Re: W2000 security



Well, I really do not see much with which I can agree in your
extended rant. The one part that tried to be on topic as a response
to my comment, i.e. relating to SCW, did not make sense as it
claimed SCW did not deliver but then made reference to IE,
with which SCW has nothing to do. Use of IE or WMP or OE
on a server (other than personal server<g>) should be outlawed
by any shop, IMO. My comment was about the services profile
of a W2k3 post-SCW minimization, which is fairly complete.


"Gerry Hickman" <gerry666uk@xxxxxxxxxxxxxxxx> wrote in message
news:%23bHcsKCtGHA.4252@xxxxxxxxxxxxxxxxxxxxxxx
Hi Roger,

Roger Abell [MVP] wrote:

One thing to bear in mind is that it's less bloated with fewer
time-wasting background processes and that reduces the attack surface.

True enough, but the install defaults are better with W2k3 and the
use of SCW (sec config wiz) can really help minimize services beyond
what many might think safe/reasonable.

Yes that was the theory, but the reality was that all the hype about the
SCW turned out to be nonsense. The idea was that IE6 would run in a locked
down mode and suddenly life was perfect and no one would ever be infected
by a trojan ever again.

BUT they forgot the WHOLE of their o/s was badly designed and the WHOLE of
IE is badly designed in the context of security, and having this mish-mash
of a browser that hooks directly into the o/s (e.g. shlwapi.dll) and a
"Windows Media Player" that can't be uninstalled on a PRODUCTION SERVER
MACHINE and is flawed from day one, and guess what?? It's just as useless
as it was before SCW.

If you look at Microsoft's o/s year on year, it's actually got worse. Each
release is worse than the last - in the context of the number of exploits
available to target the o/s in that year. It's all about shifting blame to
the customer - "Hey you enabled the Internet and now you've been hacked,
well that's YOUR fault, we [Microsoft] shipped it with the Internet
disabled so don't blame us", LOL!

All this could be fixed in 20 minutes with some changes to Microsoft
company policy, but we all know why this isn't going to happen.

Vista is going to be JUST AS BAD unless we see drastic change between now
and the release. UAC is a joke, and won't solve anything other than annoy
the hell out of people. I could design a better security model in my lunch
hour. UAC doesn't actually change security at all, it's just stupid
pop-ups. Anyone remember those pop-ups saying "some files may harm your
computer", anyone remember what the user clicked when they saw them??

One thing that WAS good in Win2003 was the way they reduced the number of
components installed by default, but notice how they left the two most
flawed and least server-centric apps INSTALLED BY DEFAULT; yup IE6 and
WMP. We all know why, and we also know this flies in the face of the claim
that they're "taking security seriously". Having the browser that hooks
into processes that run with different security tokens is NOT "taking
anything seriously", it's totally idiotic.

--
Gerry Hickman (London UK)

