clutch

Here is the link to NTComp's thread regarding this topic, although I asked them to post their opinions here for ease of reading: http://www.ntcompatible.com/thread.php?id=30811 Remember, if you guys really want to break this topic down, then what about the security of desktop Linux systems (using some form of X server, the chosen desktop environment and affiliated libraries) versus server-style Linux systems using only the console and SSH connectivity? What really makes one more secure than the other? Also, try to compare current versions of operating systems, as using older versions wouldn't be a best practice to begin with in any software deployment.

I still like the old Phoenix logo much better than either.

Typically, most security configration items fall under DISA STIGs. These are essentially the "rules of the road" when deploying an OS, service, application, etc into a government environment. However, the GS personnel (configuration items are under final review by government civillians, not contractors and especially not vendors or outside consultants) that came up with some of them have not necessarily implemented them to their fullest extent. For example, when reviewing the DISA guidance set forth for the Windows OS, it is possible to completely break communication between it and practically every other OS out there, including Windows. We have to file waivers to correct various settings just to get them to work. This is not isolated to Windows, as there are waivers for just about every OS out there. As for the dismissal, it seemed more like the quote was put there to show that a government agency feels that Linux is more secure than Windows, therefore it must be. I see things like this all the time at work with comparisons between Windows and Linux, Windows and Apple, Apple and Linux, the usage of Samba vs. ADmitMac, and so on. When you see what happens to all of these things in a day-to-day basis, it almost doesn't matter what the opinion is any more since they can all be secured and they can all be broken. Many groups that are supposed to represent the paramount of security (governments, banks, major online retailers, etc) around the world have had all the various operating systems and applications compromised at one time or another. The question of the thread was "which is more secure?", and the answer is "neither". As I am the only one here that is either willing or able to put forth what Windows can do, that has been my role. I was hoping to see more balanced discussion regarding both operating systems, but the only "food for thought" postings held Linux in high regard, and no so much for Windows. Yes, this is a Linux newsgroup and yes opinions are freely available. But, try not to be put off when one dismisses a quote that: 1. Has no qualifiers asking for discussion, but rather listed as "another vote for Linux" 2. Is from an agency known for security vulnerabilities 3. Is not being presented with alternate perspectives, such as a "pro Windows" quote or article However, to further the discussion along the points asked in your reponse: Departmental configuration guidelines? I didn't see anything listed in the article, but I did mention the use of DISA STIGs (here is one public site for them: http://csrc.nist.gov/pcig/cig.html if you are in a .gov or .mil domain then try http://iase.disa.mil/techguid/index.html) Required use of SELinux policies? I checked the STIG for UNIX with Linux additions, and I didn't see any mention of SELinux, so I doubt there is any requirement for it. Not entirely shocking that one government agency isn't aware of the work of another. The number of configuration elements and the number of methods needed to adjust the configuration? Without a STIG to work with, or any information to be gleened from the article, it would be hard to tell. To me, it just looks like another one of those "it's got to be more secure because it isn't Windows" statements rather than anything of quantitative merit. So there you have it, I believe that both OSs are awesome, but have their drawbacks. What I would like to see are opinions of Windows Server 2003 and/or Windows XP SP2 vs. modern Linux distributions, rather than comparisons of older Windows distributions (such as 9x) in this thread. I'll post this in the www.ntcompatible.com forum and see if that can be arranged.

Well, considering the problems that they have had with security in the past (and currently), you'll have to forgive me for not having faith in their opinion on anything. Google it. I work with government agencies, and too much faith gets put into their opinion on what's safe.

This is in reference to a screensaver that this person downloaded, and is in fact a trojan. I would ask that the link NOT be posted again, in any manner, shape, or form. The screensaver name was "bestfriends.scr".

Try this: http://www.short-media.com/forum/showthread.php?t=16748

Um, I think it was a legal requirement that anybody who ran Win9x/ME was not allowed to sleep at night. Well, unless the machine was disconnected from the network, and off, and encased in cement. Even then, it's touch-and-go...

IE for Server 2003 is quite a bit different, much like its installed configuration. By default, IE will not let you do anything, including download stuff, unless you manually list those sites as "trusted" or remove the IE enhanced security configuration. When deploying Windows clients in a work environment, we use Group Policy to strictly control what the machines can do. You can completely remove ActiveX, along with various zones for IE and varying levels of IE security within each zone. MS is slowly limiting the default configuration out of the box, but it's hard to do when so many people want convenience in place of security. Having said that, I prefer Firefox myself for most web browsing because it's faster and has tabbed navigation. I have been using it since it was Phoenix 0.4 in Linux, and went to it on both platforms with 0.5. I do keep IE around with ActiveX enabled mostly for Virtual Server, as the consoles and management interfaces use ActiveX controls (until I can go to ESX server all around, then this will no longer be an issue). What has been interesting, is that with the introduction of a firewall in XP (actually, there was one already but nobody wanted to use it) many places are implementing Group Policy just to turn it OFF. Rather strange, since everybody complains about the seeming lack of security in XP only to go through more effort to completely disable security features ("my car isn't safe, but let's disable the airbags and ABS in the new one because I don't understand them and they are in my way").

Strange, I have been a Windows user for the last 10 years, and haven't had these issues. Must be the user. Remember, the average Linux admin is more knowledgeable of his/her OS than the average Windows admin. Also, I used RH 7.3 in college, and the main reasons we did were because: 1. Cheap (read: free) 2. Supported Java, which is what we were learning Also, having the source code freely available to modify, such as the kernel, makes learning development of kernels and compilers much easier. As for security, well let's say that the administrative procedures of the lab weren't that great...

Originally posted by martouf: Quote: No one has mentioned SELinux technology in this thread. Probably because one could configure just about any OS in one way or another to be secure. This could be done by stripping services, blocking ports, traffic encryption, proper service account usage, etc. I do like how the NSA illustrates in their FAQ the inherent insecurity of the permissions architecture. The ACL-based architecture (along with roles-based permissions) is something that Novell and Windows have had for quite a while now. It's good to see that various distros are providing this as an option. However, until the majority of distros provide this as a default configuration, it should still be considered a specialized item. Most people bash Windows security because of its defaults and not because of how secure it could be (through the use of templates via local or Group Policy, for instance). Quote: No one has mentioned data collected from a honeyfarm. I know that I haven't had a need for one myself, but I don't know about others here. An interesting point of that article is the use of the default installation configuration. This is where Windows used to get nailed, primarily by IIS being installed and then getting pelted by CodeRed traffic that's still out there. Most Linux distributions try to install very little, but many new users go for the "kitchen sink" install, and then not understand why they have 5 text editors, none of which are easy to use. Apple is finding this to be a good learning experience, since they are merging ease of use with BSD and finding that it isn't as secure as they would like. Just because the kernel is famous for being secure, that doesn't mean that all the other stuff you install is inherently secure.

Please be specific as to what registry patch you applied.

There are two answers: 1. None 2. All The idea behind RPMs was to make it easier to install things, but then dependency, installer version, and kernel version issues came about. This is why I don't mess with RPM-based distros, even when using "apt4rpm" because there were too few packages made available on those feeds (it might be better now, but too little too late for me). When you start getting into apps and wanting to use cutting edge stuff, you either need a distro with a package management system that is kept up to date (ala Gentoo, and possibly Slack) or just compile from the latest source on your own. If you want easy, then stick with the first ones I mentioned and gradually start compiling apps, and later on kernels on your own. The biggest hassle is having the libraries needed up front for whatever app you plan on building. However, some distros make getting the kernel a bit of a pain as well. What would be your best bet, is simply get your nVidia card working in *any* distro, as that process alone will teach you a great deal about getting things to work. Personnally, I would recommend compiling it from source, installing the modules, and configuring X to work with it. If you can manage that, then you should be ready for bigger and better things.

Typically, I recommend RH (OK, Fedora), Mandrake, or SuSE for newbies. After that, I recommend they go to a Debian-based distro for a while. Later, they "grow" into Slack, Gentoo, or something similar. If they are willing to pay for a distro, I recommend Xandros initially, as it is something that you can be happy with for quite a while, especially as a desktop OS.

ReFoRMaT, your best bet is to simply stick with a distro, any distro, and get better at it. The more you bounce around, the harder it is to get any real "feel" for that distro or Linux in general. This is why some people try to virtualize Linux (using VMware or VirtualPC) within Windows or OSX before committing a machine to it so they can adjust to it. Dapper Dan, when I used to cruise the Gentoo IRC channel, we had many Slack users that were checking us out, in addition to LFS users or people getting ready to go LFS. I like Gentoo because it installs lean, no matter what stage you use. I imagine Slackware is the same way. I guess I just got so used to Gentoo that I haven't had a need to try any other distro for personal use. Caution: most users to switch to "lean" distros like that rarely go back to ones like RH, SuSE, Mandy, etc. Hope you can adjust...

Have you applied any security templates, or many any security adjustments to your XP box? NTLMv2 could be in the way if it is setup on the XP box, and you would need to manually enable that on the SAMBA DC. Was your firewall off during the testing?

Figures. I used to ask about firewalls being on, but then would get bashed with "of course it's OFF!" If your firewall has a logging facility, you could just re-enable it and then try again. You can then review the logs for the failed ports. The ports that I have to enable for remote management of XP workstations are: UDP: 137, 138 TCP: 135, 139, 445 If you can do without 135, then that would be a good idea. You might need the other four, but lock them all and check the logs first. Only open up what you need.

Yes, it would seem that the vast selection is also what's hurting it at times. It is already an awesome utility, appliance, and administration OS. Now, if we could get some real power behind the major desktop applications...

I guess I have a different view on this. I am an engineer in a really, really large federal environment (approx 500K users in the US alone) and we have everything out there. One of my jobs is to handle configuration management of domain controllers, which includes patching and security policies. Another part of my job is cross-platform interoperability. Now, this provides for a really interesting point of view. When we went to Windows Server 2003 out of the box, it broke almost everything for Linux and Mac systems connecting to them. This was because of a few select security settings that were enabled (SMB Service Signing being the primary one). When we actually started cranking up the security settings, we found that SAMBA could no longer be used for the Apples (I recommended ADmitMac, it's pretty cool) or the Linux systems. In addition, most of the patches for Windows Server 2003 (which are much fewer than the previous generations of Windows) don't require reboots, and when using our stronger templates and default (limited) services being installed the box was indeed rather secure. So, I would say that Windows is moving along nicely, especially with the firewall introduction to XP and coming up in SP1 for Windows Server 2003. Now for Linux. I am a big fan of Linux, and have used it for almost 6 years. In the first couple of years, I didn't find that many patches when compared to Windows at that time. Of course, there weren't that many applications or use for it as a desktop either. As time has passed, and more things are added to it, there have been many more updates needed. All you need to do is keep an eye on this site's homepage to see all of the security updates being released. Many of these updates, however, are for applications and services that have been around for a while. With the increase in popularity of Linux, it has attracted much more attention; the attention of the wrong people. Couple this with bad design decisions (like that of Lindows to have users running around as root, I don't know if that has been remedied) and you can paint a big target on your back. In my environment, it's easier to see patterns in exploits for applications and services. In my world, the more popular something is, the more likely it is to be exploited. If this wasn't the case, then Novell would have to be considered virtually perfect since I can't recall the last security advisory released for it. Is that the case? Probably not. Why attack something that nobody uses? As for security of an application when it's open source, it is fundamentally more secure, but isn't in reality. It *should* be more secure since any user could completely evaluate the code and change it as needed to correct imperfections. After this, the change could be submitted back to the project maintainers and updated for everyone. Having said that, how many people (including yourself) do you know that scour through the source such as this? You will wind up with the same team of people working on the application as usual, along with some others. This is much like what a large software company team would do. So, we have a software team in the closed source company, and a software team for the open source project. It is conceivable that an attacker could either: 1. Read all the code and look for exploits, then mount a large-scale attack to take everyone by surprise or select a specific target for any reason. 2. Alter the source code and then pass of the source and/or compiled binary as legitimate code and "infect" unknowing users (I believe this happened with OpenSSH a long time ago). MD5 usage could possibly negate this (unless the presented MD5 sum was altered as well) but most people don't mess with it. In summary, both have their faults, and neither is perfect. But don't doubt for a minute that popularity among users equates to popularity among hackers. People don't invest that kind of time into something without expecting a result. More targets = more incentive.

I think your last post is missing a couple of words, as I can't quite make sense of it. What was your reference about WINS and profiles? Also, are you getting different errors?

Almost, but a bit backwards: lmhosts file: 192.168.1.101 spike 192.168.1.102 scarface And the following in the hosts file: 192.168.1.101 blak2180.org 192.168.1.101 spike.blak2180.org 192.168.1.102 scarface.blak2180.org What would be ideal is to configure the SAMBA system as a WINS box, and then point the WINS entry in your XP client's IP properties to it. However, it has been a awhile since I have needed to configure a SAMBA server (mostly use them for clients in an AD environment) so I would have to look over the smb.conf to refresh my memory.

374.1 on my first hit (with a skip), and 350 with his nose stuck in the snow.

A couple of things of interest to me: 1. Are you supposed to have a "." zone? Normally, that makes the DNS server authoritative for all zones, and may disable use of the forwarders since the DNS box thinks it knows all. 2. I don't think I would keep the SRV record, as you are trying to provide for an LDAP store location, but it didn't sound like you are running an LDAP service (or are you?). You might just try editing those files on the XP box, and see if that helps your situation. If it does, then you have a name resolution issue, and we need more details of your network (hostnames, IPs, services provided by hosts, etc). Also, check to see if you can properly resolve all of the names using nslookup (or dig, if possible) from your XP client.

I don't believe that he was trying to insult anybody at all. Please refrain from responding like that in the future.

It is *possibly* trying to look up your SAMBA box using a DNS name, and I would bet that it can't resolve it. What you would normally do is host your own DNS, starting with Windows 2000 and Active Directory. If you are familiar with using DNS in Linux, I would suggest setting up that box to do so. If you are not familiar with doing this, you can edit your hosts file on your XP box and enter your DNS domain name, and the FQDN (fully qualified domain name) of your Linux box there. Also, you might want to rename the lmhosts.sam file to "lmhosts", and enter the NetBIOS name of your domain/workgroup ("Home" in your case) and the NetBIOS name of your server. The error itself is pointing to a lack of SRV record for an LDAP server (domain controller), which leads me to believe it's looking for an AD domain to join when you try to connect. Once you have the name resolution dealt with (run nbtstat -R to flush NetBIOS names, and ipconfig /flushdns to flush cached DNS entries on your Windows box) it should run better. At that point, you should be able to join your XP box to your SAMBA domain/workgroup.

Originally posted by mjwebb007: Quote: Yeah but isn't VMWare a little expensive and isn't it also USB keyobard and mouse unfriendly? I am making no assertions, I just remember reading these things somewhere (CPU Magazine maybe?) I have a USB mouse and Keyboard on my PC, and it works fine. In addition, I use a USB mouse with my laptop, and it still works (including the mouse wheel, which I use for scrolling desktops in Fluxbox). As for cost, it might be about twice what a couple of good harddrives cost, but still cheaper than most CPU/Mobo combos and a whole lot less than a new system (about $190). VirtualPC is less, but don't bother with it if you want to use KDE, Gnome, or any other rich GUI as it drags a lot.