I Heart... Windows?!
During a recent infosec-industry beers-and-shoptalk shindig one of the regulars questioned my standard assertion that given 20 mins, I'd be able to escalate privilege to root on any production UNIX box.
"They're making us roll out Active Directory," he whined, looking for sympathy from a fellow UNIXnerd. But the sad, awful truth is this: Windows infrastructure is actually usable -- and perhaps even securable -- in the enterprise.
It's interesting and so true. People decry Windows systems in a production environment due to the perceived poor security. The fact is that in most corporates the Windows environment is the most patched and up to date of any system. Applications running on Linux/Unix tend to be more important to the business (HR, ERP, Finance etc.) and as such, downtime is not an option, which means that these systems are infrequently patched and updated. I mean, who in their right mind wants to update a kernel or patch to find that the SAP system that the business has spent millions on suddenly decides to stop working? Seems illogical, but that's how the sysadmins and the business think, as once you've spent the big $$ on a business-critical system, you don't want it to go down.
Not that I'm advocating Windows by a long shot, but in a well set up environment where you control the desktop and server OS via a management platform and utilise Group Policy properly and control your application security, then you are a long way towards securing the OS layer. Now, just rid yourself of those poorly coded pesky web applications and you'll be sweet.
Of course for every decent Windows setup, there's probably 10 others that are as open as anything and you can just walk on in.
For a decent NOS that provides a very high level of security and granular controls from a central directory, get Netware. Pity it's on its deathbed....
Heh... I still only use Windows for gaming.
To qualify that though, I have no experience with enterprise installs of any OS.

The first exposure to multiuser systems I had was with a CDC mainframe running touch screen green screen terminals (PLATO). It got kinda interesting on the 300 baud modem on Dad's PC from home (Mb sized hard drive, wow) playing MUDs with uni-students. My mum was the sysadmin and I was in primary school :) At uni I got more back into "real systems" after a dalliance with Commodore 64 games programming in high school. A touch of AIX on RS/6000 workstations, a touch of A/UX whilst flogging Macs as a summer job. Then installing Slackware from 1.44Mb floppies and dual-booting it with MS-DOS 6.22 and Windows 3.11. More SunOS then Solaris, then entry level Sun boxen E250s, 280Rs, with serious internet bizness etc.
I remember the pager, the endless calls from the one blue-screening NT4 webserver I got stuck with while the rest of the Sun boxes I admined (rather ordinarily) kept on keeping on.
One thing I don't envy Windows admins is getting endless approvals from app owners to bounce boxes so that patches take. Some UNIX platforms now save you from that fate.
Sun and Microsoft platforms now have security configuration toolkits and templates (AD Group Policy templates, Solaris Security Toolkit/JASS) to help with the simple secure configuration stuff. Yet still there is no easy way to deploy "proper" file system ACLs for applications/databases etc.