: Port scan, security scanner. Two things that you should be doing on every network enabled device.
The time consuming part comes with the follow up where you check the results of the scans on the local machines and determine if you trust that the exposed services are being handled by secure apps. If in doubt, use an encrypted tunnel or yank the service -- whatever is appropriate. (If neither is an option, determine the danger and try and deal with it as best you can.)
Along with that, setting up a filter to check for supposedly unused ports can catch some clever developers.
Not perfect (it doesn't handle piggybacked dynamic connections on port 80 for example), though it is a good initial test.
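One way to implement the "filter to check for supposedly unused ports" idea from the comments above, as an added example that is not part of the original thread: a small Python audit that parses nmap grepable (-oG) output and compares each host's open ports against a per-host allow-list of approved listeners. The scan text, host names, ports, service labels and the baseline are all constructed for illustration.

```python
"""Audit a port scan against a per-host baseline of approved listening ports.

Added example (not from the original thread). Reads nmap "grepable" (-oG)
output and reports, per host: open ports that are not in the baseline,
baseline ports that are not open, and scanned hosts the baseline does not
know about. The scan text below is a constructed sample, not a real scan.
"""
import re
from dataclasses import dataclass

# Constructed sample of nmap -oG output. Hosts, ports and service labels are
# illustrative only. Each port entry is port/state/proto/owner/service/rpc/version.
SAMPLE_SCAN = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 (sol10.example.test)\tPorts: 22/open/tcp//ssh///, "
    "111/open/tcp//rpcbind///, 617/open/tcp//arkeia///, 6000/open/tcp//X11///"
    "\tIgnored State: closed (1656)\n"
    "Host: 192.0.2.20 (web.example.test)\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 443/closed/tcp//https///\n"
    "Host: 192.0.2.30 ()\tPorts: 23/open/tcp//telnet///\n"
)

# Hypothetical baseline an admin maintains: approved listening ports per host.
BASELINE = {
    "192.0.2.10": {22},
    "192.0.2.20": {22, 80, 443},
}

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+([^\t]*)")


def parse_grepable(text):
    """Return {host: [(port, state, proto, service), ...]} from -oG lines."""
    scan = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comment lines and hosts without a Ports: field
        host, ports_field = m.group(1), m.group(2)
        entries = []
        for item in ports_field.split(","):
            fields = item.strip().split("/")
            if len(fields) < 5 or not fields[0].isdigit():
                continue  # malformed entry: skip it rather than abort the audit
            entries.append((int(fields[0]), fields[1], fields[2], fields[4]))
        scan[host] = entries
    return scan


@dataclass
class HostFinding:
    host: str
    unexpected: list    # (port, proto, service) open but not in the baseline
    missing: list       # baseline ports that were not seen open
    unknown_host: bool  # scanned host absent from the baseline entirely


def audit(scan, baseline):
    """Compare parsed scan results against the baseline, host by host."""
    findings = []
    for host, entries in sorted(scan.items()):
        open_ports = {(p, proto, svc) for p, state, proto, svc in entries
                      if state == "open"}
        expected = baseline.get(host)
        if expected is None:
            # A host nobody approved is a finding in itself, whatever it runs.
            findings.append(HostFinding(host, sorted(open_ports), [], True))
            continue
        unexpected = sorted(e for e in open_ports if e[0] not in expected)
        missing = sorted(expected - {e[0] for e in open_ports})
        findings.append(HostFinding(host, unexpected, missing, False))
    return findings


def report(findings):
    """Render findings as plain lines, e.g. for a nightly cron mail."""
    lines = []
    for f in findings:
        if f.unknown_host:
            lines.append(f"{f.host}: NOT IN BASELINE, open: "
                         + ", ".join(f"{p}/{pr} ({s})" for p, pr, s in f.unexpected))
            continue
        for p, pr, s in f.unexpected:
            lines.append(f"{f.host}: unexpected {p}/{pr} ({s}) - investigate")
        for p in f.missing:
            lines.append(f"{f.host}: baseline port {p} not open - down or filtered?")
    return lines


if __name__ == "__main__":
    for line in report(audit(parse_grepable(SAMPLE_SCAN), BASELINE)):
        print(line)
```

A port that is in the baseline still needs the follow-up described above (is the service behind it actually secure?), and, as the comment notes, a membership check like this says nothing about traffic carried over an approved port such as 80.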
The sites mentioned in the article (you did RTFA didn't you?) were hit and miss for creating a pop-up in Firefox and Mozilla, but none of them popped-up in Konqueror (Konqueror 3.3.2)
Drudge Report -- www.drudgereport.com -- was able to force popups in Konq 3.2.2 for me. Haven't tried 3.3.2. Annoying...though the only reason I went there was to see if it could force a popup.
I'm not religious, though I'm fascinated by the steadfast certainty with which folks who are talk about what the religion they practice means to them. (For simplicity, I'll state things as absolutes...though I don't think that anything below is absolutely correct. FWIW.)
Here's a bit of an explanation. It's a bit chaotic, so please forgive me. See if it fits what you've discovered on your own. Either way, food for thought...
Here's what I figured out (see the explanation below for more): religious beliefs are based on conscience.
No big deal, right? Let that soak in for a moment. It gets much more complex. If you've studied anthropology, much of this will make sense fairly quickly. If not, you might need to come back to it later. It took me ~15 years on and off after college to figure out this stuff!
To most people, having a soul is roughly the same as having a conscience; soulless people have no conscience. Souls come from God/god, thus they are part of God/god;
God = soul = conscience
So, if someone is kind, they have a soul since kindness is a trait of people who are aware of others and have sympathy for them; people who have a conscience... and kind people must believe in God/god since souls come from God/god... even if they aren't religious or know what this god is.
If the person is religious and acts like a real rat bastard, they may be justified and allowed because they are religious and thus have a soul and a conscience as a manifestation of God/god. It doesn't matter if this doesn't make any sense in real life... because... the tribe forgives or at a minimum absolves the bastard for defects in character. If they can't, they throw the bum out of the group and consider that they are 'lost'; no soul or conscience.
That's the reason why telling someone that you don't follow what they believe god-wise will get one of a couple reactions; disbelief (if they like you) or anger/fear. Atheists tend to get this the most since they flat out don't consider God/god credible.
If you state any of these things, you've just told religious people that you have no conscience, have no soul, and aren't from God! Sprout antennas if you want...it wouldn't get you any stranger treatment!
(Corollary: If you are well outside of the person's group and religious group you are more likely to be tolerated (or pitied), unlike groups that have a very very close similarity. Part of the reason is that ignorance is acceptable, while informed defiance is not.)
Any discussion of religious practice and morals/actions is wrapped up in the person's view of themselves and of those around them. The deity never contradicts these two; what the person thinks is right or the group the person associates themselves with thinks is right almost always matches how they would describe what God follows. If they hate fags, so does God!
Talking about details is entirely beside the point. Academics and serious researchers get wrapped up in these and lose focus on how people behave and talk when they describe God/god.
People almost never talk about details when referring to religious issues. The stories are constructs to hang ideas on; that the stories can be traced to other religions or communities doesn't matter. They need a structure to hang morals on. Good or not, it's handy to have those stories.
Consider this to be a form of tribalism. Note that I am not slamming religious people as backward thick foreheaded cavemen. Even to this day, everyone is in a tribe (or two). They just don't refer to the groups as a tribe or if they do they joke about it. These tribes are not radically different from the small tribes that are vanishing in all corners of the world except that they travel around more.
Thanks. I hammered it out after a couple gripe sessions with friends; I'll mention you like it when we have a beer sometime in the next week or so. (About 1-2 people a month comment positively on it. Every few months someone argues with me over it because they don't quite get it!)
But can you turn off what you don't need in Windows?
Almost. Microsoft is unfortunately an oddity in this case, so the rule breaks down with them.
While it is a bad design that you can't turn off everything that can be abused in Windows, in some cases what you can disable is specific to the version of Windows (ex: 'Simplified Sharing' can be disabled in XP Pro but not (easily?) in XP Home - http://support.microsoft.com/default.aspx?scid=kb;EN-US;307874 ). I can only see that as another unfortunate example of engineering by marketing not by actual need.
In those narrow cases, you do what you have to; firewalls are necessary to work around what I consider to be design defects and Microsoft sees as important assets; after all they keep putting these services and other features in Windows even when it's been shown to be a real world problem.
Still, I'm stunned anyone insists on arguing that adding layers on top of existing systems is a sane way of dealing with security defects -- or other defects -- like these. If there's a way to remove or at a minimum really and truly disable a feature that is a potential attack vector, I'll do it. Windows, Linux, Solaris, HPUX, IOS,... whatever.
In general, the rule works; 'rules are sage advice to the wise and are followed blindly only by fools'. (Though, I wish I were wise more often!)
"... the driver for Linux on the desktop is not cost savings, but easier support."
Isn't this still Cost Savings, when you don't need to hire as many admins?
If the only cost is the # of admins, yes. I'm curious what the other factors are. (I can guess, though I'd like to hear what Cisco says and the article is fairly short.)
OK. Done.
OK.
Erm...that's not even close to my line of reasoning. Go back and read again.
From the Carnegie Mellon CMMI web site;
The CMMI models improve upon the best practices of previous models in many important ways. CMMI best practices enable organizations to do the following:
more explicitly link management and engineering activities to business objectives
expand the scope of and visibility into the product life cycle and engineering activities to ensure that the product or service meets customer expectations
incorporate lessons learned from additional areas of best practice (e.g., measurement, risk management, and supplier management)
implement more robust high-maturity practices
address additional organizational functions critical to its products and services
more fully comply with relevant ISO standards
SCAMPI incorporates the best ideas of several process-improvement appraisal methods. The SCAMPI A method is being used successfully by many organizations. The emerging SCAMPI B and C methods will extend the suite of SCAMPI methods. The method implementation guide for government supplier selection and contract monitoring also builds on SCAMPI in the acquisition arena.
I listen to them on the way to and from work. Podcasts have replaced talk radio for me.
They are quite practical, and skipping over a bad one is simple...unlike over the air radio where there may only be 2 stations worth listening to.
Can't read a transcript and drive at 60mph/100kph...not safely. In either case, don't you have enough to read already when you aren't driving?
There are a couple boot CDs with Asterisk installed on them. Search for them if you are interested.
Not counting Doom 3, what benefits are there to a 256MB card over a 128MB one?
Nessus already looks for issues with Arkeia. What makes you so sure that it wouldn't find this specific issue right now -- and if not now, how about next week?
"how do I quieten down all those cars and busses and trucks?"
Padding. Padding on the walls. Lots and lots of calming and soothing padding.
Just ask the guys in the nice white coats. They'll tell you anything you want to hear.