On Feb. 24, 2000, we had three—count ’em, three—experts on hand. Did they agree on the best security tips and solutions? Read the transcript and see how TechProGuild members matched wits with our editors in this free-for-all. If you couldn’t join us then, we hope to see you on our next live Guild Meeting.
Note: TechProGuild edits Guild Meeting transcripts for clarity.
Jack Wallen, Jr.: hello ladies and gents! the gloves are off and we’re ready to shoot it out. i’ve tossed down the gauntlet and am waiting to be knocked down by Windows security. It’s me and the penguin in this corner!
Erik Eckel: Let’s not discount security in Windows!
Jack Wallen, Jr.: I promise I’ll be nice tonight. ;-).
Thewriterguy: security and Windows: isn’t that an oxymoron? :-)
Jack Wallen, Jr.: Are we ready to rumble?
Thewriterguy: rumble away.
Security solutions being used
Jack Wallen, Jr.: I think I’m going to start out by asking what level of security measures everyone is using, for what purpose and with what software/hardware.
Huevos: I’m new at this, so I don’t have any.
Erik Eckel: Windows 2000 Advanced Server.
Jack Wallen, Jr.: Cool! then to Huevos I’ll ask, what kind of security are you looking for?
Jcarlisle: Who let him in the room?
Josephtursone: We use Windows NT 4.0 and Novell 4.1.
Huevos: I need to bone up on all different types.
Jack Wallen, Jr.: great. Different types are good. i’m going to actually make a very ‘unlike Jack’ statement and say that knowing your options, knowing what each OS and software package can offer you as far as security is concerned is tantamount to success. let’s face it folks, security is essential to IT and business.
Huevos: How is Linux security better than Novell or WinNT?
Jack Wallen, Jr.: heck, I even have pretty high security on my home machine. i use @home and get hit a lot. without PortSentry and a solid /etc/hosts.deny set up, I’d be toast.
John Sheesley: Of course, there are different kinds of security. You want to block outsiders from accessing your network, but you also want to keep your users from getting into too much trouble.
Which OS is more secure?
Jack Wallen, Jr.: I’d say that Linux security is better than WinNT because, out of the box, you can edit one simple file and block out all incoming traffic.
Erik Eckel: I’d venture that a system administrator makes a bigger difference than the OS.
Jack Wallen, Jr.: plus, the open source nature of the OS brings to the security issue a level of configuration and detail that the proprietary OSs can not have.
Huevos: How easy is it to edit that file?
Erik Eckel: You can block all incoming traffic in an NT box without even editing a file! Just unplug the NIC!
Zop12: As far as Windows Security goes here, I have a Linux firewall/router/server between the Windows machines and the outside world. Additionally, all NT 4.0 machines are on SP5 at the least (some run SP6), with all but essential services disabled.
John Sheesley: Yup, unplugging the NIC is the only way to make NT C2 certified, as a matter of fact.
Jack Wallen, Jr.: oh, certainly a sys admin makes the biggest difference. But how many sys admins out there are truly versed in security to the point that they can take an NT box and lock it down as simply as a Linux box?
Zop12: Not many. I know of many security problems with NT’s \\MACHINE\IPC$ ‘share’ that NT and 95, 98, and probably 2000 share, and you can’t disable that heh.
John Sheesley: Unlike NetWare, which is C2 certified even when on the network.
Editing the Linux /etc/hosts.deny file
Jack Wallen, Jr.: to edit that /etc/hosts.deny file all you have to do is (as root) open it up in your editor (I use Pico) and enter the following: ALL: ALL, and your machine will not allow anything in.
Erik Eckel: Configured properly, Windows NT is a very strong and very stable OS. Just ask the US Navy.
Zop12: Which is moving away from it.
John Sheesley: The Navy also chose OS/2 at one point. hardly a ringing endorsement.
Huevos: to Zop12: What essential services are disabled?
Jack Wallen, Jr.: now port scanning is a different beast. it’s nearly impossible to block out a strong port scan (if a cracker or script kiddie really wants in, they’ll get in), but with a simple, and free, application called PortSentry, you can even block about 95% of attacks (100% of attacks by those who aren’t “professional”).
Jack Wallen, Jr.: The army dropped Microsoft and picked up Mac for security reasons.
John Sheesley: A good way to check your network for what hackers can do is to get your own port scanner such as PortFlash, and port scan yourself from an outside access point. However, be aware that some ISPs look for port scanning-like activity and may lock your account if you seem to be doing that.
Jack Wallen, Jr.: Be wary of certain apps and sites claiming to do port scans to test your machine’s security. they don’t always tell you the truth.
John Sheesley: Indeed, Jack. A good site for that is www.grc.com. Select Shields Up!
Josephtursone: I’ve heard one method is limiting port access to certain ports.
John Sheesley: It won’t scan all your ports, but it will look at the most common ones, like 80, 21, 119, and 139.
Jack Wallen, Jr.: there is a newsgroup called alt.ipl.discussion, which is pretty much the definitive place for “the real deal” in security. these guys are the best.
Zop12: Huevos: Non-essential, and none. When I run IIS, I do it in minimal security. And access is only allowed to the NT boxes through forwards from the Linux box. I disable “simple TCP/IP services” and enable only the bare minimum. I also set all but Administrative logins to have the bare minimum of access rights.
Erik Eckel: The Navy saved $20 million by selecting NT over UNIX, namely because NT proved secure and stable with 98%+ uptime over more than 1,000 hours in a mission critical test.
Josephtursone: So Linux is easily configured for total security, and though NT is not C2 certifiable, Novell is.
Zop12: I’d like to know where they got *that* figure from—I can’t even get a full week of uptime from my vanilla NT4.0-SP5 boxes!
Posix (UNIX) threads are efficient
Erik Eckel: All the Navy did was eliminate Posix and add simple firewalls.
Jack Wallen, Jr.: Are you talking about Posix threads?
Zop12: I also make use of NT’s security by setting the security services enabled, block all ports by default, and only open ports I need open (Like the HTTP or SQL port).
Jack Wallen, Jr.: if so, I was under the impression that Posix threads were much more efficient than any other threading.
Zop12: Posix threads are like so much more efficient when implemented according to the specs.
Erik Eckel: Yale University’s H. Morrow Long has said on record that it’s possible to make NT (4.0) secure with relative ease.
Zop12: But that of course depends on implementation.
Erik Eckel: Morrow said the problem is with the administrator.
John Sheesley: Yup, don’t plug it up to a network.
Zop12: But has he done it? Did he demonstrate it?
Can most admins really secure NT?
Jack Wallen, Jr.: yes, a professor from YALE, but the average (and I stress average) IT admin can’t do so.
Zop12: Guest3: I can make a Linux box quite secure with a few simple firewalling commands.
Jack Wallen, Jr.: that’s where I think Linux excels: in its simplicity.
Jcarlisle: Nor can your run of the mill Paper MCSE.
Jack Wallen, Jr.: can NT do IP chains?
Zop12: NT can barely do routing. heh.
Jack Wallen, Jr.: just checkin’.
Zop12: Even Linux’s old ipfwadm firewalling was better than the NT routing/firewalling.
Jack Wallen, Jr.: ;-).
Erik Eckel: Average admins shouldn’t be responsible for mission critical security.
Companies often overlook security
Jack Wallen, Jr.: no, they shouldn’t, but often they are. most companies don’t even consider security until it’s too late.
Zop12: Most “admins” are just barely a cut above the average user, or maybe power user.
John Sheesley: Jack has a point. Most businesses don’t have a clue, nor can they hire the proper people to administer their networks to begin with.
Jack Wallen, Jr.: exactly. Most admins are point and clickers, and, in my opinion, point and click != secure.
Mikkilusa: hmm…must be why I work 2 jobs?
Jack Wallen, Jr.: (Sorry if some didn’t get my little joke. != means “is not equal to”.)
Zop12: Which is why Linux is so simple. Look at the howto, enter this command, and bam, all ports are blocked.
John Sheesley: Of course, the vast majority of businesses with networks are small businesses with less than 250 employees. Most of those companies don’t have the resources or knowledge about who they need to run their networks.
Josephtursone: So Posix threads and IP chains are plusses in looking at NT security?
Jack Wallen, Jr.: if you’ve ever seen something like PortSentry at work, you’ll know in a flash how simple Linux security is.
Mikkilusa: and thanks to these meetings I think I have convinced my company to use Linux as our firewall server.
IP/IPX gateways and BorderManager are more secure than NT and IP
John Sheesley: Of course, being connected to a network, a Novell network, especially when running BorderManager, is still more secure than NT, although not as easy to set up as a Linux box.
John Sheesley: However, when running an IP/IPX gateway, a hacker can’t even get onto the network past the server. That’s the advantage to running a protocol other than IP on your network.
Zop12: Which is basically what is performed here with the non-forwarding box.
John Sheesley: Zop: Yup.
Zop12: Ohh, and Linux clustering is so much cooler than NT’s. www.mosix.org/. I’m using it now, and it works AWESOME : ). Sorry, shameless plug. [MOSIX is a software package that enhances the Linux kernel with cluster computing capabilities.]
Mikkilusa: we will still use Novell for NDS, so if they get past the box they run into IPX. Can you get any more secure?
Zop12: Not by much, but if they break the NDS box, and it’s got all the stuff on it—well, they’ve achieved their goals : ). Security isn’t merely blocking things, it’s keeping the box doing the blocking secure as well!
Jack Wallen, Jr.: and security, in my opinion, is having a back up plan! too many people forget that.
Mikkilusa: If they’re that good can they be stopped anyway?
Jack Wallen, Jr.: no, they can’t. look at how many huge (big dollar) companies have been brought down.
John Sheesley: Well, unless you’ve enabled some type of remote access, you can’t access NDS resources from a WAN using IP any way, if you’re running BorderManager or an IP/IPX gateway.
Mikkilusa: The concern is not so much getting info as much as deleting files or destroying volumes.
Jack Wallen, Jr.: even by simple DOS attacks, which is not really a hack.
John Sheesley: And they certainly can’t access workstations that are only running IPX.
DMZ server method
Zop12: The best thing is DMZ type firewalling, i.e., Internet<->DMZ Servers<->Internal Servers. With the DMZ Servers being able to go out, but probably not in, and internal only being able to get to the DMZ—then like totally secure all DMZ systems.
Jack Wallen, Jr.: what I find useful (which is something that Zop is pointing towards) is having a plan before you set things up.
Zop12: But none of that does any good if you get one bonehead with console access. You have to have physical security as well.
Mikkilusa: that points back to insiders.
Jack Wallen, Jr.: can we say rootkit?
John Sheesley: Physical security is essential. You’ll have many more problems with your own users causing mischief than you will with hackers.
Zop12: Think about how things need to be used BEFORE you plug anything in or even look at hardware, before the T1 is ordered, heh.
Jack Wallen, Jr.: would that be before the T1 goes down?
Mikkilusa: yes. Previously discussed in a prior meeting, yet very valid.
NT will never be C2 certified in the real world
Erik Eckel: Here’s a correction to Sheesley’s statement regarding NT security:
John Sheesley: Of course that points to what Zop is saying; you have to have a FULL security plan. for your users, for your servers, for your network infrastructure, and for your WAN.
Zop12: The best firewalling in the world won’t protect from Joe Janitor plugging his 14 amp vacuum into your 20 Amp computer outlets and tripping breakers.
Erik Eckel: On December 02, 1999, the US Government announced that Microsoft Windows NT Server and Workstation 4.0 had completed a successful evaluation at the C2 level according to the Trusted Computer System Evaluation Criteria (TCSEC).
John Sheesley: NT is C2 certified ONLY when not connected to a network. Quit reading marketing papers.
Zop12: NT is only non-network C2. It’ll never make C2 in the real world.
Most secure out-of-the-box OS
Jack Wallen, Jr.: here’s a question for everyone: OUT OF THE BOX, which OS would you trust with your security and why?
Mikkilusa: OK John Sheesley, if not connected to network = useless, correct?
Erik Eckel: That’s not correct: The Windows NT 4.0 evaluation included servers and workstations in six different roles, operating in both TCP/IP networked and stand-alone modes.
Erik Eckel: You want the link?
Zop12: : ).
Zop12: DOS w/o a keyboard and video card that is hehehe.
Jack Wallen, Jr.: hehehe DOS=Devoid Of Security.
John Sheesley: Solaris isn’t so secure out of the box. You must apply ALL of the latest patches to make it fully secure.
Josephtursone: UNIX out of the box == a long established OS that’s been tweaked a lot.
Andy_davis: AmigaDOS 1.3 :-).
John Sheesley: Many of the latest DOS attacks came from exploits on unpatched Solaris boxes.
Zop12: But seriously, Linux. Straight out of the box it’d be way more secure than an NT box (I’ve proven it—SP5 is like required, but even Red Hat 5.2 doesn’t have any really nasty holes).
Erik Eckel: www.radium.ncsc.mil/tpep/epl/entries/TTAP-CSC-EPL-99-001.html . Read it and weep, Linux fans!
Mikkilusa: Erik Eckel, can we ask, do you own a lot of Microsoft stock?
Zop12: Erik Eckel, Error 404. egh.
Erik Eckel: None.
Erik Eckel gets more grief about NT security
Jack Wallen, Jr.: that’s odd, ‘cause I ran a check. A lot of those were NT boxes. in fact when the companies that had the credit cards stolen were announced I checked them, and EVERY ONE of them was running NT server.
Zop12: n/, == got that period.
Erik Eckel: Just presenting the facts.
Josephtursone: I’ll use that reference in my project on NT security.
Zop12: Erik Eckel, I’m going to verify this because it is an MS press release.
Erik Eckel: It’s an issue with our Solaris box!
Zop12: Windows NT Workstation and Windows NT Server 4.0 SP6a w/ C2 Update.
Jack Wallen, Jr.: so, out of the box we have Solaris, and UNIX explicitly voted upon.
Zop12: And I’ve never seen a C1 Update in my hot little hands nor anyone else’s. So NT is modified to reach C2 security. And obviously specially modified—so the test is not valid IMHO.
Mikkilusa: must have been paying attention and retaining from these meetings. Pays to be a learning sponge.
Jack Wallen, Jr.: what I think is interesting, and one of my soap box points, is that pretty much ANY OS can be locked down with third party applications and hours of tweaking. but from my own personal experience, only one can be locked down tightly in about 30 seconds, and without any outside intervention.
Zop12: I don’t know what C2 requires, but so long as it doesn’t need full MLS, Linux can reach that out of the box with a few daemons disabled (prolly just the IMAP/POP daemons).
Andy_davis: Security was one of the base design goals for the Windows NT operating system. But they didn’t get there until Version 4.0 with Service Pack 6a.
Zop12: Mikkilusa: Pays to be a knowing one—I got a Rio PMP300 and (if it ever arrives) a new computer from www.buypogo.com/.
Huevos: How did you win the computer?
Mikkilusa: good job, Zop12.
MODERATOR: Zop, we’ll follow up with them tomorrow to find out what’s taking so long.
Andy_davis: Remember, Windows NT 4.0 has been available since August 1996. Service Pack 6a has what date stamp?
Mikkilusa: Zop won by coming to these great meetings 3 weeks ago.
Zop12: Erik, I’d take 2.3.42 (with known file system corruption problems), over NT in a security battle, hehee.
Jack Wallen, Jr.: and go to /etc/inetd.conf and comment out the whole file and BLAM no one can get in…well…thanks to the help of /etc/hosts.deny.
Zop12: Huevos: Yup… I’m generally pretty busy but when I show up I do my best to contribute—I actually felt bad because I only showed up for 15 minutes or so of the first meeting and then the whole last one : ).
Zop12: And I’m running Linux 2.2.14 right now, which has scheduler/performance problems, but it still hasn’t crashed on me at all.
Jack Wallen, Jr.: yeah, I have the kernel-2.2.14-1.3.0 running with GNOME 1.1 and it’s bombproof!
Clustering Linux with MOSIX
Zop12: jwallen: Well, and disable any standalone daemons if need be. Or just set ipchains [ipchains is a way to set up Linux firewall rules] to block all incoming data not bound for other nodes : ). 2.2.14-MOSIX and err three others—they are clustered. Clustering consisted of… ./mosix.install. compile kernel w/ MOSIX enabled. reboot. Answered startup questions for Node-ids and IPs, and then it worked : ).
Jack Wallen, Jr.: another plus of Linux is that I can run beta software (apps that are listed as unstable) and get incredible performance out of them because the writers of these programs are in it for the ego. they want to create that ‘killer’ app.
Zop12: I’ve got a 4 machine cluster for uhm, like nothing—and with MOSIX, apps don’t need to be cluster-aware at all. It moves them to the most available node based on what they are doing, and it does it all securely, if you do it in a normal cluster environ (separate cluster network).
Jack Wallen, Jr.: that and the fact that UNIX pretty much built the net…the architecture and archetype has been in play for so long and it’s one that Linux was based on.
Too many Linux versions
Josephtursone: but what about the disparities between Linux versions and their deployment?
Jack Wallen, Jr.: you mean, say, the differences between Red Hat and Corel?
Josephtursone: Isn’t there a great amount of difficulty in going from one version to the next of Linux?
Jack Wallen, Jr.: i find that once you know one Linux, learning the others is pretty simple.
Huevos: What is the best version of Linux to start out on?
Zop12: The reason Linux and UNIX are so secure is KISS—Keep It Simple Stupid. The Linux/UNIX arch is well separated into functional units. ipv4 here, firewalls/routing here, fs stuff here, etc. And each part is well tested before it goes mainstream. And coders debug as they go.
Jack Wallen, Jr.: and once you learn compiling/installing from sources, you can do pretty much anything on any Linux box.
Mikkilusa: and that UNIX was speaking IP before Novell was invented was one winning point.
Zop12: Joseph: Linux versions aren’t like switching between HP-UX and say, DG/UX or OpenServer.
Jack Wallen, Jr.: i’d say you have to look at Linux from different POVs. for the new user, Corel is pretty killer. for the user wanting to be able to expand and learn, then Corel is not your thing.
Jack Wallen, Jr.: i recommend Red Hat for a couple of reasons.
Andy_davis: just remember, Linux is the kernel; the distributions are wrapping. you need to focus on what kernel version you’re working with.
Jack Wallen, Jr.: 1) I really think it’s going to become the standard. 2) it’s very simple to use, and also incredibly flexible. but I’m also looking at it from a desktop point of view (it’s how I mainly use it).
Zop12: Red Hat is prolly the better of both worlds, though ppl catch crap from ‘hackers’ for running it because RH sorta dumbed Linux down.
Josephtursone: Zop12: OK, I just meant we encountered different permission settings that our prof didn’t catch on to right away.
Zop12: Joseph, well that’s a user problem. File permissions are something that are just weird in ANY security system and have nothing to do with what OS it’s running under (I find NT’s to be the worst but that’s me).
Jack Wallen, Jr.: yeah, you can’t set everything at root permission. Well, you can, but it’s not very nice.
Zop12: I use it in a mainly server role here, and it’s great.
Jack Wallen, Jr.: as far as security is concerned? FreeBSD. but FreeBSD is NOT for the weak at heart.
Zop12: So really it goes both ways. FreeBSD is OK for security, but uhm (IIRC) OpenBSD is more so.
Andy_davis: got version 3.3 of FreeBSD. still looking for a box to install it on.
Jack Wallen, Jr.: as far as I know the BSDs are the closest ‘Linux’ to UNIX that there is.
Erik Eckel: What about the file system security in Windows 2000?
Josephtursone: Great! I’ve got some positives and negatives for my Windows NT project this semester.
Jack Wallen, Jr.: hey I have to give an 8 minute warning…or some such.
Zop12: I’d like to see true ACLs added as an option to Linux EXT2/3, but it’s too much of a performance hit really. And I’d shoot my fellow developers if they did it as a non-unsettable option : ).
Jack Wallen, Jr.: i guess we should wrap up security.
Erik Eckel: It boasts Smart cards, EFS, public keys, IPSec, Kerberos 5…
Jack Wallen, Jr.: hey he’s back! he’s alive!
Erik Eckel: What else is up for discussion, gentlemen?
Zop12: I couldn’t go to the LinuxWorld because I didn’t have enough $$ for airfare, heh (Like tickets are waaay too spendy last minute).
MODERATOR: 8.5 minute warning folks…
Erik Eckel: Sorry, but I’ve just installed Corel Linux, so I need time to get up to speed.
Jack Wallen, Jr.: i’ll say one thing (that’s not really security related) about LinuxWorld.
John Sheesley: LOL… was just reading the C2 security report for NT… it IS indeed C2 certified on a network running SP6a and the C2 update… UNLESS…
Erik Eckel: I wouldn’t lie to ya!
John Sheesley: …you’re running Posix, Streams, RAS, DHCP, NetBeui, Appletalk.
Zop12: Linux has add-ons for crypted file systems, Kerberos 5 was invented on UNIX and runs on Linux—IPSec (v4 and v6) are currently in alpha/beta stages.
John Sheesley: Kind of leaves out a few items…
Josephtursone: gotta go. Lab hours are only till 10PM :-(.
Jack Wallen, Jr.: while I was there I noticed something different. i remember other expos, and feeling that raw desire for world domination and that feeling of being an underdog. well, Linux has been accepted now, both by the public and business, and it (as a whole) is not sure what to do with itself.
Zop12: Joseph: Stick around for just 10 more minutes : ).
Josephtursone: Zop12: with security breathing down my neck.
Zop12: jwallen: Yah, the whole community tone is like that now heh. We are now totally after MS : ).
Mikkilusa: Well, I’m just starting down the Linux road, so I have many questions for future Linux meetings.
John Sheesley: I guess you can still run TCP/IP.
Josephtursone: OK, bye.
A sense of humor kicks in
Jack Wallen, Jr.: hehehe I read today that there’s vast rumors going around that Bill Gates stepped down as CEO so he could take the time to learn Linux. ;-). sorry I took us off track for a moment.
Erik Eckel: Kerberos was an MIT invention. Here’s the FAQ: www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#whatis.
Our Guild Meetings feature top-flight professionals leading discussions on interesting and valuable IT issues. You can find a schedule of Guild Meetings in your weekly TechProGuild Notes TechMail, or on the Guild Meeting calendar.