99% of all Windows users run as admin. 100% of all Windows server administrators log in with an admin level account and do lots of things as admin that they should not.
So yes, it is way WAY easier to get someone to click on something evil and have it run instantly than...
WTF are you talking about? What fantasy world are you living in? When I log onto a server I am doing it to perform a specific task. I know my servers like I know the back of my hand. If some random box pops up asking me to run some code I'm going to tell it NO and then break out some tools to figure out where the hell it came from and what it is doing on my server. In over ten years of taking care of networks for small and medium sized businesses, I have only ever seen one SERVER box owned, ever. It was in 2003, it was an NT4 box (fully patched, hahahahaaaa, like that meant anything) and AGAINST MY RECOMMENDATIONS, the client installed a wireless router and failed to secure it properly (because they had the in-house, part time computer know-it-all do it instead of paying me). The box blue screened, I brought it up, saw all sorts of stuff that shouldn't have been there, told the client "I told you so," and then sold them a new Windows 2003 server (they needed to upgrade anyway).
It just makes me so mad, and makes me rant like this every time I read some jack hole on /. spreading FUD about Windows boxes getting owned all over the place. Boxes get owned because admins are failing to do their jobs properly. If you understand computer security, you know that nothing is 100% secure. You stay on top of the trends, you put safeguards in place, and you establish procedures to mitigate downtime. Because no matter what OS you are running, you will have downtime. I think that when you STEP INTO REALITY, you will find that the time required to do a bare metal restore on a Windows box isn't all that significantly different from the time required to do the same thing to a Linux box.
Just for discussion's sake, how many attacks on Windows boxes are really "remote" exploits then? Last I checked they either count on having one of the core networking ports exposed to the internet (137, 139, etc.), or they require the client to visit a site that then executes code in their browser.
I think that it's pretty safe to say that no matter what OS you are running, the days of truly remote exploits on properly secured boxes are more or less past.
Like I said earlier today in another thread, the biggest threat to network security is the internal users. Those are the folks who are going to be elevating their privileges and causing havoc. Unfortunately these days, it is more likely than ever because of the easy availability of exploit information on the internet. Anyone with any sort of inclination to hack a box can spend an hour on Google and get a pretty good understanding of how to run a few scripts to own something. The fact that OSX is now on the list of boxes being exploited goes to show that computers are inherently insecure and it doesn't matter what the host OS is. In fact now that Macs are running Intel chips, every hacker who can write x86 ASM code is having a field day.
Mostly because most of our problems aren't foreign invasion, they are inside jobs, mistakes, etc.
I completely agree with this one. The threat posed to a network from outside sources is insignificant to the threat posed by pissed off employees who have already been given access. Unless the company has had some meetings and strategy sessions where the IT people get together with everyone else to explain the risks and develop strategies to mitigate them, there will be holes. All it takes is an engineer with a flash drive or a CD burner to move some data to a competitor.
A lot of things could be done, but unfortunately the reality of the situation 95% of the time is that IT staffs are so overburdened that they don't have time to activate all of the nifty little, wouldn't-it-be-cool features that are out there. Sure you could implement a managed switch, but then every time a NIC fails, or a workstation fails, you need to go reprogram the switch. It becomes just another thing to do on a task list that is already too long to begin with.
I'm not super knowledgeable in the area of man in the middle attacks, but I'm pretty sure that he could just unplug the copier, plug in his laptop, and then spoof the MAC address on the copier. From there he just poisons the ARP cache on the switch and voila, snifferic pwnz0rz.
The trend I see supports this. Anyone who is serious about doing virtualization is using VMWare to virtualize Windows, and sometimes Linux hosts. The hot-failover and SAN connectivity offered by VMWare is light years ahead of Windows. In fact, my boss who writes for Windows IT Pro caught some flak from his editor after his editor caught some flak about a virtualization article that my boss wrote. My boss basically put it out there that the Microsoft virtualization offering is way behind VMWare and has some catching up to do. Microsoft didn't like that, so someone else re-wrote the article to make it more Microsoft friendly.
Very true. I've been playing AA since 1.3 and the learning curve on the game is pretty steep. Until you learn the maps and get an idea of where the bad guys are shooting at you from, it seems an awful lot like the other guys are "cheating" because they kill you so quickly... usually before you can get a good idea of where they are.
These are the threads that I enjoy the most on /., and they are the threads that keep me from being an asshat. It is great entertainment to watch some smart ass geek try to check somebody, and then get roasted and exposed as a fuck hole. =)
I mainly work with HP Proliant servers and RAID arrays. It seems that out of the typical 4-5 disk RAID5 array, I will typically average about a drive failure per year (per server).
If anything, this is an argument for bringing these projects in-house (a true government project). There is no way it can be said that outsourcing saves money and they couldn't afford to do this in-house - $24 billion buys you a lot of good staff.
Here is the counter argument to that. Keep in mind I'm not sure how government jobs in the UK go. I am only familiar with government jobs here in the state of California, and I've been told that Federal (United States) jobs are very similar. In order to be hired by the government, there needs to be a position there for you. Creating a position involves a lot of bureaucracy because once a position is created, it is pretty much there forever. The government isn't set up to hire a whole slew of contract workers and then let them go. Sure, they contract out all of the time, but those contractors aren't on the payroll.
Assuming that the government could create all of those positions, what do all of those people do when the job is done? Surely people who are competent enough to create something as massive as a big brother style medical records database are going to be bored stiff when the project is done. Once the project is done it won't take anywhere nearly as many people to maintain it as it took to develop it.
The government pretty much HAS TO contract the work out because there isn't a Department of All Things to do with Computers. Without such a department to keep everyone busy what you would end up with is a whole slew of people who worked on one project and who are now sitting around playing solitaire and reading /. on the taxpayers' money.
Sure they do. Most non-profits have a development department. Those development department employees usually have what is akin to customer (donor) information. They need that information to be secure.
I'd blame internal company employees, to make it both more realistic as well as highlight the complexities of IT security that make it different from facilities management.
That's a very good point. I'm not worried about someone external to the company breaking into my network. With all of the firewalls, IDSes, multiple levels of anti-virus scanning and web filtering taking place, the odds of malicious code getting in are pretty slim. My biggest concern is the recently fired employee, or the better-than-thou Mac user in the design department who would love nothing more than to see the network crumble. Those are the people, the ones who are trusted with the keys (logon accounts in this case), that we need to worry about.
You're on the opposite side of the equation from me. I have 10+ years of real world IT experience but no degree or certifications so no one wants to hire me, despite the fact that I have demonstrated proficiencies in the field.
I think your definition of qualified might be different from mine, because in my experience there is definitely not a surplus of qualified people out there.
I second this. It is hard as hell to find anyone competent with REAL WORLD EXPERIENCE for less than $75,000 a year. There are plenty of guys out there who you can pay $50,000 and throw into the breach, but as soon as they have to recover a corrupt Exchange message store or bring up a crashed domain controller, they're going to end up causing more problems than they fix. And forget about it if they have to troubleshoot anything outside of the server (like a switch or firewall).
Forgive me as I've only ever worked with "real" Windows domains and I'm ignorant in regards to SBS. Does SBS even allow a second DC?
SBS is a complete nightmare if you're used to dealing with the real deal. We picked up a client who had the Geek Squad from Best Buy come in and set up a server for them. Of course they used SBS. All of the administrative tools are different. The layout of AD is different. The whole product just sucks big, smelly donkey nuts. We scrapped SBS and set up Server 2003.
I second this. My first job in IT was in 1996 on a Novell 3.12 network with NT 4.0 workstation on about 50 desktops. Since then I have transferred to consulting and some of our clients are running 500+ machine networks with dozens of servers and multiple sites. There are tools to get the job done, but the Microsoft tools are not always the right ones. For example, I wouldn't use RIS. Use Ghost instead. Definitely figure out Group Policy because it will help you enforce standards across the enterprise. Get an anti-virus suite that has good management tools. I'm familiar with Symantec Enterprise AV (currently at version 10.1), but I'd at least take a look at NOD32 and see if that will get the job done. Another one that might suit your needs is TrendMicro. You're going to want to use something like WSUS (at the minimum) to manage your security patches and critical updates. If you can afford SMS, go for it. Like the parent said, get an MSDN subscription. That way you'll always have the fresh no-day evil empire warez to play with.
Probably one of your biggest challenges is going to be dealing with backing up and ensuring the integrity of that much data. You might start looking to SANs, or at least tape arrays. We like to use Veritas Backup Exec, and most of our clients end up with arrays of HP Ultrium drives. You might need to start delving into performance tuning some of your servers. On a smaller network you can connect 50 users up to a server and not really think twice about it. Once you start getting into enterprise applications like Exchange and SQL, you'll find that you need to keep a closer eye on things, especially if you have multi-site, multi-server deployments... although life is a lot better these days than it was with Exchange 5.5 (shudder).
You're going to want to get a good firewall at your office, and for your clients. A firewall that will support a 50 user network won't necessarily support 200+ users. This probably goes without saying, but set up remote access. Get a solid VPN connection up and running. Make sure all of the desktops and servers can be connected to with RDP, VNC or some similar client.
I don't want to know how you do it, that seems trivial. I want to know how you afford it.
Around here GPRS/EDGE data costs $60 for a measly 25 MB. That'd be good for about what, 30 songs at 56kbps maybe?
Where are you living? Who is your carrier? I get unlimited data with Verizon for something like $50 a month.
So lemme get this straight. On a computer with Internet Connection SHARING (ICS) enabled, another host that has been trusted by the original host can screw with that host? Show me a real threat. You know, one that doesn't require me to explicitly give you access to my computer, or my internet connection. Are computers that just have ICS turned on vulnerable, or does the exploit only happen when launched from a computer that is already configured via ICS to share the connection of another computer?
And in other (non)news, a man unlocked his security door, invited a stranger into his home, and then that stranger mugged him.
I think it's right around the time you naturally figure out that you really don't need any of the crap that they're selling that the sellers decide that they don't need to market to you anymore. Kind of funny how that works, huh? =)
It seems to me that the more time passes, the less I understand around here. Funny how that happens.
Have you noticed that too? Do you ever feel like "the powers that be" only choose to "inform" a particular age bracket about what "cool" is and after a while, you realize you aren't getting those messages anymore? =)
US magazines can have very different standards for reviews and often print what the manufacturers give them to print rather than writing the copy themselves.
It is very true. The most blatant example of it that I see is in the automotive performance market segment. Most of the "product reviews" read just like the marketing materials for the product.
You fuck her right and sleep at her place until she makes enough to pay rent for both of you. =)
+1 for Go. It is almost video game related... how many board games are there where mentioning the name of a videogame system is part of playing? =)
They want their technology back.
LoL. I wish I had mod points because that's just funny.
Lots of luck streaming anything continuously over a mobile "broadband" connection. I've noticed that packet loss and dropped connections are the norm.