Re: [Full-Disclosure] Microsoft plans tighter security measures in Windows XP SP2
From: yossarian (yossarian_at_planet.nl)
To: firstname.lastname@example.org
Date: Sat, 01 Nov 2003 00:25:53 +0100
> On Fri, 2003-10-31 at 11:12, yossarian wrote:
> > <snip>
> > > File and printer sharing is not needed? Remote administration is not
> > > needed? Maybe not in home use, but in corporate?
> > No, sorry Paul. Printers have their own IP address, file and
> > was introduced for small networks. But since the mid nineties a network
> > interface became standard in laser printers - printer sharing became a real
> > issue. File sharing: not for workstations, unless you make backups of
> > workstation. Not suitable for corporations, user data is corporate
> > needs a back up so MUST be on a server. It is impossible to secure a
> > where file and print sharing is common (where is the sensitive info to
> > secure?) - my personal BOFH way is disable the server service on every
> > workstation. And the browser service as well.
> What planet are you working on? I have bought 5 printers in the last
> three years and 2 of those had built-in network cards. The others use
> "jet-Direct" type interfaces which require software to be installed on
> the server. You're saying I install this on everyone's workstation so
> they can connect directly? Uh huh. No file sharing; everything should be
> stored on a central server. Sure, no problem I'll just go out and drop
> $100k on a SAN to store it all. *Or* I could take advantage of the fact
> that every machine I buy comes with at least 40 GB of drive space on it.
> And I'm sure you're going to suggest thin clients here, so I'll go out
> and buy a small render farm for my graphics guys to do their 3D work on.
I usually work for banks and government agencies - yes, SAN systems are
getting fairly normal nowadays. I think you are in the SoHo market, with 5
printers in three years, 50 users that develop software - the customer I am
working for at the moment has some 5000 printers in the network, all HP with
Jetdirect with an IP address. I am not a printer admin, so I had to check at
the HP4000 here at home - nope, it runs even when I turn off the server, all
you do is install the IP printing service on the workstations, not
printer sharing, which is a NetBIOS thingie... Yeah, you can install software
on the server and share the printer to the users, but to use a shared
resource you do NOT need to install file and printer sharing on the
workstations. Like I wrote - workstations, NOT servers.
Jetdirect cards are print servers, at least the ones in HPs. Connecting a
printer to a PC IMHO makes it a server, albeit a non-ded one - and it is
utterly useless. I am not into thin clients for power users, but this has
absolutely no relation to file or printer sharing....
And I do consider the big disks in new 'puters a waste of capacity, but
since they cost the same as 4GB did a few years ago, who cares?
Dunno how it is on the planet you work on, but PCs get stolen on a fairly
regular basis, so having data on them is considered insecure. No need for a
firewall, superglue is better here.
And for the SAN thing - I agree people doing rendering take a lot of disk
space, but Joe Average User won't need so much storage - maybe 50MB per
year. With 2000 users per server - who needs a SAN? Unless you allow them to
store everything - MP3s, holiday snapshots, downloaded software they aren't
allowed to install anyway, bedroom movies, every previous version of every
document, etc. Maybe I am getting old, but what is wrong with disk quota? It
actually increases efficiency, less time needed to find an older document.
Different with developers, graphic types et al., I know, but the large
majority of 'puter users type Word documents, send e-mail and use big apps
that are server-based or mainframe-based. So no local data.
> > Remote administration may be needed, I just said it is rarely used, for
> > various reasons, the foremost being that the support staff don't know
> > about the inner workings of windows, MCP or not.
> Right, and what inner workings do I need to know to use my remote patch
> management software without RPC? It's really handy actually, but then
> again maybe there's a better way to do it that I'm just too stupid to
> know about.
Login script. Daisy-chaining patches. Basic stuff, really.
> Hopefully we can all agree that anything Microsoft can do to attempt to
> make its O/S more secure is better than the way it is now.
What is the use of a wrong attempt? A false feeling of security is actually

Full-Disclosure - We believe in it.
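The workstation hardening yossarian describes (Server service and Computer Browser service off, no file shares on workstations) as an added audit script, not code from the thread or from either poster. It assumes PowerShell 3 or later with CIM available; the service names LanmanServer and Browser are the real Windows names, the -Remediate switch is this example's own.

```powershell
<#
 Added example: audit a Windows workstation for the Server service (LanmanServer,
 which serves SMB file/print shares), the Computer Browser service (Browser,
 NetBIOS browse lists) and any user-created shares; -Remediate disables and stops
 the services and removes the shares. Run as an administrator.
#>
[CmdletBinding()]
param([switch]$Remediate)

$targets = 'LanmanServer', 'Browser'

function Get-ServiceReport {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Service=$Name; Status='NotInstalled'; StartMode='n/a'; Compliant=$true }
    }
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    [pscustomobject]@{
        Service   = $Name
        Status    = $svc.Status
        StartMode = $cim.StartMode
        # compliant only if it is stopped now AND cannot come back after a reboot
        Compliant = ($svc.Status -eq 'Stopped' -and $cim.StartMode -eq 'Disabled')
    }
}

function Get-UserShares {
    # Type 0 = ordinary disk share; admin shares (C$, ADMIN$, IPC$) carry the 0x80000000 flag
    Get-CimInstance -ClassName Win32_Share | Where-Object { $_.Type -eq 0 } | Select-Object Name, Path
}

$report = $targets | ForEach-Object { Get-ServiceReport $_ }
$report | Format-Table -AutoSize
$shares = Get-UserShares
if ($shares) { Write-Warning 'User-created shares present:'; $shares | Format-Table -AutoSize }

if ($Remediate) {
    foreach ($s in $shares) { net share "$($s.Name)" /delete /y | Out-Null }
    foreach ($r in $report | Where-Object { -not $_.Compliant -and $_.Status -ne 'NotInstalled' }) {
        # disable first so nothing restarts it, then stop it; Browser depends on LanmanServer
        # and stops with it, which is why the two are handled in this order
        Set-Service -Name $r.Service -StartupType Disabled
        Stop-Service -Name $r.Service -Force -ErrorAction SilentlyContinue
    }
}
```

Note that stopping LanmanServer also removes the administrative shares, so remote tools that rely on them stop working, which is the trade-off the thread is arguing about.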