Security: Linux vs Windows, administering Windows over telnet

This report, just out by Nicholas Petreley, takes a good hard look at both OSes from a security standpoint, comparing design characteristics and the way vulnerabilities and the inherent build-up of the OS influence the actual severity of exploits, and how this is measured most effectively.

Though the article is clearly anti-MS biased, I found it an insightful read and will be using its many facts and figures often. I must also say that I agree with every single criticism pointed at MS.

I have, to this day, never touched Linux. But articles like this are really making me enthusiastic to get to know it. But coming from a MS background, the hurdle is gonna be pretty big, and I am not quite prepared yet to really delve into it at this time.

Another thing in the report that got me thinking again was the administrative requirements of Windows. Now I have in fact been thinking about this a lot for the past year or so.

I have a Pentium 3 800 that functions as my server. It's running all kinds of stuff: IIS6 with all kinds of web-based stuff like Sharepoint, some static pages, OWA, SUS, and Gallery running under PHP; SQL Server 2000, Sharepoint Portal Server, DNS for inside and outside. It's my DC running my internal domain, and of course it's a massive file server.

Now I am very, very aware that running all this stuff on the same machine is a security nightmare, and it is. But until I have some money to start to build a serious machine that will do MS Virtual Server or VMware ESX, and build instances on top of that… well, I am gonna have to deal with my current setup.

But anyhow, in order to manage it, I either sit at the console or use RDP (Remote Desktop), which is essentially the same thing. Now I have even used RDP on my Pocket PC over GPRS, which is of course ridiculous considering the bandwidth of GPRS (or the lack thereof), and the screen resolution of my XDA.

A few times I have basically told myself: “Damn it all to hell, I should get my hands on a secure shell program for Windows, and use only command line from here on in!”

WHY on God's green earth would I be so masochistic?!

Well the why is the easiest part:

-It's more secure. By administering Windows only via command line, you restrict yourself to one and only one avenue of access. All you need is that telnet access, and it would be secured and encrypted to boot. By not using the GUI, you don't let yourself use the browser either, or run any office app on your server, or any other app for that matter, except if you really need it! This decreases the area of attack considerably.

-It's less resource intensive. Think of all the resources a single logged-on user on Windows eats up. Go have a look in Terminal Services Manager, it's crazy. Now Windows loads the GUI by default, not much we could do there. At least, I think there are ways out there to deactivate lots of this stuff; you can at least kill explorer.exe. But by not letting yourself log on to the GUI, you prevent all kinds of situations where apps that you are running in your user mode or context could interfere with what the server is supposed to be doing: serving.

-It's informative. By forcing yourself to do this, you will learn a great deal about Windows and how to control it remotely. In the end I believe I will be more efficient in maintaining Windows Server by forcing myself to get down on how to administer it remotely.

-It's damn cool. Command line is cool. Simple as that. You are far more impressive with complicated command line running across your screen. Linux administrators are gods in my eyes.

Can it even be done?

Well, I haven’t really put any serious effort into researching this yet, but I have a fair idea what it would require.

First of all, I would need a deep and thorough knowledge of many, many Windows command line tools and commands. I would also need to include in this everything from all the resource kits, and plenty of third-party tools.

I have in fact had some practice with running in non-admin mode, as I use the cool little makemeadmin.bat that Aaron made, which gives me the admin command line mode. I had to change IP config a lot for my laptop because of the different networks I hook my laptop into, so I delved into netsh for the first practical time, and made a little batch file.

Now Microsoft has since Server 2003 put a far larger emphasis on command line tools. This is most evident in their study material; take the 70-290 exam for instance. You are required to know how to do almost everything via the command line now, as well as the GUI. Many people haven’t realized it, but this is a major shift in MS training methodology.

Microsoft also added 60 new command line tools to 2003, adding to an already impressive amount.

I would also really need to learn how to script. Being dependent on command line means repetitive typing tasks, almost no way around it, so advanced batching and VBScript must be mastered.

Now apart from the command line, there is a plethora of non-gui ways to administer Windows, I mean every MMC console in existence, for instance, plus plenty of other tools. But there is no real challenge to using them; I use all that stuff already. Also, you can't realistically use them over the internet, except via VPN. (Yes, RPC over HTTP is an option, but would you trust it? Considering Microsoft's track record with their RPC and HTTP service, I wouldn’t.)

Another way is WMI and ADSI, but that requires some scripting knowledge again to make effective use of.

Anyway… this is at this point just an idea I am playing with, but is academic until I can start virtualizing my server, as I would always need an XP instance for doing my p2p downloading, and browsing when my other PCs are not available (when I am out of the house for instance).

One Comment on “Security: Linux vs Windows, administering Windows over telnet”

  1. I know this is an old post, but anyway.

    I am a Unix/Linux admin, so it is fun to see MS Windows going to power tool, that was claimed that it wasn’t needed 🙂 Better late than never though.

    By the way, a tip. Never, ever use the telnet protocol, your password will fly in clean on the network, and you are subject to MIB attacks. Esp. as MS hasn’t implemented DNSSEC yet. Use ssh protocol instead. It does lots of stuff right, like encryption, secure login without password (use certificates), protect from MIB etc etc.

    There should be a SSH service for MS Windows, at least.

    Yes, try Ubuntu installed in MS Windows or in VirtualBox. As an application in MS Windows, you have dualboot without needing to repartition your machine. Easy to remove later too, just uninstall Ubuntu from MS Windows and all are gone (even your photos and stuff, so do move them over to your MS Windows partition first).

    Anyway, good luck with Ubuntu, if you haven’t started yet. 🙂
