BIOS BOOT PASSWORD

Developers, Developers, Developers!

When I meant reliability, I didn't mean Windows software was reliable. I mean reliability as in support from the Vendors and from Microsoft. If you have a problem in your enterprise, and you use Microsoft software, they will go to great lengths to fix the problem for you. They really do have great business support (because you pay them a lot for the support and they want your continued business). The same for Red Hat Enterprise, which is why many corporations are switching to Linux servers over Window's Servers. Red Hat did a great thing for the Linux Community.

About the admins.. yeah, when I wrote that I was thinking it might not be right, but I was thinking you need a REALLY good admin to be able to lock down a Linux desktop. That's just not a normal admin, that a specialist admin. That is going to cost your more. It's kind of like those Consultants who do Exchange Server. Exchange server is a beast. Those guys make 150k to 300k a year.

This was exactly my point, and you are the first one to actually agree with me 100%. People have taken this as a flame war against Linux. I love Linux for servers. In fact, I will never use a Windows box as a server, unless the company wants to run SharePoint or something. What's the point? I believe Linux is the best server solution out there, for many reasons. Many businesses concur. Most of the companies I work for have both Windows and Linux servers, but the major systems usually run on Linux (unless they are a .NET shop).

But for the desktop, the business needs [of locking down everything] just aren't as plentiful or powerful as the Windows based solutions. You have countless vendors who offer lockdown software, which hook into the Windows API (probably even hidden API's given to the Vendors by MS themselves), plus the support of MS for locking down the workstations across the enterprise.

I agree, That is one of the benefits, that you can choose what components of the desktop you will deploy. However, this does require greater expertise and I would think it would cost more to a business for someone like this. Maybe not, as Windows System Administrators get paid a lot too.

In fact, the first Unix shop I worked at didn't even use full desktops, but simply as you said, had a Windows Manager and a menu for launching a terminal and a few X applications. It was called Step or something, I believe...

Well, one of this points I was trying to make, since the Windows desktop has been around so long, and vetted, is that there are lots of applications (some pricey) available that let you lock down the desktop really easily. Like it or not, the Linux desktop isn't as mature. Even though, as I have learned in this thread, there are programs, like for Gnome, to lock down aspects of the GUI, they are open source projects not projects made by money making corporations.

As Linux geek myself, this doesn't justify going with Windows in my mind, but to a business, its all about reliability and support. Try to convince your CTO or CEO to go with a Linux desktop and lock it down using open source tools and hire expensive and expert Linux Admins, while the other guy arguing the Windows side simply says "People have been locking down Windows for years, and I have negotiated prices from 5 vendors for their lockdown software, and MS is willing to give us support to help us lock down parts of Windows for deployment in our enterprise as well".

It goes along with the whole notion, no one ever got fired for buying Microsoft. It's the same reason Red Hat is doing so well. They are a company that makes money and offers support. This is why my former company went with Red Hat Enterprise Linux, instead of Fedora or Cent OS, which is basically the same. We virtually NEVER use the support contract with Red Hat, but the business always want to buy the "paid" version just in case. This doesn't exist with Gnome or KDE. But if you have an issue with the Windows GUI, call up one of those many Vendors who sell lock down software or call up Microsoft. And for $100 a ticket or whatever they charge, they will be happy to tell you how to piss off your employees even more when they have to call IT in order to change their classpath for Java on their machine, because that tab in the system properties gives an "Inaccessible, Please Contact Your System Admin" when you click on it...

After doing some reading, I see your point with SELinux.

As far as your application/OS comment, it is my understanding that KDE/Gnome is more of an application to Linux but the Windows GUI is more a part of the OS so to speak. I know X is a part of Linux, so don't get me wrong, but many vendors have programs which tie into the Windows API to "magically" implement restriction settings and change the behavior to cater to every businesses' crazy needs when rolling out the desktop across the enterprise. Whereas in Linux, it up to the makers of the desktop to provide features, or of course, since you have access to the code and underlying structure, you can just manually configure it. Luckily, another poster in this thread talked about a configuration tool for Gnome which should do many of the lock-down settings.

Thank for you the help. I will definitely look into this tool.

Yes, they do, I know all about this and do this on a daily basis. But you can't always lock down a particular executable file. First, this may not be practical in the long run because its so low level, but I could be wrong. Second, one executable could have multiple dialogs and functionality inside it. You may want to block particular functions and dialogs/windows in the executable from certain users, but still have them be able to access the other ones in that executable.

Command line permissions give an all or nothing approach, which will not work here.

Yes, I know all about chmod. But should I have to chmod the binaries of the Desktop Environment at such a low level? Is this really the right approach? This seems too low level to administer a desktop environment. Imagine the upkeep on this. Plus, this will not work in all situations. One executable could have multiple modules that you want to restrict certain people from accessing, but still let them access others in that same executable. chmod or SELinux is useless here.

I am already a seasoned veteran on the Unix command line and securing that environment. It's a steep learning curve but I am glad that I learned it many years ago. That doesn't necessarily translate into having a Desktop System, that is not innately part of Linux, being able to be secured in the same way. Hence, the point of this conversation.

Huh wah?? Obviously you must be from a parallel universe, rather uninformed or a clever troll.

I agree with everything you say, but instead I get modded down into the dirt as your obvious statements falsely manifest as being so informative as to incite a Linux/Window war, which wasn't even the intention of my initial statement. You even incited the mods, good job.

Honestly the amount of fine grained control mixed with sudo (neither run-as or UAC are sudo, they impersonate another user rather then privilege escalation) you get with *nix environment is leaps and bounds ahead of Windows.

The fact is, I only use Linux for servers and have been developing, administering, and project managing them for years. I know locking down a Linux server is easier and better than Window box -- in command line mode. However, I was merely trying to get a meaningful conversion started on locking down machines in a GUI environment, which I imagine is a different beast than GUI, which I am less knowlegable about.

Nice try, but I suggest you undertake a bit of a learning curve and you will be enlightened.

I don't know how you even get good karma or not modded as troll for that comment. I am already a knowledgeable system administrator in Linux as well as a seasoned software developer. However, the Linux Desktop has always been having issues over the years to gain any serious ground through a myriad of development problems. Over the past 2 years, it has improved a lot. However, everyone learns how to lock down Linux using the command line. The GUI environments could be a different beast. Sure, you could create groups and modify the actual binaries for Gnome, or KDE. That is obvious to such "enlightened" people such as us. But there needs to be better ways in order for businesses to jump on board. I know, because I deal with the business types all day, and am partly one myself. Hence my comment for a dialog on this situation. It does seem there is hope, as some people have talked about xguest or gconfig. Other people state that it is easy to control using SELinux -- something I always turn off and avoid like the devil. From what I gather, SELinx may be the solution to securing a Linux Desktop, so I will investigate this avenue. Thanks to everyone that left informative and not trollish comments.
So I guess the conversation was a success, as it spread great information about this topic, even though trolls like you somehow are able to get modded so high while my initial posts get buried.

Wow, I am getting flamed here... I am not being trolly at all, just wanted to gain some more knowledge.

I know you can lock down Linux, I use Linux on a daily basis, but I am not that familiar with the desktop part of it, since technically, the desktop is not Linux, but rather part of another package used with the X framework -- that is a part of Linux. I know how to create user accounts and lock-down users completely in CLI mode.

My other point was that its a hindrance, and it will be IMHO, because most companies do not have the expertise to lock down Linux Desktops.. its not as easy. I am checking out the xguest now. It's good to know programs like this exist out there for securing the desktop. There needs to be more. I often wear many hats and learning and configuring SELinux is complicated. I always turn of SELinux myself and secure the machine using standard Linux permissions and IPTables.

I used to work for a company that locked things down so much, that if you wanted to increase the speed of your mouse, you had to call the IT department, LOL.

This is a bit obsessive, but it's their prerogative. Either its not that easy to prevent a user from accessing the mouse control screen in Gnome or KDE, or most administrators are "Windows Trained" and wouldn't know the steps to lock it down (most just run a 3rd party app that does it for them anyway).

I think one of the hindrances for businesses to move to Linux on the desktop is the lack of programs for Linux that allow the complete lock-down of the desktop. In Windows, there are many applications that let you control which users can access different areas in the GUI, well beyond Windows Access Control.
.
I don't know of anything similar in the Linux Desktop Environment to Windows Access Control or the other programs that are out there. Does anyone else?