Thread: Services for Unix

  1. #1
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915

    Services for Unix

    Hey Hey,

    I do believe that it's time to try and stir some discussion again... so here's my latest discussion topic...

    For those of you that have never used Services for Unix before it is quite the impressive Microsoft Product, especially when you consider that it's Free.

    Source: http://www.microsoft.com/windows/sfu...view/sfuwp.asp
    This paper provides an introduction to the features and benefits of Windows Services for UNIX 3.5, the award-winning interoperability toolkit from Microsoft. Windows Services for UNIX enables Windows and UNIX clients and servers to share network resources, integrates account management, simplifies cross-platform management, and provides a full UNIX scripting and application execution environment that runs natively on Windows.
    Services For Unix 3.5, the latest version of the software, was released in January 2004. It is catching so much attention lately that Windows & .Net Magazine used it for the July Top Ten List. Unfortunately to read that article you have to be a Windows & .Net Subscriber. Since pasting it openly in this forum would probably violate copyright laws, I won't do that, however if anyone wants more details on the article they can send me a PM. In the meantime I'll list the points they provided.. just not the descriptions..

    10. Telnet is provided (Server and Client) (with NTLM authentication)
    9. Unix Shells are provided (Korn and C Shells natively, bash can be downloaded)
    8. Unix Command-Line Utilities - More than 350 commands and utils
    7. Scriptable Management - MMC Snapin, scriptable management through WMI
    6. User Name Mapping - Map Unix Users to Windows Users
    5. Interix Unix Application Runtime - Unix Runtime with a full set of APIs
    4. Perl 5.6.1 - No explanation needed
    3. Password Synchronization -- Password Changes between the systems
    2. Server for NIS - Store UNIX users, groups and hosts in AD and have them authenticate against AD
    1. NFS Support - Client, server and gateway, Unix clients access Windows shares (Server), Windows clients access unix files (client)

    You also end up with three noticeable services running... init, inetd and cron. Services that all work similarly to the way their UNIX counterparts work.

    Now for the discussion... Here's some questions I pose to you.

    1. The Telnet server -- does it have any significant security increase over the default Windows telnet server? Why would you make use of this one instead of the one that comes with Windows. Since SFU has an Interix version (unix sources compiled) and a Windows version.. which would be more reliable to use.

    2. Does adding NIS and NFS to a Windows environment present any new security risks that an administrator would have to take into account?

    3. Is having UNIX user authentication tied into AD a good idea? How about password synchronization over the network even if 3DES encryption is being used for transmission?

    4. Is having a full UNIX runtime with a full set of APIs beneficial on a Windows server? Is it secure?

    As a home user I love this software and I'm currently trying to convince my college that it should be tied into our server/operating system courses. I think it'd be great to setup and tear apart in a lab setting.. I'm just wondering if the Services it provides open the server up more than it should be... SFU 3.5 is still relatively new and doesn't have a lot of documentation... How many sloppy set-ups are there out there... even for the properly done setups.. does anyone know how secure it really is?

    LINKS
    Services For Unix 3.5 Homepage
    Download Services for Unix 3.5
    Introduction to Services for Unix 3.5(Word Document)
    Features of Services for Unix 3.5
    Additional Tools for Services for Unix 3.5 (including the bash shell)


    Peace,
    HT

    PS. If this is new to a lot of people and you'd like a tutorial about the install and setup and what I know about it so far.. how to install additional packages... let me know and I'll start to work on one.

  2. #2
    It won't be about the compatibility or security of the programs that decide how secure the OS will be because of these additions, but how the admin implements, configures, and handles them that will be the deciding factor of security.

    While program individuality has a small hint towards an OS's entire picture towards security, it's also as simple as the admin shutting off the UNIX telnet he doesn't need or securing NFS through SSH and patching it when patches are released.

    Just like Windows, and just like UNIX, the programs themselves won't make or break the OS. The admin's knowledge of the tools will.

  3. #3
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Just like Windows, and just like UNIX, the programs themselves won't make or break the OS. The admin's knowledge of the tools will.
    Particularly my take on that as well. This program however sounds interesting, I'd love to be one of the beta-testers and to see how it works and how integration between the two is considering almost any version of Windows is different than Unix 3.5. As for some of your questions:

    2. Does adding NIS and NFS to a Windows environment present any new security risks that an administrator would have to take into account?
    I don't think so, unless someone further pursued to exploit it (which would be the case if this was EXTREMELY popular).

    1. The Telnet server -- does it have any significant security increase over the default Windows telnet server? Why would you make use of this one instead of the one that comes with Windows. Since SFU has an Interix version (unix sources compiled) and a Windows version.. which would be more reliable to use.
    To me, this would be a "user's preference" issue. I prefer Unix-like environments so I would most likely go for the Interix version. As for reliability, again I'd go for the Unix one, but that's me.
    Space For Rent.. =]

  4. #4
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    Pooh Sun Zu
    Just like Windows, and just like UNIX, the programs themselves won't make or break the OS. The admin's knowledge of the tools will.
    A program may not make or break an OS... but it can break system security. While improper implementation is an admin problem, how about new exploits for the software itself... As an admin, you have no control over that.. If this product becomes widely used and distributed and holes are found and exploits are produced... Having services like NFS and NIS could lead to some large problems... Now that it's a free product, how likely is MS going to be to keep it updated as need be.... will they be monthly updates, weekly, yearly, whenever the next version happens to come out. If a vuln comes up in the SFU NIS Service that gives attackers full access to AD, that's a pretty big hole... what if it takes MS a month to patch it... Not many businesses could stand to take their servers offline for a month... What are the resulting implications to this... how fully will it be supported?

    Spyder32
    Particularly my take on that as well. This program however sounds interesting, I'd love to be one of the beta-testers and to see how it works and how integration between the two is considering almost any version of Windows is different than Unix 3.5. As for some of your questions:
    You don't need to be a beta tester dude.. it's available right now... go download it and play with it. It's pretty cool. Btw it's not Unix 3.5.. Services For Unix is the software name... 3.5 is the version. It'll work with basically any Unix or Linux distribution. As far as integration... that's what NIS and NFS take care of... *nix supports them by default, and this adds Windows support so that they can work together.. I'll grab a box out of the corner and throw 2k server on it later.. and promote it to a DC.. then I'll throw it on the network with my Linux Server and see how AD handles the NIS stuff and I'll let ya know.

    Spyder32

    I don't think so, unless someone further pursued to exploit it (which would be the case if this was EXTREMELY popular).
    Software doesn't have to be extremely popular in order for exploits to be discovered... As long as software has a single user an exploit can be discovered...

  5. #5
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    I'll grab a box out of the corner and throw 2k server on it later.. and promote it to a DC.. then I'll throw it on the network with my Linux Server and see how AD handles the NIS stuff and I'll let ya know.
    Heh, this would actually be great. I might go download it myself and see what I can come up with/play around with it. Also, that tutorial you were talking about sounds like a great idea, I'd love to learn more about this.

    Software doesn't have to be extremely popular in order for exploits to be discovered... As long as software has a single user an exploit can be discovered...
    Oh I know. All it takes is one user who wants to look for an exploit. However, all I was trying to point out was that usually it takes software to be extremely popular before you have a number of exploit/vulnerability problems (such as I.E). Now compare Internet Explorer's vulnerabilities/etc to that of a less-known browser such as FireFox. Sure there are vulnerabilities out for Firefox probably, but nowhere near the "problem rate" (or rate in general) of that of IE.
    Space For Rent.. =]

  6. #6
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    I think a good integration between the two would be pretty neat, however, is this software something MS came up with or is this something that was bought out, etc? MS is known for changing good software to suit their needs OR the integration between anything else and known MS products could be horrific.

    The above said, AD seems to be where things are going in the business world. I'm wondering how will services like this affect Win 2003 where you have to have CALs. How would this differ from using the standby 2000 server w/ these extra services including telnet and NFS besides cost?

    Security of the applications from your own user pool is one thing, but applications that have holes or known exploits, that's another...one I can work with, the other I can't, and have to wait for patches unless I'm pretty knowledgeable in the application's code.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  7. #7
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    We have used Services for UNIX for years. Mostly for the NFS portion which allows our SGI workstations to jive well with their MS counterparts. SAMBA and similar tools just don't compile well on some versions of HP-UX and AIX so Services for UNIX has saved our hind parts many times. The password management components are also a large benefit. FYI, trying to get things talking to an AD setup seems to create as many or more problems than it's solving with the 3.x versions. The initial configuration was painful for us so we gave up.

    Of the many 3rd party Win<--->UNIX packages, this one is worth trying if you have the need.
