These aren't default passwords. They are just bad passwords. Haven't we learned that wide open systems with bad passwords are not a good idea? I bet 90% of the exploited systems have blank passwords. Complex password requirements can be enabled.
I see a lot of people talking about the default shares (C$, D$, etc). To use these you need full admin rights. If I have full admin rights I don't need those shares. I could set those shares up myself. They don't get me anything.
It's about time people figured out that blank passwords and the Internet don't go together. Cheap NAT routers are $30 now. Go buy one. Get one for your mom. Get one for your users that work from home.
This, again, isn't a MS problem. Users need to be responsible. I also think ISPs should be blamed as well. NAT routers are cheap enough they should be built in to cable/dsl modems now. They aren't a "real" firewall but they do the job just fine.
To get to that share you need local admin rights. If I have admin rights to the system I could just share them out. They don't give me anything. By the time I get the security I need to exploit them I could just create them.
The remote management tools don't use those shares to do anything.
If I have the Administrator password I can do anything I want...whether the default shares are there or not. I can easily connect to the system and share the drives out myself. The worm could just as easily do that.
XP does not show the user accounts unless you set it up for the family stuff. My XP machines in my domains don't show any user names.
I have a Thinkpad T30 with their 1400x1050 14" screen and LOVE it. It's enough room for two side by side pages or a web browser and a couple of IM windows. It's not real heavy and has been a serious workhorse. It's crashed once in the last 4 months, and that was due to new ATI drivers (that weren't official).
If they don't do it at least protect yourself. Write a risk assessment stating why you recommend it and the risks associated with not doing it. Then get your manager (preferably a VP) to sign it. If something happens later you are covered and have the paperwork to back it up.
Did the XP users at least try the new interface for a while or instantly turn it off? If you give it a test you'll find the XP interface is nice. The changes are fairly minor but do allow you to access things more quickly. Some things do cause a performance hit but you can easily turn them off.
In fact, I've found the XP interface to be pretty granular in control so if you don't like something, just turn it off.
A lot of people don't like new things just because they are different. Sit a new user in front of Win2K and XP and I bet they prefer XP, especially after tweaking it to their work habits.
Hah! I thought I was the only one. I've probably spread that to 3 or 4 other admins too. It's easy to remember to set up on a box for testing, and it's always live so it's a good ping test.
Competition is good. VMWare isn't being destroyed. If they have a better product people will buy it.
Citrix didn't go away. I run Citrix right now because it offers options I want/need that the stripped down Terminal Server does not. Also, Terminal Server isn't free either.
I live right near RTP and love it. I'm in a small suburb with good surroundings. You really get the bigger city advantages with the small town appeal. Plus, it's a very tech savvy area. Raleigh was just shown to be the city with the highest rate of residential broadband acceptance in the country.
If you do BGP you'll need a bigger router. A small router won't do the job. When I was looking BellSouth required at least a 3640 w/ 128MB as the minimum for any BGP customer.
Trying again won't work. The client's DNS server will still cache your old IP info. It won't ask again until the cache times out. You can try and put in a very low cache timeout, but not everyone listens to your cache timeout. I know that from experience.
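The caching behaviour described in this reply, as an added example that is not part of the original post. It models a resolver that serves a cached answer until its TTL expires, plus one that clamps short TTLs upward (the "not everyone listens to your cache timeout" case). The host name, the two addresses (documentation ranges), the TTLs and the injected clock are all constructed for the demo.

```python
# Toy caching resolver (added example, not from the original post). A cached answer is
# served until its TTL expires, and a resolver that enforces its own minimum TTL keeps
# serving the old address even longer, no matter how low the zone's TTL is set.
class CachingResolver:
    def __init__(self, authority, clock, min_ttl=0):
        self.authority = authority   # dict: name -> (ip, ttl); stands in for the zone
        self.clock = clock           # callable returning "now" in seconds (injected for the demo)
        self.min_ttl = min_ttl       # some resolvers clamp short TTLs upward
        self.cache = {}              # name -> (ip, expires_at)

    def resolve(self, name):
        now = self.clock()
        cached = self.cache.get(name)
        if cached is not None and now < cached[1]:
            return cached[0]         # still fresh: the authority is not asked again
        ip, ttl = self.authority[name]
        self.cache[name] = (ip, now + max(ttl, self.min_ttl))
        return ip


def simulate_ip_change():
    """Change the zone's A record after clients have cached it; record what each resolver answers."""
    clock = {"now": 0}
    tick = lambda: clock["now"]
    zone = {"www.example.com": ("192.0.2.10", 300)}       # constructed record, TTL 300 s
    well_behaved = CachingResolver(zone, tick)
    clamping = CachingResolver(zone, tick, min_ttl=3600)   # ignores TTLs below one hour
    results = {}

    results["t0"] = (well_behaved.resolve("www.example.com"), clamping.resolve("www.example.com"))

    # The operator moves the host and updates the zone at t = 10 s ...
    clock["now"] = 10
    zone["www.example.com"] = ("198.51.100.7", 300)

    # ... but "trying again" at t = 60 s still returns the cached old address.
    clock["now"] = 60
    results["t60"] = (well_behaved.resolve("www.example.com"), clamping.resolve("www.example.com"))

    # Once the 300 s TTL has elapsed the well-behaved resolver asks the authority again;
    # the clamping one still trusts its own hour-long entry.
    clock["now"] = 301
    results["t301"] = (well_behaved.resolve("www.example.com"), clamping.resolve("www.example.com"))

    clock["now"] = 3601
    results["t3601"] = (well_behaved.resolve("www.example.com"), clamping.resolve("www.example.com"))
    return results


if __name__ == "__main__":
    for when, answers in simulate_ip_change().items():
        print(when, answers)
```

Lowering the TTL well before a planned address change shortens the stale window for resolvers that honor it, as the well-behaved resolver shows; the clamping resolver shows why keeping the old address reachable (or dual-homing it) for a while after the cutover is still the safer plan.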
What usually goes down on a T1? Normally it's a router module, the smartjack (most often it seems!), or something at the CO. *ALL* of these can be easily remedied with a second T1 with load balancing and failover. Nothing fancy. We do it here with CEF and it works great. Just run each T1 to a separate router module.
What would BGP buy you? Well, if you ran your second T1 to another CO and to another ISP POP it would let you survive an entire CO or POP outage. But, how often do those happen with a good ISP? Almost never. How much would it cost to run that T1 to another CO? A ton.
I've already been down this road and found out that a dual T1 setup with something like CEF takes care of the job, unless you want to spend a fortune.
The cert would only apply to that exact app. Change one bit in the app and it no longer works. They'd just have to make sure the signed app couldn't be used to load other things, like games.
Do the shows you like come on in HD? That's the way to get the answer. Go hit titantv.com and check out the week's HD lineup. It's definitely worth it to me. I don't even have to deal with antennas and such... Time Warner around Raleigh does HD via cable. ABC, CBS, FOX, HBO, ShowTime, and PBS. Not bad at all.
Plus, usually HD sets are higher quality. You get progressive for your DVD and consoles.
ISS' Real Secure Network Sensors support Gb networks. I use their sensor on some slower networks and I've been happy. They have a lot of good signatures....and have started adding a lot more "audit" signatures. The audits let you look for more than just exploits...things like P2P apps, IM (if you want), etc.
We use Cisco VPN. The concentrator is a 3005 and everyone just uses the Cisco VPN Client software. It works great. If you have a need to work from home the company pays your broadband fee. If not, you can pay it.
It's about the simplest solution I could hope for. I rarely ever need to even touch the 3005. For people that can't get broadband we have a dial-in access router with a PRI line.
Check out an IBM X series ThinkPad. It's their ultralite series. Very nice. Many of the current Thinkpads can be ordered with 802.11b on a mini-pci card with integrated antennas.
Network account passwords are stored on the Domain Controller. Those are called Domain Accounts. While the password can be cached locally, if you blank it out you won't get on the network.
The problem is legal liability. If I know my employees download this stuff and don't do anything then the company can be liable. I'm not going to get in trouble and possibly fired so people I manage can warez Britney Spears.
I'd be interested to check some out.
If I have the admin password I can share out anything I want, even remotely...even with those shares. Once you have admin rights all bets are off.
Complex password checking is an included feature. It's easily enabled.
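The complexity checking mentioned here (and in the earlier "Complex password requirements can be enabled" reply), as an added example that is not part of the original posts. It is a simplified, assumed model of the Windows "Password must meet complexity requirements" policy: no account name or 3+ character piece of the display name inside the password, a minimum length, and at least three of five character categories. The `min_length` default and the sample names and passwords are constructed for the demo.

```python
import re

# Assumed, simplified model of the Windows "Password must meet complexity requirements"
# policy (added example, not from the original posts). Windows tokenizes the display name
# on these delimiters and rejects any 3+ character token found in the password.
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def character_categories(password):
    """Return the set of character categories present in the password."""
    cats = set()
    for c in password:
        if c.isascii() and c.isupper():
            cats.add("upper")
        elif c.isascii() and c.islower():
            cats.add("lower")
        elif c.isdigit():
            cats.add("digit")
        elif c.isalpha():          # letters outside A-Z / a-z (e.g. accented)
            cats.add("unicode_alpha")
        elif not c.isalnum():      # punctuation, symbols, whitespace
            cats.add("special")
    return cats


def check_complexity(password, account_name="", display_name="", min_length=8):
    """Return None if the password passes, otherwise the first reason it fails.

    min_length is a separate policy knob in Windows; 8 here is a constructed default.
    """
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    lowered = password.lower()
    if len(account_name) >= 3 and account_name.lower() in lowered:
        return "contains the account name"
    for token in NAME_DELIMITERS.split(display_name):
        if len(token) >= 3 and token.lower() in lowered:
            return f"contains part of the display name ({token!r})"
    cats = character_categories(password)
    if len(cats) < 3:
        return f"only {len(cats)} character categories, need at least 3"
    return None


if __name__ == "__main__":
    # Constructed samples: the blank password and the plain dictionary word both fail.
    samples = [
        ("", "jsmith", "John Smith"),
        ("password", "jsmith", "John Smith"),
        ("Jsmith2024!", "jsmith", "John Smith"),
        ("Smithy123!", "jsmith", "John Smith"),
        ("Tr0ub4dor&3", "jsmith", "John Smith"),
    ]
    for pw, acct, name in samples:
        print(repr(pw), "->", check_complexity(pw, acct, name) or "OK")
```

The blank password the replies keep complaining about fails on length before any other rule is reached, which is exactly why turning the policy on stops that class of exposure; the category rule alone would also reject it, since an empty string has no categories at all.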
Funny....
Just order one. They probably did. When it comes in look at the BIOS.
Some new chips have totally new BIOSes on them. No original MS code. The X2 chip is like this.
It looks like the modchips were illegal because they contain a BIOS. Most chips are shipped without a BIOS, but the Enigmahs are pre-flashed.
A modchip without a bios isn't a usable device.
This isn't just process separation on one OS. It's far more than simple DOS virtual machines. Who doesn't do that now?
They also sell the Thinkpads with Linux.