Firewall Wizards mailing list archives
RE: Win 2000 any better?
From: "Henry Sieff" <hsieff () orthodon com>
Date: Sun, 7 Nov 1999 03:39:49 -0600
-----Original Message----- From: Mikael Olsson [mailto:mikael.olsson () enternet se] Sent: Thursday, November 04, 1999 7:01 AM To: Phil Cox; firewall-wizards () nfr net Subject: Re: Win 2000 any better? I'd just like to point out a couple of things regarding security here... 1. Win2000 might have more nifty security policies and editors in place, but that does not constitute security in and of itself.
True.
2. Most attacks that we see today have NOTHING to do with setting object-based security in operating systems.
Really? I don't know, because no one's really keeping track.
3. Most attacks today are based on BUGS in the operating systems and applications.
No; most vulnerabilities are based on bugs. Most attacks are based on poor configuration.
4. The average programmer goofs up (causes a bug) on average in 1-3 places per 1000 lines of code.
Sounds about right.
5. Win2000 introduces some 15 million (more? little less?) lines of new code.
I'd say more than that. But it'll take time to find the holes (and people will be looking from before day one; even a big lumbering giant like MS can learn) and then, what you are left with are holes which can be exploited only if mistakes are made in the implementation. If you need it to be better then that, your going to have to go with custom built unix or linux kernel, adding only the services you need.
6. Go figure what's secure or not until it's been running for a while and a couploe of one hundred new bugs have been found and corrected.
The hundred new bugs will have a minimal impact (in terms of actual exploits) when compared with good old user misconfiguration. Of course, identifying the best practices for Win2k isn't going to be as easy, but that's a different issue; you had best believe ports 135-139 (I've never trusted 138; its choice in company is questionable) is staying blocked at my router and monitored behind it.
Phil Cox wrote:On Mon, 1 Nov 1999, REID FOX wrote:I am getting ready to set up a small LAN w/www access I needcompatabilityand price for an Internet cafe so I decided to start with NT Has anyone had any experience with WIN2000? Is it any better/worse/same as NT for security issues?Pure Win2K is much tighter than a corresponding WinNT net,BUT as with allWindows systems, you mess up just a little bit, and your toast :) I have been running it for a while. Phil-- Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50 Mobile: +46-(0)70-248 00 33 WWW: http://www.enternet.se E-mail: mikael.olsson () enternet se
Current thread:
- Re: Win 2000 any better? REID FOX (Nov 01)
- Re: Win 2000 any better? David LeBlanc (Nov 06)
- <Possible follow-ups>
- Re: Win 2000 any better? Mikael Olsson (Nov 05)
- Re: Win 2000 any better? Gene C. (Nov 06)
- RE: Win 2000 any better? Henry Sieff (Nov 07)
- RE: Win 2000 any better? Russ (Nov 07)
- Re: Win 2000 any better? REID FOX (Nov 08)