Posts Tagged ‘Linux’

Security: Linux vs Windows, administering Windows over telnet

Sunday, October 24th, 2004

This report just out by Nicholas Petreley takes a good hard look at both OSes from a security standpoint, comparing design characteristics and the way vulnerabilities and the inherent buildup of the OS influence the actual severity of exploits, and how this is measured most effectively.

Though the article is clearly anti-MS biased, I found it an insightful read and will be using its many facts and figures often. I must also say that I agree with every single criticism pointed at MS.

I have, to this day, never touched Linux. But articles like this are really making me enthusiastic to get to know it. But coming from a MS background, the hurdle is gonna be pretty big, and I am not quite prepared yet to really delve into it at this time.

Another thing in the report that got me thinking again was the administrative requirements of Windows. Now I have in fact been thinking about this a lot for the past year or so..

I have a Pentium 3 800 that functions as my server. It’s running all kinds of stuff: IIS6 with all kinds of web-based stuff like Sharepoint, some static pages, OWA, SUS, and Gallery running under PHP; SQL Server 2000, Sharepoint Portal Server, DNS for inside and outside, it’s my DC running my internal domain, and of course it’s a massive fileserver.

Now I am very very aware that running all this stuff on the same machine is a security nightmare, and it is. But until I have some money to start to build a serious machine that will do MS virtual server or VMWare ESX, and build instances on top of that… well I am gonna have to deal with my current setup.

But anyhow.. in order to manage it, I either sit at the console, or use RDP (remote desktop), which is essentially the same thing. Now I have even used RDP on my Pocket PC over GPRS, which is of course ridiculous considering the bandwidth of GPRS (or the lack thereof), and the screen resolution of my XDA.

A few times I have basically told myself: “Damn it all to hell, I should get my hands on a secure shell program for Windows, and use only command line from here on in!”

WHY on God’s green earth would I be so masochistic?!

Well the why is the easiest part:

-It’s more secure. By administering Windows only via command line, you restrict yourself to one and only one avenue of access. All you need is that telnet access, and it would be secured and encrypted to boot. By not using the GUI, you don’t let yourself use the browser either, or run any office app on your server, or any other app for that matter, except if you really need it! This decreases the area of attack considerably.

-It’s less resource intensive. Think of all the resources a single logged-on user on Windows eats up. Go have a look in Terminal Services Manager, it’s crazy. Now Windows loads the GUI by default, not much we could do there.. at least.. I think there are ways out there to deactivate lots of this stuff, you can at least kill explorer.exe.. but by not letting yourself log on to the GUI, you prevent all kinds of situations where apps that you are running in your user mode or context could interfere with what the server is supposed to be doing.. serving.

-It’s informative. By forcing yourself to do this, you will learn a great deal about Windows and how to control it remotely. In the end I believe I will be more efficient in maintaining Windows Server by forcing myself to get down on how to administer it remotely.

-It’s damn cool. Command line is cool. Simple as that. You are far more impressive with complicated command line running across your screen. Linux administrators are gods in my eyes.

Can it even be done?

Well, I haven’t really put any serious effort into researching this yet, but I have a fair idea what it would require.

First of all, I would need a deep and thorough knowledge of many many Windows command line tools and commands. I would also need to include in this everything from all the resource kits, and plenty of third-party tools.

I have in fact had some practice with running in non-admin mode, as I use the cool little makemeadmin.bat that Aaron made, which gives me the admin command line mode.. I had to change IP config a lot for my laptop because of the different networks I hook my laptop into, so I delved into netsh for the first practical time, and made a little batch file.

Now Microsoft has since Server 2003 put a far larger emphasis on command line tools. This is most evident in their study material, take the 70-290 exam for instance. You are required to know how to do almost everything via the command line now, as well as the GUI. Many people haven’t realized it, but this is a major shift in MS training methodology.

Microsoft also added 60 new command line tools to 2003, adding to an already impressive amount.

I would also really need to learn how to script. Being dependent on command line means repetitive typing tasks.. almost no way around it, so advanced batching and VBScript must be mastered.

Now apart from the command line, there is a plethora of non-GUI ways to administer Windows, I mean every MMC console in existence, for instance.. plus plenty of other tools. But there is no real challenge to using them.. I use all that stuff already. Also.. you can’t realistically use them over the internet, except via VPN. (Yes, RPC over HTTP is an option.. but would you trust it? Considering Microsoft’s track record with their RPC and HTTP service, I wouldn’t).

Another way is WMI and ADSI, but that requires some scripting knowledge again to make effective use of.

Anyway… this is at this point just an idea I am playing with, but is academic until I can start virtualizing my server, as I would always need an XP instance for doing my p2p downloading, and browsing when my other PCs are not available (when I am out of the house for instance).

MSDN Technet brief in The Hague

Tuesday, October 5th, 2004

Today I attended the fall MSDN/Technet brief in the Hague, Netherlands, which is a free event. It was, therefore, nice to see Steve Ballmer make an appearance. The theme was ‘Security eXPeriance’ and the sessions centred around ISA 2004 and MOM 2005 mostly.

I attended the hands-on lab for ISA and was quite impressed, even given my limited experience with ISA 2000. I like the fact that MS is now basically moving towards a single interface that is a lot more intuitive than MMC.. everything now looks like Outlook 2003 😉
Took the lab manual with me, I am sure I can get my hands on the virtual lab to continue playing.

(ISA Server 2004 interface example)

I also attended a very interesting session that basically squared off firewalling on a Linux platform against ISA Server 2004.
Now I know jack about Linux and the software you can get for it, but it was much as I suspected. Now I don’t know specifically what firewall tool the Linux guy was using, he was using a web-based admin tool for everything on that machine, including the firewall bit, but even though it was point and click, it was considerably more work to configure anything, as even the simplest rule had to be built from the ground up.

Now this is probably not a fair test, as I can easily imagine someone out there making rule-scripts available for whatever Linux firewall app. But apart from all that, you simply can’t get around the interface ease and richness of ISA as a firewall product. Linux requires you to download (and compile) every element of functionality you need separately. And when it comes to interface, the only thing that can compare.. and thus can directly compete.. is Checkpoint, and even then ISA just looks plain better, but that should not be a point to take into consideration.

(Checkpoint Smartcentre interface example)

I can predict exactly what the average manager must think, and you should know I consider the average manager rather shallow: “Hey.. that ISA costs no trouble at all to administer.. I’ll just hire a junior admin, with no infrastructure experience or knowledge at all, for that, and get rid of the Linux specialist who costs 4 times more per hour!”

The most important reminder I got out of the session, is that nothing beats in-depth knowledge of what you are doing. To use Linux effectively, you really need to understand what you are doing. With the average Microsoft product, this is often not the case.

This leads to masses of lazy administrators, the ones I have often referred to in my previous posts. So I can tell you right now, if something broke down with the infrastructure, then I would far rather have a Linux sysadmin working on the problem than your average Windows sysadmin, as with the Linux sysadmin, I can probably assume that he has more in-depth knowledge, simply because Linux requires that to get anything done.

As for Windows.. you have masses and masses of admins that know just enough to keep everything working, but not enough to effectively troubleshoot issues, or help build better solutions to suit business needs. Who cares that you have a really easy to use firewall tool, if the firewall admin can’t troubleshoot a routing issue effectively!