Firewall Wizards mailing list archives
Re: Win 2000 any better?
From: "REID FOX" <reidfox () direct ca>
Date: Mon, 8 Nov 1999 02:07:06 -0800
most attacks are based on operating system bugs. Microsoft does not just release a product and hope for the best (well sort of) without betatests and even after that they have people working on it full time looking for bugs, holes, vulnerabilities.. they even have live update which automaticaly notifies you when there is a critical update available (if your online) of course with such a huge operating system which tries to accomodate other applications in it's registry (some of whom try to take more control than they were intended to have) you are going to have bugs. does anyone think that Microsoft has not kept up with fixing vulnerabilities? are there for example numerous vulnerabilities in an up to date properly configured NT system that are being exploited as we speak? are NT users just sitting ducks? If they are Im sure Microsoft technical service would be interested in what these vulnerabilities are. Microsoft has done a lot for compatability in pc's. Remember Dos 6.22? every app had its own clutch on memory, Dma, I/O etc. talk about nightmare! every single program had it,s own interface to figure out. Now we have Winapps which has actually brought the average houshold to the computer era. Of course theres lots of bugs, Microsoft has been gradually fading dos applications out because "Buggy Windows" couldn't police all these "Buggy Dos programs" now we have hundreds of "Buggy Winapps" but a least there is one standard for windows programs ( at least theres supposed to be). Microsoft has led the way in many areas, did you ever look at the list of drivers supported by windows right from the box? And now people cry because win 2000 doesnt work with certain hardware, Microsoft is saying "hey we have passed MMX PII etc now we are into PIII , USB , etc. tell me, does a programmer writing windows apps care what irq the USB is on ? Does he care what kind of sound card or video card you have? Does he care what kind or how much ram ? what kind of processor? what kind of printer? Meanwhile the person will know how to use his program because it will have a familiar interface , an install/uninstall wizard, it will use the taskbar and act like a windows app should (hopfully). and plug and play too for example, can Microsoft help it if a modem insists on having irq 5? (traditionaly reserved for sound) or if every video card and game decides it wants to exploit the memory block that should be reserved for cga? Or if an ethernet card insists on irq 9? (the bridge between upper and lower irq's) many of these bugs are the fault of the applications rather than windows. (did you see the first version of corel8? or hear about Noton utilities 3 which trunctuated your registry for you) a lot of this is not NT but it will be Win2000. I guess Microsoft figures NT system is ready for plug and play. this will bring a new level to the average user ( web servers) I just wonder from a vulnerability point of view given all these variables Microsoft is dealing with, have they kept up the pace with bug fixes or are they sadly lacking? REID
I'd just like to point out a couple of things regarding security here... 1. Win2000 might have more nifty security policies and editors in place, but that does not constitute security in and of itself.
True.
2. Most attacks that we see today have NOTHING to do with setting object-based security in operating systems.
Really? I don't know, because no one's really keeping track.
3. Most attacks today are based on BUGS in the operating systems and applications.
No; most vulnerabilities are based on bugs. Most attacks are based on poor configuration.
4. The average programmer goofs up (causes a bug) on average in 1-3 places per 1000 lines of code.
Sounds about right.
5. Win2000 introduces some 15 million (more? little less?) lines of new code.
I'd say more than that. But it'll take time to find the holes (and people will be looking from before day one; even a big lumbering giant like MS can learn) and then, what you are left with are holes which can be exploited only if mistakes are made in the implementation. If you need it to be better then that, your going to have to go with custom built unix or linux kernel, adding only the services you need.
6. Go figure what's secure or not until it's been running for a while and a couploe of one hundred new bugs have been found and corrected.
The hundred new bugs will have a minimal impact (in terms of actual exploits) when compared with good old user misconfiguration. Of course, identifying the best practices for Win2k isn't going to be as easy, but that's a different issue; you had best believe ports 135-139 (I've never trusted 138; its choice in company is questionable) is staying blocked at my router and monitored behind it.
Phil Cox wrote:On Mon, 1 Nov 1999, REID FOX wrote:I am getting ready to set up a small LAN w/www access I needcompatabilityand price for an Internet cafe so I decided to start with NT Has anyone had any experience with WIN2000? Is it any better/worse/same as NT for security issues?Pure Win2K is much tighter than a corresponding WinNT net,BUT as with allWindows systems, you mess up just a little bit, and your toast :) I have been running it for a while. Phil-- Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50 Mobile: +46-(0)70-248 00 33 WWW: http://www.enternet.se E-mail: mikael.olsson () enternet se
Current thread:
- Re: Win 2000 any better? REID FOX (Nov 01)
- Re: Win 2000 any better? David LeBlanc (Nov 06)
- <Possible follow-ups>
- Re: Win 2000 any better? Mikael Olsson (Nov 05)
- Re: Win 2000 any better? Gene C. (Nov 06)
- RE: Win 2000 any better? Henry Sieff (Nov 07)
- RE: Win 2000 any better? Russ (Nov 07)
- Re: Win 2000 any better? REID FOX (Nov 08)