Certified Mail
Certified Mail: August 2002
"Windowsville" residents chime in on the "which OS is more secure" argument; readers debate Microsoft's longevity.
Other "Windowsville" Residents Weigh In
Regarding Dian Schaffhauser’s June column, “Here
in Windowsville,” much of the blame can be taken by admins, as well
as Microsoft. Our burgeoning need for a “user-friendly” OS in the mid-to-late
’90s was met by Microsoft with NT 4.0. Granted, it was full of security
holes; but, at that time, it was hardly a consideration, as viruses were
only even known about in admin circles—and Melissa was just a girl’s name.
The main issue was usability and getting up quickly for a new domain with
all new users in the new remote office. Speed was just about everything.
Unix guys, bless them, are usually better known for their ability to give
a good argument than deploy a new network with speed.
On the other side of the coin, many a network came up with the office
secretary running it because she knew Windows 95 and Office. Teaching
the office secretary Unix wasn’t even remotely close to the list of options
for most small businesses. So, now we have a fairly user-friendly NT 4.0,
which is hard to defend on an open network, and we have Windows 2000,
which is much easier to defend, but not near so user-friendly as NT (Active
Directory, anyone?). As Pogo so famously said, “We have met the enemy,
and they are us.”
—John Ingle, MCSE
Round Rock, Texas
SANS does tend to be a bit biased. What can you expect from a bunch of
Unix geeks? I work in a multiplatform organization. The group I’m in provides
systems and network administration, so there are plenty of opportunities
to propagate the “OS holy wars.” I came up through 3COM LAN, VMS, SCO,
DOS, Windows, Novell, NT 3.51, NT 4.0, and Win2K with a touch of Ultix,
Sun OS, MVS and AIX. Most of what I do now is NT 4.0 and Win2K. The people
I work with support Mac OS7.x-OS9.x, OSX, Sun OS, Solaris, IRIX, Linux
(three or four flavors), HP-UX and AIX. We don’t agree on much, except
that a poorly configured and managed system is a security threat, regardless
of the OS.
As bad as “Code Red” was, it didn’t affect near the percentage of systems
that the “Morris Worm” did. Second to poorly configured and managed systems,
the “keyboard input device” is the biggest security threat. The single
biggest security advantage the Unix world has over the Wintel world is
that most users don’t normally use a privileged account.
Can a Wintel box match a Unix box for security? You bet. Can a Unix geek
secure a Win2K system the same way he would a Unix box? Nope. Is the average
Unix geek willing to learn to use the “Windows World” tools to secure
a W2K system? No. The end result is that most Win2K boxes secured by Unix
geeks aren’t very secure.
—Randy Cardon
Los Alamos, New Mexico
I think you’re a little misguided in thinking Windowsville folks are
the skinny guys eating sand. I think the sand is being kicked at a company
many people like to call Micro$haft.
Let’s shed the victim mentality for a minute and think of something controversial,
like the “dumbing down” of America. If you think in those terms, what
OS is the most dumbed down in terms of ease of installation and ease of
use?
Would it be OpenVMS, OS/400, Tru64, Solaris, Red Hat? While Solaris,
OSX (I’ve never personally worked with OSX) and Red Hat are fairly easy
to install and configure, I think Windowsville is one of the simpler OSs.
The hallmarks of Microsoft’s software are the intuitive design, integration
of components, and ease of use. Microsoft has made great advancements
in configuring a system at install time. Despite the fact that, generally,
Windowsville software is easy to get up and running, it’s an intricate
and complex beast that takes a lot of time and experience to master.
Let’s assume we can eliminate the fringe element that simply has nothing
but hatred for Microsoft. Then consider the various controversies such
as the antitrust case, some of Microsoft’s business practices, admissions
in court about poorly written sections of code and all the security vulnerabilities.
This is a company that many people want to kick sand at. And, I guess
if you’re standing behind it, well then—yes— you, too, are going to get
covered in sand.
—Randy Baker, MCP
Ontario, Canada
Skinny guy who had to eat sand, huh? If I remember correctly (it has
been a loooooong time, after all), the sand-kicker was the chump by the
end of that story.
—Anne M. Ford, MCSE
Plano, Texas
I also find a pervasive anti-Microsoft and pro-Unix bias existing in
the security community. While I’m confident Bill Gates’ mandate to stop
project development until the security issues are fixed will, in the long
run, change this perception, the problem is that once a bad rap is propagated,
it’s difficult to alter.
My current job in a large state government agency has me tasked with
the responsibility of migrating from Novell to Win2K. As part of the migration,
I’m going from region to region teaching a class on administering AD and
Exchange. The first couple of hours are, on occasion, a general bitch
session where every bit of FUD (Fear, Uncertainty and Dread) ever heard
by students is raised and quoted as gospel. What I find both interesting
and rewarding is that, by the end of the class after the students have
had time to see how efficient security is in AD, their preconceptions
improve remarkably.
Still, I spend too much of my time spitting sand from my mouth and wiping
it out of my eyes.
—Wm. John Bean, MCSE+I, MCT
Lacey, Washington
No, I don’t think you’re wrong in feeling like the skinny guy at the
beach. However, we’ve brought some of this on ourselves by taking for
granted the security provided by a Unix-powered router, mail server or
firewall. As we’ve seen, these also aren’t perfect; thus the many seminars
and training sessions for Linux and Unix gurus.
My Unix friends have had to swallow some statements about invulnerability
over the last 10 months or so. Remember when they could brag that no Unix
box could be virus-infected? That’s changed. Because Unix uses the TCP/IP
protocol suite, it’s also vulnerable to selective port attacks. Thanks
for some good insights.
—Darwin Steele, MCP, MCSE, MSCE+I
Lafayette, Colorado
Correction to June Remote Administration Article
Several readers have pointed out an error in the June cover story,
“Remote
Control Freak.” The function call I used, AdvancedSettings2.RDPPort,
comes from the TS Web ActiveX control, msrdp.ocx. The version of msrdp.ocx
in the Windows 2000 TS Web client doesn’t export this function—only the
version in Windows .NET and Windows XP. Here’s a workaround.
- Install IIS at an XP desktop. When you install it, select the Remote
Desktop Web Connection option in the Details window of the World Wide
Web service. This creates a folder called TSWeb under %systemroot%\Web.
- At a Win2K IIS server, create a folder called TSWeb1 under Inetpub\wwwroot.
Copy the contents of the TSWeb folder from the XP desktop to the TSWeb1
folder.
- In the IIS Manager console, create a new virtual folder called TSWeb1
and point it at the new TSWeb1 folder.
- In the TSWeb1 folder, make the change to the Connect.asp file outlined
in the article. Essentially, this consists of looking for a series of
entries starting with MsTsc.AdvancedSettings2 and adding this line:
MsTsc.AdvancedSettings2.RDP Port = .
- Now connect to the XP Web server using an IE 5.0 browser and point
the browser at http://web server/tsweb1. You’ll be prompted to download
the new ActiveX control. If you already have the old control loaded,
you’ll need to restart the client.
Make sure you configure your Terminal Server to use the same port you
entered in the Connect. asp page. Do this with the following Registry
entry:
Key: HKLM | System | CurrentControlSet | Control | Terminal Server WinStations
| RDP-Tcp
Value: PortNumber
Data: Default is d3d (hex for 3389), change to unused port number
—Bill Boswell
Am I an MCSA?
I’m an MCSE on NT 4.0 and Win2K. I also hold CompTIA certifications,
including Network+ and A+. Can Microsoft grant me an MCSA title?
—Fanny Kanku, MCSE
According to Microsoft, “In this case, only if the individual has
taken exam 70-218, Managing a Microsoft Windows 2000 Network Environment,
as one of their Windows 2000 MCSE elective requirements will they will
earn the MCSA for Windows 2000 as well as MCSE. Exam 70-218 focuses
on the most critical job tasks for Systems Administrators of Windows
2000 environments. Therefore, while it is not a ‘core’ requirement for
MCSE on Windows 2000, it is a core requirement for MCSA on Windows 2000.”
Answering Auntie
Auntie, regarding your May column, “It’s
a Long Way Down from the Top,” as much as many people would love to
see otherwise, Microsoft is here to stay. Short of some major technical
catastrophe, the new generation (.NET) of development tools is going to
do nothing but get stronger; at least that’s what I’m seeing.
I’m sticking with the Microsoft exams, and I think the future for developers
like myself is to cross-train and become stronger in other areas, especially
on the database side of development. What the market is really looking
for is a jack-of-all-trades. It wants a Web developer/DBA who can properly
administer and tune SQL Server as well as sling code and manage IIS. In
the eyes of many corporations, especially small ones, it’s key to have
an MCSD/MCAD—and, if not an MCDBA, at least one MCP who deals with database
administration.
In my experience, more companies are switching to SQL Server and Microsoft
platforms. It would be a terrible waste for them to “retool” even if a
new whiz-bang technology comes around in the next 10 years or so. I’m
banking on Microsoft being here for the long haul.
—Tod Love, MCP
Richmond, Virginia
The question of Microsoft dominance is, “How long?” Obviously, nothing
lasts forever, as you pointed out with Novell, which I, too, cut my networking
teeth on. It’s hard to see Microsoft losing its dominance on the desktop
in the next decade, but in the server world, companies can no longer ignore
the low-cost, reliable and effective Linux platform. The biggest problem
I see with Linux right now is simply that companies are wedded to Microsoft
with huge investments, and it’s hard to break that contract and start
a new direction.
I have been an MCSE since 1998, Novell before that. But I have so many
frustrations with Microsoft that I often wish I were a Linux admin. I
have Linux experience, as we run our e-mail and a DNS server on it. With
Linux slowly creeping into the corporate environment, I’m definitely considering
Linux certification in the next couple of years.
—Barry Hohstadt, MCSE
Kirkland, Washington
I enjoyed your little rant about Novell and CNEs. Spoken like a true
Microsoft acolyte. Funny, the term “paper MCSE” never came up in your
column—maybe because it was the flood of them that sank the value of a
Microsoft certification.
By the way, my CNE has proven much more valuable than my MCSE. Every
MCT I have ever taken a Windows NT or Win2K class from has said that NetWare
was/is a better OS; Microsoft just markets better.
—Kerry Ringstad, MCSE, CNE
I haven’t even finished my MCSE yet (I’m close!), but I think that in
certifications, as in most everything else, diversification is a good
idea. For instance, even though you have every confidence that the company
you own stock in will continue to perform , having your entire portfolio
comprised of Enron stock isn’t a good idea, right?
A well-balanced certification portfolio—some Microsoft, a little Linux,
a bit of Cisco, a smattering of security, and maybe even some general
stuff for good measure—is also good common sense. This displays to your
current employer or clients that you have the depth and breadth of knowledge
to provide solutions that fit the business need, not just your certification
track.
To continue your dry-cleaning point—I like light starch in my shirts,
but have no intention of being the one putting it there!
—Brian Rosenow, MCP, A+, Network+, Server+
Birmingham, Alabama