
UCSB Bans Windows NT/2000 in the Dorms
nick58b writes "The people in charge of the networks for all of the on-campus dorms at UCSB banned the use of Windows NT and 2000 on their networks citing security and network problems associated with them. While there are problems with NT/2000, Windows 98 and ME computers are still permitted. Students using these are "recommended" to upgrade to XP Home Edition. In other news, sales of Windows XP are way up at the campus bookstore."
What a scam (Score:5, Insightful)
Methinks someone wants to make some money...
Re:What a scam (Score:2, Funny)
Re:What a scam (Score:4, Funny)
"UCSB will require students to use ONLY textbooks published in 2003 which you can conveniently purchase at the UCSB bookstore."
Re:What a scam (Score:3, Insightful)
Methinks someone wants to make some money...
For the most part the trouble is not 'as of yet undiscovered security flaws' but known problems that go unpatched. Microsoft or otherwise no OS is 100% secure, so what does UCSB hope to gain by 'encouraging' their students to switch? From the article it sounds like they got burned by holes in win2k in the past so now they're afraid of it?
"While we understand that it is possible to run a secure Windows 2000 environment, past history has shown that this rarely happens on ResNet."
So, uh, why not? Sounds like that's going to be your real problem regardless of what OS you enforce. Unless the problem is the school bookstore has more of a markup on 9x and XP than win2k?
Re:What a scam (Score:5, Funny)
Windows 2000 Professional with its Service Pack 3 and McAfee AntiVirus 7.0 (antivirus + firewall) is actually a reasonably secure OS setup.
Re:What a scam (Score:2)
Since XP is newer its exploits are less likely to be known about by the "white hats".
Re:What a scam (Score:3, Interesting)
I'm hardly familiar with remote-exploit holes in Windows. Can anyone enlighten me on why 98 is so insecure by default? =\ I'd be interested in any links or whitepapers or whathaveyou.
As to holes relating to the fact that all programs have 'root' access, that's obvious, but most folks seem to run their windows boxen as admin anyway, so I still don't see why 98 is worse off.
My impression is, the more complex (e.g. the more services) Microsoft software gets, the more holes the size of Mack trucks will be present. I would think XP would be the worst out of the lot at this point (well, besides an unpatched NT4 server, hehe).
Am I way off?
Re:What a scam (Score:4, Insightful)
Norton corporate script wouldn't run (admin pass again); trying to install one single lab printer so every student who sat at that computer would always see the same printer, impossible without scripts or pushing profiles. This increases the amount of training required for students to use the equipment, or takes a net admin away from LAN/WAN support and puts them in script/profile land. An English teacher just wants to bring a class in without any hassle or setup. Our legacy or proprietary software apps - most wouldn't run without admin pass. And why the hell would we want to teach a bunch of students about CTRL-ALT-DEL to log on? I remember when Microsoft used to brag that was a great security feature. Do they really think everyone is ready to handle their own server? Just crazy. We stayed with 98 on desktops and used Win2K on servers. We are finally moving into XP, which is much easier to handle, and much easier to train 5000 users on.
Re:What a scam (Score:5, Insightful)
I don't know what product you're talking about, but Norton AntiVirus Corporate deploys cleanly (via Group Policy) without issues to speak of. The lab printer scenario is a little more complicated, but if you don't want roaming profiles, you can set a mandatory profile and give users a network home. The mandatory profile can include the printer. As far as legacy or proprietary apps go -- open regedt32 or Windows Explorer and change the permissions until it's happy. Then, change your deployment system to do that automatically: problem solved. Don't like Ctrl-Alt-Del? Disable it via Group Policy.
I don't like Microsoft, but things are far more usable under Windows 2000 than most people would think. Get some network imaging software, reasonably standard desktop hardware, and a Windows 2000 domain with appropriate Group Policy entries. It's really not that bad.
Re:What a scam (Score:3, Insightful)
SP3 has blown up every Win2K box I've seen it on (had to nuke my dad's computer to get his MSN working again, and SP3 doesn't seem to like the Orange Micro iBots I have on a couple of my machines). It also has some license nastiness [slashdot.org] that you'd rather not have inflicted on you. You can install the relevant patches to an SP2 system and end up with the same level of security without the problems.
The wool has been pulled over your eyes... (Score:5, Informative)
Oh, boy. You just took that hook, line, and sinker, didn't you? What exploits are running around on a default version of Windows 2000 that would cause problems with your network?
Answer: NONE.
The culprit you're looking for is IIS, which is NOT installed by default on Windows NT Workstation or Windows 2000 Professional. If you install IIS from the Windows 2000 CD, you will be vulnerable until you download the patch -- but to install IIS, you must explicitly insert the CD after Windows 2000 is installed, find IIS, and install it. (By the way, this problem could be eliminated other ways, such as not allowing servers on port 80.)
The IIS version that ships with the Windows XP Pro CD is not vulnerable. But to say Windows 2000 is vulnerable to a common remote root exploit out of the box is simply untrue. IIS 5.0 is the scapegoat you're looking for.
Re:The wool has been pulled over your eyes... (Score:5, Informative)
Answer: NONE.
The culprit you're looking for is IIS...
Having worked on dorm computers, the bigger problem with win2k and winxp is usually the presence of an administrator account with no password. There's a good number of exploits out in the wild that use the absence of an administrator password to take over machines, presumably for DDoS. I'm not certain, but I think that if you tell the installer there will be only one person using the win2k/xp system, it skips the part where it prompts you to set a password for administrator.
Re:The wool has been pulled over your eyes... (Score:2, Informative)
Seems like a blank admin password would be a bit of a security risk on ANY operating system. And NO you are spreading FUD when you say it skips the set password dialog. That is ludicrous. *Nix users will say ANYTHING to put down the "Evil Empire" even if they have no idea what they are talking about. Would it have killed you to try it (or look it up) before making a statement about something you're "not certain" of?
alex
Re:The wool has been pulled over your eyes... (Score:3, Interesting)
Re:The wool has been pulled over your eyes... (Score:4, Informative)
Re:Not a scam (Score:3, Funny)
Ultimate security... (Score:2, Funny)
You mean, XP with universal Plug and Play (Score:3, Funny)
What does XP offer that Windows 2k doesn't in terms of security?
Re:You mean, XP with universal Plug and Play (Score:2, Funny)
Obsecurity of course!
Kickbacks? (Score:2, Insightful)
Re:Kickbacks? (Score:2, Informative)
Windows XP Home: $407.40, RRP is $531.46
Windows XP Home UPG: $210.49, RRP is $274.90
So approx 24% profit.
Prices are in NZ$, ex GST.
Re:Kickbacks? (Score:2)
Depends how much the bookshop paid for it. They could be making a nice income from the students.
In other related news (Score:5, Funny)
Not surprising... (Score:4, Informative)
My mom works in the library, and guess what OS she uses? You guessed it! NT!
XP _is_ Windows 2000 (Score:4, Insightful)
Eh, what the hell, just tell UCSB to ban Windows altogether, it's a security issue in and of itself.
Re:XP _is_ Windows 2000 (Score:3, Informative)
It's not Windows 2000 with WindowBlinds (shareware theme thing) of course. It's easy to tell from Windows versions. XP is Windows 5.1, not 6 or 5.5.
If you won't get disgusted, here is MS's document:
http://msdn.microsoft.com/msdnmag/issues/01/12/
XP is NOT secure (Score:5, Interesting)
XP automagically sets up a read/write share ('my shared documents') when you enable filesharing, which essentially leaves the doors wide open to MS Networking viruses like Nimda.
On top of that, password protecting network shares from XP Home is impossible.
Re:XP is NOT secure (Score:2, Insightful)
Re:XP is NOT secure (Score:4, Informative)
Distribution
(emphasis mine)
* Name of attachment: Sample.exe (this file may not be visible)
* Shared drives: Infects open network shares
* Target of infection: Specifically attempts to infect unpatched IIS servers
Administrator account (Score:2, Informative)
Re:Administrator account (Score:2)
hmmm... (Score:2, Funny)
In Even OTHER news... (Score:4, Insightful)
Re:In Even OTHER news... (Score:4, Interesting)
Of course, there's nothing stopping you from using Windows Catalogue to download updates manually, but that's a little more involved than Windows Update.
good ol' campus LANs (Score:5, Funny)
Re:good ol' campus LANs (Score:2, Funny)
The funniest thing I did with NET SEND was to send out a message asking all the single ladies to IM my roommate.
So, did he get laid?
Re:good ol' campus LANs (Score:2, Funny)
No, actually he got a bunch of IMs from guys who were pissed off because they thought he was the one who kept sending the popup messages. He came closer to getting beat down than anything else.
Re:good ol' campus LANs (Score:5, Funny)
Back in my day... :) (Score:5, Funny)
When I was a freshman at Vanderbilt University [vanderbilt.edu], we used the campus VAX to register for classes. It worked like this: you would go to one of several large computer labs on campus and log onto the VAX as user REGISTER (or something). Once you logged in, the registration program would fire up automatically (via the VMS equivalent of
ALERT: THE REGISTRATION SYSTEM WILL BE CLOSING IN 30 SECONDS. PLEASE MAKE YOUR FINAL CLASS SELECTIONS AT THIS TIME.
The first thing that happened when I sent the message was several hundred PCs beeping loudly all at the same time. And immediately after that...you should have seen the looks of panic on all those sorority girls' faces!
I'll be the first to say it... (Score:4, Interesting)
I just don't get it. I was just at UMBC and they prohibit internet connections from anyone who doesn't have anti-virus software installed.
(you can still get on if you don't, but if they find out you lose your right to get online)
Why not just suggest installing a more virus-resistant OS?
Re:I'll be the first to say it... (Score:3, Insightful)
Re:I'll be the first to say it... (Score:2)
OTOH, Win2k Professional does NOT install IIS by default. In fact, you don't really get many choices during setup... you have to go in after the fact and install it additionally off the CD.
Re:I'll be the first to say it... (Score:3, Insightful)
You, sir, are misinformed. Unless Joe User goes and hunts down a really old version of any common distro, or deliberately selects a "Server" installation (which is the equivalent of Joe User installing Win2K Adv Server with default settings), neither apache nor sendmail would be installed, and *especially* not wu-ftpd. The default desktop installs of even not-very-recent versions of Red Hat, Mandrake, and Suse do not install these services.
Hey UCSB Linux Users Group! (Score:4, Interesting)
How about all of you get on over and set up a table outside the campus bookstore? I don't think I should have to explain why.
Re:I'll be the first to say it... (Score:5, Insightful)
My problem with this is mostly financial. Obviously, they can restrict usage to their network any darn way they please. But there are inevitably going to be students who simply don't have the money to upgrade from NT/2K to XP. They're imposing a burden on those students that they should try to ease in some manner.
A good alternative would be a carefully crafted Linux distribution that they pre-configure and make secure according to their needs, and make it available on a CD-ROM. Again, though, even if the security issues were resolved with such a distribution (which would be relatively easy), they would still have to face the costs associated with supporting these naive users using Linux--which would probably be more trouble than it's worth. Thus, they simply say, "Use XP".
Keep in mind that in some sense, these types of administrators have less control over their networks than corporate admins do. They don't own the licenses to the OSs--they expect the students to supply their own OS. This gives them a lot less control over what's on their network. They don't have a right to lock the machine's configurations down to control security. They probably don't want to have too much involvement with the student's machines, since that would imply a corresponding degree of liability on their part for how the student is using it (meaning: doing illegal things). It's pretty easy for them to identify the OS that a student is using, so their solution (requiring XP) has the biggest benefit for the least cost.
It is completely absurd for anyone to assume that they are doing this because they have a vested interest in seeing more copies of XP sold.
Re:I'll be the first to say it... (Score:2)
Anyway, the pirated version of WinXP cannot be patched. At all.
The pirated version of Win2k can be patched easily via auto-update.
Once a healthy Win2k worm is developed, UCSB is going to have a lot of hurt due to unpatchable student machines. I did univ tech support with Win2k, and it was cake. XP might have some new dilemmas.
This isn't just plain stupidity (Score:3, Informative)
We will always see through this kind of bullshit. The best we can do is to educate others without seeming too fanatical to be taken seriously.
Legal Implications, hoax? (Score:2)
I could see a whole whack of legal issues of this. It looks like a tough ploy to push students towards buying XP, as it's quite likely a lot of the PCs (laptops etc) won't work in 98.
I'm not sure that "freedom of os" falls in "freedom of choice", but very likely it will be brought up. Out of all the windows, I've found 2k to be the nicest for crashing, and with a lot less security issues than the other MS operating systems.
In other solutions, putting a well configured *nix router or VPN box between the campus and the 2k machines would likely mask what O/S is being used, what info would they be gathering over the network that tells them who is on 2k anyways?
Re:Legal Implications, hoax? (Score:2, Informative)
Re:Legal Implications, hoax? (Score:2)
Bizarre (Score:2, Insightful)
I can't help but feel like there are other motives here than "securing the network." I don't think it's Linux cheerleading either. Linux is potentially a much much larger security risk when it's configured incorrectly.
Ugh. (Score:5, Interesting)
"Residents' computers were compromised with several well-known vulnerabilities and used for all manner of unfriendly purposes such as the installation of viruses like Code Red and Nimda on other residents' computers."
Oh, so you really meant to ban IIS, which is, after all, the software that contributed to most of these worms. Ironically, www.resnet.ucsb.edu is running IIS 5.0 on that very same evil Windows 2000 OS. [netcraft.com]
Want to know my guess at what happened? Since the admins weren't blocking web servers running on port 80 outside of ResNet, someone set up an IIS server and got nailed with Nimda, which then killed their ResNet web servers (assuming that they hadn't patched their web servers, which isn't much of a leap to make, considering they don't seem to understand the difference between Windows 2000 and IIS.)
"OpenSSL and Apache holes? Wow, let's ban Linux!" That's the same ridiculous leap they made in banning Windows 2000.
"While we understand that it is possible to run a secure Windows 2000 environment, past history has shown that this rarely happens on ResNet."
Nothing like insulting your users AND taking away their right to run a particular OS. You know, this IS an educational institution -- why don't you try educating them? Better yet, cut off ports that are spreading Nimda -- that'll make people figure it out really quickly.
This is ridiculous in every sense of the word, and I hope the students there organize and fight against this. If I lived there, I know I would be.
Re:Ugh. (Score:2)
It's not as ironic as you may think. Most of the worms that you speak of exploit default configurations (samples directory public, IDCs, etc.). A properly configured IIS box, with a few exceptions, is reasonably secure.
Re:Ugh. (Score:4, Interesting)
UCSB has all sorts of stupid rules. One of my favorites was that no more than 1 IP per person per room... (which was way too easy to get around...)
When I applied for a job there, they turned me down for not having enough technical knowledge, but I didn't feel like it was a good time to tell them about how easy it was to bypass all their "safeguards".
Re:Ugh. (Score:4, Interesting)
2) When schools try to educate students on how to secure their computers they tend not to listen. You might listen as a computer geek, but I can tell you right now that 99% of the people in my dorm building could care less about installing Windows 2000 SP3. I don't see this as UCSB saying that XP is more secure than 2000 because I believe that XP SP1 vs 2000 SP3, 2000 will win hands down. I believe that UCSB is realizing that 90% of students don't install patches and by having students run XP they are getting machines with 2 years less security holes plus an auto updating system to ensure that patches are regularly installed (assuming students ok the patches).
3) Why don't they just block the ports. Two things here. I was at a school with 350 machines that were regularly updated with security patches. Every box in the building had an image with the latest version of every app reimaged once a week. Even with this and a Cisco PIX firewall and NAT we still got hit by Nimda. All it took was one stupid student opening up an attachment and the thing flew by administrative shares. Blocking ports doesn't always help. Second thing, I'm not sure how UCI (the UC system's ISP) works, but 4C (The CA State College's ISP) is really tough about blocking ports. If the school blocks the port for Kazaa or Half Life the school loses their internet connection. Pretty tough, but they have strong feelings that the internet should not be censored. I agree with them even if it makes things difficult sometimes.
Do I think this is a crazy decision: yes
Do I see why they did it: yes
Re:Ugh. (Score:2)
What you don't seem to understand is that it's no more work for them to verify that a system has been patched and/or had IIS removed than it is to verify that it's not 2k/NT. Enforcement is exactly the same either way, a simple portscan will suffice to identify compliant/noncompliant nodes in either case. So why do they demand the elimination of certain OS instead of removing/patching vulnerable components? I'm betting on incompetence. This particular outfit is pretty well known for that already.
Ban Windows (Score:3, Insightful)
So instead they rather cripple their users with XP Home edition, losing some of the benefits of 2000 Pro. They really should force everyone to use Lindows or some branch of Linux. Or switch them all to OS X. Telling people what operating system to use won't cure stupidity. If they want to mandate the operating system for all university owned computers, that's one thing. But telling me that because some other idiot opens attachments without scanning them first makes my computer more insecure is overdoing it.
If Nimda was such a problem, shut off the connections to those computers that are infected and don't let them back on until they are clean and locked down.
LOL! They did the opposite here at SLU (Score:2, Funny)
just kind of funny
Just curious... (Score:2)
Also, like I said.. no Windows buff, but.. wouldn't the 9x stuff be less secure than NT/2k? Or is 9x just less stable, while the NT/2k stuff has more holes?
I tend not to really think about the differences between Windows versions and just think of it all as 'Windows' so this kinda interested me in a perverse sorta way.
Re:Just curious... (Score:2, Informative)
*sigh* Ok I'll bite.
XP is basically (and has been referred to on occasion by MS as) NT5.1. Windows 2000 is using the NT5.0 kernel.
XP has had a few speed optimizations here and there as well as some built in "performance boosters" such as automatically defragging and optimizing the boot hard drive when the computer is otherwise idle.
All of this was basically necessary to implement so as to hide how the extra five hundred megabytes of bloat that came just with adding TWO features to Windows XP;
Skins and user switching.
(Yes, it took MS 500 megabytes to add those two features. Go figure.)
Oddly enough even XP pro lacks some of the functionality of Windows 2000. The ability to Lock a workstation is gone (Doh!), or at least hidden some wheres far far away. Horrible for security.
Also killing Explorer.exe in Task Manager is now A Serious Ordeal whereas in Windows 2000 it was just another ho-hum task. I have seen killing Explorer.exe bring down an entire Windows XP system.
Some minor enhancements to USB Mass Storage were made, and Internet Explorer 6 was shipped by default. There is also a cheesy personal firewall included with XP Home, but it hardly counts as a true security feature.
The Windows 2000 shell can actually be swapped out easily enough and another shell can be dropped in there. The Win9x line is the same way, very customizable. MS seems dedicated towards working against this though and integrating everything into one tight mess of tangled dependencies.
Oh yah, and XP likes telling you what to do. At least in Windows 2000 it was possible to beat some sense into the Machine, but in XP. . . . well the beating is still theoretically possible, but finding the sensitive spot to pound on is not quite as easy as it was with Windows 2000.
Also, like I said.. no Windows buff, but.. wouldn't the 9x stuff be less secure than NT/2k? Or is 9x just less stable, while the NT/2k stuff has more holes?
There is normally a pretty steady correlation between security holes and stability. When you have one, odds are that the other can be found too. Sloppy code is sloppy code.
That said, Windows 9x is both unstable and full of security holes. Quite frankly the poor thing was never meant to go 32bit, mine as well be forced onto the Internet and be made to play around with T1/3s doing DDoS attacks.
98 is rather fun in that you can do almost anything to it and it will take it in stride though.
Really, nobody ever took full advantage of 98, hehe. Active Desktop could have done some nifty things.
Re:Just curious... (Score:2)
Re:Just curious... (Score:3, Insightful)
You're looking at this like a typical office nightmare, the geek wannabe that knows just enough to be difficult. You only see two differences on your desktop, and decide to proclaim loud and long that this is the only difference. Idiot.
The console interface backend is completely different. I mean totally. Through NT5.0, the GDI had a direct interface to console display hardware. Now it's all abstracted through an RDP pipe. This is what allows you to connect directly to the console remotely with an RDP client. It also lets you have sound, printers, etc, on the same client. You can skin it. Sure you can do this with PCAW or VNC, but they are MUCH slower and not as flexible.
What the HELL do you mean that you can't lock a workstation? Maybe you forgot how to? I do it dozens of times a day. Perhaps I can teach you with my next round of primary school students? Killing explorer is hard? Eh? Just the same. The only way it can bring down a workstation is if you have some garbageware or bad video driver installed. Doesn't sound like MS's problem to me (either they'll make it more secure and people will whine about monopolistic practices and taking everything over, or they open it up more and people blame them for third party crap they choose to install).
People like you make me wish there was some sort of basic internet usage license. Sigh.
It _IS_ a security/bandwidth problem (Score:5, Informative)
This has been a topic of discussion recently at our office mainly because there have been a tremendous number of security issues relating to Windows 2000 (not so much with NT since these are students, not corporate users). I personally think that the move is a little drastic, but it will be interesting to see how this pans out at UCSB (especially how they will enforce it).
There will be people talking about how secure/insecure Win2K is. Allow me to give a common trait to all of the compromised machines:
1) Blank Administrator Password
2) Unpatched Windows (i.e. no Service Packs installed)
In nearly ALL the compromised machines, the computer is not updated and has a blank Administrator password.
The easy solution: install SP3!
An easier solution: set an Administrator Password!
All really simple solutions that would prevent 99% of the issues we have encountered thus far.
So I said it was a security problem. How is it a bandwidth problem?
Allow me to point to the DarkIRC and Nimda security bulletins [berkeley.edu] we have written up by our security.
So you've got a zombie, what do you do with it? A number of things:
1) use the compromised machine in a DoS attack
2) use it as an FTP server
3) use it as an IRC bot
A script kiddie can just use a machine on a fat bandwidth pipe at will to his liking. It's definitely NOT fun when the pipe is already clogged as it is with folks and P2P apps.
So there you have... if you don't think it's a problem, it IS a problem. There are too many calls about this to our helpdesk to have it be a minor issue that everyone else makes it out to be.
Re:It _IS_ a security/bandwidth problem (Score:4, Insightful)
First of all, remind them of the security policies, and the consequence of failure to comply.
Second, we do not rely on individual machines in our network to ensure OUR network security. We include in risk assessment that client machines are subject to being exploited, and have plans to deal with it.
To minimize and control the damage, we block off unauthorized ports across segments. Say they could open port 80 to be accessed within their own segment, but outsiders cannot have access to it. Now the virus outbreak would only affect their own segment.
Of course, they could apply for the opening of ports with proper justifications and management approval.
Third and most important, install Software Access Management software on all Windows boxes. SAM enables admin to perform license management and remote controlling. Users may complain about it, but it's your choice to use Windows, you've options to use something else.
Do not think we'd relax restrictions to Linux and Mac, policies require that each box must be tested (and challenged, on password, services and ports opened) by our tiger teams from time to time.
Just my two cents.
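The segment-scoped port policy described in the comment above, sketched as an added example (it is not part of the original post or any real campus configuration). All subnets, ports, hosts and the approved exception are constructed assumptions; the point is to show how far a worm scanning port 80 can reach from one infected client, and how each approved exception widens that reach.

```python
"""Added example: default-deny across segments, allow within a segment,
plus individually approved exceptions. All values are constructed."""
from ipaddress import ip_address, ip_network

# Constructed segments (assumption: one subnet per segment).
SEGMENTS = {
    "dorm-a": ip_network("10.10.1.0/24"),
    "dorm-b": ip_network("10.10.2.0/24"),
    "servers": ip_network("10.10.9.0/24"),
}

# Ports that may cross into a segment without a per-host approval.
CROSS_SEGMENT_PORTS = {"servers": {443}}

# (host, port) pairs opened after justification and management approval.
APPROVED_EXCEPTIONS = {("10.10.2.40", 80)}

# Constructed inventory of hosts currently listening on port 80.
LISTENERS = ["10.10.1.5", "10.10.1.77", "10.10.2.40", "10.10.2.41", "10.10.9.10"]


def segment_of(addr):
    """Return the segment name containing addr, or None for outsiders."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def decide(src, dst, port):
    """Return (allowed, reason) for a connection from src to dst:port."""
    src_seg, dst_seg = segment_of(src), segment_of(dst)
    if dst_seg is None:
        return False, "destination not in a managed segment"
    if src_seg is not None and src_seg == dst_seg:
        return True, "same segment"
    if port in CROSS_SEGMENT_PORTS.get(dst_seg, set()):
        return True, "authorized cross-segment port"
    if (str(ip_address(dst)), port) in APPROVED_EXCEPTIONS:
        return True, "approved exception"
    return False, "unauthorized port across segments"


def reachable_listeners(src, port, listeners):
    """Hosts in `listeners` that src can still reach on `port` under the
    policy, i.e. the containment boundary for an infected src."""
    return [h for h in listeners if h != src and decide(src, h, port)[0]]


if __name__ == "__main__":
    infected = "10.10.1.5"
    for host in LISTENERS:
        if host != infected:
            print(host, decide(infected, host, 80))
    print("reachable:", reachable_listeners(infected, 80, LISTENERS))
```

The approved exception for 10.10.2.40 is reachable from every segment and from outside, so an exposed host like this needs the patching and testing the comment describes rather than relying on segment containment.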
Re:It _IS_ a security/bandwidth problem (Score:2)
The problem is that Windows has a negative reinforcement thing going with patches. In fact, I tried to install SP3 the other day and Windows gave me a nice, vague error message. Regular users can get into a "if it ain't broke, don't fix it" attitude, since it seems that upgrading when you're not having problems is just asking to have your system wrecked by some stupid bug.
Have you read the EULA for both XP and SP3 ? (Score:3, Insightful)
I strongly advise anyone who has installed w2k on several PCs to not install media player 7 or sp3. Why? I am afraid ms will accuse me of pirating and will have the power to deactivate my os or install god knows what on my system. Also hackers could use this to pretend their virii are microsoft upgrades. I know xp mainly does product activation but the EULAs are getting more and more similar and are sharing much of the media player updates and code. Media player is key for Microsoft's palladium strategy. I no longer use my older machine which now uses linux but ms can still accuse me and be the judge and jury over any copyrighted dispute between my PCs. This is true even though I have one valid license for win2k pro. Go read the EULA? It states that ms can kill the license of your os at any time for no reason!
Why should I risk being hacked or bend over to the almighty gates? It really pisses me off that I am held hostage here. Be glad I do not go to your school. I have a very valid case why I should not switch to XP and would certainly bring it up to the deans. Even if ms will not do any of things mentioned in the EULA or deactivate my copy of windows, I still will not upgrade out of principle. Security be damned.
Re:It _IS_ a security/bandwidth problem (Score:2)
huh? (Score:2)
there ARE known vulnerabilities of XP pre-SP1 you know... and it's not like people who don't do updates will just all the sudden start to religiously do updates. and if the users aren't setting an admin password on 2K, what, you think they suddenly get enlightened at the campus bookstore and decide to set a password for XP?
FURTHERMORE -- i am figuring that most people will come home and do an UPGRADE from their 2K / NT machines -- which means that all the settings (blank password) will carry over nice and happy... worse yet -- the old "do not automatically update my machine" setting will probably carry over too, making the upgrade even less effective.
i mean, in the end you are forcing these poor students (hey, i was a student, i was poor, and everyone i knew was poor (or had better place to spend money, like strip clubs or beer)) pay for the equivalent of two service packs. wtf? later you will force everybody to buy palladium because they didn't patch XP up _just_like_now_?
for that kind of effort (helping everyone upgrade etc), hold a fscking 1 hour session on how to manage your computer... add in some talk about how to hide your pr0n browsing so your gf / room-mate don't dig up your history files etc to spice things up / get good attendance. and have a copy of SP3 somewhere local where everybody can get it without killing the bandwidth will probably help. (burn some CDs and give out for free, maybe?)
resnet.ucsb.edu is using IIS on W2K (Score:5, Interesting)
The site that is telling students they cannot use W2K is running IIS.
The students' machines get compromised, and resnet gets compromised so some Admin who would otherwise get fired for not installing HIS updates, scapegoats the students.
Crap sysadmin and non technical management are the cause of this.
If they were so worried, wouldn't they be running Apache?
Blown well out of proportion (Score:4, Insightful)
The university doesn't declare certain types of machines illegal, they just refuse to support them. I'd wager that very few, if any machines destined for college shipped with w2k pre-installed. This means owners of w2k machines either were knowledgeable enough to install it themselves, or knew someone who was. Chances are they'll go to their savvy friend for support, and not brave the lines at IT.
This isn't nearly the same situation as computers that shipped from Dell or Gateway with no admin password set. That's something that could be easily overlooked. In these cases however, chances are the same people who installed w2k knew enough to at least put in a simple password.
And I think we can all agree at this point that a properly patched W2K Pro installation is just as secure (if not more so) as even a properly patched XP one. This really just has to be the case of college IT administrators being wooed by MS hype.
what?? yes they have said it's illegal (Score:3, Insightful)
Read the link; they don't just refuse to give tech support to users of Win2k, they block Internet access to Win2k machines. So, in other words, Win2k is illegal on ResNet.
College Networks ... (Score:3, Insightful)
Re:College Networks ... (Score:2)
Read the story again (Score:3, Informative)
PS: I don't think UCSB is getting anything from Microsoft, because they agreed to run Linux on most of the servers here.
just my $.02
How about requiring updated systems instead? (Score:4, Insightful)
The "problems" they mentioned were both IIS "flaws" which have been corrected for some time now. Any other flaws exploited will also most likely be present on Windows XP Home, which has IIS as well (called Personal Web Server; incidentally you can install a version of it for Win9x as well.)
"But how would they be able to tell if you have the latest service pack installed," you ask? I say, "The same way that they will be checking to see what OS you're using."
This kind of thing is almost expected at a University that is dominantly Macintosh. I worked at Brown University, and it was the same way. The general idea is: Mac = Secure, easy, perfect, flawless and PC = Impossible, buggy, useless. And all this because Apple has always pushed their machines on the schools.
Then all these students get out into the workplace and say "Uhh... where's the Macs?"
Interesting (Score:2)
To be honest, I think their problem is that they've got a lot of people running their own machines on their subnet and most of these people will not be very concerned with security - it's always going to be an accident waiting to happen. I would have thought they'd be better off altering their network topology to ensure that the students' computers were sectioned off from the rest of the Uni, perhaps grouping them so that the damage couldn't spread too far. If they're not doing that already, of course.
Probably lack of patching... (Score:4, Interesting)
Will it be any different when XP hits service pack 3 and nobody has it installed (or actually fewer than 2k boxes due to MS anti-piracy measures in their SP updates)? No.
The message is "you're too lazy to patch, so get the latest with the most patches pre-installed"
Kjella
UCSB sysadmins just being lazy.... (Score:4, Insightful)
Things like installing Service Pack 3, setting accounts correctly, banning the use of personal web servers on a client machine, and mandatory installation of a good antivirus and/or firewall program would have saved the UCSB sysadmins a lot of headaches.
I know an IP block to scan to test new XP viruses (Score:4, Funny)
With a little help from Microsoft sales? (Score:2, Troll)
Sounds like a Microsoft sales person is influencing the University. Here are some reasons why Windows XP is less than perfect: Windows XP Shows the Direction Microsoft is Going. [hevanet.com]
What is interesting, and unfortunate, is that Windows XP's faults are mostly avoidable. It seems that the problems are sociological, rather than technical. Microsoft seems to have become self-destructive, like Tyco and Enron [erisafraud.com]. (Okay, even more self-destructive.)
By far the best marketing for Linux and BSD is Microsoft. It doesn't have to be that way. The cost to a corporation for someone working at a desk with a computer is so high that the cost of Windows is not a deciding factor. Linux is beginning to win, not because of the price, but because people don't like to be abused, and don't like the ridiculous security risks: (from the article)
"... as of September 9, 2002, there are 19 security vulnerabilities in Microsoft Internet Explorer [pivx.com]. (On August 8, 2002, there were 22, so some progress is being made.) This is a terrible record for a company that has $40 billion in the bank. Obviously, with that kind of money, Microsoft could fix the bugs if it wanted to fix them."
Like I said on the resnet forum (Score:5, Informative)
8/30/2002 2:49:15 AM
I'm writing this to the people in charge of Resnet policy, but also to people using Resnet. An outright ban on Windows 2000 will prove to be a costly and ineffective policy for increasing the security of Resnet.
1. Software and Bugs
Windows 2000, like any operating system, is a complex bundle of computer code. Like Windows XP, GNU/Linux, or MacOS, people find bugs in the software from time to time. Certain malicious people try to exploit the bugs to damage networks, reputations, etc. Other people develop software patches to fix the bugs.
Oftentimes, bugs are found with application software, like web browsers, web servers, e-mail clients, and the like. The operating system is generally not at fault. In this case, it just so happened that problems with some Microsoft application software were found in 2001 and combined creatively to create a series of rather devastating worldwide attacks.
2. Who is to Blame
It is important to realize that Windows 2000 was not the vulnerable software in these cases. Rather, bugs in Internet Information Server and Internet Explorer were exploited; they were the cause of the widespread effectiveness of the worms called "Code Red" and "Nimda." In other words, there are computers running Windows 2000 that are not and never were susceptible to Code Red, and there are devices not running Windows 2000 that were susceptible. Similarly, there are plenty of computers not running Windows 2000 that helped spread the problem through the Nimda worm.
Thus, these problems cannot be blamed on Windows 2000. Where does the blame lie? Programmers are bound to make mistakes, especially in an environment where a for-profit company is trying to produce and sell a modern operating system. Since few pieces of software are ever bug-free, it is ultimately up to system administrators and everyday users to make sure that their systems are as secure as possible (or practical). One of the ways to help increase the security of a computer is to apply security patches once they are released.
3. Patching Problems
A properly maintained computer is like a properly maintained car. Using a two-year-old unpatched computer on the Internet is like driving a car too fast on a twisting mountain road during an ice storm on bald tires. Using such a system or driving such a car is asking for trouble.
The bug in IIS that made it vulnerable to Code Red was announced two months before Code Red. The bug in Internet Explorer used by the Nimda worm was announced a full 5 months before Nimda. Yet even today, nearly a year after these attacks, thousands of machines worldwide are still unpatched. In other words, they are either infected with Code Red, or vulnerable to it. Unfortunately, many of these machines are likely to remain unpatched forever.
With that in mind, we turn now to the proposed ban of Windows 2000.
4. What problems does it solve?
Windows XP is not vulnerable to Code Red and Nimda. So upgrading to Windows XP does protect against certain problems.
5. What problems doesn't it solve?
It does not change the fact that improperly configured or improperly managed systems are vulnerable. It does not protect against attacks that have yet to be developed. It does not help educate users about ways to make their systems more secure. It does not help users of other operating systems running vulnerable versions of Internet Explorer. It does not protect against the thousands of other vulnerabilities that plague other operating systems. It does not stop denial of service attacks and port scans (that for some reason were blamed on Windows 2000 by the Resnet web page).
6. What problems does it cause?
Bugs that were introduced during the development of Windows XP could conceivably outweigh the bugs that were patched during that time. It would be naive to think that every bug in Windows XP is also present in older Windows operating systems.
The Products Use Rights document for Windows XP now includes a clause saying that Microsoft may access and change the operating system and its components without your agreement, and in fact without your knowledge. Suggesting that users of Resnet upgrade to Windows XP puts them in a position where they agree to relinquish control of their computers. Incidentally, versions of Windows 2000 up to service pack 2 do not contain this clause.
The ban of an operating system creates a dangerous precedent. Nowhere in the Resnet Acceptable Use Policy has there been any mention of the ban of a specific software product. The AUP does state that users cannot interfere with others, or with the proper functioning of the network. However, anyone would be hard put to prove that Windows 2000 was the sole cause of any problems by virtue of any fundamental and uncorrectable security flaws.
7. What are the costs of the upgrades?
As always, these costs are generally borne by the end users. They must acquire and install the software and learn to use it. This costs time and money and doesn't appreciably increase the security of the network.
8. What are the alternatives?
Requiring that users patch Windows 2000 systems would take less time and money. Verifying that a system was patched by probing the computer for the Red Alert vulnerability is no more difficult than fingerprinting the OS and checking that it is not Windows 2000. Certainly, installing a patch is a less intensive operation than upgrading an operating system and dealing with any problems and incompatibilities that may arise, so support problems faced by the RCCs are fewer.
In conclusion, the proposed Windows 2000 ban is both costly and ineffective. It seems as if the Resnet staff has already decided on implementing this "solution," which is lamentable. As there has been no discussion of or opposition to the ban on this forum, I felt it was necessary to provide a different opinion.
9. Resources:
Resnet Policy:
http://www.resnet.ucsb.edu/information/win2k.html [ucsb.edu]
http://www.resnet.ucsb.edu/information/use_policy
Code Red:
http://www.cert.org/advisories/CA-2001-19.html [cert.org] (exploit)
http://www.cert.org/advisories/CA-2001-12.html [cert.org] (bug)
Nimda:
http://www.cert.org/advisories/CA-2001-26.html [cert.org] (exploit)
http://www.cert.org/advisories/CA-2001-06.html [cert.org] (bug)
Windows XP PUR:
http://www.microsoft.com/licensing/resources [microsoft.com]
http://www.infoworld.com/articles/op/xml/02/02/11
im confused (Score:3, Interesting)
hypocrisy U. they use win2k server for that page! (Score:2, Funny)
typical
At my University... (Score:2)
I myself use MacOS X which is also supported, as is OS 9. I can even get access to their Mac software library. It's neat.
If you're a CS student, you can get all MS OSs for free with your MSDN access, as well as Visual Studio, and lots of other fun software. Thanks to that access, my PC is using Windows 2000 Advanced Server, for its AppleTalk support
We've been Slashdotted. Hehe. Thanks (Score:3, Funny)
The site is still up and running though. Thank god I rewrote the site's PHP code, otherwise, we'd actually be down.
So to cut down on root exploits (Score:2)
Why not.... (Score:5, Interesting)
Why don't they do what my university did.....if your machine was detected trying to propagate nimda or code red, the smart switches disabled your jack. Getting it re-enabled meant calling Information Services Division and proving that you had cleaned up and protected your machine (downloading and installing the free copy of Norton Antivirus they provided).
It really seems to be a good system. Plug in an unregistered NIC - blam - jack turned off and MAC address added to a blocked hosts list. Plug in a hub with more than one machine behind it...jack turned off. Run an unauthorized web server...jack turned off, MAC address added to blocked hosts list. etc. etc. etc.
I'm surprised other large institutions don't do the same thing. It sounds like it would save a lot of headaches.
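The jack-disabling scheme described in the comment above depends on spotting a host that is propagating Code Red or Nimda. The following Python example is added here and is not from the thread or from any university's system: it flags hosts in a constructed outbound-HTTP log that send worm-shaped requests to several distinct targets. The log format, the MAC addresses and the three-target threshold are assumptions; the request patterns are the publicly documented ones for these two worms.

```python
import re
from collections import defaultdict

# Request shapes publicly documented for the two worms named in the thread.
SIGNATURES = {
    "Code Red": re.compile(r"^/default\.ida\?[NX]{16,}", re.IGNORECASE),
    "Nimda": re.compile(r"/(?:root|cmd)\.exe\?/c\+", re.IGNORECASE),
}

# Constructed sample: "time src_mac dst_ip method uri" per line, as a
# hypothetical dorm-edge sensor might record outbound HTTP requests.
SAMPLE_LOG = """\
02:14:01 02:00:00:aa:01:10 198.51.100.7 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN
02:14:01 02:00:00:aa:01:10 198.51.100.8 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN
02:14:02 02:00:00:aa:01:10 198.51.100.9 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN
02:14:02 02:00:00:aa:01:10 198.51.100.9 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN
02:15:10 02:00:00:AA:02:22 203.0.113.4 GET /scripts/root.exe?/c+dir
02:15:10 02:00:00:aa:02:22 203.0.113.5 GET /MSADC/root.exe?/c+dir
02:15:11 02:00:00:aa:02:22 203.0.113.6 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
02:16:00 02:00:00:aa:03:33 192.0.2.80 GET /index.html
02:16:05 02:00:00:aa:03:33 192.0.2.80 GET /downloads/cmd.exe.zip
02:17:00 02:00:00:aa:04:44 192.0.2.90 GET /scripts/root.exe?/c+dir
02:17:30 garbled-record
"""


def find_propagators(log_text, min_targets=3):
    """Return {mac: (worm, distinct_targets)} for hosts that sent a worm-shaped
    request to at least min_targets different destinations."""
    targets = defaultdict(set)  # (mac, worm) -> distinct destination IPs
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:  # skip truncated or malformed records
            continue
        _time, mac, dst, _method, uri = fields
        for worm, pattern in SIGNATURES.items():
            if pattern.search(uri):
                # Normalise MAC case so one NIC is not counted as two hosts.
                targets[(mac.lower(), worm)].add(dst)
    return {
        mac: (worm, len(dsts))
        for (mac, worm), dsts in targets.items()
        if len(dsts) >= min_targets
    }


if __name__ == "__main__":
    for mac, (worm, count) in sorted(find_propagators(SAMPLE_LOG).items()):
        print(f"disable jack for {mac}: {worm} probes to {count} hosts")
```

Counting distinct destinations rather than raw hits keeps a repeated request to one server, or a single matching request, from disabling a jack on its own.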
This Is Happening All Over (Score:3, Interesting)
Kings College, London (Score:4, Funny)
I tried emailing them a corrected version, but their email address was down - so much for network integrity.
"You are encouraged to run a Unix based operating system since they don't suffer serious risks to network integrity like Nimda, Code Red and Outlook Worms. Any student found running any insecure system (e.g. most windows boxes) connected to the College network will have that system disconnected."
Confusingly they do allow the unix based Mac OSX.
Wouldn't it be easier (and more enforceable) (Score:3, Insightful)
unbelievable (Score:3, Insightful)
At my place it is other way round. (Score:3, Informative)
So much about objectivity of various security issues...
I guess the jokes about paper MCSEs are true (Score:3, Insightful)
Well, I guess the answer is obvious.
Good news for anyone whose handle is in some form of l33t sP34k and has been looking for a good place to try all the exploits described in BugTraq.
However, if I were a CS student there and got that notice, I'd be looking hard into transferring as of the next semester.
Getting an education in the area of computing is hard enough without having to use a network where the admins have admitted in writing that they are clueless.
I suspect they're going to live to regret this. Unless they really enjoy cleaning up messes.
Voodoo Administration (Score:3, Insightful)
All of this taking place in an institution of higher learning? It's just amazing. I can imagine this happening very easily in some corporate setting, but not in schools. I guess the number of the enlightened isn't as large as I once suspected.
FUD rules the day once again.
Personally, in addition to my Linux boxen, I like my Windows2000 machine. After service pack 3, I can now use my video camcorder again to do video editing... (now if I can just bring myself to erasing all this useless porn to clear space to do so...) Before I get blasted with "why not use Linux?!" first I'll just say I'm a lazy bastard and I just don't have the urge to read the thousands of HOWTOs associated with whatever is required to do the same with Linux. I think I'll switch to Mac OSX before I try it with Linux.
It's scary and creepy the way some people think. It reminds me of the last time I was ruled out from having a job at my last interview. In this case, I listed Linux, HP/UX and AS/400 as other operating systems I am capable of administering to. They proudly touted "we're a Microsoft only shop here" as if that were some great accomplishment -- a badge of honor. All I could think was "oh, so you only know how to do your job with a mouse running 'wizards' to accomplish the things MS thinks you want to do."
I heard there is black magic on the WindowsNT and Windows2000 and so I do not allow such magic on my network. Get thee back Devil2000!! Get thee back!!!
What about other OSes ? (Score:3, Insightful)
We recommend 2000 or XP Professional (Score:3, Insightful)
Instead of telling people they can't use an OS cuz it's insecure (even if it's not), they should educate their users on how to make it secure and then deal with those who are still at risk.
Re:Ubelievable (Score:3, Informative)
This sentence should be parsed: Some other options are to (downgrade to Windows 98), (get a free operating system such as Linux).
They're only talking about W98 (Score:2)
I think they meant:
Some other options are to:
o downgrade to Windows 98
o get a free operating system such as Linux
Having said that - superiority is in the eye of the beholder. Seeing as many of the W2K users didn't even set an admin password, I suspect W2K is going to be a better OS in their eyes than Linux, just from a usability point of view.
Re:Security threats from NT/2K? (Score:2)
I'll just say this much. Go put an unpatched NT4 box out there. I'll give it 15 minutes before it's rooted and is sending HTTP requests to riaa.com.
Oh, and from all I know, 9x boxes aren't insecure apart from the fact that everything runs as 'root'. This point is negated by the fact that most folks seem to run their Win2K/XP boxes as admin anyway.
Oh, and *nix is vastly superior to anything Windows if it's updated. We're still waiting on a few patches from Microsoft, however.
Re:In their defense... (Score:2)