First of all, I think you should just look at keeping the existing system and just improving it. Changeover cost in hardware/software is going to be high, even if it's free software. Here's what I'd do to try to stay with Windows 2k or XP (throw this all out if you're on 98/ME and get a real OS!):
1. Antivirus
First of all, why no antivirus? Any reasonable Win2k/XP system should be able to run one. If you want something with very low CPU impact, try Eset's Nod32. Also exclude the directory that the DVR uses to write the videos from virus checks. The videos are unlikely to get infected, and virus checking on those directories will just muck things up. (I'm assuming that this is why you aren't using antivirus.) But everything else then can be protected.
If you have licenses for *any* antivirus product, try it again with the video directories excluded. Any antivirus product worth more than a warm bucket of spit should be able to do that.
2. Disable services.
Disable every unneeded service on these machines. A *lot* of them shouldn't be on. These systems should be doing practically nothing but writing video files (ok maybe some backups, or transferring files to another server for backups). A decent guide to this is here: http://www.theeldergeek.com/services_guide.htm.
3. Consider turning off Windows networking.
Disabling SMB/Netbios calls should stop most viruses/worms/etc. If you need to transfer data for backups and such, use SSH and SFTP instead. SFTP is what you'd use on a Linux/Unix system, and is *much* more secure.
A nice and not too expensive paid SFTP client (Tunnelier) and server (WinSSHD): http://www.bitvise.com/
(And you shouldn't be getting email-borne viruses -- these systems shouldn't be used for email.)
You can also use SSH on this to restrict all kinds of other access as well, while providing VPN-style access. Very, very nice. (e.g. you can only Remote Desktop or VNC through SSH)
4. Block ports and such, and firewall it.
Set up a firewall between these systems and the outside world. Restrict ports to *only* those needed (e.g. SSH on port 22). If possible, restrict outgoing data to *only* those IP addresses that need access. Yeah, IPs can be falsified, but it's an extra layer of defense.
You could do this through a software firewall, or even just some cheap $20 hardware firewall boxes.
(I'd probably do the hardware firewall, but if your cash is tight, or the time/cost of installing all these extra hardware boxes is high, at least deploy a software firewall.)
And decent googling should turn up lots of different hardening guides to Windows as well.
After these you should have antivirus, you're blocking ports, you've disabled almost all virus vectors, and should have systems that are reasonably secure and stable.
Yeah, you have Windows and not sexy or politically correct OSS. But it's what you have. If you can make it work, use it. Fixing up your Windows boxes is probably a lot less time and money than swapping over
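As an added example (not the poster's code, and nothing the thread supplied), here is what steps 2 through 4 above look like as one batch script for a Windows XP SP2/SP3 box using the built-in firewall. Step 1 (antivirus with the video directories excluded) is left out because it is product-specific. Everything else is my assumption: that the listed services are not needed by this particular DVR software, that SSH is served by WinSSHD on TCP 22, and that 192.168.1.10 is the management host (a constructed placeholder).

```batch
@echo off
rem Added example, not the poster's code: steps 2-4 of the advice above applied
rem to a Windows XP SP2/SP3 DVR box with the built-in firewall. Assumptions
rem (none from the post): the service list below is safe to disable on this
rem particular DVR, SSH is served by WinSSHD on TCP 22, and the management
rem host address is a constructed placeholder. Run as an administrator.
setlocal
set "MGMT_IP=192.168.1.10"

rem ---- 2. Disable services the DVR does not need ----
rem "sc config ... start= disabled" (the space after "=" is required) stops
rem the service from starting at boot; "sc stop" ends the running instance.
rem "sc query" first, so services that are not installed are skipped quietly.
for %%S in (Messenger Alerter RemoteRegistry TlntSvr SSDPSRV upnphost WebClient) do (
    sc query %%S >nul 2>&1 && (
        echo Disabling service %%S
        sc config %%S start= disabled >nul
        sc stop %%S >nul 2>&1
    )
)

rem ---- 3. Turn off Windows networking ----
rem Server (lanmanserver) = SMB file/print sharing; Browser = NetBIOS browse
rem lists. With backups going over SFTP, neither is needed. Leave
rem lanmanworkstation alone only if something on the box still has to read a
rem Windows share.
for %%S in (lanmanserver Browser) do (
    sc config %%S start= disabled >nul
    sc stop %%S >nul 2>&1
)

rem ---- 4. Firewall ----
rem Turn the XP firewall on with exception processing enabled, switch off the
rem built-in exceptions, then allow only SSH and only from the management host.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE
netsh firewall set service type=FILEANDPRINT mode=DISABLE
netsh firewall set service type=REMOTEDESKTOP mode=DISABLE
netsh firewall set service type=UPNP mode=DISABLE
netsh firewall set service type=REMOTEADMIN mode=DISABLE
netsh firewall add portopening protocol=TCP port=22 name="SSH (WinSSHD)" mode=ENABLE scope=CUSTOM addresses=%MGMT_IP%

rem The XP firewall filters inbound traffic only; the post's "restrict outgoing
rem data to only the IPs that need it" has to be done on the hardware firewall
rem in front of the box. Show the result so it can be checked before the box
rem goes back on the wire.
netsh firewall show config
endlocal
```

Run it once on a test DVR with the DVR software active and confirm recording still works before pushing it to the rest; if the DVR vendor's software needs one of the disabled services, it will show up there rather than on a production box.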
Avast is a lot more feature-filled than AVG's free version. It has most of the features found in full $30-$40 products like Norton/McAfee Antivirus:
- Avast doesn't insert taglines in Outlook / Outlook Express when checking mail (which AVG does)
- It has Outlook/Exchange and IM support.
- You can have excluded files/directories.
- Updates are automatic/continuous instead of once a day.
- You can configure alerts via various methods (IM, smtp, broadcast, etc.)
And, like AVG, Avast doesn't take a lot of CPU time.
Is it me, or is anybody who doesn't install a basic hardware firewall crazy??? (Or at least foolhardy.)
I've set up DSL and T1s for lots of small companies and friends, and I always install a separate firewall unit. Post-rebate, these things are sometimes $10 or less. (I wouldn't use one of the $10 units for a business, but it works great for Aunt Petunia.)
With a hardware firewall, you don't need to jump onto WindowsUpdate immediately. And you can get to WindowsUpdate and update the system before your system gets compromised.
Sure, your system is still vulnerable to viruses (via email) and spyware (via stupid user clicking and IE vulnerabilities), but you are very unlikely to get rooted or infected for simply existing on the Internet.
(Firewalls can have security holes too, but they usually aren't so gaping.)
And here's another vote for Avast antivirus (www.avast.com). Great program and free (for home use). Better than some pay programs.
The real story underneath this all seems to be that if you want stable, long-term support for your RedHat installations, you will be forced to purchase their new Enterprise products. Support for their SOHO/Community products will be more limited, and versions will be only supported for 12 months or so.
If you *need* the support for your servers, this might not be the worst deal.
But for workstations, this seems to be terrible. $299 for a basic workstation? I can get Win2k Pro for $150 or so with limited support, or I can get Debian (or other various Linux distros) for free. Yes I would get good added support for that $299, but how often do you need that level of support for workstations? Buy an alternative with a longer life cycle (Win2k/XP, Linux, whatever) and buy per-incident support. Workstations are usually not monolithic -- you have a whole forest of them (tens, hundreds, thousands, depending on the size of the organization). The more workstations supported by that organization, the less monetary sense this seems to make.
XP is scheduled to go end of life in 2014. (See http://support.microsoft.com/lifecycle/search/default.aspx?alpha=Windows+XP) Corporate IT is going to have to start upgrading/replacing XP desktops over the next 3 years to Windows 7 (and maybe Windows 8). Win7's first service pack just issued a few weeks ago. So the whole "wait until the first service pack" crowd doesn't have an excuse anymore. (And we'll ignore Vista. It's best to ignore it. Do not speak its name lest ye offend the computing gods.)
And at this point Windows 7 is probably a better OS than XP - although it does require beefier hardware and definitely more RAM.
So, yes, the majority of corporate systems are still on XP. But that is going to change over the next 2-3 years. Corp IT isn't going to have a choice, eventually, if they still want security updates/patches. And any IT department that ignores the lack of patches for XP after 2014 is utterly negligent. So it's time to at least have a grand XP to Win7 upgrade/conversion on your radar, like it or not.
So IE9 (and IE10, etc...) might not be relevant for corp IT right now. But it will be. Don't ignore it.
If you're doing searches on Google that you wouldn't want your government to know about, then you should be taking some counter-measures (proxies, Tor, only using public locations that can't tie to you directly, etc.). Your paranoia on this should be a function of the repressiveness of your local government. So if you're in China, or Egypt, be very careful when you start searching on political issues...
In the USA, not so much as long as your searches aren't involving criminal or terrorist plots. Beck is taking that too far in the USA, despite the very strong ties between Google management and the Obama administration.
And this would apply to *ANY* search engine. Search engine companies can be forced to comply with local laws. Search accordingly. Protect thyself in anonymity when/if needed.
Having a Windows domain controller with centralized authentication is YES going to save your sanity, and your security.
1. Centralized authentication, so you as the IT guy can get on any machine no problem.
2. WSUS -- so you can actually get all your systems updated with MS updates, and keep them updated.
3. Login scripts and Group Policy -- so you can keep your other software updated. (And standardize settings. And make rolling out new computers MUCH faster.)
4. You'll then be able to get centralized/enterprise antivirus as well to keep your system properly safe.
If you have to update your software manually, and have more than 5 or so systems, you will NOT be keeping them up to date.
Yes, this costs more. Yes, this requires more upfront costs, time, effort, and learning.
This will also save your ass if you grow, as workgroups don't scale unless you have lots of cheap IT labor.
And it will save your ass from viruses/malware infecting your network.
In the long run, you'll spend a LOT less time maintaining a network of interconnected machines vs. "island" systems.
And don't host your web server locally unless you have a REALLY good reason. Hosted web sites are cheap commodities. Even if you need specialized software, you're probably better off with a hosted (maybe virtual) server. You're unlikely to have the huge and redundant bandwidth of a hosting provider.
And unless you need Exchange, Google Apps standard is an amazing bargain (free!).
And don't use laptops for users unless they're really needed. Laptops are much more likely to break or get stolen. Users do evil things to laptops. And they're slower and more expensive.
And avoid wireless keyboards/mice... Wired ones just work. Boring, but they work. Wireless ones quit, have dead batteries, and users can never figure out how to reconnect/pair them.
OK, we should untrust CCNIC...
Unfortunately, the ways posted so far are all manual. I'm an IT consultant and manage Windows/Linux networks for multiple companies. I need to be able to untrust CCNIC (and maybe Entrust.net as well...) for all computers on these networks.
Ideally, whatever script, group policy, etc. employed should:
1. check to see if CCNIC is trusted in Firefox, and if so, untrust it
2. check to see if CCNIC is trusted in the OS itself, and if so, untrust it.
And yes, this is a problem apparently on just about all OSes. I really just need a way to do this on Windows XP or greater and Ubuntu, although this problem seems to exist everywhere.
- Matt Borcherding
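As an added example (not the poster's code, and nothing the thread supplied), here is the Windows half of the two checks above as a login-script batch file: it tests whether the CA is in the machine Root store and, if so, moves it to the Untrusted Certificates store, then tests each Firefox profile of the logged-in user and marks the CA prohibited there. Everything specific is my assumption: the CA name string (set to "CNNIC ROOT", which I take to be the CA the post calls CCNIC; confirm the exact string on a test machine), the share path, and that the NSS certutil.exe plus the DLLs it needs have been copied from a Firefox install to that share. The Ubuntu side is not covered.

```batch
@echo off
rem Added example, not the poster's code: distrust one root CA on Windows, in
rem the machine certificate store and in every Firefox profile of the user
rem running this login script. Assumptions, none of which come from the post:
rem  - CA_NAME is the subject/nickname string exactly as the stores show it
rem    (assumed to be the CA the post refers to; check it with
rem    "certutil -store Root" and "certutil.exe -L -d <profile>" first)
rem  - NSS_DIR holds the NSS certutil.exe plus the DLLs it needs (nss3.dll,
rem    nssckbi.dll, ...), copied from a Firefox install to a network share
rem  - the Windows certutil.exe is present: Vista and later ship it, XP needs
rem    the Server 2003 Administration Tools Pack
rem  - Firefox is not running (cert8.db is locked while it is open), which is
rem    normally true at login-script time
setlocal
set "CA_NAME=CNNIC ROOT"
set "NSS_DIR=\\someserver\someshare\nss"

rem ---- 1. OS store ----
rem Simply deleting the root is not durable: root auto-update can restore it.
rem A copy in the "Disallowed" (Untrusted Certificates) store overrides the
rem Root store even if the root comes back, so add it there, then delete it.
certutil -store Root | find /i "%CA_NAME%" >nul
if errorlevel 1 (
    echo OS: "%CA_NAME%" not in the Root store, nothing to do.
) else (
    echo OS: "%CA_NAME%" is trusted, moving it to Untrusted Certificates...
    certutil -store Root "%CA_NAME%" "%TEMP%\distrust-ca.cer" >nul
    certutil -addstore Disallowed "%TEMP%\distrust-ca.cer" >nul
    certutil -delstore Root "%CA_NAME%" >nul
    del "%TEMP%\distrust-ca.cer"
)

rem ---- 2. Firefox profiles of the current user ----
rem A built-in root cannot be deleted from a profile, but a trust override in
rem cert8.db can mark it prohibited. "-t p,p,p" = prohibited for SSL, e-mail
rem and code signing. "-L -n" exits non-zero when the nickname is unknown.
for /d %%P in ("%APPDATA%\Mozilla\Firefox\Profiles\*") do (
    "%NSS_DIR%\certutil.exe" -L -d "%%P" -n "%CA_NAME%" >nul 2>&1
    if errorlevel 1 (
        echo Firefox %%~nxP: "%CA_NAME%" not known, nothing to do.
    ) else (
        echo Firefox %%~nxP: "%CA_NAME%" present, marking it distrusted...
        "%NSS_DIR%\certutil.exe" -M -d "%%P" -n "%CA_NAME%" -t "p,p,p"
    )
)
endlocal
```

The OS-store part needs administrator rights, so on a domain it belongs in a computer startup script (or the equivalent can be done once with a certificate GPO that publishes the cert to Untrusted Certificates); the Firefox part has to run as each user, since profiles live under that user's %APPDATA%.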
Porn (especially kiddie porn), torture videos, etc. (the really nasty stuff) etc. should be blocked in most businesses. If you don't, it's a sexual harassment lawsuit waiting to happen.
Yeah, I don't care that someone is jacking off to gay furry porn (if his office door is closed and locked...). But others might. And they might sue. And have a reasonable chance of success.
Warez sites and P2P networks actually fall into both the security and legal bins. And yes, these should be blocked, too. (These tend to be incredible bandwidth consumers to the detriment of all other users. The sites are often filled with viruses and malware. And your company is opening itself up to copyright infringement suits. Yes, you should block this stuff.)
So my take:
- Block malware and any other SECURITY threats
- Block any LEGAL threats
On the legal threats, you will probably need to talk with management or the company's lawyer to set what should be blocked or not.
Other than that, let them goof off a bit. It's good for morale. People need to vent a bit. (And if they're goofing off too much, reprimand or fire them!)
The list of antiviruses that are totally free for business is pretty slim. Most free antivirus programs are only free for personal usage.
Security Essentials isn't free for business, just home businesses. Sorry. I wish it was totally free. But most free AV isn't supposed to be used by home businesses either, so Microsoft is actually a bit more open than most AV companies. (Imagine that...) Security Essentials' license information here:
http://www.microsoft.com/security_Essentials/eula.aspx#mainNav
"You may install and use any number of copies of the software [MS Security Essentials] on your devices in your household for use by people who reside there or for use in your home-based small business."
ClamWin (which can't do realtime scans), Comodo, and PC Tools are all OK for any use (commercial or personal). Comodo is probably the best of the bunch, but it's very, very complex. It comes with Comodo's firewall -- which is very powerful but arcane. PC Tools' antivirus doesn't automatically update.
http://www.clamwin.com/
http://antivirus.comodo.com/
http://www.pctools.com/free-antivirus/
Spyware Terminator is completely free for any use and can use the ClamWin engine as a realtime antivirus. But I haven't tried it yet. This may be the best current option.
http://www.spywareterminator.com/
http://www.techmalaya.com/2008/05/10/clamav-real-time-scan/
Moon Secure AV is a realtime version of ClamAV, but it was pretty flaky the last time I tried it. Maybe it's better now? (Wikipedia notes that Moon is violating the GPL by not publishing its code. So take that into consideration, too.) If Moon worked well, it would probably be a great choice.
http://www.moonsecure.com/
On the ZIP front, I like IZArc better than 7zip. It's basically 7zip (it uses 7zip's code) with an interface more similar to WinZip. I think this makes it a better WinZip replacement.
http://www.izarc.org/
- Matthew Borcherding
I’ve coded a batch file to remove the Windows Presentation Foundation plugin (along with the accompanying Firefox .NET extension.)
My batch previously just removed the extension, but then I found out about this cruft as well.
This can then be easily added to a login script or such so you can remove it from multiple systems.
You can grab it from my blog here:
http://borchtech.blogspot.com/2009/10/updated-code-on-net-35-network.html
I hope this is useful to others...
And if you're using a Windows system (locked down and using SteadyState or DeepFreeze or something similar), you can then easily print statements and results, save them locally, etc.
You can't do that (well, easily) with a Linux LiveCD.
And yeah, this Windows system isn't useful except for those times you're banking, contacting ADP, or other high-risk online activities. But it doesn't need to be anything high-horsepower. Any 5 or 6 year old used/surplus system you picked up for $100 (or if you're an established business, any of your old systems) can handle this. Add a $20-30 kvm to your main system.
For an individual, this setup is expensive or technically challenging. For a business with at least a semi-decent IT department, it should be easy.
(But I'd still want a *REAL* two-factor password system to make it proper!)
Vista's big problems vs. Win7
1) Drivers. Driver model changed from XP to Vista. Lots of devices at Vista's beginning either didn't have drivers or had buggy/crappy drivers. Win7 uses Vista's driver model, so most Vista drivers will work on it. And since Vista has been "gold" for almost 3 years, drivers exist for most devices made in the last 4-5 years. (Past that, well, still good luck. If a device was really popular or the device/chipset manufacturer is good, maybe you have drivers.)
Note that this may change a LOT if you go from 32-bit to 64-bit. 64-bit drivers may or may not work well on your system. My personal experience was with a Toshiba Satellite laptop. Utterly unstable BSOD city with 64-bit Win7, even with official drivers. Installed 32-bit instead and the system is rock solid stable. I'd rather be running 64-bit, but not if the system becomes unbootable within a day.
2) File copying. For me, pre-SP1 Vista was completely broken just for the file transfer issues. Transferring files to/from my corporate network took 20x (more?) that of XP. Completely unacceptable and a total deal breaker. (And I don't know how or why this critical bug ever escaped beta. Don't people at Microsoft actually transfer files on their networks???)
3) Performance. Vista was significantly slower than XP, and was pushed onto machines that were completely overwhelmed by this. Even more "hefty" systems struggled. The internal memos on this at Microsoft were classic. People bought $2000 laptops that were much slower than their 2 or 3 year old previous laptops. Vista performance stank. And RAM requirements were underplayed. XP runs fine with 512mb - 1gb of RAM (depending on your usage). Vista needs double that, but some of the original Vista systems had only 512mb.
Vista after SP1 (and some more updates) improved quite a bit on its performance. Win7 is faster than Vista as well. OK, it's not as fast as XP. But the gulf between XP and Win7 is nowhere as vast as that between Win XP and Vista back in 2006-2007.
We're also 3 years along with Moore's law. Dual-cores are common. Some even have triple and quad cores. Graphics cards are much better as well. So average system power is much higher and more capable of shouldering additional computing burdens.
So Win7 should run well on most 2007+ systems (except for lower-end netbooks), especially if you up the ram to 2gb. Ram is dirt cheap these days, and almost all systems come with at least 1gb of ram. Even many consumer systems sell with 2gb or 3gb of ram.
I still wouldn't try to use it on anything other than really high-end "workstation" systems from pre-2006 (e.g., got a Dell Precision with dual socket Xeons?).
And if you bought a low-end early non-dual core Vista laptop -- sorry, just downgrade the system to XP. You got screwed.
4) UAC. Yes -- UAC sucks, especially if you need to do any real administration on a Vista system. I set up group policy on my corporate systems so that any administrator accounts had silent elevation, so UAC still ran but silently in the background. For home systems, sometimes I just turned the annoying bugger off.
It's easier to tone it down in Win7. At these levels, it doesn't pop up constantly, and probably is no more annoying than security prompts in OS X or having to sudo everywhere in Linux.
5) The UI.
And yes, I've been using Win7 on my laptop for a month. I'm still not completely happy with some of the UI changes vs. XP. (Vista of course had the same problem. Microsoft broke design conventions that existed since Windows 3.0 or so. Vista made items harder to reach -- requiring 5 clicks instead of 2 or 3. And so forth.) But the UI in Win7 is more polished and less annoying than Vista. I still miss the classic start menu, but I'm missing it less and less. And I couldn't live without the Quick Start bar. It can be somewhat easily faked in Win7. And no, pinning icons to the task bar is not the same -- they take up lots, lots more screen real est
This slashvertisement is awesome in its lameness.
How about a brass knuckles flash drive?
A flash drive with a built in stun gun?
Flash drive derringer?
Flash drive vibrator?
Any of those would "pack a punch."
This is a cute drive, but far from unique...
- Matt
I just added a bit of code to my company's Windows domain login scripts to roll out the fix.
You'll need to download Macrovision's fix from their site here:
http://www.macrovision.com/promolanding/7352.htm
Then extract the ZIP and put it somewhere on a network server where it's publicly accessible.
You could then do the update via login script or GPO or whatever suits your fancy. Probably need admin privs to do this.
You probably also want some code to determine if the system is XP or Server 2003. If it's not, you don't need the update. I use the OS detection routines from here:
http://www.amset.info/loginscripts/os-id.asp
Enough setup, here's my quick and dirty code:
rem
rem Update stupid Macrovision SecureDisc driver, if needed
rem
rem The marker file records that this machine was already patched, so the
rem update runs once per machine instead of on every login
if exist "%windir%\system32\drivers\safedisc-fix-11-09-07.txt" goto safedisc_driver_updated
echo.
echo Fixing Macrovision SecureDisc vulnerability...
echo.
rem
rem replace location here with the proper location for your Macrovision update files
rem
pushd "\\someserver\someshare\macrovision-secdrv-update\"
rem Run the DefaultInstall section of the fix's INF; mode 128 takes the source
rem files from the INF's own directory and does not prompt for a reboot
rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 .\SecDrv.inf
echo Macrovision safedisc driver updated on %date% > "%windir%\system32\drivers\safedisc-fix-11-09-07.txt"
popd
:safedisc_driver_updated
I'm not sure I'd rely *only* on ClamAV for protecting incoming mail on my mail servers. But if you can hook up a way to check incoming mail against multiple AV providers, then definitely throw ClamAV into the mix. It's free and it works...
- Matt
First of all, I think you should just look at keeping the existing system, just improve it. Changeover cost in hardware/software is going to be high, even if it's free software. Here's what I'd do to try to stay with Windows 2k or XP (throw this all out if you're on 98/ME and get a real OS!):
1. Antivirus
First of all, why no antivirus? Any reasonable Win2k/XP system should be able to run one. If you want something with very low cpu impact, try Eset's Nod32. Also exclude the directory that the DVR uses to write the videos from virus checks. The videos are unlikely to get infected, and virus checking on those directories will just muck things up. (I'm assuming that this is why you aren't using antivirus.) But everything else then can be protected.
If you have licenses for *any* antivirus product, try it again with excluding the videos directories. Any antivirus product worth more than a warm bucket of spit should be able to do that.
2. Disable services.
Disable every unneeded service on these machines. A *lot* of them shouldn't be on. These systems should be doing practically nothing but writing video files (ok maybe some backups, or transferring files to another server for backups). A decent guide to this is here: http://www.theeldergeek.com/services_guide.htm.
3. Consider turning off Windows networking.
Disabling SMB/Netbios calls should stop most viruses/worms/etc. If you need to transfer data for backups and such, use SSH and SFTP instead. SFTP is what you'd use on a Linux/Unix system, and is *much* more secure.
Free Win32 SFTP client:
http://winscp.net/eng/index.php
Free Win32 SFTP server:
http://itefix.no/copssh
Nice, and not too expensive pay SFTP client (Tunnelier) and server (WinSSHD):
http://www.bitvise.com/
(And you shouldn't be getting email-borne viruses -- these systems shouldn't be used for email.)
You can also use SSH on this to restrict all kinds of other access as well, while providing VPN-style access. Very, very nice. (e.g. you can only Remote Desktop or VNC through SSH)
4. Block ports and such, and firewall it.
Set up a firewall between these systems and the outside world. Restrict ports to *only* those needed (e.g. SSH on port 22). If possible, restrict outgoing data to *only* those IP addresses that need access. Yeah, IPs can be falsified, but it's an extra layer of defense.
You could do this through a software firewall, or even just some cheap $20 hardware firewall boxes.
The XP firewall is better than nothing, but it's only incoming. Much better incoming/outgoing freebie firewalls are available from these companies:
http://www.wyvernworks.com/firewall.html
http://www.jetico.com/
(I'd probably do the hardware firewall, but if your cash is tight, or the time/cost of installing all these extra hardware boxes is high, at least deploy a software firewall.)
5. Other Windows hardening options
You can also try these two freebie Windows hardening programs. They probably aren't perfect, but they help:
Harden-it: http://www.sniff-em.com/hardenit.shtml
Secure-it: http://www.sniff-em.com/secureit.shtml
And decent googling should turn up lots of different hardening guides to Windows as well.
After these you should have antivirus, you're blocking ports, you've disabled almost all virus vectors, and should have systems that are reasonably secure and stable.
Yeah, you have Windows and not sexy or politically correct OSS. But it's what you have. If you can make it work, use it. Fixing up your Windows boxes is probably a lot less time and money than swapping over
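Added example, not part of the post above: a one-shot batch script (the shell you would actually type this into on an XP SP2 box) that carries out steps 2 through 4 of the procedure above: disable unneeded services, turn off SMB/NetBIOS, and lock the XP firewall down to SSH from a single host. The service short names, the backup/admin host 192.168.1.10, the SSH port and the marker-file name are assumptions for illustration; confirm service names with `sc query` and adjust for your site.

```batch
@echo off
rem Added example, not from the post above: hardening pass for a Windows XP SP2 DVR box
rem following steps 2-4 (disable services, turn off Windows networking, firewall).
rem ASSUMPTIONS: the service short names, the admin/backup host 192.168.1.10 and SSH
rem on TCP/22 are illustrative; check names with "sc query" and adjust for your site.
rem Run once from an administrator command prompt. It writes a marker file so a
rem login script can call it every boot without redoing the work.
setlocal
set MARKER=%windir%\system32\drivers\dvr-hardened.txt
if exist "%MARKER%" goto :done

rem Only meant for XP (kernel 5.1); the "netsh firewall" context below needs SP2.
ver | find "5.1" >nul || (echo Not Windows XP, skipping. & goto :done)

rem ---- Step 2: disable services the DVR never needs ------------------------
for %%S in (Messenger RemoteRegistry TlntSvr SSDPSRV upnphost WebClient Alerter Browser) do (
    sc stop %%S >nul 2>&1
    sc config %%S start= disabled
)

rem ---- Step 3: turn off Windows networking ---------------------------------
rem No SMB in or out: stop the Server and Workstation services...
for %%S in (lanmanserver lanmanworkstation) do (
    sc stop %%S >nul 2>&1
    sc config %%S start= disabled
)
rem ...and disable NetBIOS over TCP/IP on every adapter (NetbiosOptions=2).
rem reg query lists one full key path per adapter; findstr keeps only the Tcpip_ ones.
for /f "delims=" %%K in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" ^| findstr /i "Tcpip_"') do (
    reg add "%%K" /v NetbiosOptions /t REG_DWORD /d 2 /f >nul
)

rem ---- Step 4: firewall (the XP firewall is inbound-only, as the post says) --
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL
rem Close the built-in exceptions, including file and print sharing (137-139/445).
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEDESKTOP mode=DISABLE profile=ALL
netsh firewall set service type=UPNP mode=DISABLE profile=ALL
netsh firewall set icmpsetting type=8 mode=DISABLE
rem Allow SSH only from the admin/backup host; everything else inbound is dropped.
netsh firewall add portopening protocol=TCP port=22 name="SSH (sftp/tunnel)" mode=ENABLE scope=CUSTOM addresses=192.168.1.10 profile=ALL
rem Log dropped packets so you can see what is still knocking on the box.
netsh firewall set logging filelocation="%windir%\pfirewall.log" maxfilesize=4096 droppedpackets=ENABLE

echo DVR hardening applied on %date% > "%MARKER%"
:done
endlocal
```

Two caveats a practitioner will hit: once the Workstation service is disabled the box can no longer read a \\server\share, so ship the SSH server installer and this script over by SFTP (or a USB stick) rather than from a login-script share; and test the NetbiosOptions change on one adapter first, since some DVR vendor software still expects NetBIOS name resolution even when it does not need SMB.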
Anyone figured out how to block or disable the "Search Across Computers" function on a Windows domain?
The best solution (IMHO) would be to block any uploads of data to Google at the firewall level.
The second best solution would be to force disabling this function via a registry key or group policy object.
I did some searching around, and have found nothing on this.
Avast is a lot more feature-filled than AVG's free version. It has most of the features found in full $30-$40 products like Norton/McAfee Antivirus:
- Avast doesn't insert taglines in Outlook / Outlook Express when checking mail (which AVG does)
- It has Outlook/Exchange and IM support.
- You can have excluded files/directories.
- Updates are automatic/continuous instead of once a day.
- You can configure alerts via various methods (IM, smtp, broadcast, etc.)
And, like AVG, Avast doesn't take a lot of CPU time.
I used to use AVG, but I've happily switched.
Great product!
Is it me, or is anybody who doesn't install a basic hardware firewall crazy??? (Or at least foolhardy.)
I've set up DSL and T1s for lots of small companies and friends, and I always install a separate firewall unit. Post-rebate, these things are sometimes $10 or less. (I wouldn't use one of the $10 units for a business, but it works great for Aunt Petunia.)
With a hardware firewall, you don't need to jump onto WindowsUpdate immediately. And you can get to WindowsUpdate and update the system before your system gets compromised.
Sure, your system is still vulnerable to viruses (via email) and spyware (via stupid user clicking and IE vulnerabilities), but you are very unlikely to get rooted or infected for simply existing on the Internet.
(Firewalls can have security holes too, but they usually aren't so gaping.)
And here's another vote for Avast antivirus (www.avast.com). Great program and free (for home use). Better than some pay programs.
The real story underneath this all seems to be that if you want stable, long-term support for your RedHat installations, you will be forced to purchase their new Enterprise products. Support for their SOHO/Community products will be more limited, and versions will be only supported for 12 months or so.
If you *need* the support for your servers, this might not be the worst deal.
But for workstations, this seems to be terrible. $299 for a basic workstation? I can get Win2k Pro for $150 or so with limited support, or I can get Debian (or other various Linux distros) for free. Yes I would get good added support for that $299, but how often do you need that level of support for workstations? Buy an alternative with a longer life cycle (Win2k/XP, Linux, whatever) and buy per-incident support. Workstations are usually not monolithic -- you have a whole forest of them (tens, hundreds, thousands, depending on the size of the organization). The more workstations supported by that organization, the less monetary sense this seems to make.