Why is it so difficult to network Vista and XP PCs?


Chuck [MVP]

> Hmm... sounds expensive. Well, it would be expensive to teach me how
> to maintain a domain setup... a lot of small networks still use the
> physical security model, which everyone understands, i.e.
> - if you're at the keyboard, you can do anything
> - if you're not at the keyboard, you can do nothing
> - we physically secure access to the keyboard
>
> Where the nature of the work is that folks create value on their PCs
> and use the network only for printing, Internet and automated peer
> backups, then combining the physical model with tight control over
> what is shared, can do away with the need for "authentication".
>
> IOW, assume authentication control will be sloppy, and avoid relying
> on it where it serves no purpose.
>
> How does that differ from the usual Blogger, as I'm using at...
>
> http://cquirke.blogspot.com
>
> ...? I did the conversion to Google sign-in, but haven't dug much
> deeper as yet. I do like multiple labels, though.
>
> I hope you don't mean they'll be dropping permalinks? They're still
> the best way to link to specific articles from arbitrary places like
> these newsgroups, after all.
>
> They're nice and flexible, yes, but how do you retro-fit them to old
> content? Permalinks still work there...
>
> I'm still not sure if I'm on the same rig as you are. Is this the
> production Google blogging platform, or still beta?

Classic Blogger is no more, nor is Beta. It is all New Blogger.
http://bloggerstatusforreal.blogspot.com/2006/12/new-blogger.html

You're using Technorati tags, and Labels. Labels are (MHO) the best feature of
New Blogger.
http://bloggerstatusforreal.blogspot.com/search/label/Labels?max-results=100

The formal name for "Blogger" is (I saw this somewhere) "Blogger One Button
Publishing". I use the formal name when I am describing how easy it is to use
Blogger to create a website. Which is when I'm not ranting how much support by
Blogger sucks. Meh.

Pierre and his rants have nothing over some Bloggers. I personally write about
how coincidental the term "Blogger Support" is to its detractors. Calling it
"BS" is so obvious. We can't cut "MS" anywhere like Bloggers cut "BS".

And I'm aware of the "physical security" concept. And I do my best to teach the
dangers of that. And yes, proper procedures are expensive. But far cheaper
than having your network botted, or maybe confidential customer data stolen and
sold to other hackers.

So I try to teach proper security and system management concepts to Bloggers.
People who manage huge websites, yet know only how to turn the computer on.
Talk about physical security. Meh.

--
Cheers,
Chuck, MS-MVP 2005-2007 [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.
 

cquirke (MVP Windows shell/user)

> Classic Blogger is no more, nor is Beta. It is all New Blogger.
> You're using Technorati tags, and Labels. Labels are (MHO) the best feature of
> New Blogger.

Cool!

Yep, labels excite me too (I excite easily, from some rest states)
> The formal name for "Blogger" is (I saw this somewhere) "Blogger One Button
> Publishing". I use the formal name when I am describing how easy it is to use
> Blogger to create a website. Which is when I'm not ranting how much support by
> Blogger sucks. Meh.

The old Blogger support were pretty cool - you could contact them, and
they would enter into an email dialog with you. I don't think it's
like that anymore; I can't see a point of entry, even after the usual
barriers of FAQs, forums etc. (which I always check first).
> And I'm aware of the "physical security" concept. And I do my best to teach the
> dangers of that. And yes, proper procedures are expensive.

Which is more dangerous:
- a world before nuclear weapons were invented
- a world where nuclear weapons are "secured"

Which is more dangerous:
- a LAN with no connection to the outside world
- a LAN offering "secured" administration from the Internet

I don't want to spend money on "proper procedures" to "secure" remote
administration from the Internet, when there is not one entity that I
would want to extend that functionality. Why should I? It's far
better and safer to render this as impossible as it should be, given
my installation's requirements.

You're asking ppl with no interest in per-user authentication, to
become amateur corporate sysadmins. How well do you expect that to
work? Would a corporation trust these folks to manage their network,
or would they insist on an MCSE?

If non-MCSE skills are not good enough for corporates, why do you
think they are good enough for us, when simply ripping out all the
remote garbage would work better anyway?
> So I try to teach proper security and system management concepts to Bloggers.

Ah, bloggers; different target audience, that.
> People who manage huge websites, yet know only how to turn the computer on.
> Talk about physical security. Meh.

Sure, fair enough. But how do I bring any of this stuff to bear on
securing the process of blogging, or how well my blog is secured on
someone else's server that someone else administers? Just getting a
full site backup out of such folks is difficult as it is...


--------------- ----- ---- --- -- - - -
To one who has never seen a hammer,
nothing looks like a nail
 

Chuck [MVP]

> Cool!
>
> Yep, labels excite me too (I excite easily, from some rest states)

OK, that sounds like a physicist joke. Quantum physics, it used to be called.
> The old Blogger support were pretty cool - you could contact them, and
> they would enter into an email dialog with you. I don't think it's
> like that anymore; I can't see a point of entry, even after the usual
> barriers of FAQs, forums etc. (which I always check first).

That's the Blogger Silence issue.
> Which is more dangerous:
> - a world before nuclear weapons were invented
> - a world where nuclear weapons are "secured"
>
> Which is more dangerous:
> - a LAN with no connection to the outside world
> - a LAN offering "secured" administration from the Internet

My personal opinion? There is nothing so vulnerable as an invulnerable
computer.

Invulnerability:
1) Is a perceived state. The owner thinks he is invulnerable, and will relax
and do stupid things like surfing to web sites where he doesn't belong.
2) Is a temporary state. Tomorrow's security exploits are unknown today.

Your nuclear warfare analogy is good, as an analogy. It doesn't go far enough
though.

Back in the 80s, Chris, I was a youth counselor at a church. In one of our
sharing moments, I discussed the nuclear warfare issue, and how much I was
relieved to see it all coming to an end. One of the kids put THAT into
perspective right fast.
"BFD Chuck", "I'm trying to go to school, go in the can to take a piss, and keep
from getting knifed while I am doing that".

Whether it's nuclear war, or a random gunshot from another car on the freeway,
you gotta be aware. And you gotta worry.
> I don't want to spend money on "proper procedures" to "secure" remote
> administration from the Internet, when there is not one entity that I
> would want to extend that functionality. Why should I? It's far
> better and safer to render this as impossible as it should be, given
> my installation's requirements.
>
> You're asking ppl with no interest in per-user authentication, to
> become amateur corporate sysadmins. How well do you expect that to
> work? Would a corporation trust these folks to manage their network,
> or would they insist on an MCSE?
>
> If non-MCSE skills are not good enough for corporates, why do you
> think they are good enough for us, when simply ripping out all the
> remote garbage would work better anyway?

The customer (any given customer) has 4 choices:
1) Pay you to fix the problems now, then hire you permanently to keep the
problems away.
2) Pay you to fix the problems now, and train them now, so they can try to keep
the problems away.
3) Pay you to fix the problems now, then pay you (or somebody else) next year to
come back and fix more problems.
4) Tell you to take a hike, then get their neighbour's high school kid to fix the
problems. Then pay you later to fix the problems properly.

Choice of 1 - 4 is up to the customer, based upon business need. Your job is to
negotiate 1 - 3 now, and accept #4 if necessary.
> Ah, bloggers; different target audience, that.


> Sure, fair enough. But how do I bring any of this stuff to bear on
> securing the process of blogging, or how well my blog is secured on
> someone else's server that someone else administers? Just getting a
> full site backup out of such folks is difficult as it is...

Wanna join my "Blogger Support and other issues" forum? It's quiet right now,
but if you ask those questions in there, I'll bet that we see some reactions.

Google has network problems, they don't acknowledge them (see "Blogger
Silence"), but the Bloggers have to deal with them. And as most Bloggers, as I
said, barely know how to turn the computer on, they have no idea what they are
seeing.

It's taken 2 years to get to the point where "a" "Blogger Employee" will listen
and provide feedback, on a one to many basis, about ongoing problems. Maybe one
on one email is a part of their past, but it sure isn't part of their present.

--
Cheers,
Chuck, MS-MVP 2005-2007 [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.
 

Kerry Brown

> My personal opinion? There is nothing so vulnerable as an invulnerable
> computer.
>
> Invulnerability:
> 1) Is a perceived state. The owner thinks he is invulnerable, and will relax
> and do stupid things like surfing to web sites where he doesn't belong.
> 2) Is a temporary state. Tomorrow's security exploits are unknown today.
>
> Your nuclear warfare analogy is good, as an analogy. It doesn't go far enough
> though.
>
> Back in the 80s, Chris, I was a youth counselor at a church. In one of our
> sharing moments, I discussed the nuclear warfare issue, and how much I was
> relieved to see it all coming to an end. One of the kids put THAT into
> perspective right fast.
> "BFD Chuck", "I'm trying to go to school, go in the can to take a piss, and keep
> from getting knifed while I am doing that".
>
> Whether it's nuclear war, or a random gunshot from another car on the freeway,
> you gotta be aware. And you gotta worry.
>
> The customer (any given customer) has 4 choices:
> 1) Pay you to fix the problems now, then hire you permanently to keep the
> problems away.
> 2) Pay you to fix the problems now, and train them now, so they can try to keep
> the problems away.
> 3) Pay you to fix the problems now, then pay you (or somebody else) next year to
> come back and fix more problems.
> 4) Tell you to take a hike, then get their neighbour's high school kid to fix the
> problems. Then pay you later to fix the problems properly.
>
> Choice of 1 - 4 is up to the customer, based upon business need. Your job is to
> negotiate 1 - 3 now, and accept #4 if necessary.

This has been interesting reading. I'll interject with an anecdote about
physical security. I have a customer who has three PCs in their shop. Two
run a LOB app. The third is used for online ordering and email. It is used
by several employees who all need Internet access occasionally. I spent
quite a bit of time going over the requirements of the business and the
network with the owner. It was decided (against my objections) to isolate
the two LOB computers on a separate network that was not physically
connected to the Internet. The only disks that were ever used in these two
computers were CDs with updates for the LOB app and CDs with Windows
Updates on them. No AV was installed (again against my objections),
passwords weren't used, the only security was the Windows XP firewall. This
was working well for a couple of years. The computer connected to the
Internet occasionally picked up a bit of spyware but it was relatively well
protected and didn't have any more problems than any computer that is used
by several different users. One day I got a call from the owner. One of the
LOB computers wouldn't boot and the other one wouldn't start the LOB app.
Long story short the owner had connected the switch the LOB computers were
on to the router. This was so he could plug his laptop into the switch and
check his email. Someone had accessed the Internet on one of the LOB
computers and installed a trojan. Things had quickly gone downhill from
there.

On a domain (e.g. SBS) this could have easily been avoided with group
policies restricting the sensitive computers from accessing the Internet and
having proper security for the whole network. I manage several SBS servers
for small businesses. With most I can do this by remote and rarely visit the
site. Their monthly charges are usually around one to two hours. I read the
daily reports that SBS emails me. I manage the server and workstation
updates by remote. SBS 2003 R2 has WSUS which makes managing updates even
easier. Domains need not be complicated or expensive to manage. They take a
bit of knowledge to set up at the start but once up and running require less
management than a p2p network if more than three or four computers are
involved. It's only when you start getting into multiple servers that domain
administration starts to get complicated.
 

cquirke (MVP Windows shell/user)

> My personal opinion? There is nothing so vulnerable as an invulnerable
> computer.
> Invulnerability:
> 1) Is a perceived state. The owner thinks he is invulnerable, and will relax
> and do stupid things like surfing to web sites where he doesn't belong.
> 2) Is a temporary state. Tomorrow's security exploits are unknown today.

Agreed on both counts. Enigma was assumed to be invulnerable...

However, the flaw is not in steps taken to protect the system, but
rather the assumption of invulnerability. That goes as much for "I
can't have a virus, I use NORTON" to saying the same about being on a
domain. The beneficial effect may lie in realizing domain
administration is so complex that the chances of you screwing up
somewhere are so high that you aren't certain to be safe :)
> Back in the 80s, Chris, I was a youth counselor at a church. In one of our
> sharing moments, I discussed the nuclear warfare issue, and how much I was
> relieved to see it all coming to an end. One of the kids put THAT into
> perspective right fast.

Yup. I really hope the folks staffing those ex-Soviet facilities get
their paychecks on time, don't you?
> Whether it's nuclear war, or a random gunshot from another car on the freeway,
> you gotta be aware. And you gotta worry.

I'd worry less if my OS didn't wave opportunities to the Internet as
if it was "just a big network". The Internet is not a network, in
the same way that a forest is not a tree.
> The customer (any given customer) has 4 choices:
> 1) Pay you to fix the problems now, then hire you permanently to keep the
> problems away.
> 2) Pay you to fix the problems now, and train them now, so they can try to keep
> the problems away.
> 3) Pay you to fix the problems now, then pay you (or somebody else) next year to
> come back and fix more problems.
> 4) Tell you to take a hike, then get their neighbour's high school kid to fix the
> problems. Then pay you later to fix the problems properly.
> Choice of 1 - 4 is up to the customer, based upon business need. Your job is to
> negotiate 1 - 3 now, and accept #4 if necessary.

Fair enough. But I have enough work without needing
artificially-stimulated demand. It's like including dangerous
features that require regulatory compliance when you don't need
either. "Just for the fun of it, we stick a barrel of nuclear waste
in the trunk of every car we make. Please ensure your safety officer
monitors this to remain compliant with AEC regulations."
> Wanna join my "Blogger Support and other issues" forum? It's quiet right now,
> but if you ask those questions in there, I'll bet that we see some reactions.
>
> Google has network problems, they don't acknowledge them (see "Blogger
> Silence"), but the Bloggers have to deal with them. And as most Bloggers, as I
> said, barely know how to turn the computer on, they have no idea what they are
> seeing.

Hmm... OK. Time's a crushin', and there are more forums than eyeballs
(and more blogs too, of course). If I had time, I'd:
- figure out how to set up a free wiki
- open this to those interested in Bart and WinPE
- write a how-to page so end users can use Bart + (say) Multi-AV
- develop a Bart and/or WinPE based mOS for download
- how-to documents and tutorials to mOS-building in Bart
- learn how to build a mOS on WinPE 2.0
- how-to documents and tutorials to mOS-building in WinPE 2.0

But alas, etc. :-/
> It's taken 2 years to get to the point where "a" "Blogger Employee" will listen
> and provide feedback, on a one to many basis, about ongoing problems. Maybe one
> on one email is a part of their past, but it sure isn't part of their present.

I figured that. Live Spaces seem "hungrier", at least for feedback;
they know they're trying to break through, whereas I think
Google/Blogger see themselves as comfortable incumbents.

One-on-one email support is rare, though. I'm always delighted to
find it, but rarely do I expect it.


--------------- ----- ---- --- -- - - -
Dreams are stack dumps of the soul
 

cquirke (MVP Windows shell/user)

On Sun, 22 Jul 2007 10:15:35 -0700, "Kerry Brown"
> This has been interesting reading. I'll interject with an anecdote about
> physical security. I have a customer who has three PCs in their shop. Two
> run a LOB app. The third is used for online ordering and email. It is used
> by several employees who all need Internet access occasionally. I spent
> quite a bit of time going over the requirements of the business and the
> network with the owner. It was decided (against my objections) to isolate
> the two LOB computers on a separate network that was not physically
> connected to the Internet. The only disks that were ever used in these two
> computers were CDs with updates for the LOB app and CDs with Windows
> Updates on them.

So far, so good...
> No AV was installed (again against my objections),

...that's not so good, though without Internet access, they would not
have av updates (or code patches, for that matter).
> passwords weren't used, the only security was the Windows XP firewall.

That could paradoxically be safer than weak passwords, if they were
using XP Pro instead of XP Home. A weak password waves admin shares
wherever F&PS is exposed, on XP Pro; XP Home is safer there.
> This was working well for a couple of years. The computer connected to the
> Internet occasionally picked up a bit of spyware but it was relatively well
> protected and didn't have any more problems than any computer that is used
> by several different users.
OK...

> One day I got a call from the owner. One of the LOB computers wouldn't
> boot and the other one wouldn't start the LOB app.
> Long story short the owner had connected the switch the LOB computers were
> on to the router. This was so he could plug his laptop into the switch and
> check his email.

The point of failure here is not their policy, which was sound as long
as those with physical access can be trusted not to bring in USB
sticks, modems, WiFi connectors etc.

They failed because they didn't follow their policy, and their
approach was not deep enough to provide fallback defences for when
their policy failed to protect them for whatever reason.
> Someone had accessed the Internet on one of the LOB
> computers and installed a trojan. Things had quickly gone downhill from
> there.
> On a domain (e.g. SBS) this could have easily been avoided with group
> policies restricting the sensitive computers from accessing the Internet and
> having proper security for the whole network. I manage several SBS servers
> for small businesses. With most I can do this by remote and rarely visit the
> site. Their monthly charges are usually around one to two hours.

I prefer not to open sites up to any sort of remote admin, myself
included. I like the sound of SBS, but don't have hands-on with it;
even SBS is too costly for my client base. At best, they will
begrudgingly use XP Pro on a couple of PCs that expect > 5 incoming
LAN connections, and that's it.
> I read the daily reports that SBS emails me. I manage the server and workstation
> updates by remote. SBS 2003 R2 has WSUS which makes managing updates
> even easier. Domains need not be complicated or expensive to manage.

They do have to be set up properly, and kept that way, if they are not
to become risks in their own right. I don't know how well that
installation would have done, over so many years, if it had a domain
setup left in place without an ongoing presence to manage it, as you
were doing via remote access.

If remote access is properly secured, it may be as safe as a VPN
between their LAN and the admin, who manages other LANs. That makes
the admin a potential node, if any of the LANs gets infected with
malware that can propagate via such connections.

So perhaps it depends on the quality of the sysadmin. I know enough
to know that I don't know enough to expose my own clients to that sort
of risk, i.e. I don't know enough to promise safety.

Policy - promises such as privacy policy, SLAs, etc.
Security - ensuring you are the only actor
Safety - ensuring that only what the actor intends, happens
Sanity - ensuring the code only does what it was coded to do

At Policy, you are standing at the top of a very tall ladder.
> They take a bit of knowledge to set up at the start but once up and
> running require less management than a p2p network

I can believe that, especially if the p2p is doing a lot of networking
and/or there are lots of users milling about.

But pushing desktop policies onto PCs from a server only makes sense
not if you are the only actor "owning" the server, but also if the
policies you push, don't suck for safety. Pushing MS duuuuhfaults
like "don't show extensions", "hide files", "open on content, not
extension", "write-share everything with hidden but automatable names"
etc. can just enforce poor safety, undermining the rest of the ladder.
> It's only when you start getting into multiple servers that domain
> administration starts to get complicated.

Heh heh... we all have our threshold of pain, yours is just a bit
higher than mine ;-)

Here's an example of depth.

I have no need to facilitate write access to any part of C:, and (on
some PCs) anything at all. Doesn't matter what credentials you wave,
there is no entity in the universe in the "allowed users" set.

So I do all of:
- avoid XP Pro, preferring XP Home
- kill hidden admin shares via .REG
- use 1 admin account only
- have nul password on that account
- block F&PS at firewall unless needed
- unbind F&PS from networking unless needed

Why "all of"? Any one of those steps woudl eb enough to contain the
risk, but I do all as the assumption is each measure may fail - and
even then, I still wish I had an OS that wasn't so stupid to have
invented admin shares in the first place. If I want the root of a
volume shared, I'll explicitly share it, thanks; if I don't, then I
should know some dumb-ass duhfault is not doing it behind my back.

So those "not on the Internet" PCs would have firewalls enabled
(though it can be a pain getting LOB apps to play through them), no
admin shares, no WSH, resident av that would update if and when
opportunity arises, \Autoplay.inf processing disabled, boot order C:
before anything else, no auto-rebooting on errors or RPC failures, XP
SP2 applied, safer UI settings, any email apps set to less sucky
duhfaults (there's still a lot of "Internet Zone" Outbreak 2000 out
there) and so on. Would it have helped? Maybe not, or maybe with a
safer UI, maybe that trojan would not have got traction.

IKWYM about "invulnerability", though. I think a hard rain's gonna
fall on Apple and Linux if they ever get big enough to be targets.

--
Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
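The hardening list in the post above, turned into an audit-and-apply script as an added example (my code, not cquirke's .REG or anything from the thread). It assumes a current Windows host with PowerShell 5 or later, an elevated prompt for the apply step, and the standard registry value names for each item; the XP Home, single-account and null-password choices are not registry settings and are left out.

```powershell
# Added example, not code from the thread: audits (and, if asked, applies) the
# "no hidden admin shares / no WSH / no autorun / show extensions / no
# auto-reboot" items from the hardening list as registry settings, instead of
# a hand-edited .REG file. Assumes a current Windows host with PowerShell 5+;
# Set-HardeningBaseline needs an elevated prompt.

$Baseline = @(
    @{ Name  = 'Hidden admin shares (C$, ADMIN$) not auto-created'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'AutoShareWks'; Want = 0 },
    @{ Name  = 'Windows Script Host disabled'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
       Value = 'Enabled'; Want = 0 },
    @{ Name  = 'Autorun disabled for all drive types'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun'; Want = 0xFF },
    @{ Name  = 'No automatic reboot after a system crash'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
       Value = 'AutoReboot'; Want = 0 },
    @{ Name  = 'File extensions shown (current user only)'
       Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Value = 'HideFileExt'; Want = 0 }
)

function Test-HardeningBaseline {
    # Report each setting with its expected and actual value; a missing
    # value shows as $null and counts as non-compliant.
    foreach ($item in $Baseline) {
        $actual = $null
        $prop = Get-ItemProperty -Path $item.Path -Name $item.Value -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $actual = $prop.($item.Value) }
        [pscustomobject]@{
            Setting   = $item.Name
            Expected  = $item.Want
            Actual    = $actual
            Compliant = ($actual -eq $item.Want)
        }
    }
}

function Set-HardeningBaseline {
    # Write every value as a DWORD, creating the key when it does not exist.
    foreach ($item in $Baseline) {
        if (-not (Test-Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
        Set-ItemProperty -Path $item.Path -Name $item.Value -Value $item.Want -Type DWord
    }
    # AutoShareWks is read when the Server service starts, so C$ and ADMIN$
    # stay until it restarts (and open SMB sessions drop with it).
    Restart-Service -Name LanmanServer -Force
}

function Get-AdminShare {
    # Administrative shares have Win32_Share.Type >= 0x80000000 (2147483648).
    # IPC$ is expected to remain; the check is that C$ and ADMIN$ are gone.
    Get-CimInstance -ClassName Win32_Share |
        Where-Object { $_.Type -ge 2147483648 } |
        Select-Object Name, Path, Type
}

# Audit first; run Set-HardeningBaseline only after reviewing the report.
Test-HardeningBaseline | Format-Table -AutoSize
Get-AdminShare | Format-Table -AutoSize
```

The audit runs without elevation, so it doubles as a quick check on a PC that is supposed to already be locked down this way.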
 

Kerry Brown

cquirke (MVP Windows shell/user) said:
> On Sun, 22 Jul 2007 10:15:35 -0700, "Kerry Brown"
>
> So far, so good...
>
> ...that's not so good, though without Internet access, they would not
> have av updates (or code patches, for that matter).
>
> That could paradoxically be safer than weak passwords, if they were
> using XP Pro instead of XP Home. A weak password waves admin shares
> wherever F&PS is exposed, on XP Pro; XP Home is safer there.
>
> The point of failure here is not their policy, which was sound as long
> as those with physical access can be trusted not to bring in USB
> sticks, modems, WiFi connectors etc.
>
> They failed because they didn't follow their policy, and their
> approach was not deep enough to provide fallback defences for when
> their policy failed to protect them for whatever reason.

That was my point. Sooner or later physical security will be broken, either
by accident or on purpose. You need a layered approach. It's much easier to
layer security with a central management system like active directory.
> I prefer not to open sites up to any sort of remote admin, myself
> included. I like the sound of SBS, but don't have hands-on with it;


With SBS you only need two ports exposed to the Internet. Everything can be
done through Remote Web Workplace with SSL on ports 443 and 4125. Port 4125
is not opened until after the user authenticates via SSL on port 443. All
communications are encrypted with SSL. The security is as strong as your
weakest password. With active directory strong passwords, changed regularly,
can be enforced. By default SBS opens a couple of other ports but they
aren't really needed and can be closed. I like to use a hardware firewall (a
real one, not a NAT router) as well. If you use Exchange you also need port
25 but for a small network of 3 or 4 computers they probably wouldn't want
the added complexity of Exchange. All the ports, Internet access, and
Exchange settings are set up in one wizard that takes a couple of minutes to
run.
> even SBS is too costly for my client base. At best, they will
> begrudgingly use XP Pro on a couple of PCs that expect > 5 incoming
> LAN connections, and that's it.

I agree that for small businesses the expense seems hard to justify. I can
put a decent server in for around $2,500 CDN if they are already using XP
Pro (or Vista Business) on the existing workstations. Realistically most
installations are in the $3,000 to $6,000 range. Compared to just sharing
files on an existing computer it seems like an expensive option. It also
introduces a single point of failure into the business so it has to be as
well built with as much redundancy as possible. You really need to use
server class hardware that is designed for 24/7 use. The advantages are
better management, thus better security. One place where data is stored so
the data is easily backed up. The backup wizard in SBS actually makes
ntbackup easy to use. Most small business owners love the remote access part
of it. They can remote into their desktop from anywhere and work just as if
they are sitting at the computer. Even on dialup response is adequate. The
most common complaint of small business owners is they have to spend too
much time at the business. Remote desktop gives them more time at home even
if they are working while they're there. This is a big, big feature for most
small business owners.
> They do have to be set up properly, and kept that way, if they are not
> to become risks in their own right. I don't know how well that
> installation would have done, over so many years, if it had a domain
> setup left in place without an ongoing presence to manage it, as you
> were doing via remote access.

In a very basic configuration (no Exchange, ISA, or SQL) SBS is very stable.
It is managed by wizards that are very easy to use. This actually trips up
many IT pros who are too macho to use the wizards and end up messing up the
security by trying to do things their way. Once SBS is up and running anyone
who has reasonable networking skills can easily manage it. It does take
someone experienced with its quirks to set it up right.
> If remote access is properly secured, it may be as safe as a VPN
> between their LAN and the admin, who manages other LANs. That makes
> the admin a potential node, if any of the LANs gets infected with
> malware that can propagate via such connections.

With SBS if you restrict remote access to RWW only, the remote computer
can't infect the LAN. All local access is done by RDP over SSL to one of the
local computers. The remote computer only sees screen updates and sends back
key strokes and mouse clicks. It is possible to enable cut and paste from
remote computers but it is easily disabled as well.
> So perhaps it depends on the quality of the sysadmin. I know enough
> to know that I don't know enough to expose my own clients to that sort
> of risk, i.e. I don't know enough to promise safety.
>
> Policy - promises such as privacy policy, SLAs, etc.
> Security - ensuring you are the only actor
> Safety - ensuring that only what the actor intends, happens
> Sanity - ensuring the code only does what it was coded to do
>
> At Policy, you are standing at the top of a very tall ladder.


> I can believe that, especially if the p2p is doing a lot of networking
> and/or there are lots of users milling about.
>
> But pushing desktop policies onto PCs from a server only makes sense
> not if you are the only actor "owning" the server, but also if the
> policies you push, don't suck for safety. Pushing MS duuuuhfaults
> like "don't show extensions", "hide files", "open on content, not
> extension", "write-share everything with hidden but automatable names"
> etc. can just enforce poor safety, undermining the rest of the ladder.

The SBS defaults are well thought out. I usually tweak things a bit but in
its default state it's very secure.
> Heh heh... we all have our threshold of pain, yours is just a bit
> higher than mine ;-)
>
> Here's an example of depth.
>
> I have no need to facilitate write access to any part of C:, and (on
> some PCs) anything at all. Doesn't matter what credentials you wave,
> there is no entity in the universe in the "allowed users" set.
>
> So I do all of:
> - avoid XP Pro, preferring XP Home
> - kill hidden admin shares via .REG
> - use 1 admin account only
> - have nul password on that account
> - block F&PS at firewall unless needed
> - unbind F&PS from networking unless needed
>
> Why "all of"? Any one of those steps would be enough to contain the
> risk, but I do all as the assumption is each measure may fail - and
> even then, I still wish I had an OS that wasn't so stupid to have
> invented admin shares in the first place. If I want the root of a
> volume shared, I'll explicitly share it, thanks; if I don't, then I
> should know some dumb-ass duhfault is not doing it behind my back.
>
> So those "not on the Internet" PCs would have firewalls enabled
> (though it can be a pain getting LOB apps to play through them), no
> admin shares, no WSH, resident av that would update if and when
> opportunity arises, \Autoplay.inf processing disabled, boot order C:
> before anything else, no auto-rebooting on errors or RPC failures, XP
> SP2 applied, safer UI settings, any email apps set to less sucky
> duhfaults (there's still a lot of "Internet Zone" Outbreak 2000 out
> there) and so on. Would it have helped? Maybe not, or maybe with a
> safer UI, maybe that trojan would not have got traction.
>
> IKWYM about "invulnerability", though. I think a hard rain's gonna
> fall on Apple and Linux if they ever get big enough to be targets.

Pretty much all of that can be done with group policy. Once it's set up any
computer joined to the domain will get the policy. Any computer not joined
to the domain can be severely restricted as to what it can do on the
network. You can even deny them Internet access if you want. The only open
shares are on the server and without authenticating you have zero access to
them. You do need the administrative shares on the workstations for remote
management but these are secured with strong, regularly changed passwords.
The local administrator account can be disabled so that only a domain
administrator can access the hidden shares. If you want to get really secure
you can use IPSEC but that can be an ongoing management burden.

It's been a good discussion. We're getting way off topic but it has been
fun. I love talking about security :) I always learn something. In the end
there are several ways to the same goal of a secure small business network.
 
C

cquirke (MVP Windows shell/user)

"cquirke (MVP Windows shell/user)" wrote in
That was my point. Sooner or later physical security will be broken, either
by accident or on purpose. You need a layered approach.

Agreed, but the same is perhaps more likely when your entire edge is
complex, fuzzy, and only as good as adherence to policy (which was
what failed in this case)
It's much easier to layer security with a central management system
like active directory.

Security is no substitute for safety. In fact, it applies only when
some risks need to be taken in certain contexts and/or by certain ppl;
then you "secure" access to those risks.

But if no-one needs access to those risks, rather rip 'em out.
With SBS you only need two ports exposed to the Internet. Port 4125
is not opened until after the user authenticates via SSL on port 443. All
communications are encrypted with SSL.

That may serve as a solid pipe between the remote PC and the LAN, but
also exposes the LAN to whatever goes on on the remote PC...
The security is as strong as your weakest password.

That's pretty weak, then, because trying to implement strong
passwords is a lot harder than "don't plug in the cable, moron".
With active directory strong passwords, changed regularly,
can be enforced.

See...

http://cquirke.mvps.org/pwdssuck.htm

Strong, changed regularly, non-tokenised. Pick two.

Humans just are not going to remember a new truly strong (random
character, full character set, long) password every month without
tokenizing it somewhere (e.g. writing it down), so your security
becomes as weak as your passwords and/or informal token system.
I like to use a hardware firewall (a real one, not a NAT router) as well.

I haven't really got into that as yet. If there's a firewall built
into the router, as there usually is, I leave it enabled with default
settings; I dunno how useful that is.

You trust what you know, as far as you know you can trust it.

As one who knows networking better than I, I accept you'd trust it
further than I would, and get better results than I would.
I agree that for small businesses the expense seems hard to justify. I can
put a decent server in for around $2,500 CDN if they are already using XP
Pro (or Vista Business) on the existing workstations.

Yup, the per-desktop cost blows out as well due to the need for
Pro or Business, and if you need more than the 5 seats that consumer
desktop OSs can peer, then you need extra CALs too.

That's before you add the cost of hiring the expertise to make it
work, and the value depends on the client following the plan.

So in effect, the client becomes dependent on the hired expert and the
network. If all data is on the server and the network blinks, no-one
can do any work... and if the sysadmin goes rogue (or gets "owned"),
there's very little you can do to get the genie back in the bottle.
Compared to just sharing files on an existing computer it seems
like an expensive option. It also introduces a single point of failure

I think it's an appropriate solution when that point of failure
already exists naturally, e.g. where you have a room full of data
serfs who need access to the same database in order to do anything at
all. You're already forced into some kind of centralised system,
whether it be a PICK box and dumb terminals in the 1980s, or a server
and dependent desktop clients in the 2000s.

OTOH, consider a group of architects who work on their own projects
and rarely share data, but who need Internet access, printer sharing,
and hey can't we backup over the LAN as well?

What I do for those cases is XP Home (or Vista Basic) unless "too
many" PCs, then one or two XP Pro (or Vista Business) for the main
points of gathering (printer, basically).

On these, I kill admin shares and create an empty dir that is
read-shared. Nothing else is shared other than printers.

Then I have a batch file archive a small and clean data set (getting
crap like downloads, "My Received Files", massive wads of
pics/music/videos out of there) to the read-shared directory. That's
the 2sm Task; at 4 am, one or more of the PCs will then pull these
backups from the other PCs via the read-only share.

So you can end up with "holographic storage", where as long as a
single PC survives, everyone's work falls back only 1 day.
One place where data is stored so the data is easily backed up.

The name of the game with backup is redundancy, hence the above
peer-based cross-backup system (with "last mile" of all gathered
backups to CDR, DVDR or USB)
Most small business owners love the remote access part of it. They
can remote into their desktop from anywhere and work just as if
they are sitting at the computer. Even on dialup response is adequate.

I'd be concerned about the risks there. One crappy user-defined
password between my data and the Internet? I don't think so...
The most common complaint of small business owners is they have to
spend too much time at the business. Remote desktop gives them more
time at home even if they are working while they're there.

I'd rather do that via USB stick sneakernet, which has the advantage
of some built-in data redundancy, at the risk of "syncing" the wrong
way. BTW, my "real" self-backup keeps the last 5 backups for a week's
depth, and does not rely on dates to purge the oldest.
In a very basic configuration (no Exchange, ISA, or SQL) SBS is very stable.
It is managed by wizards that are very easy to use. This actually trips up
many IT pros who are too macho to use the wizards and end up messing up the
security by trying to do things their way.

Sometimes it's just easier. For example, it's easier to find
"Firewall" than "keep my computer safe" or some overly-dumbed-down
language that forces you to guess how someone may have over-abstracted
what you are looking for. Even Regedit is sometimes easier than
wading through some app's Tools, Options (or is it Edit, Preferences)
especially for settings the vendor hopes you won't notice.

So yes, I can see how that can happen ;-)
With SBS if you restrict remote access to RWW only, the remote computer
can't infect the LAN. All local access is done by RDP over SSL to one of the
local computers. The remote computer only sees screen updates and sends back
key strokes and mouse clicks. It is possible to enable cut and paste from
remote computers but it is easily disabled as well.

O..K.. I can see how that can help, especially if you believe in
sanity of the code - which I find hard to do these days.
The SBS defaults are well thought out. I usually tweak things a bit but in
its default state it's very secure.

Can you assert exactly the settings you want?

If installing apps on these PCs, do you have as much control over
installation paths, etc. and can you clean up settings, Start Menu
shortcuts, etc.? Because if you're forced to dumb down to defaults,
you're swapping one bunch of risks for another.
The only open shares are on the server and without authenticating
you have zero access to them.

And that's as good as your password, right?

I dunno... I see the same suspension of disbelief here.

On the physical model those dudes used successfully for a few years
before they broke their own rules, it was "we don't need to harden PCs
because they aren't exposed to the Internet"

Using pro-grade network admin, it's "oh those risks are OK because
they are secured (by passwords), so we don't mind waving the entire PC
at the Internet". It's a more complex surface with more things to go
wrong, and some failures may leave no footprints.

One could argue that the "physical model" was not properly
implemented. If those PCs were not to be connected to the Internet,
why weren't they set to a fixed and unreachable gateway? If you
cannot trust your staff (as these folks clearly could not) then you'd
have to go to locked cases, disabled USB ports etc. to preclude Wifi
bobbins etc. You may even have to do the "limited user rights" thing
to prevent users fiddling with the network settings, which ideally
wouldn't be TCP/IP based anyway.

Mind you, in this case it was user failure, pure and simple, and would
be a firing offence if the "don't plug in the cable" policy was
properly propagated. The only way to (try to) prevent that is to set
yourself up as the users' overlord, so it's not their network
anymore... and from then on, they'd have to be very, very nice to you.
It's been a good discussion. We're getting way off topic but it has been
fun. I love talking about security :) I always learn something. In the end
there are several ways to the same goal of a secure small business network.

Yep, and I quite dig the buzz that SBS seems to attract - most big
networking folks don't mention it, but those who know and use it seem
fiercely loyal to it (I'm sure some names spring to mind <g> )


--------------- ----- ---- --- -- - - -
Who is General Failure and
why is he reading my disk?
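An added example, not the poster's own batch file: the peer cross-backup scheme described in the thread (archive a cleaned-down data set into a read-only share at 2 am, pull peers' copies at 4 am, keep the last five generations without relying on dates). It assumes PowerShell 2.0+ and robocopy (built into Vista, Resource Kit on XP); the paths, the peer name and the exclusion list are placeholders for illustration.

```powershell
# Added example: generation-based peer backup, not the thread's own batch file.
# -Archive = the 2 am task (stage into the read-shared dir), -Pull = the 4 am task
# (fetch a peer's newest copy). Generations rotate by rename (gen.1 newest .. gen.5
# oldest), so purging never depends on the clock. Paths/peer names are placeholders.
param(
    [switch]$Archive, [switch]$Pull,
    [string]$Source   = 'C:\Work',                  # what the user actually creates
    [string]$ShareDir = 'C:\PeerBackup',            # the directory that is read-shared
    [string]$Peer     = '\\OFFICE-PC2\PeerBackup',  # a peer's read-only share (placeholder)
    [string]$PullRoot = 'C:\PeerPulls\OFFICE-PC2',
    [int]$Keep = 5
)
# Junk that bloats the archive and has no business in a backup
$exclude = @('Downloads', 'My Received Files', 'My Music', 'My Pictures', 'My Videos', 'Temp')

function Rotate-Generations([string]$root, [int]$keep) {
    # Drop the oldest, shift the rest up one, leave gen.1 free for the new copy
    $oldest = Join-Path $root "gen.$keep"
    if (Test-Path $oldest) { Remove-Item $oldest -Recurse -Force }
    for ($i = $keep - 1; $i -ge 1; $i--) {
        $from = Join-Path $root "gen.$i"
        if (Test-Path $from) { Rename-Item -Path $from -NewName "gen.$($i + 1)" }
    }
    return (Join-Path $root 'gen.1')
}

function Copy-Tree([string]$from, [string]$to, [string[]]$skipDirs) {
    # /MIR mirrors the tree, /XD skips the named dirs anywhere in it,
    # /R:1 /W:1 keeps one locked file from stalling the whole job
    $rc = @($from, $to, '/MIR', '/R:1', '/W:1', '/NP')
    if ($skipDirs.Count -gt 0) { $rc += '/XD'; $rc += $skipDirs }
    & robocopy @rc | Out-Null
    return ($LASTEXITCODE -lt 8)   # robocopy exit codes below 8 mean no failures
}

if ($Archive) {
    $dest = Rotate-Generations $ShareDir $Keep
    if (-not (Copy-Tree $Source $dest $exclude)) { Write-Warning 'archive copy reported errors' }
}
if ($Pull) {
    # Read only the peer's newest generation; nothing is ever written to the peer
    $dest = Rotate-Generations $PullRoot $Keep
    if (-not (Copy-Tree (Join-Path $Peer 'gen.1') $dest @())) { Write-Warning "pull from $Peer reported errors" }
}
```

Schedule `-Archive` at 2 am and `-Pull` at 4 am from Task Scheduler on each PC; because the share is read-only, a compromised peer can copy from you but cannot alter what you have staged.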