I’m a public supporter of Microsoft Windows, but I also use, respect, and support other operating systems. I’ve been an AS/400 administrator for nearly 20 years. I thought the AS/400 would be long gone by now, but what it does, it does well. I use several flavors of Linux, FreeBSD, and OpenBSD. I even do a little hacking and defence teaching using Sun Solaris.
So it’s my 20 years of professional experience with a wide variety of OSes that leads me to believe that Windows is just as secure as any other popular OS, if not better, despite knee-jerk criticism to the contrary.
The truth is that all OSes and applications contain exploitable vulnerabilities. If you don’t follow general computer security guidelines, you’ll be at more risk. If you follow the vendor’s recommendations and keep your systems patched, you’ll be less at risk. And if your password is “password,” no amount of security will protect you.
Last week, I was helping a new client support their mixed Microsoft and Linux shop. The on-site administrator hated Microsoft and Bill Gates. All his servers were Mandriva Linux, except for the one IIS 6 server he “was forced” to support because of a needed application.
As I normally expect when working with many Linux zealots, he spent our days together dogging Microsoft and Windows at every opportunity. He is absolutely convinced that Windows security is terrible, even though he is “forced” to run Windows on the client desktops.
He tried to replace the Windows clients with Ubuntu, but the “stupid users were too stupid to use OpenOffice”. He did reluctantly agree that there were file formatting issues and education issues (he provided no beforehand training) that ultimately led the users to revolt during the switchover.
Like most Linux administrators I deal with, his environment was highly insecure. Just because you don’t like Windows doesn’t mean you’re free to ignore basic computer security principles.
It took me five minutes to find dozens of gaping security vulnerabilities. His Cisco PIX firewall was running code many years old. (As a matter of fact, I haven’t come across a PIX in nearly a year that had up-to-date code.) He also ran several Secure Computing firewalls, all of which contained old code and wide-open, misconfigured firewall rules.Half of his Linux servers were running old, vulnerable kernels. His web servers were years old and full of flawed PHP scripts. His Windows workstations were all Windows 2000 Professional, unpatched, and without any automated patching solution. All Windows clients ran Firefox 1.0 and Thunderbird, both unpatched. Nearly every piece of software I could find was old and unpatched, whether running on Linux or Windows. His Barracuda Spam Firewall appliance was unpatched, and remained unpatched even after I told him that updates were available.
He ran Clam AV on his Linux servers, but seemed surprised to hear that there were vulnerabilities that needed patching over the last year. See, he doesn’t subscribe to any vulnerability announcement lists. He said they were “too much noise”.
I asked him why he was still installing Windows 2000 and not XP Pro SP2 on client workstations. He said Windows 2000 was all he needed and he saw no reason to upgrade. Forget that SP2 has more than a hundred security improvements, including a host-based firewall and buffer overflow protection. Oh, and Windows 2000 is no longer officially supported by Microsoft.
I know there are millions of Windows 2000 computers out there. I still see Windows 95 and MS-DOS machines in large enterprises. But if you’re buying new machines and installing Windows 2000 over Windows XP, at least tell me it’s an application compatibility issue or something like that. There are so many new security improvements in XP over 2000 that you would have to come up with truly serious issues for me to support your 2000-over-XP decision. Windows 2000 is seven years old now. I wouldn’t support you running a Linux or BSD version that’s seven years old.
Of course, this guy wasn’t using Active Directory, either. He was trying to install OpenLDAP, but said it was only to make user adds and changes easier. He ran VNC on all computers for remote support, and each instance had a password of “password”. I’m sure no hackers can figure that out.
It gets worse. Everyone’s user password is their first initial and last name, the same as their logon account names. This, despite the fact that the company has many fired employees now working for competitors, along with internet-accessible email and AS/400 sessions.
The CEO’s password is “password,” of course, and his “password” is used as the root password on several of the servers and their open source database application. Passwords are never changed.
This would be just one isolated tragedy if I didn’t see it all the time. Just because you’re a Linux or BSD administrator doesn’t absolve you from your security responsibilities. Just because you don’t run Internet Explorer doesn’t mean you won’t be — or haven’t been — attacked.
And let me be clear: Many Linux, BSD and Solaris administrators I know are excellent security caretakers. But they also know that you have to follow basic security guidelines regardless of what OS you run. You have to patch, you have to use good passwords, and you have to keep up with improving technologies.
The Linux administrator recently left his job to become an outside web programmer and Linux administrator for the military. He’s probably walking to his new job in his black t-shirt, jeans, and ponytail thinking he’s a security hot shot because he hates Windows and Bill Gates and can “roll his own” open source solutions. I wonder if he will ever wake up.
Meanwhile, his former boss hired me to “break into” their network because our friend the former admin had left without giving notice, sharing the admin password, or producing documentation.
I connected a PPTP connection to his network and logged in as administrator with the password of “password”. I found his password spreadsheet in OpenOffice. It was called passwd.xls and was password-protected with a password of … you guessed it… “password”.