October 2003 - Posts
Many of you who know me know that I am very active in circles where my expertise is strong. Over the past 6 months, I've spread a little further into the Security realm, and this has been an eye opening move. However, it's also a good growth step.
But - this has nothing to do with any of this. My wife and I have purchased a new house and we are busily trying to get our current one on the market by the end of October. I live in Nebraska, and once Football season starts and the snow flies, the house market begins to slow. Football season has started, so all I'm waiting for is the snow to assure that houses will go unsold until the Nebraska tundra turns green again.
So, if this space is sparse (I'm still trying to figure out the theme and direction.... this blogging is nowhere near as easy as I thought it was going to be. It requires CREATIVE thought. ;o), you know what I'm doing. Also, once we get into the new house - Mid-January to Early February, I'll post some pictures.
Rick Kingslan
Microsoft MVP - Active Directory
Like a bad horror flick sequel, the argument keeps getting dredged up, propped into position, and sent out on its merry way to cause senseless death and destruction. The initial arguments of 'My OS is better than your OS' were bad - now they're just getting ludicrous. And, much like the junk that Hollywood churns out to continue movie franchises that never should have made it past the first movie, the battle just moves to more unbelievable territory.
The Linux Camp will have you believe that Linux, by default, by design, by golly, is more secure. It's not subject to worms, virus attack, Act of God, or bad hair days. If you mess it up - it's your fault. Now, that's a way to win friends and influence people. But, we're going to get to that - it's an endemic problem.
Similarly, the Windows Camp would have you believe that Windows is now 'Secure by Default', is a strong contender in the secure OS arena, and is just the victim of bad publicity by folks that just don't like the idea that a publicly held company wants to protect its intellectual property to make money. I really hate it when capitalism and the American Way creates a roadblock to progress.
Two articles, point and counter-point, (I wonder if these folks will get sued by 60 Minutes? I mean, why not? I'm sure that 60 Minutes is just as litigious as the rest of America, and it just seems chic these days to sue a computer company or computer people in general.) present good arguments either way.
One proposes that Microsoft's Windows is a festering pool of code, waiting to be infected by worms, virus, demons, and should be spewing pea soup anytime soon. The other defends the Windows OS by proposing that Windows is not the only OS that has issues with exploits and exposures - in fact, Linux has 3 to 5 times the number of vulnerabilities as Windows. In both articles, the browser seems to come under direct fire, and rightly so. IE (Internet Exploder) in this corner, Mozilla (Bugzilla) in this corner. Freddy vs. Jason.....
All in all, the articles present compelling evidence that, regardless of which OS you choose, it's probably a good idea to be security aware. Wow - like this is some kind of earth-shaking revelation. Anyone who has spent more than 3 days supporting an OS in a business setting is aware of this. It's like watching that horror flick and really being surprised that the villain has to be killed 5 different times at the end of the film just so the one lone heroine can walk proudly (though drenched head to foot in water, mud, blood, etc) out of the house at dawn. Yawn.
The mantra that Microsoft put out as the initial rally cry, even in advance of the now famous Bill Gates memo on 'Trustworthy Computing', is 'Get Secure, Stay Secure'. I've been critical of this particular stance in light of the fact that illegal software cannot be patched in the primary methods that Microsoft proposes to make the task easier, but the stance of getting and staying secure is a correct one. The challenge is how do you get all of those 600 million copies of Windows secure? And, to that same point, how does one keep those uncounted numbers of Linux systems secure? Again, putting on the OS agnostic hat, an insecure system is an attack platform just waiting for the launch orders to be given.
Should all computers have a smart card reader (non-removable - unless however, you don't mind destroying the system) attached - and the OSs made aware of the requirement and refuse to work if a valid smart card is not available? Think about it - if a smart card is REQUIRED to operate the PC, then we can start treating this like a Driver's Exam. Show us that you can Safely and Securely operate your PC, and that you know HOW to update the system - then a smart card will be issued to you. If you go out of security compliance, or you operate your PC in a manner which harms others - Zap! Certificate revoked, thanks for playing.
Yes, I know - literally impossible to implement. Plus, the technical challenges are far from trivial, or even manageable. It's also impossible to enforce. If I can't get Porn Mongers out of my Library, how the heck am I ever going to convince anyone that 'Certified Computer Operator' is a good idea?
So, barring this - let's just blame the OS. Clearly the OS must be the problem. Obviously, the code is faulty (and, yes - in some cases it is - I've said this before, Get over it. People write code. People err. Any questions?) I'd suggest a different tack. Stop blaming the OSs and start attacking the real problem. Educate People. Last I checked, someone still had to set up and operate the computer. Or, did I really miss something, and the machines have taken over and I just haven't been put into my little pod in the 'energy collection tower'?
I guess if that happens, the fight over the OS is going to end. It's about time.
Rick Kingslan
Microsoft MVP - Active Directory
In Omaha, NE (the quaint city in the middle of nowhere that I make my home), we have really only two claims to fame. We've got a really cool Air Force Base just south of the city, Offutt Air Force Base which is the home of STRATCOM. You might remember it - Offutt AFB is where President Bush went on 9/11/2001 to determine what the threat was and to confer over super secure, super secret communications equipment with his advisers, while sitting in the security of a bunker complex that would awe the general public beyond belief.
But, to many football (and non-football) fans Nebraska's real claim to fame is what is in a city just 45 minutes southwest of Omaha - Lincoln, NE - Home of the University of Nebraska at Lincoln, or just NU. Yeah, The Huskers, The Big Red. And, folks in Nebraska take the Big Red very seriously. In some cases, it's taken to an unhealthy obsession, but that's just my opinion. For goodness sakes - it's just a game played by a bunch of young 18 - 25 year old guys.
I do know one other thing - when you get a collection of 18 - 25 year old students together, away from home for the first time, lots of things are going to happen. One of those things will be something that seems so innocent, so trivial - they are going to find and steal software. IRC, alt.warez newsgroups, their buddy, mail order from Hong Kong - doesn't matter. Students typically don't have a lot of cash, and sometimes, once you're out from under the watchful eyes of Mom and Dad - morals slip. Yes, I know that this is a shock to many of you (OK, unless you watched 'Animal House' - trust me - it's closer to the truth than you really want to know.....)
Many of the copies of Windows 2000, Windows XP, Windows Server 2003 that are in the dorms and off-campus apartments of the typical college student are not 'legally obtained or rightfully owned' copies. This may come as a huge surprise, but students steal. And, they also share the wealth. But, this is not unique to Lincoln, NE. This is rampant across the country, and I dare say, is even more prevalent outside the United States.
I traveled to Japan on business a couple years ago and was able to make it to the Akihabara district of Tokyo. This area of the city is known as an electronic mecca where shops the size of a WalMart down to those the size of a closet co-exist. We're talking blocks and blocks of nothing but shops catering to the electronic and computing nerd and consumer. And, you can buy ANYTHING on any given day if you know who to ask. Illegal software is just a nudge, nudge wink, wink away. And cheap, too. $15 to $30 US is what I found typical for a copy of Windows 2000 Pro. Windows 2000 Server, $50 US. Granted - no warranty, no support, no return - all sales final, blah, blah.
By now, you're wondering what the heck is he getting at? Is there a point to all of this? Yes. There is. We know and are all very aware that Microsoft has been beating the drum for patching our systems: 'Get Secure, Stay Secure'. But, honestly - this only works if everyone does it, too. I can train a monkey to go to Windows Update and to get the latest and greatest updates, and security fixes. It's not hard - my 70-year-old Mom can handle this one (no comparison between you and the monkey here, Mom - honestly!).
But, are you aware that the illegal software from Windows XP and onward cannot go to Windows Update? Microsoft does 'blacklist' the illegal keys, and will not service a system that has not been properly activated via WPA (Windows Product Activation). Most illegal software has been circumvented in some manner that is not going to allow it to be properly activated - and those who steal it aren't interested in doing so anyway. Therein lies the crux - if you're blacklisted, no updates. If you don't activate, no updates. How many of these illegal systems are attached to the Internet, would you suppose? How many are attached to networks with fully compliant and legal netizens? How many are on your local cable segment with a clear shot at you once they are infected with Nachia, MSBlaster, or worse?
The counter-argument to this is - Microsoft has every right to protect their intellectual property and not allowing the software to be updated is one way to force users into compliance. In my opinion, I fully support the right to protect the property, but the whole argument doesn't hold water. If the illegal software is infected AND does damage to other systems, then who really gets hurt? The thief, or the law abiding citizen?
I said in one post, arguing this point, that I'm not willing to be the innocent bystander who gets hit in the forehead by a bullet in the war on piracy.
Anything that is going to apply a Security Patch must be allowed on all systems - legal or not. Make no mistake - I'm not advocating making it easy on thieves. I think they should be caught and prosecuted fully. And, that they should not be gaining any added function and feature through service pack or other enhancement. However, it's been a stated policy that there will be no added feature or function to Service Packs, but we'll see if that trend truly continues.
Microsoft, you lose nothing by allowing hot-fixes and security patches to be applied to illegal systems. You gain EVERYTHING in the public eye BY allowing patching of ALL systems. If the newer, kinder Microsoft is meant to be taken as genuine, then this is a big step in the right direction. Your number one priority in the Security game must be to secure the current products. Your second, but a very parallel, goal must be to “Cause no harm”. Until you have all systems patched, you will cause harm by inaction. Can you really afford that?
Do the right thing - allow the patching of all systems, regardless of legal status. Protect your customers from those who steal from you. We're just the innocent by-standers.
Rick Kingslan
Microsoft MVP - Active Directory
Microsoft CEO Steve Ballmer addressed the Worldwide Partner meeting in New Orleans, indicating that the next front for the security initiative is on the desktop - providing more tools and..... oh, yeah - that patch management thing again - in trying to stem the tide of difficulties that the Company has faced.
During his keynote, he asked how many people had deployed SUS (Software Update Services) internally, and to customers? Getting the response, he indicated that this was the point he had been making to his internal people - that it wasn't getting done. But, there was one more question to quantify what he thought he already knew:
“How many people really KNOW what Software Update Services 1.0 is? OK, that's kind of what I was afraid of....”
These are the PARTNERS, folks. These are the people that train, consult, develop - if they don't know what it is, how does anyone in Redmond truly expect that the average small to medium business (not to mention Mom and Pop shops) is going to?
I know from personal experience that SUS is a good tool. It's not great - but I'm anxiously awaiting SUS 2.0 - due maybe Q1 2004. But, it's a lot better than a team of techs going from machine to machine with a floppy, CD, USB storage device, what have you.
In my most humble opinion, the response in New Orleans indicates one good reason why security is a problem on Windows systems: The tools that are available are not being leveraged. Point the blame where you will, but the bottom line is Microsoft cannot patch your machine for you. That's your job. If you think that Windows or Microsoft products in general are the only ones with problems, I suggest you take a look at a more impartial outlet - say, SANS? They published the Top 20 Vulnerabilities, 10 going to Windows / Microsoft, the other 10 going to *NIX. Oh, and just for fun - trot over to Red Hat and see how many security bulletins are posted for their Linux 9.0 - 53. Yes, that is a Fifty, with a Three added on. I'm not bashing Red Hat or Linux in general - I'm simply trying to bring things into perspective. I admit that Windows has problems - but the work continues to correct the issues - political, technical, monocultural.
Operating systems, regardless of who puts them out, are vulnerable to flaws. That's it - simple, concise. The good thing is that there are smart people out there (and whether it's for personal gain or not - I don't really care) who report these flaws. Some are reported to the vendor (Microsoft, Red Hat, etc), and then findings divulged with the vendor and credit given, while others are posted directly to the public forum. Obviously, some get their tail feathers ruffled by the latter. If the outcome is a patch to fix the hole, it's a 'good thing(TM)'.
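"Not being leveraged" usually comes down to one thing on the client side: the Automatic Updates policy was never pointed at the SUS server, or was pointed there but left set to notify-only. The script below is an added example, not part of the original post and not Microsoft's own tooling. It audits the policy registry values the Automatic Updates client reads (the same values the SUS Group Policy template sets: WUServer, WUStatusServer, UseWUServer, NoAutoUpdate, AUOptions, ScheduledInstallDay, ScheduledInstallTime) and, optionally, writes the corrected setting. It is written in PowerShell, which postdates SUS 1.0; on a 2003-era client the same keys would be checked with reg.exe or VBScript. The server URL `http://sus01.corp.example` is a hypothetical placeholder.

```powershell
# Added example (not from the original post): audit whether this machine's
# Automatic Updates client is pointed at an internal SUS server AND is set to
# actually install, then optionally fix it. Run elevated on the client.
# $SusServer is a hypothetical URL used only for illustration.
$SusServer = 'http://sus01.corp.example'

# Policy keys read by the Automatic Updates client (same ones the SUS ADM template writes).
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-SusClientState {
    # Missing keys come back as $null, which the checks below treat as "not configured".
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $wu.WUServer        # URL the client downloads approved updates from
        WUStatusServer = $wu.WUStatusServer  # URL the client reports status to
        UseWUServer    = $au.UseWUServer     # 1 = honour WUServer instead of public Windows Update
        NoAutoUpdate   = $au.NoAutoUpdate    # 1 = Automatic Updates disabled outright
        AUOptions      = $au.AUOptions       # 2 notify, 3 download+notify, 4 download+scheduled install
    }
}

function Test-SusClientState {
    param([Parameter(Mandatory)]$State, [string]$ExpectedServer)
    $findings = @()
    if (-not $State.WUServer) {
        $findings += 'WUServer not set: client uses public Windows Update (or nothing at all)'
    } elseif ($State.WUServer -ne $ExpectedServer) {
        $findings += "WUServer is $($State.WUServer), expected $ExpectedServer"
    }
    if ($State.UseWUServer -ne 1) { $findings += 'UseWUServer is not 1: WUServer is ignored' }
    if ($State.NoAutoUpdate -eq 1) { $findings += 'NoAutoUpdate is 1: Automatic Updates is disabled' }
    if ($State.AUOptions -notin 2, 3, 4) {
        $findings += "AUOptions=$($State.AUOptions): no valid notify/download/install mode"
    } elseif ($State.AUOptions -ne 4) {
        # The classic half-configured state: updates arrive, a balloon pops up, nobody clicks it.
        $findings += "AUOptions=$($State.AUOptions): updates are fetched or announced but never installed"
    }
    return $findings
}

function Set-SusClientPolicy {
    param([Parameter(Mandatory)][string]$Server)
    # Corrected setting: internal server, honoured, auto-download and install daily at 03:00.
    New-Item -Path $auKey -Force | Out-Null
    Set-ItemProperty -Path $wuKey -Name WUServer             -Value $Server
    Set-ItemProperty -Path $wuKey -Name WUStatusServer       -Value $Server
    Set-ItemProperty -Path $auKey -Name UseWUServer          -Value 1 -Type DWord
    Set-ItemProperty -Path $auKey -Name NoAutoUpdate         -Value 0 -Type DWord
    Set-ItemProperty -Path $auKey -Name AUOptions            -Value 4 -Type DWord
    Set-ItemProperty -Path $auKey -Name ScheduledInstallDay  -Value 0 -Type DWord  # 0 = every day
    Set-ItemProperty -Path $auKey -Name ScheduledInstallTime -Value 3 -Type DWord  # hour, 0-23
}

$state  = Get-SusClientState
$issues = Test-SusClientState -State $state -ExpectedServer $SusServer
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
    # Uncomment to remediate this one box; for a fleet, push the same values via Group Policy.
    # Set-SusClientPolicy -Server $SusServer
} else {
    Write-Output "Automatic Updates is pointed at $SusServer and set to install on schedule."
}
```

Running the audit across a few machines is the quickest way to answer Ballmer's question honestly: a box with WUServer set but AUOptions left at 2 looks "deployed" in the console and still never patches itself.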
Humans write code, humans make errors, code has errors. Remember the movie “Westworld” (OK, not Oscar material - whatever) “Where nothing can possibly go worng” That's your software development cycle in action - and after the product has shipped.
Rick Kingslan
Microsoft MVP - Active Directory
The term 'Tuna' means more to me than a nickname for Dallas football coach Bill Parcells. It's also the nickname for Robbie Allen's new book on Active Directory prescriptive advice and How-To's.
For anyone with even a passing notion of what Active Directory is, the name Robbie Allen has likely come up, or you've read his posts and words of wisdom. Regardless, Robbie is not to be taken lightly. To paraphrase an old Investment Company commercial:
When Robbie Allen speaks, people listen.
That's just how authoritative he is. And, his mannerisms are not the 'in your face' type of advice. It's put out there, and you are left to try it, with Robbie's typical explanation of what it does, why it does it, and here's the outcome. And, make no mistake - Robbie has the experience to back up his advice. (His current gig is working as a Sr. Systems Engineer for Cisco - you may have heard of them - make a lot of really cool networking gear?) Rarely are you confused about what's happening with the topic of the moment, be it something as complex as File Replication in Active Directory and domain controllers, or as mundane as 'How do I join a new DC to an existing domain'? You leave with complete confidence that you now KNOW it - not just understand. Plus, to enrich the experience, he will typically toss some VBScript or Perl code (his personal favorite, it seems) in to use to either resolve the problem or just to illustrate the point. Masterful, to say the least.
The 'Tuna' Book
So, the question you might be asking at this point is why the heck am I slobbering all over this guy? You need to read his books to get a feel for that. I'll mention the new one in just a moment, but this isn't Robbie's first foray into writing. He also co-authored (with his partner in crime at Cisco, Richard Puckett) "Managing Enterprise Active Directory Services" from Addison-Wesley and updated the classic 'Cat' book (originally authored by Alistair G. Lowe-Norris) “Active Directory, 2/e” from O'Reilly.
So, this Tuna book - what the heck is that? As you're likely aware, O'Reilly uses these quaint animal drawings on the cover of all of their books. Hence, the Cat book - and now, the Tuna book. Yeah, it's got a picture of a big tuna on the cover. What the Tuna has to do with the book, I don't know (and, O'Reilly won't tell you WHY they chose a specific animal for a particular book - it's part of the mystique....).
Let's just say that the 'Tuna' book is an Active Directory FAQ on steroids. The true title is “Active Directory Cookbook for Windows Server 2003 and Windows 2000”, and if this book is the cookbook to a happy and healthy Windows 2000 / Server 2003 directory services, count me in - for double helpings! In Robbie's typical style, the prose is easy to read (well, as easy as any technical book can be - I mean c'mon - this isn't a Tom Clancy novel....) and the examples and prescriptive methods are simply fantastic. The book is broken up into specific chapters dealing with subjects ranging from Schema to Deployment, Replication to Security - and all in a recipe for success format that has made the O'Reilly format successful. In each 'recipe' you will find a succinct explanation of what the problem is, the desired outcome and solutions - scripted, command line, and GUI (where applicable). In some cases, these tips are not published anywhere else.
If you are serious about the Administration and Management of Active Directory outside of the common GUI click here, click here, then click 'OK' - this book is truly for you. If you have always wanted to venture outside of the mundane world of GUI, or need to script a task to make it automated, faster, or just more accurate - this book is for you. If you simply want to get deeper into Active Directory, there are going to be things that you didn't know in this book. And, if you are diving head first into Windows Server 2003, don't jump without this book. Tuna swim, remember? This book will save your butt when it's crunch time!
Rick Kingslan
Microsoft MVP - Active Directory