RE: Win 2000 any better?

["Henry Sieff" <hsieff () orthodon com>]

> -----Original Message-----
> From: Mikael Olsson [mailto:mikael.olsson () enternet se]
> Sent: Thursday, November 04, 1999 7:01 AM
> To: Phil Cox; firewall-wizards () nfr net
> Subject: Re: Win 2000 any better?
>
>
>
>
> I'd just like to point out a couple of things regarding security
> here...
>
> 1. Win2000 might have more nifty security policies and
> editors in place,
> but that does not constitute security in and of itself.
True.

> 2. Most attacks that we see today have NOTHING to do with setting
> object-based security in operating systems.

Really? I don't know, because no one's really keeping track.

> 3. Most attacks today are based on BUGS in the operating systems
> and applications.

No; most vulnerabilities are based on bugs. Most attacks are based on poor
configuration.

> 4. The average programmer goofs up (causes a bug) on average in
> 1-3 places per 1000 lines of code.

Sounds about right.

> 5. Win2000 introduces some 15 million (more? little less?) lines
> of new code.

I'd say more than that.
But it'll take time to find the holes (and people will be looking from
before day one; even a big lumbering giant like MS can learn) and then, what
you are left with are holes which can be exploited only if mistakes are made
in the implementation. If you need it to be better then that, your going to
have to go with custom built unix or linux kernel, adding only the services
you need.

> 6. Go figure what's secure or not until it's been running for a while
> and a couploe of one hundred new bugs have been found and corrected.

The hundred new bugs will have a minimal impact (in terms of actual
exploits) when compared with good old user misconfiguration. Of course,
identifying the best practices for Win2k isn't going to be as easy, but
that's a different issue; you had best believe ports 135-139 (I've never
trusted 138; its choice in company is questionable) is staying blocked at my
router and monitored behind it.
> Phil Cox wrote:
> > On Mon, 1 Nov 1999, REID FOX wrote:
> >
> > > I am getting ready to set up a small LAN w/www access I need
> compatability
> > > and price for an Internet cafe so I decided to start with NT
> > > Has anyone had any experience with WIN2000?
> > > Is it any better/worse/same as NT for security issues?
> >
> > Pure Win2K is much tighter than a corresponding WinNT net,
> BUT as with
> all
> > Windows systems, you mess up just a little bit, and your toast :)
> >
> > I have been running it for a while.
> >
> > Phil
>
> --
> Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
> Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
> Mobile: +46-(0)70-248 00 33
> WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se