[Techtalk] WHY everyone should use Linux

Devdas Bhagat devdas at dvb.homelinux.org
Thu Jul 22 15:05:19 EST 2004


On 21/07/04 10:15 -0700, vatsan wrote:
> 
> > Charlie Swain wrote:
> > > I tell them our desktops along with our servers need to be linux/unix
> > > based. Why they keep asking especially since I am actually a MCSE.
> > > BECAUSE .... you don't get the majority of the viruses/worms.
> 
> [Vatsan] I hope you are not running Win2K or older OS... There are many
> basic things you can do even in a windows environment to make life safer...

Win2K is just fine. If you are using the NT family, those operating
systems *can* be made secure with sufficient effort. The NSA has guides
on how to do this. It is quite hard to get everything right, and usable.

> I run windows xp on my home machine, and in the last two+ years, I've never
> been infected by a virus/worm, or even had a system-reboot because a worm is
> trying to (unsuccessfully) attack the rpc interface in my box... 
> 
> Some of the things I do (and some that I would suggest) are...
> 1. run a firewall on my computer (Norton's personal firewall is very good!
> The firewall integrated into XP SP2 is also very good)

SP2 isn't out yet. There is a stateless firewall on the Windows systems.

> 2. can run a firewall in your network, and turn off access to every port
> except those I need.. 

Basic security needs. Quite a lot of ranting has happened on this topic
on firewall-wizards. I thought of pointing you to specific threads, but
in this case:
http://honor.trusecure.com/pipermail/firewall-wizards/2004-May/thread.html
http://honor.trusecure.com/pipermail/firewall-wizards/2004-June/thread.html
http://honor.trusecure.com/pipermail/firewall-wizards/2004-July/thread.html

Reading that should be instructive, to say the least.

> 3. turn on automatic sig. download on AV software... keep it high frequency
> - I check for updates at least once a day. 

The mail servers I maintain update 12 times a day. They also block a lot
of executable content out, by extension and by file type. This policy is
draconian, but it works.

> 4. Enable automatic updates and set it up for automatic installation - this
> one sounds a bit scary, but in recent times, windows updates have been very
> stable and reliable (assuming you are in a small/medium/large office
> environment). There are reports of regressions almost every time, but they
> are usually esoteric in nature... 

Actually, the right way to do it is to test it in a test network, then
deploy.

> 5. Do not forget office updates - there is no automatic mechanism to do it,
> but it is fairly important! 

Not just office, all software you have installed.

> 6. Remove all services/startup programs that are not needed

Good advice. 

> 7. Don't let the users act as local admins... lock down the systems using
> group policy 
> 8. in an AD environment, you should probably be using SMS server to control
> the clients... (and not just relying on group policies and SUS server)

Good advice. Needs time, and a skilled Windows administrator.

> 9. When XP SP2 comes out, install it asap...
Test first. This is not a home system.

> 10. if you are using an exchange environment, shut down the pop/imap servers
> if no one needs 'em..
And use the undocumented Exchange interfaces instead?

> 11. disable non-ssl connections to outlook web access interface
Good advice.

> 12. lockdown IIS using the IIS Lockdown tool... disable FTP/SMTP/WebDAV etc
> from IIS server. "Buy" your certificate from a CA for use in the SSL
> connections to your web server - don't run your own root CA..
Why not? Running our own CA is fairly easy and you don't need to waste
money in getting the certificate signed by a third party if you never
deal with outsiders using that certificate.

> 13. Do not allow simple auth VPN connections to your business network...  It
> should be a cert auth or smart card auth system
> 
> 
> I can make a bigger list, but just doing most of the above should keep
> worms/viruses away... it is called reducing the attack surface.
> 
> > > OK..I quit ranting....I just want to know how to convince them
> > > DUHH....look at the numbers!  
> 
> [Vatsan] worms/viruses are logically not the users problem - they are the
> network admin's problem. so the users should not be asked to switch to a
> different system just so that the admin's life becomes easier. the only good

There are administrative costs associated with any system. There are
also running costs. The business needs to evaluate if the cost of
running that system is worth the returns it generates.

> reason to switch to a different system is because the new system is more
> useful to the folks using them, and makes them more productive and leverages
> their time better. If you are convinced of these things, you can try to get
> permission for setting up a prototype system with some volunteers and run a
> pilot... 

Actually, the only thing to consider is the budget. If the cost of
downtime, frustration and administrative hassle is less than the cost of
running $platform, then it is worth using $platform.

Management will only be convinced by $ values. That, after all, is their
job.

Devdas Bhagat

