Microsoft plans Windows overhaul to fight hackers - Page 3

Thread: Microsoft plans Windows overhaul to fight hackers

  1. #21
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Catch, Catch, Catch...... <sigh> You're doing it again...... Sitting up there on that higher plain of yours looking down.... I wish I had the time to do your job..... I have 650 workstations in 18 locations all connected across three counties. I have 4 staff that are systems/network oriented, including 2 that are "help desk" so they don't really count.... Then I have my administrative functions, supervisory functions and committee functions. I first get on my work systems just after 05:30 _every_ day and usually am still connected to them at 19:00 every weekday night, (I give myself a break on weekends.... go figure.....).

    Again with the teaching... why is it my job to teach just because I am educated? I am here to engage in security related conversation, to freely offer advice on problems, and to correct information that I know is incorrect.
    Thank god you are educated..... or you'd be approaching utterly insufferable at times. I did notice that you completely forgot to reply to my post in our last "confrontation" about your holier than thou attitude to this forum. For your edification it's here so you don't have to waste your valuable time searching for it.....Wanna reply? Or was your lack of a reply your convenient admission that the reality is that you spend a lot of time here just looking down your nose at people with "real" jobs....

    Catch.... You're in the wrong place.... If you want security discussion at your level there are the uber leet places for you..... If you want to help us less than leet dorks please feel free.... But your uber leet attitude in this less then leet world does us no good and makes you look silly......

    Now, let's see if you conveniently "forget" _again_.......

    You're good - Clearly - Don't waste it by pissing everyone off - it does you no good and it sure as hell does us no good - so what's the point?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #22
    Banned
    Join Date
    May 2003
    Posts
    1,004
    I am not sure how in this instance I am looking down. I made a comment about Windows' security strengths and it gets responded to by people that have no contribution at all other than to mock and then paste wildly inaccurate data.
    After that I get called a racist for telling people to keep an open mind.

    My job is very easy right now because the federal government decided to spend one billion a week in Iraq and every project I was working on has been delayed, so I have had a little more spare time than normal for a few months now. My real day job now consists of consulting on risk evaluations and mitigation plans, but that is only a few hours a day.

    I do recall the other thread and I came to the conclusion that you were happy with your way of doing things, so there was little point in continuing the conversation, I had made the points I wanted to make and the rest to me seemed semantics. Additionally I felt that my points could still be valid while affording you the last word. If there was an aspect that you wish to discuss further, kindly let me know.

    I work in a highly formal environment (with significant resources) and I know that this isn't for everyone. I don't expect everyone to follow those ideals. I just want people to be aware of them. Having worked on both sides, I can't even express the value added in highly formalized settings; it is incomparable to the ad hoc stuff so many people are used to, but the formalized settings are much rarer and consequently more cost prohibitive. If more people were educated, the costs would come down and more people would benefit. That is really the only point I ever try to teach. The industry standard is the cheapest solution that works well enough, so don't confuse that with the best solution. Especially if costs can be mitigated.

    Also, I don't think allegations about why I didn't reply are needed. Sometimes I do genuinely forget or overlook responses. Doesn't mean I don't love ya. :P

    If you respond intelligently, I am not rude... but when people post things that are just so blatantly wrong, the very attempt on their part as a novice to try to argue that with me is insulting. Many of my posts are downright friendly; I just have zero tolerance for uneducated people that spread misinformation. And without people like me... god, imagine where we'd be then? If bad information just stood as truth.

    I am not here to be liked and I am not seeking friends, but people that know me are aware that I know my **** and that I will also give not only straight answers but high assurance documents for further reading, and they find that valuable.

    catch

  3. #23
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Catch: You make me laugh..... And I _really_ do mean that in the best possible way.... You are obviously in a very "controlled" environment, working in a _very_ specific way.... Your knowledge and skill are _not_ in question.... Trust me.... I just think it could be slightly better used..... But that's my opinion and you are free to disagree....

    I made a comment about Windows' security strengths
    Yeah..... I saw... I tried to give you pos AP's because your post was right on the money.... But I wasn't allowed..... I had to "spread them around" before I could pos you again..... Sux but it's the way of this world.... Sorry... I'll pop you some somewhere.... you deserve them....

    every project I was working on has been delayed, so I have had a little more spare time than normal for a few months now
    Then you have some time to write Tutorials..... Now there's a _good_ use of your time here.... I, for one, would appreciate your insight.

    If there was an aspect that you wish to discuss further, kindly let me know.
    It's that "real" world thing...... Your job is clearly different from "ours".... You get to _really_ play and understand.... the rest of us have "proper" jobs too..... You can help us in both.... Sometimes you seem to not be doing that.....

    If more people were educated
    I'm not sure if you could handle my users..... "Challenging" doesn't begin to describe them...

    The industry standard is the cheapest solution that works well enough, so don't confuse that with the best solution. Especially if costs can be mitigated.
    I work for a non-profit..... Kinda like the government.... Costs are extremely difficult to mitigate in my world..... But with my 10 years in the military.... I know how they get "mitigated" in yours..... 'nuff said?

    Sometimes I do genuinely forget
    Yeah..... I know that one..... Accepted.... I'm a smelly old fart..... You're let off.... <BG>

    I just have zero tolerance for uneducated people that spread misinformation.
    I think I love you...... <LOL> I have _no_ time for idiots..... Period....

    I just have zero tolerance for uneducated people that spread misinformation.
    Nor me...... I'm here to learn and to educate where I can.... I don't know which is the greater burden........

    I know my ****
    Clearly..... Just play nice with us kids and we'll try not to **** in your sandbox.....

    Catch.... your tenure here will be determined by your use..... You know your stuff and it is fine to blow off the idiots that you have... Trust me on this... I appreciate it..... But rather than just blow off idiots..... Give us the benefit of your knowledge.... You have a valuable commodity.... you can share.... or you can go " nah, nah, nah, nah, nah"......

    Which do you think is better?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #24
    Banned
    Join Date
    May 2003
    Posts
    1,004
    I have a horrendous headache right now so I'll likely comment on the rest of this later. Suffice to say I do appreciate the compliments and I have been meaning to come up with a few more tutorials. Just a matter of finding topics that have not been done before (why do it if it isn't needed), that people will actually get some value from, and won't take up hundreds of pages, cause I don't have that much time.

    I suppose I'll give that topic more thought... plus I have a few other personal projects (free, automated ISO17799 auditor, online CISM study guide, and the project of the last few years, a Boyer-Moore theorem prover... heh, my programming skills suck though so it's been fun) that I've been trying to force myself to finish up.

    catch

  5. #25
    AO Part Timer
    Join Date
    Feb 2003
    Posts
    332
    Since we are now far from topic. I will be short.

    You're good - Clearly - Don't waste it by pissing everyone off - it does you no good and it sure as hell does us no good
    I couldn't have said it better myself.

    You have obviously looked down on other people before today. I come and go here at AO. I have written a few tutorials for the "common" people. You know the type, those peeps on my level. I help when I can. I also hold very strong opinions. I have personal projects that take up a lot of my time. I have my boxes, my Norton Security Suite, a soldering iron, and a very strong desire to learn. No matter how intelligent you are, you can't take that from me.

    You mentioned you aren't here to make friends. Thank you, Captain Obvious. That much is apparent. If you really wanna help, practice tact. If you wish to help, then damn it, HELP!
    Write a tutorial on something the community needs. Because we definitely don't need to get belittled by you.

    I mean, what exactly is the point of including statements like "uneducated loud mouth" and "sad foolish boy"? Not to mention that was the brunt of two of your recent posts. Wouldn't you have been the bigger person by simply pointing out why you felt you were right? I may not be on your level, but believe me when I say this, I understand the way you think. What I said about the mirror is true, like it or not.

    I find it both amusing and wholly inappropriate for you to think that you can even attempt, much less have the right to attempt, to analyze in this regard.
    NUFF SAID

    Be safe and stay free my fellow AOer, till we meet again

    Those who flaunt their powers quickly disappear when the truly powerful emerge.
    Your heart was talking, not your mind.
    -Tiger Shark

  6. #26
    Banned
    Join Date
    Oct 2002
    Posts
    133
    Catch, since you must not have seen the security link, here it is.

    Security

    I read an article on the Microsoft web site that said that NT "security" is sufficient for most users. At first, I was appalled that they made that statement considering the large number of security holes that exists (I have found hundreds myself). However, the statement is true. Most users are not concerned with security. Therefore, the extreme ease at which any user can gain Administrator access on an NT system right out of the box is not of concern to most users.

    However, for the system administrator the issue is completely different. There are dozens of directories and hundreds of files that the administrator has to change by hand in order to make NT secure for most businesses. This requires anywhere from 30 minutes to an hour per machine to ensure that the security is correct. Even at the least secure levels, all UNIX variants are more secure than NT.

    For the company president or CEO, NT "security" is also not sufficient. Because of the ease of gaining administrator access, all company secrets are at risk. I know many companies that let the users run on Windows NT, but the mission critical applications are run on UNIX. Despite the advantages that UNIX has in terms of scalability and reliability, the default security of NT scares away all but the die-hard Microsoft fans. Even a cursory inspection shows that it is not worth risking your business for the "pretty" Windows GUI.

    Yes, there are holes in UNIX and Linux. In order to exploit them, you need to either be a UNIX guru or an expert programmer (or both). Anyone can easily exploit the holes in NT.

    Another important aspect to consider is that the NT security model is stricter than Linux. That is, the concepts behind Windows NT security could lead to a more strictly controlled system. However, the implementation has made Windows NT open to all sorts of attacks. The gaping holes in Internet Explorer are just a few examples. (Well, actually there are quite a few.)
    Linux
    Advantages

    * Security has had years to be tested and verified.
    * Security is tied to the file. Can reinstall without fear of having to replace security information manually.
    * Can easily tell if a file has been changed on your system. This includes mundane things like the permissions, but also includes more important things like the checksum. (see below)
    * Standard attack on any system is the "dictionary attack". Can create tools easily to test for this vulnerability. (see below)
    * Able to merge systems/domains.
    * Firewall functionality is built-in to the server.
    * Can easily check if a new user has logged in and changed the default password.

    Disadvantages

    * File access currently limited to READ-WRITE-EXECUTE for USER-GROUP-OTHER.
    * Security is not as strict.
    * No auditing.

    NT
    Advantages

    * Stricter security available. (See below)
    * Larger number of choices for access permissions.
    * Auditing of security event.

    Disadvantages

    * Security is still in its infancy. Infantile mistakes are still being made in regard to security. (See below)
    * Security is bound to the name of the machine and domain. If you reinstall, all security information is gone. (See below)
    * Have to check by hand for any changes to files.
    * No tools to check for "dictionary attack" vulnerability.
    * Systems have to be reinstalled when merging domains. (Security ID is dependent on the currently installed copy of the system.)
    * Microsoft sells an extra Firewall product.
    * No easy way to check to see if a new user has logged in and changed their password (See below)
    * There are literally hundreds of holes that allow anyone to create a Trojan horse without any special programming skills. (See below)
    * This list goes on. Check this out for more.

    Default permissions on drive shares under Windows-NT (C:, D: not C$, D$) is FULL-CONTROL for everyone. This means I can access it without even logging into the domain. The default permissions for the systemroot directory (e.g. C:\winnt) is also FULL-CONTROL for everyone. In five minutes I can create a dozen Trojan-Horses to give any user Administrator access.

    Assume you have discovered that someone has broken into our network. On just a single machine, how long will it take to check 5 administration related groups to see if there are any additional users added? (Such as the Administrators or Account Operators group) UNIX: 5 seconds per machine. NT: 5 minutes per machine.

    * Script runs once a day and checks the sum of /etc/passwd. If it has changed, a message is sent to the sysadmin (would also react because a password was changed.)
    * Script could count the number of entries to see if one was added. Could also check group file for changes and report them.
    * A quick script could be written to check to see if there were groups with no users, or when users were added to groups.
    * Could be expanded to check through any files. Cannot automate these tasks on NT as everything is hidden in the registry and there are no tools built in. You could create a script to check NT for additions to groups, etc., but the output of "net user" and "net group" is extremely difficult to parse.

    NT security is generally better than UNIX. However, "stricter" might be a more appropriate word than "better." It is theoretically harder to crack NT password as they use a larger encryption key. However, the LM HASH used to encrypt passwords actually breaks the password into two, seven-character pieces. This makes it easier to crack than the ten character UNIX algorithm as you can crack each half individually. Plus the encryption algorithm is the same for every user. If two people have the same password, you do not even need to crack the password to see this, as the encrypted version is the same. In addition, the standard attack is still a dictionary attack and that works effectively no matter how large the key is. The major problem with NT security is that you cannot get around it. There were several examples where this security mechanism has become more of a problem than it is worth.

    In addition, the encryption is the same all the time. Using tools freely available on the Internet, you can dump the encrypted passwords and compare them. If two users have the same password, the encrypted password will be the same for both. On Linux, there are 4096 different ways to encrypt the password. This makes the odds very low that two users will ever have the same encrypted password. Using basic techniques of intelligence analysis you can quickly narrow down the possible passwords, making guessing NT passwords easier. I did this on one system and found several encrypted passwords that matched. I assumed correctly that this password had something to do with the company.

    Using the latest version of l0phtcrack I was able to crack about 10% of all the passwords in our domain within a few hours. I had 25% within a couple of days. Many of the passwords I would have considered safe a few years ago. However, because of the simplicity of the NT encryption mechanism no password is safe. (Note that cracking NT passwords is something which Microsoft said was just "theoretical".)

    We made the mistake of rotating our backups every week in some of our offices. That is, we only had five tapes. We discovered that although NT Backup and the Event Viewer reported all was well, it wasn't. The system crashed and we had to reinstall. We then discovered that the tape was unreadable. However, it worked fine when we installed originally. Since our data was on another drive, it was untouched, but not well. All the permissions were based on the original installation. Although we could re-create the users, the permissions on the files and directories were no longer valid. As far as NT was concerned, these were different systems. Therefore, once again, we had to re-create the permissions by hand.

    How can you tell if a file on an NT machine has changed? With what tool? Can't even think about using a batch script. In 5 minutes, I could write a script that writes the sum for each file on the system into a file then another script (or the same one with a different flag) it could check all of the files to see if they have changed. However, why bother if rpm already does it?

    I have heard comments that because the Linux source code is freely available then it is less secure. The opposite is true. There are tens of thousands of people out there who look through the code and when a bug is discovered (related to security or not) it is made public and the bug is fixed. The xcmd bug (mentioned above) is an example of a potential security problem that was detected by someone who had the code and was then fixed by the developer. Since the developers use the code they develop (not necessarily true for NT) they have a stake in making it secure. With 10% of all Internet servers running Linux (still more than NT) it has to be secure. That's why the program that could bring down any NT machine was called "winnuke" and not "linuxnuke"? Granted the "ping of death" did affect Linux machines, but since the patch was on the net within a couple of hours, does it really count?

    When new users are created they typically get a standard password. If they never login there is an account with a known password on the system. Under NT, there is no easy way to check for this. Under Linux it can easily be made part of the user creation process to check after a specific period of time.

    The default permissions on Windows NT out of the box provide for very little security. Everyone, even users not logged into the domain, has complete control over the system root directory (normally C:\WINNT). In addition, everyone also has the ability to change the C:\WINNT\SYSTEM32 directory, which also contains a number of very important system programs and files. All a hacker needs to do is replace one of these with a Trojan horse and the next time it is run by an administrator, that hacker gets administrator access to the system.

    A normal user can also change the file associations. That means that when the administrator clicks on a .TXT file NOTEPAD.EXE isn't started or when the administrator clicks on a .DOC file WINWORD.EXE isn't started, but rather a Trojan horse. It can even be a batch file, that then adds the hacker to the Administrator group and then starts the intended application.

    One important aspect of NT "security" is that most security bugs uncovered on NT are really naive. While many have been solved, (and sometimes amazingly fast for Microsoft within a few weeks) the simplicity by which these bugs can be exploited is incredible. This gives the impression that NT is built by a bunch of kids, or at least people who have no clue about real-world security, only the theory.

    Although there are security bugs in Linux (such as sendmail), they are fairly sophisticated and out of reach, even with complete instructions, to most computer users. The NT bugs can be exploited by anyone and with the tools that NT provides by default!

    Another key problem is that so often, the bug fixes (security and otherwise) address just a single aspect of the problem and do not address the underlying mistake. For example, in W95 and NT it was possible to enter a public share and "jump behind" its root on the server and then get access to any directory on that server. The trick was simply to enter the public share in a command window and then issue a "cd ..." in the root of that share. This was not trapped by the server and this gave access to the parent directory and every other directory. The reaction from Microsoft was to fix just this one stupid error. In the next service pack, it was not possible to do it anymore, but doing "cd .." did it again. Plus the same problem existed on the Internet Information Server. When Microsoft fixed the ".." problem in MIIS, you could still get around it by access a URL using "../.." (the parent of the parent). Not good security.

    For more really stupid NT security holes check out the Insecure.Org website.

    Microsoft tries to market its domain concept as an improvement. Anyone who has tried to implement it in a large network knows that this is far from the truth. Since the NT domain concept is the only security that NT knows about, it is an "all or nothing" deal. Either the shares are open to the entire world ("everyone") or you have to add machines to domains, create "trust relationships" between domains and so forth. Remember that "trust relationships" are n*(n-1). Therefore, with just five domains, you have 20 relationships to manage. Even that few can be a real problem. Because of this shortcoming and the obvious difficulty with managing so many relationships, a lot of administrators simply make shares and other resources available to everyone. In other words, the NT shortcomings cause administrators to make their systems insecure.

    On November 15, 2002 the web site osopinion.com published an article entitled "Study: Linux' Security Problems Outstrip Microsoft" in which it claimed that there were actually more security problems with Linux than with Windows.

    Reading through the article I see nothing different from what has been said from Microsoft supporters for quite a long time about the relative security. There was a lot of handwaving in the article and throwing out numbers like they mean something. The article said "Linux software" and "Microsoft products". When you consider that a number of the bug/problems listed in the CERT advisories apply to both Linux and Windows, they are classified as "Linux software". However, they do not come from Microsoft and are therefore not "Microsoft products". The same bug should be counted against Microsoft, but isn't simply because it was not produced by Microsoft. However, since the software runs on Linux (and therefore "Linux software") it is counted as a bug against Linux. Also, counting the software bugs as "Linux problems" is like saying the PC-cillen bug is a Windows' bug simply because PC-cillen runs **only** on Windows.

    Another important (very important) issue is that many of the Linux (i.e. open source) bugs are from buffer overruns, which have the potential for executing "random" code. They can be found easier in open source software simply because it is open source and you can see them! No one is going to try 4386 different combinations of text to force notepad.exe to overrun a buffer. That's why buffer overruns are never found. However, you can see it with the open source software and it is almost always reported as a security bug. There are more reports of Linux security bugs because anyone can find them.

    Note that the CERT advisories are issued based on both the severity of the problem and the impact. Since most of the software on the Internet is based on open source, many, many times more people are affected than by a bug in a desktop OS. Therefore, open source has a greater impact as it affects more people and is more likely to be reported. As a result the statistics get skewed.

    Check out the CERT site. If you sort the bugs by severity, 18 of the top 25 are "Microsoft products", while less than half of that is open source. A buffer overrun is something that could execute code a hacker wanted, but usually requires a lot of trial and error to figure out just what happens and how to exploit it. Microsoft bugs are typically ones that people discover almost by accident. For example, accessing the parent directory of your Web Server's root by simply using a URL with ../. Since anyone can see the code for open source, the developers cannot hide the fact when they discover bugs themselves. Microsoft can and does hide the fact there is a security bug. It simply fixes them without telling anyone in the next service pack. Again, the statistics get skewed.

    Look again at the term "Microsoft products". There are thousands more open source projects than "Microsoft products". So it makes sense that there will be numerically more bugs in open source software than "Microsoft products". However, if you look at it in terms of percentage (based on the CERT advisories), there was less than one open source bug for every 3000 "products" but one bug for every 35 "Microsoft products". Almost 1:1000!!!

    However, those are pure statistics and you can manipulate them any way you want. Of the thousands of open source projects, many never get off the ground or produce a single line of code. Many more never become part of the standard Linux distribution, so it would be unfair to list them because they simply skew the statistics.

    You need to look at the numbers. One thing both the article and the Aberdeen report failed to mention is that a single advisory often contains multiple vulnerabilities. That is multiple security bugs in a single advisory, which was only counted once by Aberdeen. If you look, the 12 advisories that belong to Linux, there are 17 individual vulnerabilities. However, the seven advisories belonging to the "Microsoft products" platform contain 25 individual vulnerabilities.

    Consider the fact that this was one of Aberdeen's "sponsored" reports. The Aberdeen group has been caught before in publishing an "independent" report blasting one company and being paid by that company's competition. Considering the source, my experience with both "products" and the numbers (not statistics), the article sounds like a lot of paid Microsoft propaganda.
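The pasted article sketches a daily script that checksums /etc/passwd, counts entries, and reports users added to groups or groups with no members. The block below is an added example (not the article's or the poster's code) of that audit in Python: it diffs a saved baseline of passwd(5)/group(5) text against the current copy. The sample file contents, the user names and the PRIVILEGED_GROUPS set are constructed assumptions; on a real host you would read the files from disk and keep the baseline somewhere the host cannot modify.

```python
"""Baseline-versus-current audit of /etc/passwd and /etc/group (added example)."""
import hashlib

# Groups whose membership growth is always worth a report. Assumption: adjust
# to the administrative groups your distribution actually uses.
PRIVILEGED_GROUPS = {"root", "wheel", "sudo"}

# Constructed sample files: the "current" copy adds a UID-0 account and puts
# bob into wheel, which are exactly the changes the audit should surface.
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""
BASELINE_GROUP = """root:x:0:
wheel:x:10:alice
staff:x:50:alice,bob
"""
CURRENT_PASSWD = BASELINE_PASSWD + "mallory:x:0:1002:Mallory:/home/mallory:/bin/bash\n"
CURRENT_GROUP = """root:x:0:
wheel:x:10:alice,bob
staff:x:50:alice,bob
audit:x:60:
"""


def file_digest(text: str) -> str:
    """SHA-256 of the whole file, the modern stand-in for the article's 'sum'."""
    return hashlib.sha256(text.encode()).hexdigest()


def parse_passwd(text: str) -> dict[str, int]:
    """Map user name -> numeric UID from passwd(5)-formatted text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        users[fields[0]] = int(fields[2])
    return users


def parse_group(text: str) -> dict[str, set[str]]:
    """Map group name -> set of listed members from group(5)-formatted text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed group line: {line!r}")
        groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups


def audit(base_passwd: str, base_group: str, cur_passwd: str, cur_group: str) -> dict:
    """Compare a saved baseline with the files as they are now."""
    old_users, new_users = parse_passwd(base_passwd), parse_passwd(cur_passwd)
    old_groups, new_groups = parse_group(base_group), parse_group(cur_group)

    privileged_additions = {}
    for name in sorted(new_groups.keys() & PRIVILEGED_GROUPS):
        added = new_groups[name] - old_groups.get(name, set())
        if added:
            privileged_additions[name] = sorted(added)

    return {
        # Cheap first check: did either file change at all?
        "passwd_changed": file_digest(base_passwd) != file_digest(cur_passwd),
        "group_changed": file_digest(base_group) != file_digest(cur_group),
        "added_users": sorted(new_users.keys() - old_users.keys()),
        "removed_users": sorted(old_users.keys() - new_users.keys()),
        # Any account other than root with UID 0 is a second superuser.
        "uid0_aliases": sorted(u for u, uid in new_users.items() if uid == 0 and u != "root"),
        "privileged_additions": privileged_additions,
        # Groups with no listed members (the article's "groups with no users").
        "empty_groups": sorted(g for g, members in new_groups.items() if not members),
    }


if __name__ == "__main__":
    for key, value in audit(BASELINE_PASSWD, BASELINE_GROUP, CURRENT_PASSWD, CURRENT_GROUP).items():
        print(f"{key}: {value}")
```

The digest comparison answers "did anything change" in one line; the parsed comparison answers "what changed", which is what an incident responder actually needs. Note that a group's empty member list is normal for primary groups such as root, so the empty_groups list is a prompt for review rather than an alarm on its own.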

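The article's point about LM hashes rests on two properties: every user's password goes through the same fixed transformation, so equal passwords give equal stored values, and a 14-character password is stored as two independently attackable 7-character halves. The block below is an added example, not code from the article or the thread, that makes both properties concrete from the defender's side: hashlib.pbkdf2_hmac stands in for the platform's real password hash, and every user, password and salt is constructed. The salted store uses a 16-byte per-user salt rather than the 12-bit salt (4096 values) of the classic Unix scheme the article mentions; the principle is the same.

```python
"""Same password, same hash: what an unsalted store leaks, what a per-user
salt fixes, and what splitting a secret into halves costs (added example)."""
import hashlib
import os


def unsalted_hash(password: str) -> str:
    """One fixed transformation for every user, as the article says of NT's."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Stored form 'salt$digest'; the salt is random per user and not secret."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def new_salt() -> bytes:
    return os.urandom(16)


def shared_hashes(store: dict[str, str]) -> list[list[str]]:
    """Groups of users whose stored value is byte-for-byte identical."""
    by_value: dict[str, list[str]] = {}
    for user, value in store.items():
        by_value.setdefault(value, []).append(user)
    return sorted(sorted(users) for users in by_value.values() if len(users) > 1)


def worst_case_guesses(alphabet_size: int, length: int, pieces: int = 1) -> int:
    """Guesses needed to exhaust one secret of `length` characters when it is
    stored as `pieces` independently attackable chunks of equal length."""
    chunk = length // pieces
    return pieces * alphabet_size ** chunk


def demo() -> dict:
    people = [("alice", "Acme2003"), ("bob", "Acme2003"), ("carol", "Different1")]
    unsalted = {u: unsalted_hash(p) for u, p in people}
    salted = {u: salted_hash(p, new_salt()) for u, p in people}
    return {
        "unsalted_duplicates": shared_hashes(unsalted),  # alice and bob stand out
        "salted_duplicates": shared_hashes(salted),      # nothing to see
        # One 14-character secret versus two 7-character halves, for an assumed
        # 69-symbol alphabet (what is left after LM's upper-casing).
        "one_piece": worst_case_guesses(69, 14),
        "two_halves": worst_case_guesses(69, 14, pieces=2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt only helps if it differs per user: hashing two identical passwords with the same salt reproduces the duplicate, which is why salt reuse across a user base is treated as a configuration defect. The arithmetic in worst_case_guesses is the article's "crack each half individually" claim stated exactly: the two-halves case is 2 * 69^7 guesses against 69^14 for the undivided secret.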
  7. #27
    Member
    Join Date
    Feb 2003
    Posts
    95
    Yea, didn't microsoft say that windows server 2003 was the most "secure" server software ever? hmm, they make more broken promises than a politician....

  8. #28
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    Catch.... You're in the wrong place.... If you want security discussion at your level there are the uber leet places for you..... If you want to help us less than leet dorks please feel free.... But your uber leet attitude in this less then leet world does us no good and makes you look silly......
    I don't think there is anything that Catch discusses that is above level for here. He has some good statistics and reports on some issues, but throwing around numbers and statistics does not mean that it can't be understood.



    * Have to check by hand for any changes to files.
    * No tools to check for "dictionary attack" vulnerability.
    * Systems have to be reinstalled when merging domains. (Security ID is dependent on the currently installed copy of the system.)
    * Microsoft sells an extra Firewall product.
    * No easy way to check to see if a new user has logged in and changed their password (See below)
    * There a literally hundreds of holes that allow any to create a Trojan horse without any special programming skills.(See below)
    Man.. Whoever is writing this knows very, very little about Windows. If the person that wrote this article spent more time trying to learn about Windows than trying to bash Windows they might realize their misconceptions are pretty funny.

    First off, group policies gets rid of most of these issues.

    You can use L0phtcrack to check your password files.

    filever is a tool that can check just about every property on a file and compare it to a file in a different location.. I use it pretty regularly when troubleshooting systems. I create a baseline off of a functioning lab machine and compare it to the machine in production. Makes for an easy way to find mismatched dll's and exe's..

    You can very easily check if a person has changed their password. In fact I just wrote a script the other day that searched through the security log of 10 global catalog servers to determine where the login requests originated when an account is locked out. We have issues at work where people leave a session logged in and then change their passwords. I used only resource kit tools to write the script. It would only be a matter of looking for a different event code ID to find password changes instead of account lockouts. I can tell you the type of client that changed the password, the netbios name of the computer that was used, and I'm pretty sure I could get the IP either in the security log, or with a little bit of digging into the WINS database.

    Hundreds of holes? hehe... I think a standard Linux distro has more holes than a standard win2k or 2k3 install.

    The other post from this site was funny as well. No CLI in Windows?? hehehe.. If you really believe these articles you need to do some of your own research into the help files on a Windows system. Or http://support.microsoft.com.
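The poster describes searching the Security logs of several global catalog servers for the machine that originated the requests behind an account lockout, and notes that password changes are only a different event ID away. The block below is an added example, not the poster's resource-kit script, of that correlation in Python. It assumes the events were first exported to CSV with the columns shown, and it uses the Vista-and-later Security log IDs (4723 password change attempt, 4724 password reset, 4740 account locked out; for 4740 the "caller computer" field names the machine the failed attempts came from). The 2003-era IDs the poster would have used differ. All log lines are constructed.

```python
"""Correlate password changes with lockout origins in an exported Security
log (added example; event IDs are the Vista-and-later values)."""
import csv
from collections import defaultdict
from io import StringIO

PASSWORD_CHANGE_IDS = {4723: "change", 4724: "reset"}
LOCKOUT_ID = 4740

# Constructed export: jsmith changes a password from WKS-042, then two DCs
# report lockouts whose bad attempts came from WKS-017, where an old session
# is presumably still retrying the stale credential. The 4624 logon row is
# noise the filters must ignore.
SAMPLE_EXPORT = """timestamp,event_id,dc,target_user,caller_computer
2024-05-01 08:02:11,4723,DC01,jsmith,WKS-042
2024-05-01 08:05:40,4740,DC01,jsmith,WKS-017
2024-05-01 08:05:58,4740,DC02,jsmith,WKS-017
2024-05-01 09:11:03,4724,DC03,tlee,ADMIN-PC
2024-05-01 09:30:00,4624,DC01,tlee,WKS-099
"""


def parse_export(text: str) -> list[dict]:
    """Rows from the CSV export, event_id as int, ordered by timestamp."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["event_id"] = int(row["event_id"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["timestamp"])


def password_changes(rows: list[dict]) -> list[dict]:
    """Every change/reset, with the DC that recorded it and the client it came from."""
    return [
        {"time": r["timestamp"], "user": r["target_user"],
         "kind": PASSWORD_CHANGE_IDS[r["event_id"]],
         "dc": r["dc"], "source": r["caller_computer"]}
        for r in rows if r["event_id"] in PASSWORD_CHANGE_IDS
    ]


def lockout_sources(rows: list[dict]) -> dict[str, list[str]]:
    """User -> distinct machines that 4740 names as the origin of the failures."""
    sources = defaultdict(set)
    for r in rows:
        if r["event_id"] == LOCKOUT_ID:
            sources[r["target_user"]].add(r["caller_computer"])
    return {user: sorted(machines) for user, machines in sources.items()}


def stale_session_suspects(rows: list[dict]) -> dict[str, list[str]]:
    """Users locked out from a machine other than the one that last changed
    their password: the 'left a session logged in elsewhere' case."""
    last_change_source = {}
    suspects = defaultdict(set)
    for r in rows:  # rows are already time-ordered
        user, origin = r["target_user"], r["caller_computer"]
        if r["event_id"] in PASSWORD_CHANGE_IDS:
            last_change_source[user] = origin
        elif (r["event_id"] == LOCKOUT_ID and user in last_change_source
              and origin != last_change_source[user]):
            suspects[user].add(origin)
    return {user: sorted(machines) for user, machines in suspects.items()}


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    print(password_changes(events))
    print(lockout_sources(events))
    print(stale_session_suspects(events))
```

Because lockouts are recorded on whichever domain controller processed the failed attempts, the export has to merge all the DCs (the poster's ten global catalog servers) before the correlation is meaningful; the time ordering in parse_export is what lets a lockout be tied to the most recent change for that account.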

  9. #29
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Excellent, I was hoping you'd paste this. I'd almost like to make this a new thread to reach the widest number of people possible, but I won't.
    For the sake of simplicity I will avoid all subjective comments in your paste.

    However, for the system administrator the issue is completely different. There are dozens of directories and hundreds of files that the administrator has to change by hand in order to make NT secure for most businesses. This requires anywhere from 30 minutes to an hour per machine to ensure that the security is correct.
    Or you can do it once and make a script, or do it once in your friendly group policy editor, which will propagate it down the entire system. That is an undeniable error in the document you posted; let us look for more.

    Despite the advantages that UNIX has in terms of scalability and reliability, the default security of NT scares away all but the die-hard Microsoft fans.
    This is a subjective comment, but I feel that it needs to be commented on as it shows the author's mindset. Having systems ship in a highly hardened state is not only _NOT_ a good thing, but is in fact a bad thing. Why is this, you ask? The amount of resources required to lock down a completely open system is less than that required to make a completely locked down system functional.
    Think about it for a moment: to lock down a system you look and see what the system does not need, and specifically lock down those objects in accordance with the system's trusted facility manual (TFM), _IF_ it has one (NT does, Linux does not). Those specific system objects are then audited to ensure that the modifications were made to specification. Unlocking objects, however, requires that the required objects are unlocked, and once this is done the _ENTIRE_ system needs to be audited to ensure that none of these changes influenced objects beyond the intended scope. This is especially complex in a system like Linux, which lacks ACLs, as users/groups may be inadvertently granted rights they should not have. (The transitive rights problem with single command, multi action access control models.)
    So you see, Windows' insecure default configuration is not only intentional, but it is ideal when dealing with secure systems.

    Yes, there are holes in UNIX and Linux. In order to exploit them, you need to either be a UNIX guru or an expert programmer (or both). Anyone can easily exploit the holes in NT.
    Ah, fantastic... I love this argument above all others, I think. True, it too is subjective, but it is just so bad and so widespread that it needs to be dealt with.
    The fact that Windows exploits fall so easily in the hands of kiddies is actually what ensures that Windows patches are frequently released more quickly than Linux patches are. I know, I know... millions of programmers around the world... blah blah. You missed something, the fact that Linux exploits require more skilled attackers indicates that Linux exploits spend a far longer period in the 0-day realm.

    Another important aspect to consider is that the NT security model is stricter than Linux. That is, the concepts behind Windows NT security could lead to a more strictly controlled system. However, the implementation has made Windows NT open to all sorts of attacks.
    Back to the argument about default security? Read above.

    Security has had years to be tested and verified.
    Linux dates back to 1992 and the UN*X security model on which it is based was _PROVEN_ flawed by the Harrison, Ruzzo, and Ullman study back in the late 70's. (Not familiar? God bless Google, or read the first part of my tutorial on how to hack nearly any OS.)
    Windows security on the other hand dates back to 1980 with XENIX and subsequently Secure XENIX. This was one of the first systems to take advantage of the developments in operating system security models developed by Bell-LaPadula, Biba, and Harrison, Ruzzo, and Ullman. Though this system was originally a UN*X, it evolved into one of the most secure trusted operating systems ever evaluated (B2). Its segregation of administrators and operators as well as its discretionary access control systems were both dramatic improvements over traditional UN*X, and both have since found their way into the NT line. Not only has this model had 23 years, but the initial work was done in a highly formalized environment, ensuring even greater verification.

    Security is tied to the file. Can reinstall without fear of having to replace security information manually.
    This is not true, and if it were true... it would be an awful hole, not a strength. If you think that each file handles its own security, try copying a file from one system to another where the original owner doesn't exist on the second system (for simplicity's sake). Now, why would it be bad if it were true? Oh my god, the parallelism nightmares that would go hand in hand with that design, much less the assurance issues of not having a single point of highly verified controls.

    Can easily tell if a file has been changed on your system. This includes mundane things like the permissions, but also includes more important things like the checksum.
    NT can not only do this, but it can do it automatically and in real time, with no additional software required.

    Standard attack on any system is the "dictionary attack". Can create tools easily to test for this vulnerability.
    The dictionary attack? ROFL, I bet the author thinks that telnet is the end all, be all hacking tool. NT can automatically configure password length and complexity requirements as well as account lockout periods after an arbitrary number of incorrect logons.

    Firewall functionality is built-in to the server.
    Perhaps you should look up what a fifth-generation firewall is, you'll need to know if you ever wish to be even a CISSP.
    I'll save you the time, from my roommate's "The CISSP Prep Guide: Gold Edition" pg.119 (There are 5 generations of firewall by the way):

    A Kernel Proxy is a fifth-generation firewall architecture that provides a modular, kernel-based, multi-layer session evaluation and runs in the Windows NT Executive, which is the kernel mode of Windows NT. It is a specialized firewall architecture that uses dynamic and custom TCP/IP-based stacks to inspect the network packets and to enforce security policies. Unlike normal TCP/IP stacks, these stacks are constructed out of kernel-level proxies.

    There, now you have enough knowledge on that subject to get one question right on a basic garden variety security certification program (which is more than I can say for the author of that). No need to thank me.

    Can easily check if a new user has logged in and changed the default password.
    NT can log all logon events and policy modifications successful or failed.

    * File access currently limited to READ-WRITE-EXECUTE for USER-GROUP-OTHER.
    * Security is not as strict.
    * No auditing.
    How can you read this and even continue this conversation? Basically his whole argument is that Windows NT is more secure, but Linux sometimes ships in a more hardened state (which, as I discussed above, is actually a strike against).

    Your own source says NT is more secure. And...

    * Stricter security available. (See below)
    * Larger number of choices for access permissions.
    * Auditing of security event.
    He goes on to restate why, just in case you didn't understand the first time.

    Ok, I see no reason to keep hitting the default configuration issue home as the author does, so let's skip that. I've also covered the system security not being in its infancy, and the benefits of having centralized access control management. I've pointed out that he is incorrect on NT's inability to check files for integrity and its tools to deal with dictionary attacks. The author seems a little confused about:
    No easy way to check to see if a new user has logged in and changed their password
    even though he stated:
    Auditing of security event.
    as an advantage of NT. Again it seems that this author is not only incorrect on many things, but can't even hold a single stance on many things for the duration of the document. Obviously the changing of a password is a security event and can be audited as one.

    Hmm I wonder if the author has any new points... lots of rehashing now in paragraph format rather than list. Ah here we go, passwords.

    NT security is generally better than UNIX. However, "stricter" might be a more appropriate word than "better." It is theoretically harder to crack NT password as they use a larger encryption key. However, the LM HASH used to encrypt passwords actually breaks the password into two, seven-character pieces.
    Ah yes, LM HASH, which is only available for compatibility with WinSUE systems, and which the TFM suggests be disabled, for NTLM passwords only. Again with default configuration and not with the system's abilities. Use the newer NTLM and password length (8+ chars) as well as complexity requirements and see how well l0pht does then.

    In addition, the standard attack is still a dictionary attack and that works effectively no matter how large the key is.
    Dictionary against what? You can't brute force the logon prompt, and if you have access to the SAM you are already an admin, so why crack?

    He next goes into stuff about how his company didn't verify their backups properly (probably didn't click that little checkbox that says "verify backup"). And then he goes back to monitoring file integrity. Well, in addition to checking it exactly the same as you would on Linux (with a script... WSH, Perl, whatever), you can also use NT's built-in system file protection, and you may increase the cache and add other files as you wish to be monitored in real time for changes.

    I have heard comments that because the Linux source code is freely available then it is less secure.
    Yup, this is why Linux rootkits are so much better than NT rootkits. In fact it is a trivial matter to trojan a Linux system's kernel, open source compiler (to affect all future kernel recompiles and whatever else you want), as well as the open source IDS system. Have fun recovering from that attack. In NT, if you get a rootkit installed your system will start crashing with specific error messages that would tip the admin off.

    There are tens of thousands of people out there who look through the code and when a bug is discovered (related to security or not) it is made public and the bug is fixed.
    All those people working completely ad hoc with no structure or focus. This type of development offers the lowest level of assurance and falls under the lowest maturity level of the software development Capability Maturity Model. Also keep in mind that most of the people developing are programmers with little to no knowledge of system design (otherwise they would not be using a monolithic system in the first place), and this is who you are relying on?
    You can have a system that has no bugs at all and is still insecure, with a flawed design.
    You can have a system with countless bugs and applications flaws that is secure with correct design.

    When new users are created they typically get a standard password.
    Yeah, if you have a security policy written by lazy admins with no concern for security.

    blah blah back onto default security, dead horse... (remember when apache.org was rooted via configuration issues in their ftp, http, and mysql servers as well as the OS itself? All in the same attack? haha)

    There is some talk about the directory traversal issues that affected Windows for a little while, though these two were merely a configuration issue which could have been resolved by stating which users are not allowed to traverse directories in the security policy. And as far as IIS5 goes, every single exploit released for IIS5 could have been dealt with by just following the IIS security checklist.

    Next we have a complete misunderstanding of how domains work, with some bad math thrown in for good measure... (5*4=20 not 30) and lots of unrelated comments about CERT and whatnot...

    Any questions?

    catch

    PS. "Whoever is careless with the truth in small matters cannot be trusted with important matters."
    Albert Einstein
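    The password settings catch keeps coming back to in the post above (no LM hash, newer NTLM, 8+ character length, complexity, lockout after a set number of bad logons) as one audit script. This is an added example, not code from the post or from Microsoft; it assumes a domain-joined machine with the RSAT ActiveDirectory module installed, and the thresholds in it are assumptions for illustration, not values from the thread.

```powershell
# Added example, not code from the original post. It checks, on a domain-joined
# Windows machine, the password settings the post says NT should be run with:
# no LM hashes, NTLMv2-only authentication, a minimum length of 8+, complexity,
# and account lockout against online dictionary attacks. It assumes the RSAT
# ActiveDirectory module is available; the thresholds are assumptions for
# illustration, not values from the thread.
Import-Module ActiveDirectory

function Test-PasswordHardening {
    param(
        [int]$MinLength = 8,             # "8+ chars" as the post suggests
        [int]$MaxLockoutThreshold = 10   # assumed upper bound for bad attempts before lockout
    )
    $findings = @()

    # 1. LM hash storage. NoLMHash=1 is the registry form of the policy
    #    "Network security: Do not store LAN Manager hash value on next password change".
    #    It only stops new LM hashes being stored; hashes already in the SAM/AD persist
    #    until each user next changes their password.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($lsa.NoLMHash -ne 1) {
        $findings += 'NoLMHash is not 1: LM hashes (two 7-char halves) are still stored on password change'
    }

    # 2. LAN Manager authentication level. 0-2 still send LM/NTLMv1 responses on the wire;
    #    3 = send NTLMv2 only; 5 = send NTLMv2 only and refuse LM and NTLM as a server.
    #    An absent value means the OS default (3 on Vista/2008 and later).
    $level = if ($null -eq $lsa.LmCompatibilityLevel) { 3 } else { [int]$lsa.LmCompatibilityLevel }
    if ($level -lt 3) {
        $findings += "LmCompatibilityLevel is $level: LM/NTLMv1 responses are still sent"
    }

    # 3. Domain password policy: length, complexity, lockout. Fine-grained password
    #    policies (PSOs) can override these for specific users or groups, so check
    #    Get-ADFineGrainedPasswordPolicy separately if any exist.
    $pol = Get-ADDefaultDomainPasswordPolicy
    if ($pol.MinPasswordLength -lt $MinLength) {
        $findings += "MinPasswordLength is $($pol.MinPasswordLength), below $MinLength"
    }
    if (-not $pol.ComplexityEnabled) {
        $findings += 'Password complexity is disabled'
    }
    if ($pol.LockoutThreshold -eq 0) {
        $findings += 'LockoutThreshold is 0: online dictionary attacks against the logon prompt are not throttled'
    } elseif ($pol.LockoutThreshold -gt $MaxLockoutThreshold) {
        $findings += "LockoutThreshold is $($pol.LockoutThreshold), above $MaxLockoutThreshold"
    }

    return $findings
}

$findings = @(Test-PasswordHardening)
if ($findings.Count -eq 0) {
    'Password hardening checks passed'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

    The two registry values are read rather than set on purpose: changing NoLMHash or LmCompatibilityLevel by hand on one box is exactly the per-machine work the post argues against, so the remediation belongs in the domain policy that group policy pushes everywhere.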

  10. #30
    Banned
    Join Date
    May 2003
    Posts
    1,004
    So nate (or anyone really), still need more time to formulate a public response? Or are you just going to ignore this and let your rather unkind private message stand?

    catch
