Re: Any Way to Run Windows 2000 From Read-Only CD?

From: Will (DELETE_westes_at_earthbroadcast.com)
Date: 01/13/05


Date: Wed, 12 Jan 2005 22:23:32 -0800

Your point regarding infecting the computer during runtime when the disk is
read-only is excellent, and well taken. I suppose all you can do is
firewall the application within the OS by limiting what privileges owned by
the user level that the application is run at. You can additionally put
tight firewall rules on the box to limit outgoing connections severely, and
maybe to notify the administrator when authorized connection attempts are
made.

Regarding your not having problems with Windows, I'll share the following:
the last three companies I went to where the admin told me they had no
security problems at all had viruses on critical servers. I'll share one
case in detail:

I found with a sniffer that every 10 minutes there was an attempted outgoing
NETBIOS connection to different random IP addresses in Japan. This was on
the company's proxy server, no less, a machine with full access to the
internal corporate network. The sniffer trace clearly showed the
connection attempts originated from within the proxy server itself, not from
the network behind the proxy. The connection attempts were coming from the
kernel itself. So that machine was permanently hosed in my view. No
amount of analysis would recover it, at least not by anyone except an elite
system administrator (the kind who would have charged more money for the
time than the cost to rebuild the machine).

At the last two public companies I visited with a notebook, within seconds
of being connected I started getting attacked by viruses. These were
companies with dozens of so-called administrators. What is even more
amazing to me than the fact of these infections is the fact that at all of
these companies these things are just accepted as okay. It's just an
annoyance that is somehow tolerated, and they try to live with it.

On consumer machines it is even worse. I read the estimates that something
like 60% of all computers have adware infections, and as many as 30 to 40%
have more malignant stealth viruses. How many of those are monitoring
keyboard input and attempting identity theft? Who knows? Who exactly
cares? Every time I visit my cousins I cringe as I start to count the
number of programs that infect their machine. They lack the skill to fix
it, the discipline to keep it clean once it has been made clean, and frankly
they lack any sense of jeopardy.

That's the reason that Microsoft has gotten away with poor security for so
long. Very few people care. They just don't get it. There seems to be a
poor understanding that allowing these viruses and stealth programs is just
like inviting anyone off the street into your most sensitive financial
documents and just letting them have free access. I give up trying to
protect the rest of the world. I just give up.

Now, regarding UNIX versus Windows, I try to have a balanced view. I see
that UNIX is a collection of non-standard techniques and applications, and
it is certainly complex. Windows attempts to do things by design and
consistent ideas, and that is good. But there are two key differences.

1) Almost any critical UNIX application has some finite number of files that
contain all of its settings and work information. A mediocre system
administrator can isolate those and secure them. With Windows, you have
this horrible - really unforgivable - intermixing of files and registry
settings across a whole spectrum of applications. A given application may
have created 1000 entries in the registry in 29 different nodes. How can I
possibly identify all of these? Even if I could, how could I possibly
begin to secure 1000 entities in a reasonable amount of time? Then you have
"shared" files and DLLs that go in common system directories like system32.
How can I tell which ones are unique to the application and which ones are
common across other applications? It's not that I like UNIX better - I
don't. It's that UNIX has a more simplistic and crude view of what an
application's components are, and that makes it possible for an average
person to do a meaningful securing of the OS and application. Since most
administrators are average and not exceptional, I think that gives me better
odds of developing something secure with UNIX. To really meaningfully
secure Windows you have to be an unusually gifted administrator. I think
there are issues there that go beyond anything in the published guidelines.

2) Almost everything in UNIX can be turned off. UNIX services tend to be
really stand-alone. With Windows you have these convoluted interdepencies
between services that make it next to impossible to secure the box. You
can follow all of the hardening guidelines, but then you need to just have
faith that all of these weird services you are required to leave on (like
"remote registry") will not have yet-another vulnerability uncovered. I
mean - come on - I have to leave running a service that allows my registry
to be changed remotely in order to startup many key administrative
applications on a local machine? Whose brainstorm was that idea? Now if
any machine on my network is compromised and some service on that machine
runs with the right authority, it can start changing registry entries on
remote machines that were secure?

In any case, UNIX is no joy to work with either. I just end up with
something that is possible to understand, and to continue perfecting. I
would prefer to use Windows if they could just put aside their egos and try
for once to use the keep it simple stupid (KISS) principle instead of trying
to make every piece of code they write involve API calls to every other
program they have written. I look forward to the KISS version of Windows,
whenever that gets done (2016?). In the meantime, I'm just barely keeping
above water.

-- 
Will
"Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
news:e8ak1RS#EHA.2600@TK2MSFTNGP09.phx.gbl...
> I concur, Bart's PE is a popular choice for making a boot CD.  Any boot CD
> is going to run much slower, and a lot of RAM memory is recommended.
>
> Many people in large environments with concerns like yours also consider
> using software that freezes and restores the configuration at reboot, like
> FreezeX / DeepFreeze, and/or a solution where the computer is re-imaged
> every now and then at reboot.  You can also consider PivX or PrevX to
harden
> the computer against unpatched vulnerabilities, or SecureEXE to prevent
> unapproved executables from running.
>
> Note that absolutely none of these prevent your computer from becoming
> infected.  What they will do is prevent anything from remaining after a
> reboot.  However, while your system is running, it can be infecting other
> computers on the network. And then after your reboot, if your machine is
> then immediately re-infected, your read-only boot CD will have done little
> to help.  This is similar to the advice in the 1990s to make your MS Word
> normal.dot file read-only to prevent Word macro viruses... this
> sensible-sounding idea ended up helping not at all.  A network worm like
> Blaster / Welchia or Sasser would keep reinfecting your computer quickly
> after each reboot.
>
> I must say I don't have the same problems you are having keeping Windows
> secure, or with securing it.  Assuming you're on a large network, have you
> followed the hardening guides at www.microsoft.com/technet/security and
> www.nsa.gov/snac, and used group policy templates, active directory,
script
> files and/or ghost images to automate the process of hardening machines?
> Most adware is prevented by doing one or more of the following: 1) using
> anti-virus like McAfee that detects spyware and adware, 2) using patch
> management software to install patches regularly, 3) using some sort of
> Internet content filtering like the Spybot Search & Destroy "Immunize"
> button or the Restricted zone adware .REG file at www.mvps.org, always
> logging in as a non-admin, non-power-user for web browsing, and/or
upgrading
> to XP SP2 asap.  Running a non-MS browser might help somewhat, for now.
>
> I don't think Windows is any harder to harden than other OSes [except that
> some other OSes that are newer will naturally have better default
settings].
> Windows 2000 was released about the same time as RedHat 6.x / 7.x, and
that
> wasn't secure by default either.  Windows XP SP2 on the other hand is
pretty
> secure by default.  For home users, the 1, 2, 3 of antivirus, firewall and
> patching is pretty effective, especially if the AV detects adware.  More
> hardening guidelines are here:
>
> http://securityadmin.info/faq.asp#harden
>
>
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:%23pLmcfg9EHA.824@TK2MSFTNGP11.phx.gbl...
> > "Will" <DELETE_westes@earthbroadcast.com> wrote in message
> > news:uwDwlLT9EHA.3076@TK2MSFTNGP15.phx.gbl...
> > > I'm so disgusted by viruses and hackers that I would like a way to run
> > > Windows 2000 from a read-only device that cannot be rewritten, in the
> > event
> > > that any service is compromised.    Has anyone published instructions
on
> > how
> > > to build a bootable Windows 2000 CD?
> >
> > BartPE.
> >
> > Nothing's perfect but this is close.
> >
> > -- 
> > Herb Martin
> >
> >
> > >
> > > -- 
> > > Will
> > >
> > >
> >
> >
>
>


Relevant Pages

  • Re: Unix vs. Windows Security
    ... and b) security will mean Internet security. ... There are some core issues at the heart of the UNIX vs. Windows security ... Neither were ever designed to be secure. ...
    (comp.security.misc)
  • Re: Determine if open(2) created or opened?
    ... > simple!= secure. ... that the source of many of Windows' problems can be attributed to it's ... This myth is exactly why the UNIX community is just sitting on their ... You can switch security contexts within a thread ...
    (comp.unix.programmer)
  • Re: Unix vs. Windows for Security
    ... maintain in a secure environment. ... security problems. ... > Unix is a multiuser operating system, so out of the box it is far from ... > don't have that multiuser shell ability on Windows you have on Unix. ...
    (comp.security.unix)
  • Re: Unix vs. Windows for Security
    ... > Unix is a multiuser operating system, so out of the box it is far from ... > Windows comes with nothing basically. ... So unless you take the proper steps to secure Unix it will be ...
    (comp.security.unix)
  • Re: What is the more popular UNIX flavor?
    ... about my experience with Solaris and Cygwin. ... installing packages. ... needing eg tftp you only need to activate on a Unix system. ... probably need installing first on the equivalent Windows system. ...
    (comp.unix.questions)