[Techtalk] WHY everyone should use Linux

vatsan vatsan at grove.ufl.edu
Wed Jul 21 10:15:03 EST 2004


> Charlie Swain wrote:
> > I tell them our desktops along with our servers need to be linux/unix
> > based. Why, they keep asking, especially since I am actually an MCSE.
> > BECAUSE .... you don't get the majority of the viruses/worms.  

[Vatsan] I hope you are not running Win2K or an older OS... There are many
basic things you can do even in a windows environment to make life safer...
I run windows xp on my home machine, and in the last two+ years, I've never
been infected by a virus/worm, or even had a system reboot because a worm is
trying to (unsuccessfully) attack the rpc interface in my box... 

Some of the things I do (and some that I would suggest) are...
1. run a firewall on my computer (Norton's personal firewall is very good!
The firewall integrated into XP SP2 is also very good)
2. run a firewall in your network, and turn off access to every port
except those you need.. 
3. turn on automatic sig. download on AV software... keep it high frequency
- I check for updates at least once a day. 
4. Enable automatic updates and set it up for automatic installation - this
one sounds a bit scary, but in recent times, windows updates have been very
stable and reliable (assuming you are in a small/medium/large office
environment). There are reports of regressions almost every time, but they
are usually esoteric in nature... 
5. Do not forget office updates - there is no automatic mechanism to do it,
but it is fairly important! 
6. Remove all services/startup programs that are not needed
7. Don't let the users act as local admins... lock down the systems using
group policy 
8. in an AD environment, you should probably be using SMS server to control
the clients... (and not just relying on group policies and SUS server)
9. When XP SP2 comes out, install it asap... 
10. if you are using an exchange environment, shut down the pop/imap servers
if no one needs 'em..
11. disable non-ssl connections to the outlook web access interface
12. lock down IIS using the IIS Lockdown tool... disable FTP/SMTP/WebDAV etc
on the IIS server. "Buy" your certificate from a CA for use in the SSL
connections to your web server - don't run your own root CA..
13. Do not allow simple auth VPN connections to your business network...  It
should be a cert auth or smart card auth system


I can make a bigger list, but just doing most of the above should keep
worms/viruses away... it is called reducing the attack surface.

> > OK..I quit ranting....I just want to know how to convince them
> > DUHH....look at the numbers!  

[Vatsan] worms/viruses are logically not the users' problem - they are the
network admin's problem. So the users should not be asked to switch to a
different system just so that the admin's life becomes easier. The only good
reason to switch to a different system is because the new system is more
useful to the folks using it, makes them more productive and leverages
their time better. If you are convinced of these things, you can try to get
permission for setting up a prototype system with some volunteers and run a
pilot... 


Another option is to invest in Virtual PC for windows, and set up a virtual
linux box the way you'd like to. Then announce to the users of your network
that an alternative is available, and they are welcome to try it out. If
many folks like it better than windows, they will create sufficient inertia
to force the management to rethink this issue... 
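The checklist in the post above (host firewall, automatic updates, unneeded services, no local admins) can be audited from a script; the following read-only PowerShell audit is an added example, not code from the original post, and it assumes a current Windows host (Get-NetFirewallProfile and Get-LocalGroupMember did not exist on XP-era systems), an elevated prompt, and the constructed `$Allowed` and `$ShouldBeStopped` lists as placeholders for your own site policy:

```powershell
# Added example (not from the original post): read-only audit of items 1, 4, 6 and 7.
# Assumes a current Windows host and an elevated PowerShell prompt.

function Test-HostFirewall {
    # Item 1: the built-in firewall should be enabled for every profile.
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{ Check = "Firewall ($($_.Name))"; Ok = [bool]$_.Enabled; Detail = "Enabled=$($_.Enabled)" }
    }
}

function Test-AutomaticUpdates {
    # Item 4: AUOptions 4 = download and install automatically.
    # The policy key (set by group policy) wins over the local key, so it is read first.
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $value = $null
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name AUOptions -ErrorAction SilentlyContinue).AUOptions
        if ($null -ne $v) { $value = $v; break }
    }
    [pscustomobject]@{ Check = 'Automatic Updates'; Ok = ($value -eq 4); Detail = "AUOptions=$value" }
}

function Test-LocalAdmins {
    # Item 7: ordinary users should not be members of the local Administrators group.
    # $Allowed is a constructed placeholder; list the accounts you actually expect there.
    param([string[]]$Allowed = @('Administrator', 'Domain Admins'))
    $members = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { ($_.Name -split '\\')[-1] }
    $extra = @($members | Where-Object { $Allowed -notcontains $_ })
    [pscustomobject]@{ Check = 'Local admins'; Ok = ($extra.Count -eq 0); Detail = "Unexpected: $($extra -join ', ')" }
}

function Test-UnneededServices {
    # Item 6: services a workstation should not be running. The list is a constructed placeholder.
    param([string[]]$ShouldBeStopped = @('RemoteRegistry', 'Telnet', 'SNMP'))
    foreach ($name in $ShouldBeStopped) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) {
            [pscustomobject]@{ Check = "Service $name"; Ok = ($svc.Status -ne 'Running'); Detail = "Status=$($svc.Status)" }
        }
    }
}

# Collect all findings into one table; any row with Ok = False is a gap against the checklist.
& { Test-HostFirewall; Test-AutomaticUpdates; Test-LocalAdmins; Test-UnneededServices } | Format-Table -AutoSize
```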


