UCSB Bans Windows NT/2000 in the Dorms
nick58b writes "The people in charge of the networks for all of the on-campus dorms at UCSB banned the use of Windows NT and 2000 on their networks citing security and network problems associated with them. While there are problems with NT/2000, Windows 98 and ME computers are still permitted. Students using these are "recommended" to upgrade to XP Home Edition. In other news, sales of Windows XP are way up at the campus bookstore."
XP is NOT secure (Score:5, Interesting)
XP automagically sets up a read/write share ('my shared documents') when you enable filesharing, which essentially leaves the doors wide open to MS Networking viruses like Nimda.
On top of that, password protecting network shares from XP Home is impossible.
I'll be the first to say it... (Score:4, Interesting)
I just don't get it. I was just at UMBC and they prohibit internet connections from anyone who doesn't have anti-virus software installed.
(You can still get on if you don't, but if they find out, you lose your right to get online.)
Why not just suggest installing a more virus-resistant OS?
Re:In Even OTHER news... (Score:1, Interesting)
>that haven't been addressed by patches and those
>patches CAN NOT be downloaded by people with
>pirated copies of the software
Wait... people with the pirated copies can't download patches that don't exist, since the vulnerabilities "haven't been addressed by patches"?
I don't get it.
Either they've been addressed and pirated copies can't download them, or they haven't been addressed, and even legal copies can't download them.
Which did you mean?
Ugh. (Score:5, Interesting)
"Residents' computers were compromised with several well-known vulnerabilities and used for all manner of unfriendly purposes such as the installation of viruses like Code Red and Nimda on other residents' computers."
Oh, so you really meant to ban IIS, which is, after all, the software that contributed to most of these worms. Ironically, www.resnet.ucsb.edu is running IIS 5.0 on that very same evil Windows 2000 OS. [netcraft.com]
Want to know my guess at what happened? Since the admins weren't blocking web servers running on port 80 outside of ResNet, someone set up an IIS server and got nailed with Nimda, which then killed their ResNet web servers (assuming that they hadn't patched their web servers, which isn't much of a leap to make, considering they don't seem to understand the difference between Windows 2000 and IIS.)
"OpenSSL and Apache holes? Wow, let's ban Linux!" That's the same ridiculous leap they made in banning Windows 2000.
"While we understand that it is possible to run a secure Windows 2000 environment, past history has shown that this rarely happens on ResNet."
Nothing like insulting your users AND taking away their right to run a particular OS. You know, this IS an educational institution -- why don't you try educating them? Better yet, cut off ports that are spreading Nimda -- that'll make people figure it out really quickly.
This is ridiculous in every sense of the word, and I hope the students there organize and fight against this. If I lived there, I know I would be.
What the!? (Score:1, Interesting)
In other words,
This must be about money. There's just no logical reason UCSB could possibly come to this conclusion...
resnet.ucsb.edu is using IIS on W2K (Score:5, Interesting)
The site that is telling students they cannot use W2K is running IIS.
The students' machines get compromised, and resnet gets compromised, so some Admin who would otherwise get fired for not installing HIS updates scapegoats the students.
Crap sysadmin and non-technical management are the cause of this.
If they were so worried, wouldn't they be running Apache?
Hey UCSB Linux Users Group! (Score:4, Interesting)
How about all of you get on over and set up a table outside the campus bookstore? I don't think I should have to explain why.
Re:Ugh. (Score:4, Interesting)
UCSB has all sorts of stupid rules. One of my favorites was that no more than 1 IP per person per room... (which was way too easy to get around...)
When I applied for a job there, they turned me down for not having enough technical knowledge, but I didn't feel like it was a good time to tell them about how easy it was to bypass all their "safeguards".
Probably lack of patching... (Score:4, Interesting)
Will it be any different when XP hits service pack 3 and nobody has it installed (or actually fewer than 2k boxes due to MS anti-piracy measures in their SP updates)? No.
The message is "you're too lazy to patch, so get the latest with the most patches pre-installed"
Kjella
I'm confused (Score:3, Interesting)
Re:Ugh. (Score:4, Interesting)
2) When schools try to educate students on how to secure their computers they tend not to listen. You might listen as a computer geek, but I can tell you right now that 99% of the people in my dorm building could care less about installing Windows 2000 SP3. I don't see this as UCSB saying that XP is more secure than 2000 because I believe that XP SP1 vs 2000 SP3, 2000 will win hands down. I believe that UCSB is realizing that 90% of students don't install patches and by having students run XP they are getting machines with 2 years less security holes plus an auto updating system to ensure that patches are regularly installed (assuming students OK the patches).
3) Why don't they just block the ports? Two things here. I was at a school with 350 machines that were regularly updated with security patches. Every box in the building had an image with the latest version of every app reimaged once a week. Even with this and a Cisco PIX firewall and NAT we still got hit by Nimda. All it took was one stupid student opening up an attachment and the thing flew by administrative shares. Blocking ports doesn't always help. Second thing, I'm not sure how UCI (the UC system's ISP) works, but 4C (The CA State College's ISP) is really tough about blocking ports. If the school blocks the port for Kazaa or Half Life the school loses their internet connection. Pretty tough, but they have strong feelings that the internet should not be censored. I agree with them even if it makes things difficult sometimes.
Do I think this is a crazy decision: yes
Do I see why they did it: yes
Re:What a scam (Score:3, Interesting)
I'm hardly familiar with remote-exploit holes in Windows. Can anyone enlighten me on why 98 is so insecure by default? =\ I'd be interested in any links or whitepapers or whathaveyou.
As to holes relating to the fact that all programs have 'root' access, that's obvious, but most folks seem to run their windows boxen as admin anyway, so I still don't see why 98 is worse off.
My impression is, the more complex (e.g. the more services) Microsoft software gets, the more holes the size of Mack trucks will be present. I would think XP would be the worst out of the lot at this point (well, besides an unpatched NT4 server, hehe).
Am I way off?
Why not.... (Score:5, Interesting)
Why don't they do what my university did... if your machine was detected trying to propagate Nimda or Code Red, the smart switches disabled your jack. Getting it re-enabled meant calling Information Services Division and proving that you had cleaned up and protected your machine (downloading and installing the free copy of Norton Antivirus they provided).
It really seems to be a good system. Plug in an unregistered NIC - blam - jack turned off and MAC address added to a blocked hosts list. Plug in a hub with more than one machine behind it... jack turned off. Run an unauthorized web server... jack turned off, MAC address added to blocked hosts list. etc. etc. etc.
I'm surprised other large institutions don't do the same thing. It sounds like it would save a lot of headaches.
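The detection step the comment above describes, sketched as an added example (not code from the commenter's university or from UCSB): it scans web server access logs for the request paths Code Red and Nimda were known for and lists the source addresses to quarantine. The log source (a sensor web server on the residence network), the threshold and all addresses are assumptions; mapping an address to a switch port is left out.

```python
import re
from collections import Counter

# Request paths these worms left in web server logs, as published in 2001 advisories.
SIGNATURES = {
    "Code Red": re.compile(r"/default\.ida\?[NX]{20,}"),
    "Nimda": re.compile(r"/(?:root|cmd)\.exe(?:\?|$)", re.I),
}
# Common Log Format: client address first, request line in double quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+)')

def worm_hits(log_lines):
    """Count signature matches per (source IP, worm name)."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than guess
        ip, path = m.groups()
        for worm, sig in SIGNATURES.items():
            if sig.search(path):
                hits[(ip, worm)] += 1
    return hits

def quarantine_list(log_lines, threshold=2):
    """Source IPs with at least `threshold` probes matching one worm."""
    counts = worm_hits(log_lines)
    return sorted({ip for (ip, _), n in counts.items() if n >= threshold})

def _line(ip, path):
    # Build one constructed Common Log Format line.
    return f'{ip} - - [18/Sep/2001:09:14:02 -0700] "GET {path} HTTP/1.0" 404 0'

# Constructed sample traffic; addresses and timestamps are made up.
SAMPLE = [
    _line("10.8.4.21", "/scripts/root.exe?/c+dir"),
    _line("10.8.4.21", "/MSADC/root.exe?/c+dir"),
    _line("10.8.4.21", "/c/winnt/system32/cmd.exe?/c+dir"),
    _line("10.8.7.3", "/default.ida?" + "N" * 40),
    _line("10.8.7.3", "/default.ida?" + "N" * 40),
    _line("10.8.5.5", "/scripts/cmd.exe?/c+dir"),   # single hit, below threshold
    _line("10.8.9.40", "/index.html"),              # ordinary request
    "garbage line without a request",
]

if __name__ == "__main__":
    print(quarantine_list(SAMPLE))
```

The threshold keeps a single stray request from cutting off a jack; lowering it to 1 trades fewer missed infections for more false quarantines.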
This Is Happening All Over (Score:3, Interesting)
Re:The wool has been pulled over your eyes... (Score:3, Interesting)
No no YOU read it again (Score:2, Interesting)
Actually, no. See the resnet page [ucsb.edu], which says See also the Resnet forum thread [ucsb.edu] where a user says They even went as far as giving all of the students antivirus software
How is this related to Windows 2000 being fundamentally broken? Are you saying that only Windows 2000 users neglected to install their anti-virus software? Is this because they were using Windows 2000 instead of another OS? Otherwise, that statement is not relevant.
I think XP is allowed because it would be hard for them to block XP Professional without blocking the Home edition.
XP is allowed because there are certain problems in Windows 2000 which do not exist in Windows XP. Nothing more, nothing less. See the above links. Banning one and recommending another hurts the network in general at least as much as it improves certain aspects of security.
Re:In Even OTHER news... (Score:4, Interesting)
Of course, there's nothing stopping you from using Windows Catalogue to download updates manually, but that's a little more involved than Windows Update.