Microsoft dominance poses security risk

[Tiger Shark]

Catch: Nice post..... Good to see someone who clearly, actually, understands both OS's and doesn't simply run with the "ya-ya-ya-ya-ya-ya - my OS is better than yours".

For others reading this thread I will point you back to this thread where I think I have placed the basics out there. They work for any OS..... But they point back to the admin.

Simply put:-

Regardless of the OS, it is the adminstrator that determines it's level of security. Remembering that security is the balance between security and usability, the average moron can create a secure system, but it isn't usable for the users. It takes a quality admin to allow the users to _work_ but to prevent them from becoming a liability, (regardless of the fact that, without knowing it, they are the biggest liability). So - Regardless of OS - It's the admin..... .

What is so difficult about that to understand?

There are a million admins of Windows boxes who, because of the "ease of use", leave their systems wide open.... It's not M$' problem, it's a securable system if the admin knows a thing or two.....I'll refer you to Catch's post for the other OS's issues but clearly if you put an admin who hasn't done _everything he can_ to secure the system you are going to end up with an exploitable system......

My 2 cents

[catch]

aeallison, again I think it is more of an organizational flaw than an OS one. Microsoft freely admits that its OS is shipped in an insecure state and I for one agree with this decision. Not only from a sales stand point for functional out of the box, but from a security stand point as well. Going from a completely insecure state takes half as many steps as going from a secure system to a functional one. (what exactly are the full consequences of loosening the security on this object? Will these rights transfer to something unforeseen? Now I need to go through and review the entire system's security since god knows what changes might take place inadvertently. While starting with insecure, you lock down exactly what you want how you want it.)

Catch: Nice post..... Good to see someone who clearly, actually, understands both OS's and doesn't simply run with the "ya-ya-ya-ya-ya-ya - my OS is better than yours".

Hehe thanks. However, I still run the "blah blah blah, my OS is better than yours." We non-retrofitted TOS people have great disdain for both UN*X and NT, the only differences is that NT people know that NT is as secure as is really indicated for standard commercial environments, while UN*X people think their OS is the most secure to have ever existed. Needles to say this inspires a touch more disdain for UN*X (especially OpenBSD/Linux) users.

I do however disagree on the statement about the admin being the end all to security. Some systems simply have greater assurances and capabilities than others. For example, a Win98 machine filling the same role as an AIX machine could never be as secure. While it is true that if a system were set up in the least secure manner possible this might skew things, it is for this very reason that both main system security evaluations also judge on the presences and accuracy of a trusted facilities manual. (configuration guidelines) These manuals are intended to remove the need for talented admins and ensure that anyone can establish a secure state with the system intended.

OpenBSD tried to solve the problem of admin involvement with the near complete hardening on the system, but what happens when an OpenBSD admin needs to install bind or sendmail? Suddenly it becomes apparent that OpenBSD offers no greater security functionality than Lindows. AND no procedures are made available for these installs either so now you need a talented admin, and as those of you familiar with the various IS maturity models know that a migration from talent leads to more predictable results and more predictable results may be more effectively tuned.

catch

[Tiger Shark]

Catch: Love the way you use a crappy OS to prove your point........

For example, a Win98 machine filling the same role as an AIX machine could never be as secure.

How about shifting up to a Win2K box for example - You know, give me a _chance_ to argue the point.

These manuals are intended to remove the need for talented admins and ensure that anyone can establish a secure state with the system intended.

Manuals are all well and good but it takes a talented sysadmin to write them in the first place. You need the talented guy because each network is different offering different services internally and externally and the software managing the services differs from system to system too. Yes you can give a literate admin a manual for how to lock down a Win2K box for example as it comes out of the box but then what happens when he needs to add services. If you write the manual for today it'll probably be obsolete tomorrow - a problem I have just maintaining my own system's documentation. When the literate sysadmin decides that mail program X is the mail server he is going to use the information may not be in your manual as to how to secure it. It's there that the "talent" comes in.... The talented sysadmin goes away and researches what the program does, where the potential weaknesses may be and then with his knowledge of the system as a whole determines how best to secure the product. You made these points yourself but I thought they were worth reiterating.......

So, really, it still comes back to the admin. An admin that attends to detail, understands his system, understands how attacks may take place, properly monitors traffic and learns his networks traffic patterns is a far better admin than the many who pop Win2k, *nix or whatever right out of the box, installs a bunch of services and dumps it right on the net with none of the above "prerequisites".

Is a talented sysadmin "hack-proof"? Of course not, but the chances are much greater that it will take a more talented cracker to break in rather than some lame script kiddie or automated worm.

Disclaimer: This is my story and I'm sticking to it........

[maxim_86ualb2]

Well I think the best OS is the...................................................


there is no Best........ U cant say this is best...... all u can say is that this os can do better on this subject .......

well as I have done some reserch.........

==Linux system is the sys of shoise from Hacking groups..... everywere..... ::exept for some exeptions::

==it is easier to hack M$ from *nix/linux then the opposite........
:: from my experience... when I added a linux box to the Lan that my pc is on....I wasnt even able to C its settings........ but from it I could C every thing I dono Y or how

---------------------------------

[IPull0ut1nTyme]

The more security you implement, more than likely the less user friendly it becomes. The crappy thing about security is that there are just as many people (if not more....actually finding the flaws and not just utilizing them) working vigorously to circumvent it as there are trying to make systems more secure (No, I don't have any statistics to prove this so take it as you wish). Trying to make a system for a large number of users would be easier if they were all computer security professionals and all were happy employee's that were dedicated to maintaining that secure system. Unfortunately, thats doubtfully ever gonna be the case.
I suppose the question is really whether or not Microsoft is a feasible choice for our government to be purchasing from along the lines of security. I can't say I'm for or against it, but essentially that it wouldn't matter which OS was chosen, there would still be some level of insecurity somewhere along the lines of its implementation. They just have to choose the system that is least likely to be insecure, and I don't know enough about every option to say which OS would be best fit...hopefully the gov't does....achhh......I gotta trust the government AND Microsoft....

[maxim_86ualb2]

Well u want security........ turn off the PC

[catch]

Catch: Love the way you use a crappy OS to prove your point........

If the point doesn't hold under all circumstances... it is a logical fallacy. :-P

How about shifting up to a Win2K box for example - You know, give me a _chance_ to argue the point.

Because then it becomes an argument about the subtleties of two similar (securitywise) system and not an argument about some systems being inherently more secure than others. (which if this were not the case DOD-STD-5200.28 and ISO 15408 would not exist)

Manuals are all well and good but it takes a talented sysadmin to write them in the first place. You need the talented guy because each network is different offering different services internally and externally and the software managing the services differs from system to system too. Yes you can give a literate admin a manual for how to lock down a Win2K box for example as it comes out of the box but then what happens when he needs to add services. If you write the manual for today it'll probably be obsolete tomorrow - a problem I have just maintaining my own system's documentation. When the literate sysadmin decides that mail program X is the mail server he is going to use the information may not be in your manual as to how to secure it. It's there that the "talent" comes in.... The talented sysadmin goes away and researches what the program does, where the potential weaknesses may be and then with his knowledge of the system as a whole determines how best to secure the product. You made these points yourself but I thought they were worth reiterating.......

*cringe* I hate to say it, but it is clear to me that you have either never used a well documented OS or have just not been aware of the documentation available for it.
Trusted facilities manuals (TFMs) are not written by system administrators, they are written in the design stage and tuned during QA. This gives the document a completely different spin than you'd find in something written by someone who is basing their knowledge on use of the system rather than involvement in its actual design.
Good documentation and system design should work in a modular manner that services and systems in a network may be dropped in a black boxed format (each system or subsystem configured as X with all defined I/O configured to the spec as well)
Allowing a system administrator to have any say at all in system configuration is just asking for trouble. High assurance/high security systems have all administrator functions documented to unyielding procedures and if these procedures are well formed (which is easier to do than to find an equivalently talented admin) your system will be correctly managed.
All things like researching new products and such should be done by the risk management team.

So, really, it still comes back to the admin. An admin that attends to detail, understands his system, understands how attacks may take place, properly monitors traffic and learns his networks traffic patterns is a far better admin than the many who pop Win2k, *nix or whatever right out of the box, installs a bunch of services and dumps it right on the net with none of the above "prerequisites".

Again the admin should not have this level of involvement, the admins should merely follow procedures and have limited knowledge of the systems themselves, this is why many security focused organizations use role rotation specifically for admin roles. This way the admins never have too long on any given system, plus the admin that takes their spot after audits their work, though with a proper change control management system (ccms) this is less of an issue.

Is a talented sysadmin "hack-proof"? Of course not, but the chances are much greater that it will take a more talented cracker to break in rather than some lame script kiddie or automated worm.

Relying on talented admins means you need to have many admins that are all equally talented for large systems otherwise points of weakness will appear or inside attacks can happy admin from shift X is counted on for his talent so no CCMS is in place and no procedures are followed and the admin from shift Y isn't as talented so he may miss X's inside hack or may miss an error in X's uber talented configuration to fix whatever.

Computer security is about a single universal principal... assurance. The more you have the more secure any system is. Fact of the matter is some OSes offer more assurance than others. Fact of the matter is that an infrastructure based on policies, standards, guidelines, procedures, CCMS, role rotation, and dedicated risk management is going to offer far greater assurance than a few talented admins working ad hoc.

catch

PS. maxim_86ualb2 please save the trite, regurgitated comments for a thread more deserving.

[Tiger Shark]

Catch:

Trusted facilities manuals (TFMs) are not written by system administrators, they are written in the design stage and tuned during QA. This gives the document a completely different spin than you'd find in something written by someone who is basing their knowledge on use of the system rather than involvement in its actual design.

EEEEEK!!!!!!! So if the system was crappily designed and I rely entirely upon the TFM I'm likely to have holes that I don't understand.... That doesn't sound very good at all. You seem to be implying that you can have an army of braindead drones as sysadmins and everything will be fine....... As long as they RTFM.....

It also seems to me like we are talking about apples and oranges. Your scenarios "stink", (and I don't mean that badly), of high security facilities/systems while I am talking about security in your bog standard, run of the mill, IT house in Anytown, The World. There is no comparison and there are not the dollars to invest in the type of thing you are talking about at the level the discussion is aimed at.

Though I do find your posts quite enlightening.......

[catch]

EEEEEK!!!!!!! So if the system was crappily designed and I rely entirely upon the TFM I'm likely to have holes that I don't understand....

This is why standards are so very important to measure the assurances of the system in question to ensure that it is not crappily designed and that the TFM is adequet. Be weary of any system afraid to have itself held to the yardstick.

That doesn't sound very good at all. You seem to be implying that you can have an army of braindead drones as sysadmins and everything will be fine....... As long as they RTFM.....

Not only will everything be fine, but you wil have a lower instance of inside attack as well. And the money you save on employees can be spent on the overall security architecture.
This is going to be very arrogant of me... but really most system admins know very little about computer security. Sure they know about patches and user profiles, but how many system administrators do you know that monitor for transitive rights? Or even know what transitive rights are and how they occur in single command/multi actioned systems? These are very important security concepts. Most system admins can't even comprehend how MAC, DBAC, and RBAC work, so why would we expect them to take concepts from these and apply them to lesser functional systems?
The understand of these and other important security related aspects are best left to the experts. Admins are intended to implement policy, not to create it.

It also seems to me like we are talking about apples and oranges. Your scenarios "stink", (and I don't mean that badly), of high security facilities/systems while I am talking about security in your bog standard, run of the mill, IT house in Anytown, The World. There is no comparison and there are not the dollars to invest in the type of thing you are talking about at the level the discussion is aimed at.

While it is true that I am primarily familiar with high security/high assurance system/organizations I also know that the same basic principals apply to lesser systems. That is how you know they are logically correct. Just think of this like F1 fompared to your average Geo Metro, the concepts are the same, just less extreme.

People like the idea of talent because it makes them feel more important. Everyone wants to be a star and no one seems to appreciate that doing their job to fit into an overall system well will yield far greater results. This also tends to lead to a lack of understanding from history and mistakes are made over and over again. the whole idea of procedures is that they are made by people who know how to do it, so no one else needs to learn. IT people just have this love for reinventing the wheel though... quite puizzling and hurts the industry as a whole.

catch

[Tiger Shark]

Catch:

Be weary of any system afraid to have itself held to the yardstick

But the systems and examples you are talking about are somewhat distanced from the reality of the internet. M$ and the other OS's get "yardsticked" every millisecond of every day somewhere in the world. Furthermore, I know for a fact that so many of the "documentations" for systems are usually written "by the developer - _for_ the developer" and, as such, remain a useless pile of paper for many that have to try to implement said system. They require the prior, intimate, knowledge of the system to understand. With computers becoming the "normality" in business and the home environment it is unreasonable to expect any but the _very_ few to be able to manage the systems in the way you are advocating.

but really most system admins know very little about computer security

Clearly..... That's why I still see Code Red, Nimda etc. But I think you are sitting on your "higher plane" looking down and thinking "amateurs". You are right, in your world. But your world is _not_ the real world. You're not arrogant, you're way ahead of the rest of us "schmucks"..... That's fine - I'm totally self taught as are many here. We also have a bunch of other things to do every day.... Our job isn't just one little portion of computing, (not to denigrate the importance of computer security), but we also have to deal with the dimwit user that locks themselves out of the system, the idiot who calls because their email was returned because they mis-spelled the address and can't read the friggin' NDR that tells them that the account does not exist....... Do you see my point here? I know you do.... You also need to know that I, and many here _do_ understand things like transitive rights and how they can open a system that an admin "thinks" is closed.

People like the idea of talent because it makes them feel more important

I use the word "talent" in an offhand way..... I think you understand what I mean.

Everyone wants to be a star and no one seems to appreciate that doing their job to fit into an overall system well will yield far greater results

I think you are missing the point that many here _are_ the system.... We work, often alone, to secure the systems we manage. We come here to get more information to help us do our, multi-tasking jobs more efficiently and more quickly...... Don't take my "talented" reference as a feeling of complacency on my or anyone elses part..... We know that it is only a matter of time before we mess up.... That's why we are here..... To delay that moment where we "poop our panties" and decide how we are going to explain this to the boss.......

IT people just have this love for reinventing the wheel though... quite puizzling and hurts the industry as a whole

If you run _only_ from your manual there is no wheel to invent. But then you have no room to invent, innovate and excel...... You simply follow a path delineated by another. You learn _nothing_! Blindly following others can lead you down a road that you may find "U" turns are impossible and if the road is going the wrong way you are screwed......

That's what I, and others here I'm sure, want to avoid.....We get tested daily and we test ourselves daily...... In your world "procedures" are fine, (hey... I was in the military 10 years... I understand the blind following of orders.... I left because I _appeared_ to be smarter than many of those developing the procedures......).

I enjoy the challenge of the learning process and the problems it presents me daily....... I'm sure you enjoy what you do..... maybe, one day, you will yearn to learn as opposed to follow the "big dog" that wrote the manual......

If you are writing the manual - REMEMBER - most of them will not understand it...... They will simply follow it blindly..... and then there will be no room for them to improve, learn or innovate..... I, for one, have no interest in that world.

As I said before, I respect you for your knowledge and ability to communicate..... But I think you are talking to a different audience to the one you are used to..... We do not and cannot operate the systems you are talking about...... We run the ones in the _real_ world.... (no offense meant.....)