Re: Security issues, purchasing a new, pre-loaded, Windows XP computer

From: Tijl Schoonenberg (schoonen@desan.nl)
Date: 10/07/02


Date: Mon, 07 Oct 2002 20:53:38 +0200
To: focus-ms@securityfocus.com
From: Tijl Schoonenberg <schoonen@desan.nl>

Hi Ken,

Well...
If you really want to patch the whole installation I would say "Get someone
nearby with a cable or DSL line and grab anything you need onto a
CD-Recordable". It would be a hell of a job indeed to patch it through
dial-up. Next to that... I remember someone saying that one (being
paranoid? not really) would be best off patching a machine while it
is _not_ connected to the internet, and I guess I should agree when talking about
a badly secured system (i.e. Out Of The Box).

If you don't have such a download/burn possibility at least use the Express
Install, and not the Network Install of the Service Pack, both can be found
on the MS site, using the first mentioned it should only download and
upgrade those components you really have installed and thus would decrease
the overall download size.

But.. why leave all features installed on his system? i.e. uninstall IIS,
networking services etc... If you don't use them of course. That would
cause the updating process(es) to take less time of course as it does not
have to patch all of the uninstalled components.

Oh yes... I think you already crossed the following: the Administrator
password is EMPTY on any just-installed system running Windows XP. At least
I noticed it on some XP Corporate installations and I think it's the
default. So the first thing to accomplish is an Admin-password ;-)
Getting (all) other accounts out of the Administrators-group (or giving
them good passwords) might be a job as well as I noticed that users being
created in the install-phase are put in there (aargh, BILL! why?? heh; maybe
I should blame our OEM-supplier, but I don't think so unfortunately; if so
somebody tell me and I will crush the OEM).

Now for the whole updating process... If doing normal hotfix installations
you'll have to say to every fix whether it should reboot or not. That's
also the fact with an eventual Internet Explorer update (from IE6 Gold to
IE6 SP1) and DirectX updates.
But, hotfixes can easily be chained by executing them with arguments "-z
-m" (i.e. from a cmd-/batchfile) after which it does not ask to reboot. You
might check possible arguments by using "$XP_hotfix.exe -?", but the above
should work.

If you would like to get a tool capable of checking your missing hotfixes,
use hfnetchk.exe. The tool is being developed by Shavlik Technologies
(www.shavlik.com), any documentation about the tool can be found on
Microsoft's Technet pages as well as the download-link, just do a search
for it on that site. The tool checks your system for missing patches and
returns the corresponding MS article-numbers which you can find at
http://www.microsoft.com/technet/security/current.asp.

I think that if you batch the hotfixes those can be fully installed without
any user interaction, though myself, I don't like my system to do nasty
things if I'm not behind the keyboard. Installation of other upgrades I
would definitely perform while being there physically.

Good luck, Tijl

At 09:46 07-10-2002 -0700, De Velopment wrote:
>Hello,
>
> I asked a casual question on another forum and believe I have
>opened a major can of worms.
>
> The casual question came up when a friend of mine told me that she
>purchased a new PC (I think Gateway, but manufacturer not important).
>The PC comes pre-loaded with Windows XP Home. Simple enough. There
>are probably millions of preloaded Windows XP boxes sold every week.
>
> The problem is security. Out of the box, Windows XP has some rather
>dangerous vulnerabilities, including Universal Plug-n-Play, a number
>of Internet Explorer / Outlook Express holes, including incorrectly
>labeling an executable file as an audio (sound) file, and just maybe
>a version of IIS that can be hit from outside by Code Red and Nimda.
>
> The question I brought up is what is required to make a PC, just
>purchased, with Windows XP, safe on the Internet? One answer I got
>was that all downloads, (Service Pack 1, Security Rollup, and
>miscellaneous patches) would come up to 105 Megabytes. The problem
>is that my friend only has dialup access! How long would it take
>to download 105 Megs on a dialup line? How about if the phone line
>is dirty? A related question, for those outside the USA, is how much
>would it cost to download all of these fixes?
>
> So, my question to this list: Exactly what should I tell my friend?
>How dangerous is it to have an unpatched Windows XP Home system on
>the Internet? How many steps does it take to secure it? And, does
>anybody have an estimate on how long it takes with Dialup? Can this
>upgrade be done at night while she is sleeping? (Or does it take
>several reboots and answers to questions (i.e. EULA) along the way?)
>
> Finally, has Microsoft been approached with the idea of releasing
>a bug-fix version of Windows XP that has the patches pre-applied,
>at least for the OEM distributors?
>
> Thanks in advance and best regards,
>
> Ken Parker
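
Added example, not part of the original post: a batch file that chains staged hotfixes with the "-z -m" arguments mentioned in the reply, waits for each installer to finish, and logs the result so the machine is rebooted once at the end. The folder C:\hotfixes, the Q*.exe file naming and treating a non-zero exit code as a failure are assumptions.

```batch
@echo off
rem Added example: chain Windows XP hotfixes without a reboot prompt per fix.
rem Assumptions (not from the original post): the hotfix packages were copied
rem from the CD-R to C:\hotfixes (hypothetical path), they are named Q*.exe,
rem and a non-zero exit code from an installer means it failed.
setlocal
set HOTFIX_DIR=C:\hotfixes
set LOG=%HOTFIX_DIR%\install.log

if not exist "%HOTFIX_DIR%\Q*.exe" (
    echo No hotfix packages found in %HOTFIX_DIR%
    goto :eof
)

echo Hotfix run started %DATE% %TIME% > "%LOG%"

rem Install one package at a time so failures can be tied to a single fix.
for %%F in ("%HOTFIX_DIR%\Q*.exe") do call :install "%%F"

echo Done. Review "%LOG%", then reboot once by hand.
goto :eof

:install
echo Installing %~nx1 ...
rem -z -m: the arguments given in the post; the fix then does not ask to reboot.
rem start /wait blocks until the installer exits and passes on its exit code.
start /wait "" %1 -z -m
if errorlevel 1 (
    echo FAILED %~nx1 >> "%LOG%"
) else (
    echo OK     %~nx1 >> "%LOG%"
)
goto :eof
```

Run it with the network cable or modem unplugged, then check the log before the single reboot.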


