UCSB Bans Windows NT/2000 in the Dorms
nick58b writes "The people in charge of the networks for all of the on-campus dorms at UCSB banned the use of Windows NT and 2000 on their networks citing security and network problems associated with them. While there are problems with NT/2000, Windows 98 and ME computers are still permitted. Students using these are "recommended" to upgrade to XP Home Edition. In other news, sales of Windows XP are way up at the campus bookstore."
Not surprising... (Score:4, Informative)
My mom works in the library, and guess what OS she uses? You guessed it! NT!
Administrator account (Score:2, Informative)
Re:XP _is_ Windows 2000 (Score:3, Informative)
It's not Windows 2000 with WindowBlinds (shareware theme thing), of course. It's easy to tell from Windows versions. XP is Windows 5.1, not 6 or 5.5.
If you won't get disgusted, here is MS's document
http://msdn.microsoft.com/msdnmag/issues/01/12/
Re:Kickbacks? (Score:2, Informative)
Windows XP Home: $407.40, RRP is $531.46
Windows XP Home UPG: $210.49, RRP is $274.90
So approx 24% profit.
Prices are in NZ$, ex GST.
This isn't just plain stupidity (Score:3, Informative)
We will always see through this kind of bullshit. The best we can do is to educate others without seeming too fanatical to be taken seriously.
Not a scam (Score:1, Informative)
It _IS_ a security/bandwidth problem (Score:5, Informative)
This has been a topic of discussion recently at our office mainly because there have been a tremendous number of security issues relating to Windows 2000 (not so much with NT since these are students, not corporate users). I personally think that the move is a little drastic, but it will be interesting to see how this pans out at UCSB (especially how they will enforce it).
There will be people talking about how secure/insecure Win2K is. Allow me to give a common trait to all of the compromised machines:
1) Blank Administrator Password
2) Unpatched Windows (i.e. no Service Packs installed)
In nearly ALL the compromised machines, the computer is not updated and has a blank Administrator password.
The easy solution: install SP3!
An easier solution: set an Administrator Password!
All really simple solutions that would prevent 99% of the issues we have encountered thus far.
So I said it was a security problem. How is it a bandwidth problem?
Allow me to point to the DarkIRC and Nimda security bulletins [berkeley.edu] we have written up by our security.
So you've got a zombie, what do you do with it? A number of things:
1) use the compromised machine in a DoS attack
2) use it as an FTP server
3) use it as an IRC bot
A script kiddie can just use a machine on a fat bandwidth pipe at will to his liking. It's definitely NOT fun when the pipe is already clogged as it is with folks and P2P apps.
So there you have... if you don't think it's a problem, it IS a problem. There are too many calls about this to our helpdesk to have it be a minor issue that everyone else makes it out to be.
Read the story again (Score:3, Informative)
PS: I don't think UCSB is getting anything from Microsoft, because they agreed to run Linux on most of the servers here.
just my $.02
The wool has been pulled over your eyes... (Score:5, Informative)
Oh, boy. You just took that hook, line, and sinker, didn't you? What exploits are running around on a default version of Windows 2000 that would cause problems with your network?
Answer: NONE.
The culprit you're looking for is IIS, which is NOT installed by default on Windows NT Workstation or Windows 2000 Professional. If you install IIS from the Windows 2000 CD, you will be vulnerable until you download the patch -- but to install IIS, you must explicitly insert the CD after Windows 2000 is installed, find IIS, and install it. (By the way, this problem could be eliminated other ways, such as not allowing servers on port 80.)
The IIS version that ships with the Windows XP Pro CD is not vulnerable. But to say Windows 2000 is vulnerable to a common remote root exploit out of the box is simply untrue. IIS 5.0 is the scapegoat you're looking for.
Re:Legal Implications, hoax? (Score:1, Informative)
Re:Just curious... (Score:2, Informative)
*sigh* Ok I'll bite.
XP is basically (and has been referred to on occasion by MS as) NT5.1 . Windows 2000 is using the NT5.0 kernel.
XP has had a few speed optimizations here and there as well as some built in "performance boosters" such as automatically defragging and optimizing the boot hard drive when the computer is otherwise idle.
All of this was basically necessary to implement so as to hide how the extra five hundred megabytes of bloat that came just with adding TWO features to Windows XP;
Skins and user switching.
(Yes, it took MS 500 megabytes to add those two features. Go figure.)
Oddly enough even XP pro lacks some of the functionality of Windows 2000. The ability to Lock a workstation is gone (Doh!), or at least hidden some wheres far far away. Horrible for security.
Also killing Explorer.exe in Task Manager is now A Serious Ordeal whereas in Windows 2000 it was just another ho-hum task. I have seen killing Explorer.exe bring down an entire Windows XP system.
Some minor enhancements to USB Mass Storage were made, and Internet Explorer 6 was shipped by default. There is also a cheesy personal firewall included with XP Home, but it hardly counts as a true security feature.
The Windows 2000 shell can actually be swapped out easily enough and another shell can be dropped in there. The Win9x line is the same way, very customizable. MS seems dedicated towards working against this though and integrating everything into one tight mess of tangled dependencies.
Oh yah, and XP likes telling you what to do. At least in Windows 2000 it was possible to beat some sense into the Machine, but in XP. . . . well the beating is still theoretically possible, but finding the sensitive spot to pound on is not quite as easy as it was with Windows 2000.
Also, like I said.. no Windows buff, but.. wouldn't the 9x stuff be less secure than NT/2k? Or is 9x just less stable, while the NT/2k stuff has more holes?
There is normally a pretty steady correlation between security holes and stability. When you have one, odds are that the other can be found too. Sloppy code is sloppy code.
That said, Windows 9x is both unstable and full of security holes. Quite frankly the poor thing was never meant to go 32bit, mine as well be forced onto the Internet and be made to play around with T1/3s doing DDoS attacks.
98 is rather fun in that you can do almost anything to it and it will take it in stride though.
Really, nobody ever took full advantage of 98, hehe. Active Desktop could have done some nifty things.
Re:Ubelievable (Score:3, Informative)
This sentence should be parsed: Some other options are to (downgrade to Windows 98), (get a free operating system such as Linux).
Like I said on the resnet forum (Score:5, Informative)
8/30/2002 2:49:15 AM
I'm writing this to the people in charge of Resnet policy, but also to people using Resnet. An outright ban on Windows 2000 will prove to be a costly and ineffective policy for increasing the security of Resnet.
1. Software and Bugs
Windows 2000, like any operating system, is a complex bundle of computer code. Like Windows XP, GNU/Linux, or MacOS, people find bugs in the software from time to time. Certain malicious people try to exploit the bugs to damage networks, reputations, etc. Other people develop software patches to fix the bugs.
Oftentimes, bugs are found with application software, like web browsers, web servers, e-mail clients, and the like. The operating system is generally not at fault. In this case, it just so happened that problems with some Microsoft application software were found in 2001 and combined creatively to create a series of rather devastating worldwide attacks.
2. Who is to Blame
It is important to realize that Windows 2000 was not the vulnerable software in these cases. Rather, bugs in Internet Information Server and Internet Explorer were exploited; they were the cause of the widespread effectiveness of the worms called "Code Red" and "Nimda." In other words, there are computers running Windows 2000 that are not and never were susceptible to Code Red, and there are devices not running Windows 2000 that were susceptible. Similarly, there are plenty of computers not running Windows 2000 that helped spread the problem through the Nimda worm.
Thus, these problems cannot be blamed on Windows 2000. Where does the blame lie? Programmers are bound to make mistakes, especially in an environment where a for-profit company is trying to produce and sell a modern operating system. Since few pieces of software are ever bug-free, it is ultimately up to system administrators and everyday users to make sure that their systems are as secure as possible (or practical). One of the ways to help increase the security of a computer is to apply security patches once they are released.
3. Patching Problems
A properly maintained computer is like a properly maintained car. Using a two-year-old unpatched computer on the Internet is like driving a car too fast on a twisting mountain road during an ice storm on bald tires. Using such a system or driving such a car is asking for trouble.
The bug in IIS that made it vulnerable to Code Red was announced two months before Code Red. The bug in Internet Explorer used by the Nimda worm was announced a full 5 months before Nimda. Yet even today, nearly a year after these attacks, thousands of machines worldwide are still unpatched. In other words, they are either infected with Code Red, or vulnerable to it. Unfortunately, many of these machines are likely to remain unpatched forever.
With that in mind, we turn now to the proposed ban of Windows 2000.
4. What problems does it solve?
Windows XP is not vulnerable to Code Red and Nimda. So upgrading to Windows XP does protect against certain problems.
5. What problems doesn't it solve?
It does not change the fact that improperly configured or improperly managed systems are vulnerable. It does not protect against attacks that have yet to be developed. It does not help educate users about ways to make their systems more secure. It does not help users of other operating systems running vulnerable versions of Internet Explorer. It does not protect against the thousands of other vulnerabilities that plague other operating systems. It does not stop denial of service attacks and port scans (that for some reason were blamed on Windows 2000 by the Resnet web page).
6. What problems does it cause?
Bugs that were introduced during the development of Windows XP could conceivably outweigh the bugs that were patched during that time. It would be naive to think that every bug in Windows XP is also present in older Windows operating systems.
The Products Use Rights document for Windows XP now includes a clause saying that Microsoft may access and change the operating system and its components without your agreement, and in fact without your knowledge. Suggesting that users of Resnet upgrade to Windows XP puts them in a position where they agree to relinquish control of their computers. Incidentally, versions of Windows 2000 up to service pack 2 do not contain this clause.
The ban of an operating system creates a dangerous precedent. Nowhere in the Resnet Acceptable Use Policy has there been any mention of the ban of a specific software product. The AUP does state that users cannot interfere with others, or with the proper functioning of the network. However, anyone would be hard put to prove that Windows 2000 was the sole cause of any problems by virtue of any fundamental and uncorrectable security flaws.
7. What are the costs of the upgrades?
As always, these costs are generally borne by the end users. They must acquire and install the software and learn to use it. This costs time and money and doesn't appreciably increase the security of the network.
8. What are the alternatives?
Requiring that users patch Windows 2000 systems would take less time and money. Verifying that a system was patched by probing the computer for the Red Alert vulnerability is no more difficult than fingerprinting the OS and checking that it is not Windows 2000. Certainly, installing a patch is a less intensive operation than upgrading an operating system and dealing with any problems and incompatibilities that may arise, so support problems faced by the RCCs are fewer.
In conclusion, the proposed Windows 2000 ban is both costly and ineffective. It seems as if the Resnet staff has already decided on implementing this "solution," which is lamentable. As there has been no discussion of or opposition to the ban on this forum, I felt it was necessary to provide a different opinion.
9. Resources:
Resnet Policy:
http://www.resnet.ucsb.edu/information/win2k.html [ucsb.edu]
http://www.resnet.ucsb.edu/information/use_policy
Code Red:
http://www.cert.org/advisories/CA-2001-19.html [cert.org] (exploit)
http://www.cert.org/advisories/CA-2001-12.html [cert.org] (bug)
Nimda:
http://www.cert.org/advisories/CA-2001-26.html [cert.org] (exploit)
http://www.cert.org/advisories/CA-2001-06.html [cert.org] (bug)
Windows XP PUR:
http://www.microsoft.com/licensing/resources [microsoft.com]
http://www.infoworld.com/articles/op/xml/02/02/11
Re:Legal Implications, hoax? (Score:2, Informative)
Re:The wool has been pulled over your eyes... (Score:1, Informative)
Re:The wool has been pulled over your eyes... (Score:5, Informative)
Answer: NONE.
The culprit you're looking for is IIS...
Having worked on dorm computers, the bigger problem with win2k and winxp is usually the presence of an administrator account with no password. There's a good number of exploits out in the wild that use the absence of an administrator password to take over machines, presumably for DDoS. I'm not certain, but I think that if you tell the installer there will be only one person using the win2k/xp system, it skips the part where it prompts you to set a password for administrator.
Re:XP is NOT secure (Score:4, Informative)
Distribution
(emphasis mine)
* Name of attachment: Sample.exe (this file may not be visible)
* Shared drives: Infects open network shares
* Target of infection: Specifically attempts to infect unpatched IIS servers
Re:The wool has been pulled over your eyes... (Score:2, Informative)
Seems like a blank admin password would be a bit of a security risk on ANY operating system. And NO you are spreading FUD when you say it skips the set password dialog. That is ludicrous. *Nix users will say ANYTHING to put down the "Evil Empire" even if they have no idea what they are talking about. Would it have killed you to try it (or look it up) before making a statement about something you're "not certain" of?
alex
At my place it is the other way round. (Score:3, Informative)
So much about objectivity of various security issues...
Re:The wool has been pulled over your eyes... (Score:2, Informative)
You can connect to the box by:
net use * \\ipaddress\C$ ""
That will map an unused drive on your machine to the administrative share on the remote machine that is sharing the C:.
Re:You mean, XP with universal Plug and Play (Score:2, Informative)
Re:XP is NOT secure (Score:2, Informative)
Re:The wool has been pulled over your eyes... (Score:2, Informative)
Re:The wool has been pulled over your eyes... (Score:4, Informative)
Re:Kings College, London (Score:2, Informative)
No surprise they're banning Linux; net services sucked so much when I was there, I scammed myself a UNIX account up the road at UCL. KCL's computers used to be a bunch of BBC 'B' micros serving as dumb terminals for their VAX system. They had no helpdesk. One of their labs was in an old plague pit. They had one grouchy old lady operator (in the 'old skool' style) and you had to apply for special dispensation to have more than 256K (yes, K) of disk space. Office hours were 2pm - 4pm, Wednesdays.
Ah, memories!
It's no surprise they're *completely* clueless... they have no history of decent computing or having a helpdesk. Now, UCL and Imperial, they have a clue... good helpdesk, too (at least at UCL, didn't get a chance to talk to the Imperial folks).
Pathetic Attempts (Score:1, Informative)
You know the silly thing? The way they check to see if you have Win2k is thru a "registration" process by which you are not given a valid IP address (DHCP) until your MAC is registered with the system. This involves accepting an agreement, etc, etc. Guess how they find out you're using 2k? Your HTTP request. It was rather simple for my friends using 2k to validate their MACs on other people's computers, or on their own computers (if they dual boot) and then return to 2k, easy as pie.
What kind of bs is that?
Tony
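Added example, not part of the thread or of UCSB's system: the comment above describes an OS check made once, from a single HTTP request at MAC registration. This Python sketch re-checks the OS claimed in later requests against the one seen at registration; the data layout, MAC addresses and User-Agent strings are constructed, and the User-Agent is still a client-supplied value.

```python
import re

# Kernel version tokens as sent in browser User-Agent headers.
NT_TOKEN = re.compile(r"Windows NT (\d+\.\d+)")
NT_NAMES = {"4.0": "Windows NT 4.0", "5.0": "Windows 2000", "5.1": "Windows XP"}
BANNED = {"Windows NT 4.0", "Windows 2000"}  # the ban described in the story


def os_from_user_agent(ua):
    """Label the OS a client claims in its User-Agent (client-asserted, unverified)."""
    m = NT_TOKEN.search(ua)
    if m:
        return NT_NAMES.get(m.group(1), "Windows NT " + m.group(1))
    if "Win 9x 4.90" in ua:  # Windows ME sends "Windows 98" plus this token
        return "Windows ME"
    if "Windows 98" in ua:
        return "Windows 98"
    return "unknown"


def audit(registered, observed):
    """Compare the OS seen at registration with the OS seen in later traffic.
    registered: {mac: user_agent_at_registration} (hypothetical layout)
    observed:   iterable of (mac, user_agent) from later HTTP requests
    Returns a list of (mac, registered_os, observed_os, reason), sorted by MAC.
    """
    findings = set()
    for mac, ua in observed:
        seen = os_from_user_agent(ua)
        if mac not in registered:
            findings.add((mac, None, seen, "unregistered MAC"))
            continue
        reg = os_from_user_agent(registered[mac])
        if seen in BANNED:
            findings.add((mac, reg, seen, "banned OS after registration"))
        elif seen != reg and "unknown" not in (seen, reg):
            findings.add((mac, reg, seen, "OS changed since registration"))
    return sorted(findings, key=lambda f: f[0])


# Constructed sample data (not from the page).
REGISTERED = {
    "00:11:22:33:44:55": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "00:11:22:33:44:66": "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)",
}
OBSERVED = [
    ("00:11:22:33:44:55", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    ("00:11:22:33:44:66", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"),
]
```

Calling `audit(REGISTERED, OBSERVED)` flags only the second MAC, which registered as Windows 98 and later sent a Windows NT 5.0 token.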