
Longhorn Server's "Improved" Security 151

Posted by kdawson
from the articulate-vegetable dept.
An anonymous reader writes, "The 'most secure Windows ever' may be very secure from hackers and malware — but what do you do when Longhorn Server lets you install the OS, set up Active Directory, and initialize the domain without once asking you even to create an administrator password? From the article: 'What happened to Windows Server? Where did all of the stringent security checks and ultra-protection of Windows Server 2003 go? Windows Server 2000 was quite insecure, and Windows Server 2003 turned over a new leaf... But it seems Microsoft is more than willing to flip that page back — even Windows Server 2000 required an Administrator password at the very least.'" Inevitably, Dave Barry's years-old quote comes to mind: "Microsoft has a new version out, Windows XP, which according to everybody is the 'most reliable Windows ever.' To me, this is like saying that asparagus is 'the most articulate vegetable ever.'"
This discussion has been archived. No new comments can be posted.

  • by also-rr (980579) on Friday October 13, 2006 @01:30PM (#16426021) Homepage
    There are CIOs just lining up to sign the purchase authority forms as we speak.

    Ohhh, new windows? And this one has transparency! That's going to make the spreadsheets* fly!

    *sigh*

    *By which they mean databases. Or possibly Word. Who knows the mind of a CIO?
    • by vtcodger (957785) on Friday October 13, 2006 @03:52PM (#16428965)
      ****By which they mean databases. Or possibly Word. Who knows the mind of a CIO?***

      CIOs have minds? Who knew?

    • There is no ability for an Admin to have remote access to Vista or Longhorn, without a PW assigned to the account. From the network standpoint, the account doesn't exist.

      This means no services running as "Administrator" 'cause some numbnutz in development just brought up a box in the dev DMZ, as "Administrator:password".

      Really, this isn't conceptually very different from what Apple and Ubuntu are doing.
      • I don't think so. If I'm not mistaken, not having a password for Administrator means that anybody can log into that account simply by pressing Enter when it asks for a password. Instead of total security, a total lack of it by default. I'm not surprised, as security's always seemed to be an afterthought at Microsoft.
  • How Kind of You (Score:5, Insightful)

    by eldavojohn (898314) * <eldavojohn@gm[ ].com ['ail' in gap]> on Friday October 13, 2006 @01:30PM (#16426031) Journal
    In the summary you linked to the text "most secure Windows ever" where the title of the Slashdot article is "Microsoft Says Vista Most Secure OS Ever." You'll notice that the former doesn't really cause my blood to boil because I don't care which Windows is more secure. The latter, however, prompts 440 comments and the tag "lol" to appear.

    You see, one is a logical statement because one would hope that newer OS's become more secure than their ancestors, while the other results in "You have offended my operating system of choice, prepare to die..."
    • by Compholio (770966)
      "You have offended my operating system of choice, prepare to die..."
      When he grows a sixth finger on his right hand and kills your father then we'll start paying attention, get used to people offending your OS. People offend mine and yours and everyone else's, it's just one of those things in life.
    • Well, I guess it depends on whose security Microsoft is talking about. It seems Microsoft has locked the end user out of the OS as much as possible, including a bunch of new DRM and anti-piracy measures. Your OS of choice probably isn't as secure against your own legitimate use as Windows Vista is.
      • Re: (Score:1, Troll)

        by myowntrueself (607117)
        Well, I guess it depends on whose security Microsoft is talking about.

        I thought it was obvious.

        Whenever Microsoft talk about 'security' they don't mean 'computer security for users' they mean 'financial security for Microsoft Corporation'.
      • by BuBu2 (1012367)
        I guess you mean the kind of security by obscurity which consists of hiding the system files in the windows explorer ?

        Making the OS idiot-proof is not true security anyways...

        Maybe, but this does nothing against viruses, spyware and the like...

        It's still not proven that a virus can work on Linux or BSDs, so they have a long time to go before they can claim to be the most secure OS...
        • I guess you mean the kind of security by obscurity which consists of hiding the system files in the windows explorer ?

          No, it was a sarcastic remark, referring to Microsoft's DRM and anti-piracy efforts in Vista.

        • by drsmithy (35869)

          It's still not proven that a virus can work on Linux or BSDs, [...]

          Uh, of course it is. A "virus" will "work" as well on Linux or the BSDs as it does on Windows, all else being equal.

    • by BuBu2 (1012367)
      Microsoft has been condemned by a court in the UK for deceptive advertising...
    • while the other results in "You have offended my operating system of choice, prepare to die...

      My name is Inigo B Montoya, you killed my OS, prepare to die.
      IBM was wronged as a child, who knew?
  • by gEvil (beta) (945888) on Friday October 13, 2006 @01:33PM (#16426063)
    I heard a rumor that the default admin password is "chair"
  • Then the last thing left that MS had promised for Vista just got cut. After cutting WinFS, Monad, IE7 (not exclusive to Vista, anyway), etc [wikipedia.org]. the only thing left that it had going for it was supposedly going to be the tighter security. Well, I guess you still have a flashy (read: annoying) new gui to look forward to.
    • by cnettel (836611)
      A local setup of Vista, with default settings, will deny remote access for accounts with an empty password. (The same is basically true in XP SP2, at least.) The efforts in Vista haven't been centered on physical security of the machine, "click to login" won't give you malware. I would rather assume that this fact in the current release of Longhorn Server would rather be the very result of the code sharing with Vista, where they probably haven't focused on getting the setup UI right for the server version wi
    • by From A Far Away Land (930780) on Friday October 13, 2006 @01:52PM (#16426465) Homepage Journal
      Don't forget that it includes PVP DRM, meaning Microsoft can compel your monitor not to show video unless it's sure that you've bought a commercial video disc.
      • by gg3po (724025)

        Don't forget that it includes PVP DRM, meaning Microsoft can compel your monitor not to show video unless it's sure that you've bought a commercial video disc.

        I just can't believe how brazen they've become. All these new "features" are really bugs. DRM, Trusted computing, first-born demanding EULA's, annoying swirling, flashing, transparent interfaces -- I don't want any of that! They seem to be relying entirely on their marketing department this go around.

    • by Ucklak (755284)
      ...you still have a flashy (read: annoying) new gui to look forward to.

      Only to those who shell out $250+ for it.
      I believe the under $200 ones don't have that fancy schmancy, hoity toity see through gui.
  • ...both "fud" and "notfud", to save everyone else the trouble?
  • "Most secure ever."

    Then about 10 minutes later there are about 30 pieces of malware, and 120 holes in the system.
    • Re: (Score:1, Insightful)

      by Anonymous Coward
      "Then about 10 minutes later there about 30 pieces of malware, and 120 holes in the system." - by zwilliams07 (840650) on Friday October 13, @01:35PM (#16426139)

      It said -> 'most secure Windows ever'

      Note the word Windows there, you slashdot OpenSource Pro-Linux loser?

      Ha... no wonder your OS is always in last place: Your type can't even READ properly!
  • Asparagus (Score:4, Funny)

    by justinbach (1002761) on Friday October 13, 2006 @01:36PM (#16426149) Homepage
    To me, this is like saying that asparagus is 'the most articulate vegetable ever.'"
    I think I'd want to check with the corn on that one--after all, aren't they the ones with *ears*?
    *ducks*
    • Since when has having ears ever made anyone articulate? That's right up there with saying that potatoes must be smart cos they have eyes...Sheesh...
      • by salzbrot (314893)
        Well, that's why he is checking with the corn, because that would be the vegetable that knows... Sheesh, use your eyes, umm, I mean brain :)
    • Well... if we stretch the definition of "vegetable" to include plants that aren't historically eaten by humans, then the Venus Fly Trap would have to win the "most articulate" title.
      • by i.r.id10t (595143)
        Mimosas (clicky for GIS [google.com]) fold their leaves up at night and after touching things like my face when I'm mowing the lawn, and they are much bigger (therefore more moving parts) than a VFT, so maybe they'd be more articulate?
        • by gardyloo (512791)
          Mimosas (clicky for GIS) fold their leaves up at night and after touching things like my face when I'm mowing the lawn [...]

                Man, how *are* you mowing that lawn?
        • by mackyrae (999347)
          But VFTs have mouths, and mimosas don't.
    • by smoker2 (750216)
      To me, this is like saying that asparagus is 'the most articulate vegetable ever.'
      And there was me thinking it was the oesophagus ! [wikipedia.org].
    • Corn isn't a vegetable.

      It's a grass and therefore a cereal crop.
  • Did you know? (Score:5, Informative)

    by Anonymous Coward on Friday October 13, 2006 @01:47PM (#16426345)
    Accounts with blank passwords CANNOT be used as a network credential EVER! No remote service. No terminal server. No shares. No printer. No nothing! Since XP SP1.

    Maybe not the brightest thing in a beta install (will this be in production?). But you would have to have local physical access to the server terminal to exploit this security hole.
    • by brokeninside (34168) on Friday October 13, 2006 @02:21PM (#16427075)
      Physical access to a machine already gives a local attacker everything they need to change the admin password. If it's a Linux box, it's simply a matter of booting into single user mode. If it's a Windows box, it's simply a matter of using any of half a dozen freely available utilities.

      But if there is no admin password, the server cannot authenticate the Administrator account from across the network. This essentially means that by default Administrator is a physical access only account. I don't see how that is startlingly insecure. In fact, it's a step in the right direction.

      • by dave562 (969951)
        It's good to read a post from someone who understands what is going on, and the actual dynamics involved in the situation.
      • by mackyrae (999347)
        On Ubuntu, you can't get past the "log in" screen without a password. If you walk up to a computer that's already logged in, you'll get a password prompt if you try to do anything administrator-ish. Either way, the only way you're getting in is if you know the password.
        • by RajivSLK (398494)
          1) Throw in a knoppix cd
          2) boot
          3) vi /etc/passwd OR /etc/shadow and delete the garbled text between colons
          4) eject cd drive
          5) reboot
          • by Gnavpot (708731)
            1) Throw in a knoppix cd 2) boot 3) vi /etc/passwd OR /etc/shadow and delete the garbled text between colons 4) eject cd drive 5) reboot
            6) Find that your /etc/passwd and /etc/shadow is unchanged. Try this command: 'man mount'.
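
Added example, not part of any comment in this thread: step 3 of the list above leaves an account with an empty password field, the same state the Longhorn discussion is about. A defender can check a shadow(5)-format file for that state as follows; the function names and the sample data are constructed for illustration.

```python
"""Audit a shadow(5)-format file for accounts with an empty password field."""
import sys

# Constructed sample in shadow(5) format; the hash strings are placeholders.
SAMPLE_SHADOW = """\
root::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
truncated-line-without-fields
"""

SHADOW_FIELDS = 9  # name, password, and seven aging/reserved fields


def classify(line):
    """Return (account, status) for one shadow line.

    status is one of:
      empty     - password field is empty: no password is required
      locked    - field starts with '!' or '*': no usable password hash
      hashed    - field holds what should be a crypt(3) hash
      malformed - wrong number of fields or missing account name
    """
    fields = line.split(":")
    if len(fields) != SHADOW_FIELDS or not fields[0]:
        return (fields[0] or "?", "malformed")
    name, password = fields[0], fields[1]
    if password == "":
        return (name, "empty")
    if password[0] in "!*":
        return (name, "locked")
    return (name, "hashed")


def audit_shadow(text):
    """Classify every non-blank line of a shadow-format file."""
    return [classify(line) for line in text.splitlines() if line.strip()]


def empty_password_accounts(text):
    """Names of accounts that can authenticate with no password."""
    return [name for name, status in audit_shadow(text) if status == "empty"]


def main(argv):
    # With a path argument, audit that file (reading /etc/shadow needs root);
    # without one, audit the constructed sample above.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as handle:
            text = handle.read()
    else:
        text = SAMPLE_SHADOW
    results = audit_shadow(text)
    for name, status in results:
        print(f"{status:9} {name}")
    # Non-zero exit when anything needs attention, so this can gate a check.
    bad = [r for r in results if r[1] in ("empty", "malformed")]
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Whether an empty field actually permits a login also depends on the PAM and service configuration of the host, so treat a hit as something to fix rather than as proof of exposure.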
  • Every week a new and more powerful RO-Beast comes out with improved powers capable of defeating voltron but voltron prevails....Not that I'm implying that Voltron is windows of course.
  • by Anonymous Coward
    ...whatever kind of harsh new license will ship with the longhorn server, then it will likely indeed be the most secure server software ever, since by the time longhorn ships, the license will undoubtedly forbid you from installing it on any machine period.
  • Bummer (Score:3, Funny)

    by HangingChad (677530) on Friday October 13, 2006 @01:49PM (#16426381) Homepage
    You mean asparagus isn't the most articulate vegetable ever? Dang, guess that means I'll have to send back that plaque I ordered for the Articulate Vegetable Awards show.
  • As with any operating system, Windows is only as secure as the people allowed to touch it.

    Show me an isolated computer network behind a locked door in an EMF-proof room where nothing unapproved ever comes in or out, and I'll show you a secure network.

    This assumes of course that you can trust your people.

    Short of that, we must do the best we can. As the anonymous reader points out, Microsoft isn't.
  • server then the machine Admin password is the same as domain admin password.

  • by postbigbang (761081) on Friday October 13, 2006 @02:06PM (#16426769)
    Lots of testers and researchers give VERY LOW SCORES when passwords aren't treated like they ought to be. What with machines that can do 100,000+ dictionary attacks per second, busting weak passwords is comparative child's play.

    So it's a bit specious to lob this at Microsoft, when the operating system isn't even due to be at RC for as much as a year. If you use this in production environments, you're not very wise.

    Not that I particularly like Microsoft, but fair is fair-- this is far from release code.
    • by DrScott (4365)
      Until SP2 comes out, it's still a beta.
      • Longhorn Server, a/k/a Windows 2007 Server Editions (seven that I count) are not due until at least six months from the release of Vista. My take is that means roughly May for gold code, and the SP2 is by Microsoft's formula, a year behind that, so 2008.

        But worry? Is there something hot in Windows 2007 Server that I'm missing?
    • by PaxTech (103481)
      If you use this in production environments, you're not very wise.

      And this differs from "finished" versions of Windows exactly how?

  • Those who get the Longhorn Server hopefully aren't dopey attachment clickers, either. Remember who your audience is. As an admin, sure it would be nice if it asked me for the password, but passwords are another item on my checklist anyway. For those who are going to be administering the server, I see it as a non-issue.
    • Re: (Score:3, Insightful)

      by Ajehals (947354)
      You are giving the admins - even some of the non attachment clickers a lot of credit... - This is an OS small and medium businesses use because it "just works"(tm) and because windows admins are cheap. It's almost completely configurable by wizard for Christ's sake, and the wizards do not include everything that you may need to look at from a security point of view.

      Now I am not suggesting that everything should be configured in at a CLI or even that the admin should just be presented with a load of MMC snapins a
  • Deja vu? (Score:2, Troll)

    by larien (5608)
    Microsoft have been touting the "more secure" and "more stable" line for about 10 years, much as washing powder manufacturers would tout "New Ariel, washes even whiter".

    In short, Windows NT was buggy, unstable and full of security holes. Which we all knew at the time, even if MS didn't admit it. Unfortunately, people don't question them on this and say "so, if this is more secure, runs things twice as fast and doesn't crash, what is this pile of shit you've been selling us for the last few years? Mmm??

    • Re: (Score:2, Insightful)

      by ad0gg (594412)
      Win NT was crashed? Ummm. Yeah. Pass me what you're smoking. I count on one hand all the times I've seen NT 4.0, win2k and 2003 crashed on one hand. And that's dozens of servers over the course of 7 years.
      • by kwark (512736)
        So what YOU can't see doesn't exist? My limited experience with NT servers showed me some rock solid machines, but also machines that needed scheduled reboots to avoid unpredictable lockups (similar machines with similar tasks).

        But from the small sample of machines I have personally seen, I can tell that the latter category was bigger.
      • I count on one hand all the times I've seen NT 4.0, win2k and 2003 crashed on one hand.
        Eh? You could count all the times you've seen NT 4.0, win2k and 2003 crashed on one hand, on one hand could you? So how many times have they crashed on one hand then? Perhaps you shouldn't have touched what he was smoking after all...
  • What do you do.... (Score:2, Insightful)

    by LordPhantom (763327)
    when Longhorn Server lets you install the OS, set up Active Directory, and initialize the domain without once asking you even to create an administrator password?

    Some ideas:

    * Hire intelligent administrators who won't put a box without password on the network?

    * Don't use it, or use it as little as possible for your specific needs?
    |
    ->(caveat) If your CIO tells you you -must- use windows servers, explain to him that you would, but they require a "token ring" and all of them fell into the "ethernet" and they
    • by jimicus (737525)
      If your CIO tells you you -must- use windows servers, explain to him that you would, but they require a "token ring" and all of them fell into the "ethernet" and they must be found first. Much like telling an idiot to sit in the corner of a round room, it will distract him for the better part of the next quarter.

      Your CIO doesn't need to demand Windows servers.

      Certainly IME, what actually happens is the powers that be demand something on their desktop which happens to depend on a Windows server - something
      • As Slash____ below this has noted, the *woosh* sound is the humor in that going over your head - obviously the reason the CIO needs to demand Windows servers is that the Users have obviously tried to talk to you before, but a few well placed sexual harassment lawsuits and a mysterious wave of vandalism to employee cars from the HR department has caused them to suspect that the issue might be better taken up with your superior.
  • by PPGMD (679725) on Friday October 13, 2006 @02:52PM (#16427791) Journal
    IMO it simply sounds like a bug in the installer, the Windows 2000 and 2003 both asked for you to set the default administrator password during the install, sounds like someone forgot to put that in the install options. It's an early beta, with 6 months or more until release, bugs like these often happen.

    If it makes its way into the shipping product at least how it's described I'll eat my own hat.

    • by Joe U (443617)
      Actually, it sounds like it's still mostly Vista.

      Since they both use the same codebase, I'm betting the installer isn't anywhere near finished. They're too busy working on the client to worry about the server beta right now.
      If it makes its way into the shipping product at least how it's described, I'll eat my own hat.

      I'm going to hold you to that.
  • Doesn't that mean it's NOT running as administrator? if it gets hacked they don't get admin access to the account .... why that's almost like .... linux. All they need to add now is a chroot jail and they'd be cooking ....
    • "chroot jail"? Is that something for incarcerating cigars?

      BWAHAHAHAHAH!

      (It's 4 p.m. on a Friday, cut me some slack).

  • Wasn't that some product from a few years ago? I can't even remember what it did.
    • Re: (Score:1, Informative)

      by Anonymous Coward
      "Longhorn Server" is still the code name for the successor to Windows Server 2003. "Longhorn" was also the code name for Windows Vista prior to them giving it a new name for marketing purposes.

              -ShadowRanger
    • by vtcodger (957785)
      ***Wasn't that some product from a few years ago? I can't even remember what it did.***

      It did anything you wanted. Imaginary products are like that.

      I'm still waiting for Cairo. I believe that if they ever build it, it'll satisfy my computing needs for a decade or two. Assuming of course that the license allows me to install it.

  • by Jugalator (259273) on Friday October 13, 2006 @03:26PM (#16428503) Journal
    Any admin that has such a non-existent sense of security that he/she doesn't bother setting any admin password, regardless of whether the setup routine forces the admin to do it or not at some point, has pretty much doomed the overall security of that system anyway. An admin that needs to be nannied through every aspect of setting up a server, including such basic things as controlling the passwords are OK, shouldn't really touch a live server somehow related to network connectivity.
  • by Dputiger (561114) on Friday October 13, 2006 @03:43PM (#16428783)
    But I have to, as far as the Dave Barry quote goes, especially since it wasn't even related to the story being linked. I've used every Windows OS going back to 2.0, and run my main system on 95, 98SE, ME (briefly, and just to see if it was really that bad), 2K, and XP. I've done tech support for both businesses and consumers, I've built systems for people, and I've reviewed computer hardware for years--and in the process of doing all that, I've seen a lot of Windows installations on a lot of different hardware, from brand-new to dying of old age.

    There are a lot of things I don't like about Microsoft, and there are a lot of areas where I think their products could be improved and streamlined--but I think a lot of people (both here and elsewhere) throw out disparaging remarks about XP in certain areas just because it's fashionable, or convenient, especially about system stability. XP may have had its kinks early on, but I'd say it's been incredibly stable / reliable since at least SP1. I reboot my home rig, on average, maybe once a month--and that's typically a choice, not a forced situation. I've had one hard crash / reboot situation in the past 6 months. It's not just a system that sits idle all day, either--I work from home, game, and do all my multimedia / browsing, IM'ing, etc, all from the same box. Now yes, if you start to factor security updates into the "reliability" equation, WindowsXP starts to look a bit less shiny. If you assume that "WindowsXP" also means "WindowsXP + IE6", that's even worse...but hey, that's why I use Firefox.

    People can argue that they hate the XP GUI--that's opinion. You can argue it's bloated, or you hate WGA, or Product Activation, or whatever, and you can argue about security issues all day long. But measured in terms of basic reliability--no BSODs, no inexplicable driver failures or failed device detection, and no random reboots--XP blows the doors off any of the Win9X products, and is arguably better than 2K in some performance and multimedia areas. (Hyper-Threading is the one area where I distinctly remember XP outperforming 2K--other areas I'd have to dig for at the moment).

    I'm all for calling a spade a spade, but part of doing that fairly means admitting when a company gets something right--and anyone still pretending that Microsoft hasn't made huge strides in stability, reliability, features, and performance since the Win9X days needs to go out and actually try to set up (and then modify) a 98SE box. I've had to do so recently, and it's not a pretty picture. I still remember how to jump through all the various hoops, but that doesn't mean I miss them.

    • Re: (Score:2, Insightful)

      by pandrijeczko (588093)
      I am primarily a Linux user but I also use XP and cannot honestly remember the last time it blue screened or crashed on me.

      Yep, it feels bloated compared to my GCC flag-optimised Gentoo Linux machines running a streamlined GUI like XFCE4 but whether I like it or not, I can knock out the best looking and quickest presentations in PowerPoint.

      Maybe one day I'll be proficient enough in OpenOffice to knock out documents as quickly in that, maybe one day games companies will release games natively on Linux.

    • XP blows the doors off any of the Win9X products, and is arguably better than 2K in some performance and multimedia areas.

      Windows NT4 and Windows NT 3.51 and Windows NT 3.1 all blew the doors off Windows 9x. So did OS 2, BeOS, AmigaDOS, and... well, the only OS that wasn't significantly better across the board was classic MacOS... and for most users Mac OS (bad as it was) was more reliable.

      So the point is that saying XP was "the most reliable Windows ever" was such faint praise that for most people it made
    • by smash (1351)
      So you do security updates once a month then?
  • Speculations (Score:2, Insightful)

    by bruno.fatia (989391)
    Everybody just keeps speculating about Vista and Longhorn server, why don't you just leave Microsoft alone for once and wait for them to lose some money with defective OS? Gee..
  • who in their right mind would use a beta server as a production OS anyway
  • And you can't remotely connect using an account with a blank password. So this is more secure.
