Slashdot is powered by your submissions, so send in your scoop

 


Forgot your password?
Close
typodupeerror
×
Security

Security Issues with Windows 2000 Datacenter? 357

Posted by Cliff from the prompt-issuance-of-service-packs dept.
alen asks: "The recent IIS security incidents got me thinking. Code Red and Nimda hit servers that weren't patched by their sys admins. If you get infected, you patch your server and end of story. But what if you're running Windows 2000 Datacenter Server? It's a customized solution that you can't change. All your service packs are customized by your vendor. What happens if you have a web or database server that needs to be patched immediately? Are you left out in the cold running unsecure software that you can't patch while you wait in line for your vendor to issue you a service pack or hotfix?" In a situation like this, the whole ball-o-wax resides with the vendor. If you have a good vendor who actually cares about customer satisfaction, these hotfixes will be available quickly. Would anyone out there actually recommend Datacenter for corporate environments?

"My company is currently looking to cluster our SQL 7 servers. We're considering Win2000 advanced server or datacenter. Around a month ago I sat in a meeting with our VP of IT, and the rest of the network admins I work with. Compaq tried to pitch their Windows 2000 Datacenter or Advanced Server solution. Here is the way the compaq people explained it:

You get datacenter only from an OEM. They look at the apps you're running and customize a solution for you in their lab. Every datacenter implementation is different, and every datacenter CD is different. Since we would be using an EMC SAN as our clustered storage system they said our implementation would take special customization. They would have to contact EMC engineers and work together. Once you deploy it, the OEM monitors it. And you can't install any service packs or anything without getting an OK from your OEM. Any service packs are customized for your enviroment. The SLA guarantees a 99.999% uptime or your money back. Part of your money at least. Datacenter isn't an OS, but a program in their words.

Now here is the problem. With Code Red and Nimda, how do you patch IIS running on datacenter in a timely manner? The reason IIS servers became infected was because the admins didn't patch them in the first place. So say a new worm comes out in a few months and it takes a few days for MS to create a hotfix. Datacenter admins can't install it until they get their customized copy from their OEM. And almost every 2000 server runs IIS for terminal server. It can take a few days and in the meantime your servers could be down. And I don't see the SLA covering a situation like this. Meanwhile you're explaining to your CEO how this $500K supposedly guaranteed solution is sitting dead in the water and you can't do a thing about.

Is there something I'm missing, or did Microsoft look over something like this? Especially when they are trying to push Datacenter as 'Big Iron'."
This discussion has been archived. No new comments can be posted.

Security Issues with Windows 2000 Datacenter? More

Security Issues with Windows 2000 Datacenter?

Comments Filter:

  • Whats it needed for? (Score:2, Interesting)

    by Izeickl ( 529058 )
    Erm, what are the big advantages of Datacentre over Advanced server etc?

    • Re:Whats it needed for? (Score:3, Informative)

      by Osty ( 16825 )

      Erm, what are the big advantages of Datacentre over Advanced server etc?


      Straight from http://www.microsoft.com/windows2000/datacenter/ev aluation/business/overview/default.asp [microsoft.com]:

      Microsoft® Windows® 2000 Datacenter Server is the most powerful and functional server operating system ever offered by Microsoft. It supports up to 32-way symmetric multiprocessing (SMP) and up to 64 gigabytes (GB) of physical memory. It provides both 4-node clustering and load balancing services as standard features. It also provides the rich Internet and network operating system (NOS) services of all the versions of Windows 2000 Server. It is optimized for large data warehouses, econometric analysis, large-scale simulations in science and engineering, online transaction processing (OLTP), and server consolidation.

      From http://www.microsoft.com/windows2000/advancedserve r/evaluation/business/overview/advanced.asp [microsoft.com]:
      The Windows® 2000 Advanced Server operating system contains all the functionality and reliability of the standard version of Windows 2000 Server, plus additional features for applications that require higher levels of scalability and availability. This makes Advanced Server the right operating system for essential business and e-commerce applications that handle heavier workloads and high-priority processes.

      Other pieces of information not listed in that blurb about AS: supports up to 8-way SMP and 8 GB of RAM (compared to DC's 32-way and 64GB).


      You're obviously not going to have a DataCenter machine sitting underneath your desk at work, but it's quite possible to do so with Advanced Server.

      • In other words, Datacenter changes the following two lines of code in the kernel header:

        #define MAX_CPUS 32
        #define MAX_MEM_GB 64

        You pay only a few dollars for that mod. The remainder of the huge expense goes to pay for a special team of engineers whose purpose in life is to try to keep your systems up and running.

        • Comment removed (Score:5, Informative)

          by account_deleted ( 4530225 ) on Sunday October 21, 2001 @04:54PM (#2457261)
          Comment removed based on user account deletion
          • I follow Linux Kernel development. Current kernels handle at least 8 way without much degradation.

            If you want to address large amounts of RAM (> GB), you are better off with a 64 bit architecture.

            Which you can download from RedHat today.

          • If you follow the Linux kernel development, and read around, you'd notice that scaling to a 2-way or 4-way machine is a big leap in performance. Throw Linux or any other OS on a 6-way or 8-way machine and you will watch that increase in performance degrade (ie a 2-way machine isnt x 2 the performance of a single CPU machine, and an 8-way system isnt x 2 the performance of a 4-way machine).

            This, of course, is crap. To say that "any other OS" has the same scalability problem that Linux has is simply not true.

            Take IRIX, for instance. I wrote some image processing code that runs on Origin servers. The 8-processor server in my lab runs my code about four times faster than my 2-p servers. And, surprise, the 32-p server in my friend's lab runs my code about four times faster than my 8-p machine.

            To generalize the problems you see on Linux and Windows to "any other" operating system is simply hogwash. Your point about Windows scalability is well taken, though.

            • Re:Whats it needed for? (Score:2, Informative)

              by Cramer ( 69040 )
              And you weren't running on a PC either.

              There are scalability limits beyond 4 and 8 processors. Part of it is hardware and a lot of it is software. SGI/IRIX does both very well (hello, they make/made the CRAY!) The scheduler used for small SMP systems does not work well with large SMP systems. And PXE, the 36-bit address extensions, is a significant performance hit for machines not acutally requiring it.

              Performance does not scale linearly -- on any system. "About 2x" is not "2x". IRIX scales better than most, but it still isn't perfect. And, surprise, Windows scales better than Linux (or used to.) BeOS is about the best thing I've seen for standard PC hardware -- too bad it never caught on.

              Datacenter is a great deal different from the other windows'. Unlike the difference between NT Workstation and Server (two registry keys), Datacenter is very different.
            • Comment removed based on user account deletion
      • Datacenter can do 4 way active clusters- AS can only go 2 way.

        ostiguy

  • Corruption (Score:2, Insightful)

    by phpAbUser ( 306398 )
    Another major fear is that the databases will become corrupted by patches. Transition from mysql 3.2.6 -> 3.2.10.

  • Modify the SLA (Score:5, Insightful)

    by SwedishChef ( 69313 ) <craig@networkessentials . n et> on Sunday October 21, 2001 @04:19PM (#2457150) Homepage Journal
    Ask the vendor to modify the SLA to specifically cover the contingency of exploits and how they will be dealt with. Your vendor might try to claim that the 99.9999 uptime would cover this, but I'd counter that a server which is up but exploited is useless.
  • I think this problem is smaller than it seems.

    The vender probably has a fix quickly, although it are special computers, they're still i386 compatible (sort of) so the vender won't have to port.

  • Datacenter? (Score:3, Insightful)

    by Anonymous Coward on Sunday October 21, 2001 @04:22PM (#2457159)
    First of all if your company is wealthy enough to be using Datacenter as a web server I hope they are paying you a decent salary. :)

    Its a waste to use Datacenter as a web server or front end machine for applications, its best use is for big honking SQL applications like MS SQL server. Datacenter is a waste for Oracle/NT because Oracle on NT is the worst implementation of Oracle in existence. If you want a big honking box to do oracle for gods sake get a Solaris/HPUX/AIX monster. Big ass database servers should never be directly exposed to the internet anyways, the connectivity should be happening thru a balls to the wall firewall.

    • Re:Datacenter? (Score:5, Informative)

      by spongman ( 182339 ) on Sunday October 21, 2001 @04:37PM (#2457203)
      yup, you shouldn't be running IIS and SQL Server one the same machine. Ideally, you'd run SQL Server alone on the big machine and have a cluster of load-balanced inexpensive boxes running stateless ASP/ISAPI pages connecting to the DB over the LAN. You'll be free to patch the IIS boxes as needed and you can put them in a DMZ for extra security.
      • addendum: for extra security you should make your ASP scripts run as a domain user that only has access to the SQL server, specifically only has access to those tables/SPs on the server that are necessary to run the application. You should also disallow access to the SQL server by all other users except an admin group, none of which have access to log onto the IIS boxes. the reason for this is that even if security is breached on the IIS box, whatever user they run code as will still not have destructive access. it would also require a hacker to write a specific hack for your system in order to access the DB, which, while not being perfectly secure, will greatly reduce the possibilty of a 'script' attack and the likeliness that someone will bother to embark on such a hack will be diminished. of course, if you have really sensitive data then you should hire a security expert (which I am not).

        hope this helps, though.
    • Nimda did go behind firewalls. It came in via e-mail or external consultants with laptops that attached to the LAN, and then attacked all intranet servers. As the story says, IIS is used for administering these servers, so they are indeed in a very vulnerable position and need to be patched.
    • As a sort of related issue, we're going to see many more implementations of W2K/DC & MS-SQL, as Sybase have decided to "update" their licensing model and fuck their customers in the arse.

      Originally, it was:
      Is your Sybase database accessed outside your company? Yes? More money please!

      Now its:
      Is the data in your Sybase database accessed outside your company? Yes? More money please!

      Nte the subtle difference. We've got many front end applications in a DMZ talking to Sybase in our datacentre - the users never see Sybase, nor even know where the data comes from - but now Sybsae want more money...

      So our CIO has done a deal with the Great Satan of Software, and we're going to

      1. Sell all our Sun kit we use for hosting Sybase
      2. Buy shit-loads of cheap x86 servers
      3. Have MS "consulting services" port all the DBs and integrate them with our existing applications.

    • All it took was one nimrod getting infected and then tunneling in through the VPN software. Damn near everyone behind the firewall was running (of course unpatched) IIS because the standard software install didn't disable it. But you know, there's corporate IT for you in a nutshell. Did the CIO catch flack for it? Was any attempt made to improve procedures so this wouldn't happen again in the future? Hell no! They patched everything for that one problem and then went back to their complacent little lives. I guess they think lightning never strikes twice.
  • I think something that both Microsoft and the OEM's count on is the time it takes from the time a bug is found until the time the bug is exploited! In the case of Code Red and Nimda I think that time spanned months.

    Is it not also true that only large OEMs offer Datacenter? I don't think you are going to have a huge problem with the likes of Compaq or Dell providing timely fixes. It may not be available the same day the Microsoft Fix is, but I would be guessing that MS provides enough info to the OEMs to get the fix applied within 3-5 days.

    All in all I think the amount you need to worry shouldn't be more than the satisfaction you can get from a 99.999% guarentee

  • Where did you get your advice?! (Score:5, Insightful)

    by ssimpson ( 133662 ) <<slashdot> <at> <samsimpson.com>> on Sunday October 21, 2001 @04:22PM (#2457164) Homepage

    "And almost every 2000 server runs IIS for terminal server"

    Erm, I work for a Citrix Gold partner and I've never encountered this before. Installing Terminal Server does not require IIS.

    In fact, according to M$ recommendations, you should minimise the services running on the TS box.....That means no IIS.

    Also, the "smaller but more servers vs fewer 8 way servers" for TS debate has been done and dusted, and the recommendation certainly isn't for having fewer large servers. The "sweet spot" is a farm of dual processor servers with 1.5Gb of RAM, thus you wouldn't need Data Center anyway - normal W2k Server would be more than adequate.

  • Datacenter (Score:5, Informative)

    by fazil ( 62946 ) on Sunday October 21, 2001 @04:23PM (#2457166) Homepage
    Keep these SQL apps behind the firewall.. turn off all IIS features on the sql boxes.. and at least Nimda should not be able to get at it. Any web interface would hopefully not use Datacenter, and use standard Advanced Server, which is easily patchable. If sql was available on the front line, well, they almost deserve it.
    • Keep these SQL apps behind the firewall.. turn off all IIS features on the sql boxes.. and at least Nimda should not be able to get at it.

      Your attacker could still use some other exploit [bugnet.com] that doesn't rely on IIS. I hope you don't think we've seen the last of these.

      Note that an exploit like the above wouldn't turn into a Ro0t on a Linux/Unix box because the database server typically doesn't run with system privilege.

  • Lets not forget.. (Score:2, Insightful)

    by Phasedshift ( 415064 )
    Lets not forget that the vulnerability code red, etc takes advantage of has had a patch out for several months, but quite a few people never bothered to patch their servers. Chances are the patch(s) will be available shortly after the mainstream ones are released if you have a good vendor.

    Besides, say your running *NIX with a specially modified version of apache, and there is some remote exploit that is discovered. Obviously you can't just download the source, compile, and install, for fear of loosing those 'special features'.. You need to patch your source code, which may barf (and then you either have to modify the patch file or do it manually. Which could suck if you have no programming skills, and its heavily modified)...

    While most of us would view using a patch trivial (patch, recompile, install), the point is that similar situations could happen.
  • Datacenter servers are not the only ones: Many e-banking applications (see s1.com [s1.com], for example) are rolled by vendors, and upgrades do not come out as fast as vanilla IIS upgrades because of this.

    I don't know of one bank that uses a non-IIS platform. Kind of scary.

    • Re:Not only MS Datacenter (Score:4, Informative)

      by ssimpson ( 133662 ) <<slashdot> <at> <samsimpson.com>> on Sunday October 21, 2001 @05:03PM (#2457281) Homepage

      "I don't know of one bank that uses a non-IIS platform."

      You need to look harder then. The first 5 banks I could be bothered to look at:

      • www.smile.co.uk - Solaris
      • www.hsbc.com - HP-UX
      • www.barclays.com - AIX
      • www.bankofamerica.com - Solaris
      • www.bankofny.com - NT / Netscape Enterprise
      • He obviously didn't even bother to check, but rather was just spewing FUD. Using Netcraft, I found out the following (now that you got me curious)... these are the (Canadian) banks that I trust with my money nowadays...

        www.tdcanadatrust.com - IBM_HTTP_Server/1.3.12.2 Apache/1.3.12 (Unix) on AIX

        www.ingdirect.ca - Netscape-Enterprise/4.1 on unknown

        www.cibc.com - Netscape-Enterprise/3.6 SP2 on Solaris

        www.bmo.com - Netscape-Enterprise/3.6 SP3 on Solaris

        www.royalbank.ca - Netscape-Enterprise/3.6 SP3 on unknown
  • almost every 2000 server runs IIS for terminal server Errr, since when? Terminal Server doesn't require IIS to be installed.
  • I'm not an NT fan (run all UNIX stuff myself) but in general I've learned from bitter experience not to trust any sort of outsourcing solution. Learn to do it yourself, or hire someone who knows their stuff. But make sure you have direct control over your systems or they will spiral into ickiness.
  • Worlds largest crack/xxx/iso/divx/pr0n server!
    I've seen it happen to production servers b4 ">

  • When you can't secure it, hide it. (Score:5, Informative)

    by haruharaharu ( 443975 ) on Sunday October 21, 2001 @04:27PM (#2457184) Homepage

    If you aren't allowed to patch your server, then you should isolate it behind a firewall of some sort, so that the chances of infection are minimized. This may not work well for IIS (beyond simply not running it), but it will serve you well in the general case.

    • If you aren't allowed to patch your server, then you should isolate it behind a firewall of some sort, so that the chances of infection are minimized. This may not work well for IIS (beyond simply not running it), but it will serve you well in the general case.

      So, you're suggesting security by obscurity? Hmm, best of luck to you.

      Some exploits work just fine through the firewall, so then you've got a compromised server insider your firewall and a false sense of security. There's no substitute for being secure in the first place. If it's not secure, don't connect it to your network.

      • So, you're suggesting security by obscurity? Hmm, best of luck to you.

        I would prefer to solve the problem, but if i can't patch, I'll do the next best thing: isolate the servers from the rest of the network. Good luck infecting with nimda when you can't even hit port 80 and all mail ports are blocked (in case some nimrod installs outlook on a datacenter.

  • Datacenter (Score:5, Informative)

    by Nickodemus ( 529872 ) on Sunday October 21, 2001 @04:27PM (#2457186)
    Is a locked down version of Windows. What happens when you lock it down? Well, intensive testing occurs first to determine what is being done with the box and what possible problems could arrise. Then those problems are solved. Also, only certain applications are certified to run on a datacenter box. The goal here is to achieve five nines. That is have this box up and running for 99.999% of the year. Without thorough testing of applications this level of availability would be impossible.

    Part of what you get with a Datacenter purchase is a premier level of support. This includes a named engineer for support, and automatic escalation to the highest level for any support needs. It also includes any updates and or fixes on a priority basis - if you have a Datacenter server you get patches, updates, etc. before anyone else does.
  • It must be impossible to patch any linux installation if customized solutions are sooo hard to patch. Why would one wait for their OEM to move if they know a patch for one of the applications they are using is available? Download or apply only relevant parts of service packs, and you are done.
    • Because. if you do *anything* not certified by the vendor, the 99.999% agreement is void, and they are not responsible for downtime.

      Datacenter is more of a custom solution package than a version of windows. Yes.. it's a version of windows 2000.. but it's really a whole package.

      In other words, it's a version of windows used by vendors to create huge custom solutions, usually for databases.

    • Because this would void the 99.999% uptime deal and all the "sounds good on paper" but is really worthless crap when you do these deals. Is getting a refund on your fees worth more than your servers going down? So I agree with you to a degree but the pointy haired bosses would never agree with this... Least not until you gave them the "get hax0red right now or load an unapproved patch" rush case.

  • Get a guarantee within the contract (Score:3, Interesting)

    by Jeppe Salvesen ( 101622 ) on Sunday October 21, 2001 @04:32PM (#2457196)
    Get the vendor to patch your servers within 12 hours of Microsoft issuing a hotfix/patch. If they will not put that into the contract, tell them they're not professional enough. If they cannot do something as easy as that, would you really want them running truly business critical solutions for you?

  • It all boils down to trust (Score:5, Insightful)

    by DevTopics ( 150455 ) on Sunday October 21, 2001 @04:40PM (#2457216) Homepage
    The real question is: can you trust your OEM?
    Then you can negotiate all the details. And remember: 99.999% uptime does not mean that your server stay up that long, but that you have only an unscheduled downtime of 0.001% or less. Applying a patch is, in nearly every case, a scheduled downtime and does not count.
    Now imagine you really, really need this patch: you can urge your OEM to install it and keep him free from all responsibility (e. g. a server crash after this does not count to the unscheduled downtime, because it was your decision to apply it). If you trust him to play fair, that's fair for both of you.If the OEM is trustworthy, he'll do what you order him to do, but in that case you will be responsible for the outcome as well.You can't burden someone with responsibility if he can't make the decision (unless you don't play fair).

    • 99.999% uptime does not mean that your server stay up that long

      It depends on who writes the contract. I maintain servers with a 5x9's availability (not uptime, that is something different) guaranteed, the metric is taken at the end of every month for the previous 12 months of operation for a period of 6 years. The 5x9's include no scheduled downtime, we always switch in a fully tested duplicate system for the biannual hardware maintenance. If we ever have a crash that takes out the whole system for more than 7 minutes, we can write our bonuses goodbye for the next 13 months. The bonuses are the only form of profit built into the contract after all the engineering costs are covered.

      The real question is: can you trust your OEM?

      No, the real question is whether your management is stupid enough to believe a vendor offering a mythical 5x9's availability without a well developed plan for redundant hardware switchover, mirrored machines, raid storage, onsite spare hardware, experienced engineers who live within 30 minutes drive from your site with a goddamned pager surgically attached[end rantlet]. Did I forget to mention the motorcycles in case of large traffic jams :-) For the original poster's question, start googling for horror stories about the OEM and their failed installations, and complile a list for the next presentation. Then watch the sales slime start to sweat, mumble, and wave their hands to try warding off bad karma.

      To offer 5x9's, the vendor must provide their own power (a battery room built by a qualified company), local stocks of spare hardware, and be able to supply a complete duplicate system within a few hours. At every one of our 5x9's sites, we have our own office space, with our own phones and our own internet connection.

      As you can tell, a real 5x9's contract costs about 5 times as much as a regular installation. A real 5x9's contract always specifies the length of time to measure against, usually over a number of years, often as a moving average for the previous year or 24 months. A real 5x9's system isn't delivered on a custom burned CD-R so the client can fuck up the installation.

      the AC

  • OEM's are required to give 24/7 support. (Score:3, Informative)

    by Johnno74 ( 252399 ) on Sunday October 21, 2001 @04:46PM (#2457227)
    I can't find any info on MS's site right now, but I'm sure that OEMs that supply W2k datacenter are required to have a support team ONSITE at MS's campus 24/7.

    This article raises a very good point, but Microsoft's idea behind datacenter was they hat total control over the hardware environment, and they made sure OEMs would stand behind it too, so I'd be very surprised (and dissapointed) if the OEM didn't contact their customers *immediately* with patches whenever there was a hole (and I'd guess they are pretty busy too ;)
  • Put datacenter behind a firewall, the webserver (advanced server or the like) on dmz and have a secure "pipe" to the datacenter server where you database resides - no need to use the datacenter server as your webserver too, if you can afford datacenter server, you can afford a separate machine acting as a webserver.
    Just my opinion, buy hey, I'm a linux guy...

  • DUH! :) (Score:4, Funny)

    by gnovos ( 447128 ) <gnovos@NoSpAM.chipped.net> on Sunday October 21, 2001 @04:46PM (#2457230) Homepage Journal
    I can see you haven't worked with Microsoft software very much, so I'll give you the solution: Reinstall your machine.

    It's *just that simple*, can you believe it? Every time Nimda hits your machine, just wipe out the system drives, reformat and re-install! Easy, right? Sure you may have to reinstall 40 or 50 times a day, but again, if you are familiar with M$ software, you'll know you need tons of backup machines that you can swap out as needed with your infected machines. Make an assembly line of it. Have one guy reformatting, another guy reinstalling and a third guy disconnecting the infected boxes and plugging the fresh machines into the network!

    Now, where do you want to go today?

  • Redundancy? (Score:2, Insightful)

    by Sase ( 311326 )
    *Nod* all of these servers should be placed far behind a strict ruleset firewall.

    But what about Redundancy? That's one thing I don't like about this "datacenter" why should there be only one? Or.. why should an application have to call for just "one" server? Wouldn't it be more wise to develop the application across a dual array of servers? Each one of these servers could be easily patched in a matter of minutes, at the same time. (Say windows2k advanced servers.

    I'm personally not a fan of MS server products.. Although I have had to use them for quite a few applications.. but there has to be a way to get by the "necesity" for DataCenter Server.

  • The good sides of Mainframe Mentality... (Score:5, Insightful)

    by mdb31 ( 132237 ) on Sunday October 21, 2001 @04:46PM (#2457232)
    Windows 2000 Datacenter installations are hard to patch for the very same reason that apply to IBM, Sun, HP, etc. installations of the same magnitude: you just don't touch them.


    This is commonly refered to as the Mainframe Mentality: these systems are so critical to a business, you don't make any changes to them unless these changes are a. absolutely critical and b. have been tested extensively in the exact configuration you'll be running them.


    Now, it may seem that this would cause every Windows 2000 Datacenter server to be instantly infected with Code Red and friends, but in reality this will not be the case, because:

    1. You don't expose your Datacenter servers to the Internet -- never. No matter if you're running Microsoft, AIX, Solaris or Linux: only trusted systems should have strict "need to know" access to your server;

    2. Datacenter-type servers typically don't run HTTP servers. You would scale out HTTPDs (more boxes), not scale them up (bigger boxes). Also see rule 1;

    3. The config of your Datacenter server is the bare minimum. So, in the case of Windows 2000, you would not ever run IIS or Index Server (the true culprit in case Code Red et al...) on it, just your database server and perhaps your business logic (although that, again, tends to scale out better than it scales up).


    In summary: security hotfixes and Datacenter-type environments tend to be mutually exclusive. If you need a patch to your Datacenter server, it pretty much needs to be custom-developed for you. Fortunately, since Datacenter setups are not typically designed by the clueless individuals that gave Code Red free reign, this tends not to be an issue in real life.

    • I run one datacenter server. 8-way intel hardware.

      1: It got spanked by nimda. It's inside the corp. firewall, but the virus got into the network via email. Once inside, that particular region of the network is largely insecure. We're running it in a lab/demo environment, so security is not a huge concern.

      2: The damned thing shipped with IIS installed and running. Since it's the only OEM OS we have in our lab, I didn't notice it there in the three days the box was plugged in.

      3: see 2.

      Called the vendor. Support was !ofclue about patches. The best I could do was apply all of the IIS-related patches, disable all MS internet services, and clean the hell out of the system. Love me some MS.

  • Unanswered Question (Score:4, Funny)

    by Phroggy ( 441 ) <slashdot3@ p h roggy.com> on Sunday October 21, 2001 @04:47PM (#2457239) Homepage
    If anyone out there is running Win2k Datacenter, I've got an important question I've been trying to find the answer to, with no luck so far. Can someone finally give me an answer? The question is this:

    Does Windows 2000 Datacenter ship with 3-D Pinball installed by default? If so, is it in the Start menu?

    That's all. Thanks.
    • If we do buy datacenter I'm planning on burning me a copy and install it on my home network. And maybe share it out to a few thousand of my closest friends.

  • I'm guessing (Score:3, Interesting)

    by loraksus ( 171574 ) on Sunday October 21, 2001 @05:05PM (#2457285) Homepage
    Since you're paying microsoft a shitload of money, I'm sure that something can be worked out. All the friggin losers who were hitting my box with (a la Code Red) were on DSL / @home lines.

    Incidentally, the iis vunerability was known since iis 4.0 was released. It was kept secret by MS because of the "If no one knows about it, no one will exploit it". I'm thinking the data center people get the patches that home users don't - sort of like netware's support, there is a $200 per support issue, but they will forward the problem all the way up to the guy who coded the section you are having a problem with.

    The lame fuck of the day is 24.202.127.156

  • Uptime is a poor metric (Score:4, Insightful)

    by Anonymous Coward on Sunday October 21, 2001 @05:06PM (#2457289)

    Specs are hard to write and all vendors have weasel clauses. Just look at insurance policies - damage due to acts of war are generally excluded. With cracking being described as a "terrorist act" you could end up with exploits not being covered.

    A big common exclusion is "unscheduled" downtime. One of our vendors would see a router or firewall machine starting to act funny and then quickly "schedule" some emergency downtime that night to reboot it thus avoiding having to pay.

    I have not had good experience with outsourcing - never forget that these are the same bunch of folks who are getting skewered for lousy tech support for poor end-users who have paid extra for support packages. Attitudes don't change much across corporations.

    Before I would spend the bucks for any sort of "managed services" I would make sure that the vendor guaranteed 100% availibility without exception. Availibility must be defined as a maximum latency (ie. no end user will wait more than 750ms for a response or whatever is needed).

    Rationale? Any app that requires this type of support must be available to the end user without fail. That's why you pay the bucks.

    OS is "up" but web server is compromised or down? It's no good to the user. The downtime was scheduled? End user doesn't care.

    Why 100%? Why not. They are already guaranteeing less than 316 seconds per year of downtime. Let them work their payments for that downtime into the contract cost. I don't want to have to total up downtime and argue over when the year started. I want the vendor to know that any downtime costs them bucks. No argument, no weasel clauses, no exceptions (better keep those machines maintained, protected and patched).

    Been there - been burned. We moved our servers from a "managed solution provider" to a generic server farm and got far better service for one tenth the cost.

    • And at that point, you should have a cluster. Period. No one box will have full uptime. But wait, you say, what about a mainframe? Well, a mainframe is just a cluster in a box. At a really really low level. So when you hotswap a CPU, you're just knocking out a cluster node.

  • Think firewall + watchdog functionality (Score:5, Informative)

    by chabotc ( 22496 ) <chabotc AT gmail DOT com> on Sunday October 21, 2001 @05:07PM (#2457292) Homepage
    Put the datacenter server behind a firewall, preferably with some string matching functionality (ie watchdog).

    the later iptables have a string-patch included, which allow you to target certain port/string combo's, with this it is easy to block worms from the webserver, as long as you know what request it makes.

    exampple to block cmd.exe access (taken from my own internal firewall scripts, this will block nimda)

    $IPTABLES -A INPUT -p tcp -i ! $INTERNAL --dport 80 -m limit \
    --limit $LIMITLEVEL -m string --string "/cmd.exe" \
    -m state --state ESTABLISHED -j LOG \
    --log-level $LOGLEVEL \
    --log-prefix "MS IIS cmd.exe usage:"

    $IPTABLES -A INPUT -p tcp -o ! $INTERNAL --dport 80 -m limit \
    --limit $LIMITLEVEL -m string --string "/cmd.exe" \
    m state --state ESTABLISHED -j LOG \
    --log-level $LOGLEVEL \
    --log-prefix "MS IIS cmd.exe usage:"

    $IPTABLES -A INPUT -p tcp -i ! $INTERNAL --dport 80 -m string \
    --string "/cmd.exe" -m state --state ESTABLISHED\
    -j REJECT --reject-with tcp-reset

    $IPTABLES -A INPUT -p tcp -o ! $INTERNAL --dport 80 -m string \
    --string "/cmd.exe" -m state --state ESTABLISHED\
    -j REJECT --reject-with tcp-reset

    If you wanted to block codered, filter on /default.ida, filtering on global.asa is also a good idea ;-) etc ..

    (see iptables docs for more info)

    G'luck

  • Odd question (Score:3, Insightful)

    by md_doc ( 8431 ) <matt@webhosters.TOKYOcom minus city> on Sunday October 21, 2001 @05:33PM (#2457353) Homepage
    This is an odd question because both code red and nimda were actually viruses that took advantage of things like directory traversal and admin tools on the system. In short most admins already knew about these issues and fixed them themseleves by disabling the dir traversing and removing the template site.

    So in short to answer your question when it comes to code red or nimda you really should not have a problem if you are a good admin. The same is true in the linux world and newbie web programmers that do things like system calls without checking out what is going to be called. If you call something that the users passes to you then obviously they can do things like tracrt ip; rm -rf / and your code would let it. This is not perls fault or php's fault or any other languages fault it is the programmers fault.

    As much as I dislike windows, mainly because I have been an asp programmer for a long time and I would rather use linux and do perl programming (which I do now), Microsoft is somewhat right in that a knowledgable sysadmin already had the holes fixed. At the same time they should not send out software with issues like that.

  • You really don't want to put IIS on you Terminal Server. If you're using TS in admin mode you don't need to use TSAC (the web plugin). I find I do just as well with the RDP client application. It works smoother and the win32 version will fit on one floppy if you want to carry it around.
  • "Would anyone out there actually recommend Datacenter for corporate environments?"

    Loaded statement... entering Slashdot filter code...

    Made by Slashdot author = PASS...
    Negative against Microsoft = PASS...
    Vaguely positive to Open Source operating systems = PASS...

    Good to go.

  • Thank you for your answers (Score:4, Informative)

    by alen ( 225700 ) on Sunday October 21, 2001 @06:32PM (#2457486)
    I actually posted this question twice, and I'm glad they used this second posting with our actuall situation. The first one was more of a what if scenario.

    As far as terminal server and IIS, you need IIS if you want to use the Terminal Server Advanced Client and go in through the web. I was originally taught to use TS through IE and forgot going in through the TS client.

    If we do go with Datacenter, the servers will host SQL 2000 Enterprise in a clustered enviroment. We currently use SQL and have a propritery in house written app for it.

    And as far as the Code Red holes being found months prior to infection, I just used this as an example. I remember in 1997 and 1998 NT had new security holes every week. Windows 2000 is slightly better. 6 months ago I remember downloading hotfixes that will appear in service pack 3.

    My question still remains, if a new flaw in IIS, the kernel or any other part of the OS is found how long are we supposed to wait for a fix? I forgot the specifics, but I'm pretty sure the compaq people said they customize the source code for your enviroment. They will need a copy of our in-house app, get in touch with the EMC engineers because our EMC box will be our clustered storage and analyze everything else. Then we will get a CD with a customized copy of Windows 2000 Datacenter. Like EMC, the servers will be monitored by another company and they will most likely know of any problems before us. Every so often we will get a new CD with updates, service packs, etc customized for us. But if a new worm comes out in a few months that exploits some currently unknown flaw in Win2000 or any other part of the OS, will we be dead in the water while we wait for a patch? After September 11th we were calling EMC for tech support on our Symetrix and we were basically told get in line. They had richer customers to support first.

    • Re: (Score:3, Insightful)

      by account_deleted ( 4530225 )
      Comment removed based on user account deletion
    • First you go and take the Windows 2000 security training course at the SANS conferences. There you will learn about turning off unnecessary services, hardening the installation of the software and the OS. You'll learn about ipsec and filtering out illegitimate traffic at the network layer of the box. You'll learn about auditing your box to watch for problems, etc.

      Then you will realize you won't have an IIS server on your SQL Server box anyway, because it's unnecessary. So you won't be at risk to Code Red or Nimda or any similar IIS Worm. Even if you did have IIS, you'd lock down the install by removing the various ISAPI filters and such that were exploited, so even without the patches you would never have been vulnerable.

      Then your going to go out and subscribe to the advisories from microsoft.com/security, sans.org, securityfocus, ntbugtraq, etc... so you won't have to worry about waiting a few months you will know about them the day they hit the streets.

      I think the training will help, in conjunction with a better understanding of exactly what you are doing you can be pretty confident about your installation. If you want to lock it down, you can... and I'd say it's advisable to do so.

  • No patches needed to block Nimda and Code Red (Score:3, Informative)

    by MoritzB ( 529899 ) on Sunday October 21, 2001 @06:49PM (#2457522)
    Both Nimda and Code Red can be avoided by locking down the IIS 5 configuration (... as demonstrated by the MS IIS lockdown tool). No patches (not even OS service packs, i.e. no Win 2k SP1 or SP2) are required! If you add some firewalls in front of your IIS, one of those being e.g. ISA Server 2k, you could use - HTTP forward caching (where all cached requests would be handled on the "other" side of the NAT firewall) - content filtering (to block offensive code such as Nimda). If your admin knows her job, everything should be just fine with your Win 2k Datacenter (except for the noise those boxes tend to make) ... M.

  • Get your facts straight first (Score:4, Informative)

    by thesolo ( 131008 ) <slap@fighttheriaa.org> on Sunday October 21, 2001 @06:49PM (#2457525) Homepage
    A few things here:
    1. Datacenter machines will NEVER be running IIS. I've worked with several OEMs before, and none of them would EVER send out a datacenter machine with IIS running on it. If your OEM gives you a datacenter machine with IIS on it, run. Run as fast as you can to another OEM that doesn't.
    2. Datacenter should NOT be available to the internet! If this is a mission-critical machine, why would you want it on the internet? So it can double as an EFNet server?! Machines like this should only be accessible to a select group of machines on its own network.
    3. As stated before, Terminal Services does NOT require IIS to run. And also, you really shouldn't be using Terminal Services on this machine to do anything except possibly monitor performance--any changes made to the system would violate the uptime guarantee from your Vendor. This is a "LEAVE IT ALONE" situation.
    4. If you are dumb enough to have a Datacenter machine running IIS, you deserve to get a worm on it. Anyone who has the kind of money to get one of these machines should have some active brain cells too.

    The issues mentioned in this article are null & void, as a situation like that would most likely never, ever happen. (Then again, you picked Compaq as your OEM, so maybe...*insert rim shot here*)

  • Woah, big misunderstanding... (Score:3, Insightful)

    by Telek ( 410366 ) on Sunday October 21, 2001 @06:55PM (#2457532) Homepage
    So say a new worm comes out in a few months and it takes a few days for MS to create a hotfix.

    Is there something I'm missing?

    Absolutely. You've got your timelines backwards.

    Worms come out a few months after the bugs have been discovered and patches have been made available. We're talking months here. Code Red came out more than 2 months after the bug had been discovered and patches created.

    Microsoft has had their patches out in the wild within a few days of a major bug being discovered. The worms however take much longer to be created/deployed/spread. Although it is possible for the worms to come out much faster, they will still be lagged behind the discovery of the bug, and the patches are issued almost immediately.

    And if you have an agreement with your provider that you will have 99.999% uptime, then you better believe that they will be phoning you at 2am in the morning to tell you that they're coming over to install a new patch lest they break their contract.
    • Melissa is a bad example since WSH has always been there, but patches and virus updates only came out after the fact. How about when hackers stole some of the source code from Microsoft? I bet there is a least 1 flaw that someone other than Microsoft know about.
  • Is it possible to cluster SQL server in order to yield increased performance?
    Intuition tells me no, which is why you see so many large database servers.

    But is it possible at all?
    • Windows 2000 Advanced Server and Datacenter support network load balancing. Kind of like Beowolf where the machines divide the tasks among them. Never used it. We only had clustering running on advanced server at work to test it.

      SQL 2000 Enterprise and Exchange 2000 Enterprise support clustering on advanced server and datacenter server. I assume they support network load balancing too.
      • That has absolutely nothing to do with my question.

        Load balancing is NOTHING like beowulf.. beowulf is about using appropriate parallel-processing libraries (PVM, etc) to squeeze performance out of a cluster of machines.

        As for the machines 'supporting clustering'.. that's an industry buzzword that's not terribly meaningful. ALL operating systems 'support network load balancing' in this respect.

        Win2k advanced server & datacenter do NOT automatically cluster anything; clustering is application specific.

        My question is whether database servers in particular can be clustered in order to increase performance (some queries to one machine, some to another). My theory is that they generally can't, because, in order to remain coherent, each machine would have to receive all transactions anyway.
        (Certianly lookups could be done with replicated databases.. that's not what I mean though.. I mean real transaction processing stuff)
        • Microsoft got the top spots in the TPC-C transaction performance benchmark by using clusters of SQLserver2000. The feature that makes it worth using these clusters is 'partitioned views', which is something like: having a view on a set of data that is retrieved from more than 1 machine, i.e. what you want.
  • Awhile back my organization had several major security concerns with both Win2K Server and Win2K Datacenter, most of which dealt with LDAP. After our concerns were finally escallated high enough within Microsoft, a surprising reply was sent to us... it basicly stated that some of the holes were to be patched by Q4 2001 but that we should consider upgrading to what they called 'whistler datacenter' (essentially the server and datacenter versions of Windows XP) for complete security. I for one am tired of feeding the M$ machine.
  • The SLA guarantees a 99.999% uptime or your money back
    Let me see, 99.999% uptime on a windows system. That translates to 4 minutes and 12 seconds downtime per year. I don't know about you guys, but on this planet that's not what I call a credible proposition. On windows, that' more like winning the lottery. I surely hope somebody in that meeting had the sense to laugh.

  • Unisys and Datacenter (Score:2, Informative)

    by isfry ( 101853 )
    As someone who just had Unisys install an ES7000 with Datacenter and talking to the install people. You can do anything to the box that dose not touch the kernel. How Unisys explained the 5 9's SLA is that they will have a copy of you set up and will apply patches to them before they are installed on your system, but I cases like code red they will issue them to you and put it on the test server to test. They aren't going to keep you from installing a critical hot fix but when possible they will test it before they unleash it upon you.

  • Nice Comments (Score:3, Insightful)

    by Null_Packet ( 15946 ) <nullpacket@doscher. n e t> on Sunday October 21, 2001 @09:45PM (#2458013)
    This may not be modded up high enough for the +4 folks to see it, but I have to say that the people posting at +4 and above have some really great comments.

    It's nice to see Slashdot as a technical community, not just a Linux one. I know, I know, *nix is the preferred OS of many of the readers/posters, but it's nice to see such an array of comments and extremely constructive ideas and comments. Nice Comments, all.
  • Run Hogwash... its modification of snort that actualyl makes firewall decisions based on snort rules... so you can detect an attack and refuse to allow it into your network.

    hogwash.sourceforge.net

Slashdot Top Deals

All seems condemned in the long run to approximate a state akin to Gaussian noise. -- James Martin

Close