Firewall Wizards mailing list archives

RE: NT vs Unix on the Internet


From: Russ <Russ.Cooper () rc on ca>
Date: Fri, 8 May 1998 06:33:11 -0400

Unix has 25 years on NT in support, development and real-world
deployment. Because of this, Unix vendors have seen just about
every scenario in which a Unix system can be deployed. As a
result they have (for lack of a better term) "hardened" the
system against that type of attack. Because the world keeps
changing, and the methods used by hackers keep changing, the
security world must also keep changing. (Unix and NT included)

As Aleph One so adeptly stated, the passage of time has done very little
to improve the level of security that gets implemented (note, time has
definitely improved the level of security that "could" get implemented).

People take a lot longer to evolve than operating systems,
unfortunately...;-]

However, as the moderator of the list dedicated to discussing security
exploits and security bugs in Windows NT, and an active participant in
the recent Teardrop2 attacks against Win boxes, I can tell you something
about the current state of affairs wrt NT on the Internet.

The vast majority (say roughly 90%) of all "hacks" of NT that have been
reported have come about as a result of lack of knowledge on the part of
the installer/administrator. Granted, getting the knowledge to prevent
these exploits is not something that comes in the NT Documentation, but
the information is out there.

Theorizing about attack methods against NT is extremely popular today,
as is sensationalizing reports of exploits (read: DISN). The media loves
it, the hackers love it, it's a win-win situation for those two mutually
supporting groups.

This is not to say that NT is secure, or can be made secure, that's not
my point. Debunking a sensational report may have the adverse effect of
leading people to believe it's not a problem. I've been responsible for
some of that, I know.

Some facts about NT:

1. Most known Unix exploits have little effect on native NT systems (e.g.
MS Exchange versus Sendmail).

2. NT has exploit realities/possibilities that do not exist in Unix
(e.g. getadmin, lsa-secrets).

3. The number of people who "know" how to secure an NT box against
"known" exploits is far fewer than their Unix brethren (that's why we
get paid so much...;-])

4. The number of people, proportional to the number of users, who can
*honestly* say they feel comfortable managing the security of an NT box
is far, far lower than those in the Unix field (note: when asked, a lot
more will answer yes even though they don't know because they believe
things aren't an issue that are).

Cheers,
Russ - NTBugtraq/NTSecurity moderator
http://www.ntbugtraq.com/ntbugfaq.asp
