Main Area and Open Discussion > General Software Discussion
Stop Windows from calling home
Tuxman:
Fortunately, I'm not a stupid user that clicks yes to everything, and locations that are sensibly set up will have non-trusted users run as exactly that: non-trusted users without admin privs.-f0dder (January 04, 2010, 07:32 PM)
--- End quote ---
So, at least, we're talking on a similar level. Quite a progress yet.
Btw, as for automatic updates: standard users should keep that on. But, while it hasn't happened very often, once in a blue moon and on a subset of configurations, updates have caused trouble.-f0dder (January 04, 2010, 07:32 PM)
--- End quote ---
I know about that, but I wouldn't count this as a reason to disable AU for standard users. We're not talking about important servers right now (which should never run Windows anyway), right?
f0dder:
Fortunately, I'm not a stupid user that clicks yes to everything, and locations that are sensibly set up will have non-trusted users run as exactly that: non-trusted users without admin privs.-f0dder (January 04, 2010, 07:32 PM)
--- End quote ---
So, at least, we're talking on a similar level. Quite a progress yet.-Tuxman (January 04, 2010, 07:46 PM)
--- End quote ---
I don't think anybody claimed you could have a secure environment if you let uneducated users run amok with admin accounts. You're the one who flat-out claimed that packet filters aren't firewalls and that Windows' built-in firewall is useless - which is ludicruous, for reasons mentioned in this thread as well as the previous one.
Btw, as for automatic updates: standard users should keep that on. But, while it hasn't happened very often, once in a blue moon and on a subset of configurations, updates have caused trouble.-f0dder (January 04, 2010, 07:32 PM)
--- End quote ---
I know about that, but I wouldn't count this as a reason to disable AU for standard users. We're not talking about important servers right now (which should never run Windows anyway), right?-Tuxman (January 04, 2010, 07:46 PM)
--- End quote ---
1) I already said this didn't apply to regular users (but I find it worth mentioning nonetheless).
2) why would't I run an important server on a Windows box? Ever checked this list? Which environment you choose depends on the requirements. I wouldn't be comfortable with neither Windows nor Linux controlling nuclear plants or aircrafts - neither were written for realtime demands, and neither of them have strict enough code quality. But web- or database server or DNS or mail or whatever, even for something important? I wouldn't rule out Windows before doing a little research.
My personal fileserver (which can hardly be thought of as a critical machine) runs linux - simply because it's free. Free as in beer.
Tuxman:
You're the one who flat-out claimed that packet filters aren't firewalls-f0dder (January 04, 2010, 08:02 PM)
--- End quote ---
Packet filters and "real" (hardware) firewalls work on the network layer, "software firewalls" mainly on the application layer. (With a driver-thingy on another layer, probably, but then we'll have a packet filter again.)
and that Windows' built-in firewall is useless-f0dder (January 04, 2010, 08:02 PM)
--- End quote ---
... and potentially dangerous.
2) why would't I run an important server on a Windows box?-f0dder (January 04, 2010, 08:02 PM)
--- End quote ---
Because Windows is not known for stability and security, both of them are the most important attributes of servers IMO.
(Oh, and Windows' cmd.exe without [at least] some *ix tools is, at best, a sick joke when it is about configuration and server maintenance. This refers explicitly to this special case. In other threads I'll stick with my opinion that cmd.exe is everything I need. Maybe because I don't have to control a server system with it. But we're drifting a bit OT here, aren't we?)
Ever checked this list?-f0dder (January 04, 2010, 08:02 PM)
--- End quote ---
Uptime depends on various things. That Windows servers are on top of the list doesn't necessarily mean something. (edit: Missed a dot.)
My personal fileserver (which can hardly be thought of as a critical machine) runs linux - simply because it's free. Free as in beer.-f0dder (January 04, 2010, 08:02 PM)
--- End quote ---
Now that's not actually a reason. If it was, no-one would use Windows anymore, as it is not free. :D
f0dder:
Packet filters and "real" (hardware) firewalls work on the network layer, "software firewalls" mainly on the application layer. (With a driver-thingy on another layer, probably, but then we'll have a packet filter again.)-Tuxman (January 04, 2010, 08:55 PM)
--- End quote ---
The personal firewalls I've seen - included Windows' own - have been packet filters, your link talks about a completely different thing. Some of the personal firewalls additionally knows about socket<>app relationship and can do application integrity checking... and then there's the next class that adds packet/protocol inspection. But let's stick with packet filters since that's what Windows' firewall does.
[you claim that] Windows' built-in firewall is useless-f0dder (January 04, 2010, 08:02 PM)
--- End quote ---
... and potentially dangerous.-Tuxman (January 04, 2010, 08:55 PM)
--- End quote ---
Proof? You've come up with one thing so far, which is more than three years old, limited to XP, and requires the ICS service to be on (which it isn't by default, as far as a lazy google says). Using linux iptables can be potentially dangerous; ironically, a lot of "hardware firewalls" run linux kernels.
Because Windows is not known for stability and security, both of them are the most important attributes of servers IMO.-Tuxman (January 04, 2010, 08:55 PM)
--- End quote ---
That's a claim I've heard before... of course we have no way of knowing if any of the servers on the uptime lists have been exploited (my guess is not), but you wouldn't really have multi-year uptime if the system wasn't stable. As for security goes, any internet-facing server set up by a competent sysadmin will only have necessary services exposed, and will have those services running in reasonable security contexts. NT has a lot more flexible security model than your standard run of the mill linux, by the way - adopted from VMS.
And it's not like *u*x daemons haven't had their fair share of exploits during the years. Apache, BIND, wu-ftpd, whatnot. Also, both OS X and Linux kernels have had very interesting local privilege escalation during the recent months, some of which are present in several years worth of kernels... could that with a remote exploit in a single third-party service (or even something as a lowly PHP bug) and boom, you've got root. Non-Windows doesn't automagically equate secure - no matter what you run, you need competent server admins who keep their eyes open.
(Oh, and Windows' cmd.exe without [at least] some *ix tools is, at best, a sick joke when it is about configuration and server maintenance.-Tuxman (January 04, 2010, 08:55 PM)
--- End quote ---
So what, really? Windows isn't unix, things work differently. You can automate settings with policies... sure thing, I use tools like grep on my windows box pretty often. But for the tasks I do here, I don't need a more powerful shell. The few times when a simple batch file won't suffice I'd much rather be whipping up a Python script... if you don't feel that way, go PowerShell or Bash. But yes, we're drifting. My point is that, well, you use different systems differently. Being able to handle configuration via SSH is nice though, especially over slow links (but thanks doyc that the RDP protocol isn't as retarded as VNC).
Anyway, OS pissing contest aside, your premise was that Windows built-in firewall is useless. By this, you're saying that packet filters which require administrative privileges to configure are useless... which I still find to be a ludicrous claim.
Tuxman:
You've come up with one thing so far, which is more than three years old, limited to XP, and requires the ICS service to be on (which it isn't by default, as far as a lazy google says).-f0dder (January 04, 2010, 09:32 PM)
--- End quote ---
http://en.wiktionary.org/wiki/potential
And it's not like *u*x daemons haven't had their fair share of exploits during the years. Apache, BIND, wu-ftpd, whatnot. Also, both OS X and Linux kernels have had very interesting local privilege escalation during the recent months, some of which are present in several years worth of kernels... could that with a remote exploit in a single third-party service (or even something as a lowly PHP bug) and boom, you've got root. Non-Windows doesn't automagically equate secure - no matter what you run, you need competent server admins who keep their eyes open.-f0dder (January 04, 2010, 09:32 PM)
--- End quote ---
Some are "better" however.
Of course you can configure *ix to be insecure, of course you can even have a secure Windows XP server or something. The software running on the server is the bottleneck - and now we're on topic again. The one who installs and maintains the software is responsible for it to work properly. If he fails, not even a firewall of any kind can help him. If he succeeds, he doesn't need paranoia. There might be something in between. Does it really matter?
So what, really? Windows isn't unix, things work differently.-f0dder (January 04, 2010, 09:32 PM)
--- End quote ---
Now this is not a reason for having to use a rather mediocre shell, is it?
By this, you're saying that packet filters which require administrative privileges to configure are useless-f0dder (January 04, 2010, 09:32 PM)
--- End quote ---
... to me. Maybe there are some rare circumstances that might be easier to handle with something like a "packet filter". Using such does not necessarily make your system more secure, though.
Navigation
[0] Message Index
[#] Next page
[*] Previous page
Go to full version