Re: Short List of Security Questions



Karl wrote:
"BC" wrote:

The default is usually the best in the newer Linux distros,
but never in Windows.

Right. Linux gets hacked when people start enabling features, like trying
to use it as a web server. IIS 6 on Windows Server 2003 is hacked far less
frequently than Apache on Linux. A significant problem in Linux and Windows
security is the user not knowing how to safely configure and use their OS.

No: http://www.dgl.com/itinfo/2001/it010723.html



The defaults in Windows XP SP2 and 2003 are pretty secure.

No: http://www.security.duke.edu/securepc-xp.html
http://tech.msn.com/guides/itdecision/article.aspx?cp-documentid=103175&HTTP_HOST=tech.msn.com&url=/guides/955450.armx

Windows XP was
released in 2001 and programmed in the years before that, so for a true
apples to apples comparison, you would have to compare its default settings
to a *nix distro from five years ago. A lot of the threats we're seeing
today weren't really around back then.

You should go by what you can get *today* rather than 5
years ago.


The most secure thing you can do
in Windows is immediately download and install Firefox
and/or Opera and avoid the blue "e" as much as possible,
as well as other programs that use it, like Outlook and
Outlook Express.

People are rarely hacked via web browsers.

No:
http://www.pcadvisor.co.uk/blogs/index.cfm?entryid=237&blogid=4
http://www.ciol.com/EnterpriseConnect/content/article.asp?artId=86344&secId=1345


People do get adware via browsers, but then they also get adware and spyware
from installing freeware, including "Firefox with the Google Toolbar."

Much, MUCH less so:
http://www.informationweek.com/windows/showArticle.jhtml?articleID=179102695


Also in the case of Windows, each new version has been
more bloated, complex and with more points of exploit
than the prior versions, with any new security enhancements
more than offset by greater risks. Win3.11/Win95/Win98
were easy to secure with a couple well-chosen 3rd party
programs,

You have it reversed. Windows 3.x, 95 and 98 were wildly insecure and not
securable.

Wrong -- public libraries for years have had great luck securing
their older Windows workstations using 3rd party apps that
offered much greater security control than anything built into
Win2k/XP :
http://www.aclass.com/SOFT/sec.html
http://www.tsl.state.tx.us/ld/pubs/security/paws.html

They didn't even have user accounts, ACLs, permissions or
auditing to control access to your system. Antivirus added to XP SP2, or
antivirus and firewall added to Windows 2000, makes a system secure enough
for home use.

No. Win2k/XP have many more points of exploit and
using IE 6.0 has been consistently a major vulnerability
regardless of whatever 3rd party apps you might have
running: http://secunia.com/product/11
http://www.us-cert.gov/current
http://www.informationweek.com/news/showArticle.jhtml?articleID=190301059


but Win2k and especially XP are much more
problematic to both secure and to clean-up. Look at this
one guide covering Win2k/Xp:
http://www.markusjansson.net/exp.html

Most of those settings are either default in XP or don't help your security
much on a home workstation. Jesper J and Steve Riley of Microsoft have a
different hardening guide for 2000 / XP that only includes about five tweaks,
and it survived a hacking contest.

Yeah, buy the book: http://safari.oreilly.com/0321336437

Even the file system is suspect -- while it's been touted
that NTFS is more secure and robust than Fat32, but in
real life it's very easy to bypass NTFS security and a

Whereas with Fat32 there's no security at all to bypass. No ACLs,
permissions or passwords.

It doesn't matter -- the XP Home Administrator account
is blank as the default; and I have had good luck fixing
problem XP PC's with a password-resetting Linux boot
floppy and stuff like Bart PE. Either it prevents you
from accessing stuff or it doesn't. Some of those old
Win3.11/95/98 did a far better job of locking out access
from alternative boot devices.


bad spot on the hard drive will mess up Windows
regardless,

Rarely will a bad sector mess up Windows... And that's different from *nix
file systems like ext2 / ext3 how? Is NTFS any more likely to be screwed up
by a power failure than *nix file systems?

Within just the past couple of days, I had to use
Bart PE to fix a system that wouldn't boot up thanks
to some bad spots on the hard drive. And twice
recently before that I had to use a 3rd party NTFS
data recovery app to recover hard drive files. You
compare that to something like Novell's old server
file system which could almost take a bullet. But
compare NTFS to even poor old FAT32:
http://cquirke.blogspot.com/2006/01/bad-file-system-or-incompetent-os.html


and more so, some of the newer worms
actually take advantage of NTFS to hide themselves:
http://www.f-secure.com/v-descs/potok.shtml

I don't like the way the Windows GUI handles NTFS streams either. But this
is similar to setting a file attribute to hidden via the ATTRIB +H command.
Users can see NTFS file streams if they want, as can trustworthy antivirus
programs.

FAT32 only allows a very, VERY limited amount of
"hiding" whereas NTFS....well:
http://msmvps.com/blogs/harrywaldron/archive/2006/06/22/102509.aspx


2) How do you keep an installed program from having access to other
programs or other parts of the system in a standalone home computer (here I
refer to file permissions and other security measures) ?

Windows never had that fine a level of security, but
Linux and other OS's have. Supposedly Vista will have
some of this type of security.

Not exactly. Windows doesn't yet natively have a chroot jail, but there are
a variety of methods in Windows 2000 and newer to control what an application
can and can't see. DropMyRights is one example, Runas is another, the lower
privileged NetworkService and LocalService security contexts used by Windows
services is another. With any of those methods, you can change NTFS file and
registry permissions to control what any application running in that security
context can see, similar to a chroot jail.

Hmm...I had heard that Vista was going to finally allow
security controls on applications, but it appears I heard
wrong -- it's just going to be "run as" privilege control
so that non-Administrator users can run programs that
normally need Administrator user rights.
http://www.microsoft.com/technet/windowsvista/evaluate/feat/secfeat.mspx
That blows.

"DropMyRights" is no more than another privilege control:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp

It's better than nothing, but doesn't at all compare with
the fine grain control that Linux offers



Note that many *nix OSes are lacking in the concept of role-based access
control. With Windows, you can take any file and give every user account
different permissions to that file. Linux OSes by default have up to three
security contexts [Owner, Group and Other] for making file ACLs. The NSA's
SELinux tries to improve on this shortcoming. It's fortunate that Linux has
the chroot jail concept, because it would be difficult otherwise to control
what files the DNS daemon's account can and cannot see.

The newer Linux distros come with Root access disabled, and
with far more security options than Windows:
http://www.ameinfo.com/75175.html
And if that wasn't enough, Novell has a nice little freebie app:
http://www.novell.com/linux/security/apparmor


There are also a variety of third party utilities for both Windows and *nix
that will set up a virtualized sandbox for apps to run in safely. It's not
really logical to compare the security of Linux with all of its various third
party add-ons [Apache, SELinux, Bastille, IPTables, etc.] but not allow third
party apps to be considered when evaluating Windows security, just as it
wouldn't be fair to consider Linux security without allowing IPTables to be
used.

If you go by what system allows for easy security without
a lot of hard work and gotchas, Windows loses every time.


3) Win98 had a big problem with NetBEUI. Do other windows OSes have this
type of or similar issues?

Well, TCP/IP has quite a number of security issues
in itself, so that's universal:
http://oldwww.cs.umu.se/local/kurser/TDBD03/vt96/lect/sec+fw2.html

That's an excellent point. No matter how you secure your OS, and whatever
OS you choose, it's still generally reliant on and vulnerable to the
shortcomings of the aging TCP/IP suite, such as threats like DNS spoofing,
ARP spoofing, man in the middle session hijacking, SSL, SSH, etc.

True, but Linux has a huge amount of TCP/IP security
built in, which is why Linux boxes make such dandy
firewalls (just ask Microsoft:
http://www.newsfactor.com/perl/story/22171.html)


4) After I go to Windows Update and download the security patches, what
changes have been made to my system ?

Mostly stuff Microsoft is not going to reveal the details
about. The bulk of the patches seem to be workarounds,
often of temporary effect

What makes you say that? You seem to be saying "but I just installed an IE
patch last month, why didn't that fix this new vulnerability from this
month?" Vulns patched this month are usually unrelated to vulns patched in
the past.

Have you ever looked at the details of those patches and
updates when you download them? Look for the instances
of "take control" and "take complete control" -- seeing
frequently recurring almost identical descriptions for
supposedly different security issues, especially when
involving the same application like Internet Explorer, is
very indicative of a fundamental design flaw rather than
isolated issues.


If Microsoft was truly serious about security, they would
have long ago rewritten IE to be a standard, standalone
application with no artificially elevated privileges

What artificially elevated privileges does IE have?

!!!!

Unless you use
DropMyRights, IE by default runs in the context of the logged in user, only
with a variety of restrictions, so that IE can't do a lot of things the user
can do.

See: http://www.eweek.com/article2/0,1895,1826269,00.asp


IE 6 has security problems, and I really wish it wasn't integrated into
Windows, because it means switching to Firefox doesn't remove IE vulns from
Windows. However, I don't believe integrating IE into Windows is the reason
why IE has had security problems.

Microsoft's wholly artificial bundling of IE to Windows essentially
gives IE the keys to the system -- exploit IE and you exploit
Windows. It is extremely advisable to avoid IE use at all times
and to complain to any company that requires IE to access
their site.
http://news.yahoo.com/s/zd/20060705/tc_zd/182557

Vulns in Winzip, MS Office, etc. are just
as dangerous as IE vulns, because those apps can do just about anything IE
can do, without being integrated into Windows.

No. Microsoft apps have always been in a special category
when it comes to risk since they too have excessive
privileges, often via their use of IE.
http://secunia.com/product/23
http://secunia.com/product/2276

Hope this clarifies.

-BC
