As much of a flame magnet as this post may be, I'd actually like to commend MS for their security efforts on Windows XP. If you don't know how to update your system, who cares, XP bugs you by default to install updates. If you don't click on "OK" when it tells you to patch security holes, who's to blame? MS can't push it, or there'd be yet another lawsuit. If you're not clued enough to understand the concept of passwords in networking security, they've put in a very simple fix, which disallows any user to be used to connect to an SMB share if it has a blank password. Quite a leap from Windows 2000 which doesn't even prompt you for a password to the administrator account it creates.

While none of this would stop a determined hacker who has some reason to get to data on your hard drive or something, it does stop the casual exploit scanner from finding machines with open admin access and easy access to install backdoor services, which is more than I can say for most distros of various Unixes. Most computer manufacturers offer their computers with antivirus which automatically updates. The adware and spyware stuff, well, users install software, not much you can do about it. Couldn't you just see MS not allowing the install of a program on Windows because it's got spyware? That's a PR nightmare.

As another flame magnet statement, I'd just like to point out that linux/freebsd/solaris et al are not designed for the average user to install. The entire lure of linux as a desktop OS is that it's customizable by the user who feels too confined in a "spoon-fed windows environment". Wouldn't shipping a system that has functionality disabled in lieu of security go against this simple principle? If you're such a "computer geek" that you decide you need linux, you'd think you'd do a small bit of reading before jumping into it and installing an insecure machine.
As for systems in a server environment, well, I just can't think of any excuse for a sysadmin who installs insecure servers. If you didn't know, then you shouldn't be installing the OS in a server environment anyway.

Best regards,
Hunter Pine

-----Original Message-----
From: Alex Bligh [mailto:alex@alex.org.uk]
Sent: Monday, December 09, 2002 6:07 AM
To: Sean Donelan; Steven M. Bellovin
Cc: nanog@merit.edu; Alex Bligh
Subject: Re: The magic security CD disc Re: HTTP proxies

--On 08 December 2002 23:16 -0500 Sean Donelan <sean@donelan.com> wrote:
It takes a lot of time to talk individual users through fixing their computers. Especially when they didn't break it. They just plugged the computer in, and didn't spend 4 hours "hardening" it. Most of the time we're not talking about very complex server configurations, with full-time system administrators. The "magic" CD would be for people who don't know they are sharing their computers with the Internet.
How unfortunate that the magic CD you refer to is not the one with "Microsoft Windows" written on the front :-p

Seriously, it is faintly ridiculous that we have operators talking about a magic CD to fix the broken default installations of various operating systems (I include Linux etc. here too). If OS vendors shipped, by default, less broken configs (or at least configs that turned services off - e.g. port 137 - when not required), much, though not all, of this problem would go away. Just like it is (now) considered irresponsible to ship a PABX/Voicemail system with open dialthrough, the same should be true of operating systems. In many such OS's, like it or loathe it, automatic or semiautomatic update mechanisms already exist. This would seem to be a good use to put them to. Perhaps NIPC etc. should start talking to OS vendors.

Concrete example (not to pick on MS for a change) - every time I've installed a Linux machine I spend 10 or 20 minutes rewriting the (kernel) firewall rules for the box to suit the apps I have installed. It's a completely automatable task. Someone unfamiliar with either IP or UNIX would find writing such a script very hard and it would take them much longer. Do mainstream distributions include such an automatically built script by default? Not to my knowledge.

Alex Bligh
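
The following is an added example, not part of the original thread and not any distribution's own script: a sketch of the automation Alex Bligh describes, deriving a default-deny iptables ruleset from the services actually listening on a host. The function names, the `allowed` set and the sample `netstat -tuln` output are assumptions constructed for illustration.

```python
# Constructed sample of `netstat -tuln` output (not taken from a real host).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address   Foreign Address State
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN
tcp        0      0 127.0.0.1:631   0.0.0.0:*       LISTEN
tcp        0      0 0.0.0.0:80      0.0.0.0:*       LISTEN
udp        0      0 127.0.0.1:53    0.0.0.0:*
udp        0      0 0.0.0.0:137     0.0.0.0:*
"""

LOOPBACK = ("127.", "::1")  # listeners bound here are not reachable off-host


def parse_listeners(text):
    """Return sorted (proto, port) pairs for sockets reachable from the network."""
    found = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue  # header or unrelated line
        if fields[0].startswith("tcp") and fields[-1] != "LISTEN":
            continue  # established TCP connections are not services
        addr, _, port = fields[3].rpartition(":")
        if addr.startswith(LOOPBACK) or not port.isdigit():
            continue
        found.add((fields[0][:3], int(port)))
    return sorted(found)


def build_rules(listeners, allowed):
    """Open only approved listeners; report the rest so they can be turned off."""
    rules = [
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    skipped = []
    for proto, port in listeners:
        if (proto, port) in allowed:
            rules.append(f"iptables -A INPUT -p {proto} --dport {port} -j ACCEPT")
        else:
            skipped.append((proto, port))
    # Set the DROP policy last so a remote session is not cut off part-way.
    rules.append("iptables -P INPUT DROP")
    return rules, skipped


if __name__ == "__main__":
    rules, skipped = build_rules(parse_listeners(SAMPLE), {("tcp", 22), ("tcp", 80)})
    print("\n".join(rules))
    print("listening but not opened:", skipped)
```

The script only prints the rules; the `skipped` list (here the port 137 listener) is the set of exposed services an installer would either approve or disable.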