Slashdot Mirror


User: Allador

Allador's activity in the archive.

Stories: 0 · Comments: 1,614

Comments · 1,614

  1. Re:Better still on Microsoft Employees May Lose Admin Rights · · Score: 1

    Not sure what you mean by this. Outlook is an executable. Executables don't in and of themselves have admin rights. They can be run by a user that has admin rights, or smarter yet, by one that does not have admin rights.

  2. Re:Eat your own dog food on Microsoft Employees May Lose Admin Rights · · Score: 1

    That's not strictly true on the Windows side of your argument.

    A non-priv'd user could install any application into their own home directories, so long as the application does not require the ability to write to the HKLM or system directories.

    But this is an application thing, not an OS thing. There are plenty (though a small minority) of applications that don't need to be installed at all. Just drop the flat of the app anywhere you have write access, and run it from there.

    As an example, I run Eclipse that way in my daily job.

    The problem is that many applications make assumptions about where the app executables belong, or need to register COM objects globally. (This latter part is not strictly necessary anymore, with some changes in XP SP2.)

  3. Re:Eat your own dog food on Microsoft Employees May Lose Admin Rights · · Score: 1

    You don't need any of that stuff on a windows box.

    1. Turn on automatic updates.

    2. Run as a non-privileged user.

    3. Use Opera for your browser (or Firefox if you must), and don't use IE.

    4. Don't turn off the windows firewall, it's fine in its default state for a home user.

    Those four trivial things, and you don't need to worry about any of the stuff you listed. Spyware and Viruses have no effect (for the vast majority of cases) if you're not running as an account with local administrative privileges.

  4. Re:Eat your own dog food on Microsoft Employees May Lose Admin Rights · · Score: 1

    Yes, it's asking for the credentials of an account that has admin privileges, same as for Windows.

  5. Re:"Unusual practice" ... wtf. on Microsoft Employees May Lose Admin Rights · · Score: 1

    Can you be more specific? What you say you've tried doesn't make much sense ... why would you use runas to run an app as the same login you're already using?

    And accessing a specific path as an alternate user?

    c:\>runas.exe /user:lauser cmd.exe

    Now you have a shell running as the lauser account. Or if you want a GUI front end, then:

    c:\>runas.exe /user:lauser "iexplore.exe c:\windows\system32"
    (assuming iexplore.exe is in your path)

    or easier still, just right-click on the Internet Explorer icon and choose RunAs. Enter your local admin user & pass, and you're good to go.

    How exactly are things failing for you?

  6. Re:Exchange Server on Why Email is a Bad Collaboration Tool · · Score: 1

    Exchange is reasonable as a mail server, and particularly for laptop users using Outlook 2003, you have one of the best online/offline/webmail combinations out there. Very compelling for laptop users who are mobile often.

    However, there is a lot of movement against using Exchange as a document management or general purpose storage engine (ie, Public Folders).

    The preferred setup is to use Sharepoint in combination with Exchange and Office 2003. And to be honest, Sharepoint does a pretty good job at this, allowing deeply delegated administration, WYSIWYG editing of pages, plus you can write custom web parts to run on top of it if you're so inclined.

    And sharepoint is included with Windows 2003 Server, so you can just run it on the same machine as running your OWA for Exchange, and it won't cost you anything extra.

    If you're willing to deploy the full MS stack it's pretty compelling, and the integration amongst the parts is very nice.

    There are also plenty of very reasonably priced consultants that will come in and do a one-time setup of Exchange plus Sharepoint, so that it's well configured from the start. And at that point, the products are all very reliable, and pretty much just require the occasional patching (which windows will do for you if you want it to) and backups.

    If your boss is committed to Exchange, and you aren't religiously against an MS stack, take a look at Sharepoint in addition to Exchange.

  7. Re:Somehow, I don't think you are average on How Vista Disappoints · · Score: 1

    You should look at the Focus Follows Mouse options in TweakUI (part of power toys) on XP.

    You can turn the whole option on or off, and it allows you to turn 'raise on focus' on or off as you choose, and also to set the delay time for the focus to whatever you want.

    As you say, Raise On Focus is terrible ... and most people will want to increase the delay on the Focus Follows Mouse otherwise just moving your mouse across the screen will unexpectedly light a bunch of windows you're passing. But it's a simple checkbox to turn this off on Windows.

    I've tried the various virtual desktop systems for Windows, but the thing that always was a dealbreaker was that all of them I've ever tried randomly re-order the apps in my start bar. This is totally unacceptable. I want things in the order on my start bar that I want them, so I don't have to hunt for what I want, it's always in the same place (for those times when I'm in mousing mode).

  8. Re:Mr. Thurrott forgives Microsoft on How Vista Disappoints · · Score: 1

    Oh yes, and the easiest way of all is just to spin off a new shell process (explorer.exe or iexplore.exe, depending how you have your machine configured) with runas under the admin process. Then type Control Panel in the address bar, or navigate there using the folder view, and drill down into Printers, and delete the printer.

    So there you go, 3 different ways to do what you want, 2 command line, and one via the gui.

  9. Re:Mr. Thurrott forgives Microsoft on How Vista Disappoints · · Score: 1

    Well, let's see.

    A 10-second google search returns:

    http://www.google.com/search?hl=en&lr=&client=opera&rls=en&q=delete+OR+remove+%22local+printer%22+windows+commandline+OR+%22command+line%22&btnG=Search

    So you can use the same DLL that the GUI calls behind the scenes:
    http://support.microsoft.com/kb/q189105/

    Or you can use the built-in prnmngr.vbs that ships with xp:
    http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/prnmngr.mspx?mfr=true

    (and don't forget about prnmngr.vbs' siblings: prnport.vbs and prndrvr.vbs for managing printer ports and printer drivers, respectively)

    Or if you really like WMI programming, pick the language of your choice and manage them directly via WMI.

    Combine either of these (plus I'm sure there are others that I don't know about) with either RunAs.exe or RaiseMyRights, depending on whether you need the removal to be done globally or for that non-priv'd profile.

  10. Re:Yet Another Band-Aid? on Microsoft Bypasses HOSTS File · · Score: 1

    No, it does not.

    At worst, it requires you to create a separate account for that person which is in the local administrators group. That way it's auditable, and you can keep logs of who used their la account when.

    Or, if you want people to have non-admin accounts, and still get new software, then you have an IT staff to install them using their admin accounts.

  11. Re:Permissions? on Microsoft Bypasses HOSTS File · · Score: 1

    The hosts file does not live in userland. The hosts file is read-only to everyone who isn't part of the Administrator group.

  12. Re:Permissions? on Microsoft Bypasses HOSTS File · · Score: 1

    It is read-only by default.

    Only users who belong to the Administrators group can modify that file.

    Where people get burned is by running as a local admin for their day to day work, which is dangerous and silly.

  13. Re:It's an Application Problem on Alternatives to Citrix Remote Computing? · · Score: 1

    Can you support this assertion with any tangible evidence?

    Windows has had Terminal Services support in the kernel since NT4 Terminal Services, and the ability to do a unix style command line shell for an arbitrary number of simultaneous remote users since 3.5.

    NT has always, since day one, had process isolation, proper file system ACLs (something many Unix based systems still don't have). NT doesn't distinguish between local and remote consoles, allows both at the same time. And NT can be run fully headless, without even having a screen, mouse & keyboard attached.

    Now Microsoft _does_ place some non-technical restrictions on the number of simultaneous users. But that's not a technical limitation of the system, that's just a business decision about how to tier their products.

    Can you give a specific example or argument to support your assertion?

  14. Re:More recommended reading on A Stark Warning On Climate Change · · Score: 1

    The problem with this argument is that it assumes that without humans, the climate would never change. It makes the assumption that where we were 50 years ago is 'perfect'.

    Even if humans had never arrived on this planet, you'd still see periodic major shifts in the climate.

    So, even assuming that human activities have a measurable effect on the climate, and assuming it's possible/reasonable to completely eliminate CO2 and the like, you won't stop the climate from changing.

    Humanity will adapt, thrive and prosper regardless of things like this.

  15. Re:Slight Problem With Gas Tax on Americans Gearing up to Fight Global Warming · · Score: 1

    12 homes per acre?? That's insanity.

    Here in the US we'd call that high-density housing and it's only where you're stuck if you can't afford any better.

    Human beings were not designed to be packed together like sardines, they don't function well. At 12+ houses per acre, the houses are so close together that you can stand in one place and touch two houses at the same time. It means if you raise your voice or burp loudly your neighbor can hear it.

    That's not a civilized way to live.

    A good middle-class (possibly towards the upper end of middle class) home is 2500 square-feet on 1 acre. Standard dense tract housing is 4+ homes on an acre.

    And I really don't get the wasteland comment. Just because the human density is low doesn't mean it's an unpleasant part of the country. In fact, the more lush and beautiful the land is in your area, the more of it you'd want to have for your own and separate you from your neighbor.

  16. Re:There's a lot of potential on Americans Gearing up to Fight Global Warming · · Score: 1

    "The problem is that people don't think logically about cars. Look at the advertising. It's about sex and machismo. Auto makers spend billions of dollars every year on pressing your buttons to make you want, desire and need to prove yourself by driving a big, fast, expensive car."

    Garbage.

    I drive a new Dodge Ram (half-ton) quad-cab w/ a 5.7L Hemi. (As an interesting bit of trivia, it's one of the more efficient engines out there of its size, achieving 1hp per cubic inch).

    It gets 10mpg in the city, 14-20mpg on the highway, depending how fast I drive (50-55mph = 20mpg, 75-80mph = 14mpg).

    Also, since it's a new car with a modern engine, it puts out very low emissions.

    I chose that vehicle for pure logic:

    1. It's big inside. I have plenty of room for both my arms and my legs aren't constricted.

    2. It's tall. I can see over all the people driving their tiny-cars.

    3. It's powerful. A vehicle with a lot of power makes me happy. It brings me pleasure and happiness. It also has utility, as it makes it trivial to pull my trailer & quads behind it (or whatever I want to pull, up to the limits of a half-ton).

    4. It's 6000 lbs of steel. This means in many accidents, I'm maximizing the likelihood of me and mine getting out alive. In fact, I've had several people rear-end me, and while it tends to destroy the front-end of their cars, the combined rear-ends is barely detectable on my rear bumper and hitch. :)

    5. It's 4WD. Kind of hard to use your Prius to take your quads up into the mountain, or go mud-bogging in the river after a rain.

    6. It makes me happy. I enjoy driving it, and purchasing some simple pleasures is one of the reasons why I work hard and make money.

    The problem I have with comments like yours is that it's really not logic you're talking about, it's values. Just because I have different values than yours, it doesn't mean that mine are illogical.

    Different people value different things. Just because some of you see vehicles as pure utilitarian transportation, doesn't mean everyone views them that way. I value pleasure and power and utility in my life (which is different than yours). Trying to centrally plan what is in everyone's 'best interest' based on a very limited viewpoint will only hurt everyone in the long run.

  17. Re:No Duh on Analysis of .NET Use in Longhorn and Vista · · Score: 1

    You should read your own links.

    The first one is MSDN AA (Academic Alliance), and has absolutely nothing to do with this discussion. Unless you're a college/university, or a student receiving MS software through the MSDN AA program, then this has absolutely nothing to do with this discussion.

    The second one in no way stops you from publishing benchmarks, they just require full disclosure, so that it is reproducible.

  18. Re:Not reall that funny on Windows Wireless Networking Flaw Identified · · Score: 1

    Well, let's see.

    Probably the easiest way to avoid having Internet Connection Sharing on is to not turn it on in the first place.

    ICS is not on by default, so you've turned it on, and now you're complaining that it's turned on?

    Go to Control Panel -> Network Connections, and right click on your wireless link, and choose Properties.

    Click on the advanced tab, and then uncheck 'allow other network users to connect through this computer's internet connection'.

    Note that you have to do this through a local admin account, you won't see the Advanced tab at all from your regular unpriv'd account.

  19. Re:Riiiiiight... on Windows Wireless Networking Flaw Identified · · Score: 1

    Windows allows no remote access to an account that has a blank password, so this user/pass combo gives you absolutely nothing.

    Windows Firewall considers all wifi interfaces to be untrusted by default.

    As I said, this gives you absolutely nothing more than some other guy sitting at Starbucks who is also connected to T-Mobile. That guy is also on the same subnet, and using the same SSID, and therefore the same local access to the person's computer.

    But it still doesn't give you any special access to the system.

    And for corporate machines, where the real value is, they're going to have strong passwords enforced by GP, going to have good firewall rules setup, and will be using a certificate-based VPN to talk to the corporate network.

    Again I ask, where is the vulnerability? This is not an obscure issue, this is a non-issue.

  20. Re:Riiiiiight... on Windows Wireless Networking Flaw Identified · · Score: 1

    And how exactly do they 'connect to your machine and install vbscript'??

    Just being on the same subnet doesn't give you the Magical-Auto-Granting-Of-Local-Admin-Username-And-Password (TM).

    The only way this would work is if there was no firewall on the machine, or the firewall considered the APIPA subnet a trusted network. Then the person would have to have an easily guessable local admin user/pass combo. Then the attackee would have to leave their wifi on for long enough for this to happen when there is no signal.

    Where exactly is the security concern in this?

  21. Re:and besides... on Microsoft to Storm Linux Strongholds · · Score: 1

    Sounds like I may have mis-interpreted some of your original post then, as I didn't see the reference to Type at all.

    I think what I'm trying to argue against is the assumption that just because administration is different on windows, that it's necessarily worse.

    There's a completely different philosophical approach to administration on windows. The assumption is that if you want to do anything more than just push buttons on the GUI, that you're writing a full fledged script/program. There's no real middle ground, like there is on Unix (ie, shell scripting).

    Part of this I'm sure is that for Windows, there's much, much less of settings stored in text files. You have the registry, text files, other types of binary files, etc. And because of this, you very often have to interact with a subsystem through a COM object provided by the subsystem creators. That would be harder to do with pure command line tools, outside of a scripting environment.

    This is offset somewhat in my opinion, by the fact that system administration in windows is so blazingly simple, if you have any sort of background in programming at all. Even if you don't, as long as you have some minimal ability to learn it, you're okay, because there is an endless amount of sample scripts and 'problems solved' by other people on the web, many of them hosted on MS websites.

    And once you've done some windows scripting for administration, the learning you have on one subsystem tends to carry over to all the others. So it's the same pattern, style, and methodology no matter where you go. Whether it's SQL Server, Exchange, AD, Desktops, etc etc etc, it's all the same, and all of your scripts can re-use the same libraries, and work the same.

    Just because it's a different style and philosophy from Unix doesn't mean it's worse, it just means it's different. Some things are worse, some things are better.

    Most of the better in Unix revolves not around the shell scripting abilities or atomic tools, but rather the fact that just about everything is stored in a record-oriented text file.

    I'd say that much (but not all) of what you can do in a single-line on a unix shell (ie, using pipes and redirects), you can also do in Windows, more or less. But the tools are less polished, they're less well known, and there's much less of a culture around them. So practices revolving around these dont often flow from senior admins to junior ones.

    Put a very experienced, very competent windows sysadmin with a scripting for administration background on a Unix machine for the first time, and in many ways it's going to feel primitive and painful, just like you felt.

    Anyway, overall, I'd agree that in many ways, Unix administration is simpler ... but there's not much of a step up in complexity and difficulty from unix shell scripting to wsh scripting on windows, and the power in the latter on the windows platform is unlimited. There's really not much you can't do, and even the really hard stuff isn't all that terribly hard.

    My opinions anyway.

  22. Re:and besides... on Microsoft to Storm Linux Strongholds · · Score: 1

    What you describe is exactly what happens in a windows shop with competent admins.

    Anyone who does all (or most) of their administration via the gui is not, almost by definition, very competent.

    You write scripts to do the work you need to do, and then run the scripts against every server in the domain (or whatever subset you need).

    You over time build up a script library of all the little point solutions you've come up with, and often you end up re-using these across different problems.

    And since it's all just windows, compatibility is a sure thing, and your scripts are portable across time and systems and domains.

    And you can do this without ever installing Cygwin or SFU.

    This is one of the problems with unix admins making judgements from insufficient information. Just because you don't do automated, scripted, and remote administration on windows the same exact way as on Unix, doesn't mean that you have to do everything in the GUI.

    Windows is extensively, intimately, and pervasively manageable via scripts. It's just a different style of scripting than what you would do with a bash shell. Some of it's a bit less elegant, since everything is not 'a file', but it's quite powerful.

    Since windows 2000, there isn't really (that I've ever been aware of at least) anything you can't do via scripting.

    In fact, a good measure of a windows sysadmin's competency is how much of their job they can do from their couch, at home, in their underwear.

  23. Re:and besides... on Microsoft to Storm Linux Strongholds · · Score: 1

    You're comparing apples to oranges.

    Scripting.FileSystemObject (the COM component you're referring to) is what you use when you need programmatic access to a file and its contents.

    The common use is to read (or write) through a file, one line at a time. If all you need to do is dump the contents of the file, you do:

    type filename

    And if you really need to do it inside a script, then you simply write yourself a function to do this, and stick it in your script library. Then it's done once, and you just re-use it.

    Here, I'll spend 3 minutes and write one now, and then it's done forever, for the times when you need this, but the command-line type command isn't suitable.

    Note that the following procedure is a bit verbose, more than you'd need to, but this is the 'right' way to do it.

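    sub cat(byval filename)

          ' OpenTextFile I/O mode constants (only ForReading is used here)
          const ForReading = 1
          const ForWriting = 2
          const ForAppending = 8

          dim fso, f

          ' Open read-only: do not create the file if missing, read as ASCII
          set fso = wscript.createobject("Scripting.FileSystemObject")
          set f = fso.opentextfile(filename, ForReading, false, false)

          ' ReadAll raises "Input past end of file" on an empty file, so check first
          if not f.atendofstream then wscript.echo f.readall

          ' Release the file handle and the COM objects
          f.close
          set f = nothing
          set fso = nothing

          exit sub

    end sub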

  24. Re:Another? on Microsoft to Storm Linux Strongholds · · Score: 1

    Depends what kind of clustering you're talking about.

    Windows server supports three kinds of clustering currently, and HPC/Compute-Clustering is in the works.

    An Overview of Windows Clustering:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/clustering/winclstt.mspx

    What's New in Windows Clustering:
    http://www.microsoft.com/windowsserver2003/evaluation/overview/technologies/clustering.mspx

    The simplest kind is called NLB (Network Load Balancing), which is used heavily to make easy web farms. It's a shared-nothing approach, where all the machines participating have a deterministic algorithm to decide which machine will respond, without communicating about it.

    There's also Component Load Balancing, which you can think of as a mid-tier application-services level clustering. It's mostly used where you have a mid-tier set of COM+ serviced components, and you want to 'scale-out' that mid-tier.

    Then there's what MS calls 'Server Clusters', which is what many people think of when the word clustering is used. This can be active/active, active/passive, or N+1. This is what you normally see when people talk about clustering a SQL server, or Exchange Server.

    HPC (High Performance Computing) or Compute Clusters are a fourth kind of thing. This is often used to divide and conquer on very large research problems, or rendering farms (to make Shrek, for example). MS has traditionally not had anything in this space.

    This fourth item is what TFA is talking about, the first three have been in windows for many years.

  25. Re:That's an interesting usage of "security". on Banks to Use 2-factor Authentication by End of 2006 · · Score: 1

    For at least the smartcard+PIN, you're not understanding how the technology works.

    The PIN does you no good whatsoever without the card (more exactly, without the crypto and unique IDs on the chip), just like the card does you no good without the PIN.

    Collecting PINs is utterly useless, and doesn't get you squat.

    The RSA SecurID fobs (and similar from other companies) are effectively as strong, albeit by a different technique.

    So even if you do a successful MITM attack, all you can do is use the response from the bank's challenge that the user sends. This will only work for one web session, and is not ever replayable.

    Even this can be mitigated by things like requiring additional challenge/responses ... one for login, and one for any outbound transactions.
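
The replay argument in the comment above, as an added Python sketch that is not part of the original comment: it shows why a collected PIN or a captured response fails against a fresh challenge, and why a separate challenge for outbound transactions stops a login response from being reused. HMAC-SHA256 with a key shared between card and bank stands in for the card's on-chip crypto (an assumption; the comment does not say which scheme the card uses), and the `Card` and `Bank` classes, the PIN and the purpose labels are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def _mac(key, purpose, challenge):
    # The response covers a purpose label and the bank's one-time challenge.
    return hmac.new(key, purpose.encode() + b"|" + challenge, hashlib.sha256).digest()


class Card:
    """Constructed stand-in for a smartcard; the key never leaves this object."""

    def __init__(self, key, pin):
        self._key, self._pin = key, pin

    def respond(self, pin, challenge, purpose):
        # The PIN only unlocks the card; it is not an input to the response.
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN")
        return _mac(self._key, purpose, challenge)


class Bank:
    def __init__(self, keys):
        self._keys = keys   # card_id -> key provisioned at issuance
        self._pending = {}  # outstanding challenge -> (card_id, purpose)

    def challenge(self, card_id, purpose):
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = (card_id, purpose)
        return nonce

    def verify(self, challenge, response):
        # pop() retires the challenge, so each one can be answered only once.
        entry = self._pending.pop(challenge, None)
        if entry is None:
            return False
        card_id, purpose = entry
        return hmac.compare_digest(_mac(self._keys[card_id], purpose, challenge), response)


def demo():
    key = secrets.token_bytes(32)
    bank, card, out = Bank({"card-1": key}), Card(key, "4921"), {}  # constructed PIN

    c1 = bank.challenge("card-1", "login")
    r1 = card.respond("4921", c1, "login")  # the value a MITM could capture
    out["login"] = bank.verify(c1, r1)
    out["replay_same_challenge"] = bank.verify(c1, r1)
    out["replay_new_session"] = bank.verify(bank.challenge("card-1", "login"), r1)

    # PIN known, card absent: there is no key to compute a response with.
    c2 = bank.challenge("card-1", "login")
    out["pin_without_card"] = bank.verify(c2, _mac(secrets.token_bytes(32), "login", c2))

    # Card present, PIN unknown: the card refuses to answer.
    try:
        card.respond("0000", bank.challenge("card-1", "login"), "login")
        out["card_without_pin"] = True
    except PermissionError:
        out["card_without_pin"] = False

    # Separate challenge for an outbound transfer: a login response cannot authorise it.
    transfer = "transfer|ACCT-EXAMPLE|100.00"  # constructed transaction label
    c3 = bank.challenge("card-1", transfer)
    out["login_response_for_transfer"] = bank.verify(c3, card.respond("4921", c3, "login"))
    c4 = bank.challenge("card-1", transfer)
    out["transfer"] = bank.verify(c4, card.respond("4921", c4, transfer))
    return out


if __name__ == "__main__":
    print(demo())
```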