Re: Recommended Windows Hosts

From: Jim Cheshire (contactme_at_www.jimcoaddins.com)
Date: 04/09/04


Date: Fri, 9 Apr 2004 07:34:41 -0500

Your comments seem to indicate that you are simply another anti-Microsoft
zealot. For example, you say, "While MS is making (at least publicly) an
attempt to repair security flaws...". In fact, Microsoft IS repairing
security flaws. Perhaps you can explain how you can publicly repair
security flaws without doing so internally. If you've been reading tech
news over the last few years, you would know that Microsoft is absolutely
committed to security. You would also know that Windows is the most secure
operating system available today.

You disagree with me because of your lack of information and your bias. As
an example of my assertion, there was recently a security hole in Linux that
allowed someone hitting a Web server to easily elevate their privileges to
root. It was widely reported. You know how long it took them to fix it? 8
months! That's just unbelievable, and it's laughable that anyone would
claim that Windows is less secure than that. By the time you read of a
security flaw in Windows, Microsoft has already patched it, and Microsoft is
the only company that has a very simple and effective way to ensure that
your OS is always up-to-date.

Concerning the parent-pathing issue (../../), for YEARS, Microsoft has
recommended not allowing parent paths on the Web server. In fact, the IIS
Lockdown tool (available for a few years itself) disallows this and other
security holes. It is up to the server administrator to enable parent
pathing. Most do because they don't want to have to tell developers not to
rely on parent pathing. Make that choice and the consequences are yours,
not Microsoft's.

Concerning the requirement to have a Windows account in order to be
authenticated to the Web server, how in the world do you perceive this as a
security flaw? Your criticism of this approach shows a bit of
short-sightedness. Do you develop multi-tier Web applications? I don't
think you do, because if you did, you would realize how critical such a
system is to a good user-experience. In a multi-tiered environment, I may
hit five or six different resources that require authentication. You think
it's actually a good idea to require users to enter their credentials over
and over and over and over? Worse yet, do you think it's acceptable to
allow multiple systems to authenticate me by proxy? Microsoft systems don't
allow that unless you have explicitly configured delegation. Once again, a
very secure architecture.

It is also much more secure to use integrated security for data source
connections than it is to use the credentials in plain text in the
connection string. People who understand complex application architecture
and security issues across systems understand how critical Windows
Integrated authentication is, and with Kerberos authentication and
delegation, Microsoft has a very good story to tell in this area.

To close, I think it's clear to those who think about these matters that
security holes in Microsoft products (even though they are already patched)
are more publicized than in other systems simply because of the fact that a
very high percentage of computers in the world are running Microsoft
software. If you were a virus or worm writer, would you target a system
used by single-digit percentages, or would you target systems in use by a
wide majority of people in the world? I know the answer, and I think you do
too!

-- 
Jim Cheshire
Jimco
http://www.jimcoaddins.com
================================
Author of Special Edition
Using Microsoft Office FrontPage 2003
5 Stars on Amazon and B&N
================================
The opinions expressed by me in the
newsgroups are my own opinions and
are in no way associated with my
employer or any other party.  Jimco is
not associated in any way with any other
entity.

"Bob" <uctraingNOSPAM@ultranet.com> wrote in message
news:iivb70ho4jhs1lafs1rmotivimfqj26bqn@4ax.com...
> On Thu, 8 Apr 2004 20:29:53 -0500, "Jim Cheshire"
> <contactme@www.jimcoaddins.com> wrote:
>
> >Bob,
> >
> >Your thinking is flawed.  You should not trust the system that's NOT being
> >patched, not the one where security holes are aggressively addressed and
> >corrected.
> >
> >-- 
> >Jim Cheshire
>
> I respectfully disagree.
>
> <rant>
> While MS is making (at least publicly) an
> attempt to repair security flaws, their system is full of them. Much
> (most?) of this stems from an architectural flaw in MS's business and
> technical plans. They consistently sacrifice security in the name of
> integration as part of their "integrate all applications" strategy.
> In a secure environment, applications run *on* the operating system,
> not *in* the operating system. MS doesn't know the difference (well
> actually they do, but they ignore it because it interferes with their
> business strategy).
>
> As one example, take a look at MSIE, a veritable piece of Swiss cheese
> when it comes to security - yet I can't run a web server without it
> installed. Why ? What has a browser got to do with a web server ?
> Only in MS's nonsensical courtroom statements can we find an
> explanation of that oddity - and it's laughable. The real reason is
> that MSIE is part of the MS OS/application/all products integration
> strategy - and they've sacrificed security for integration.
>
> As another example, take a look at the IIS bug where an errant program
> could make a cgi request like "/../../../cmd.exe" (abbreviated here)
> and it *ran*!!! Why would a web server, ever, ever, ever be able to
> call a program as a cgi application from *outside* the web server ?
> It makes no sense at all - unless you are MS, and you are calling
> various components of your architecture in this way as part of
> your product integration design. Again, it makes sense to no one but
> MS - for them it was just a great way to integrate other SW on the
> server with the IIS server - heaven forbid they should consider a
> security hole the size of Mt Everest as an issue.
>
> OR, take a look at the IIS secure account strategy. Every vendor
> except for MS sets up a user/pass system for the web server that is
> totally separate from the other security systems on the server. Even
> MS did that for their other applications. But, when it came to IIS,
> they used the NT user/pass database as the security for the web
> server. Why ? Because it allowed them to sell IIS to the corporate
> environment as a "one login" solution - log on to your system in the
> morning and gain access to web resources through the same login. It
> also allowed them to avoid writing a security layer for the web
> server and instead they layered a calamity on top of the NTFS
> security. So, as an IIS administrator, anyone who needs access to
> any restricted resource now has a *user* account on my server.
> Tell me how that makes sense in terms of security.
>
> Those are just three examples. The point is that they don't keep a
> safe and secure distance between the applications and the OS
> because their business goals and plans are in direct opposition
> to that. They consistently sacrifice security when it comes up
> against "features" or development time. Instead of redesigning
> Windows to actually run applications in a secure, isolated fashion,
> they integrate, integrate, integrate. I'd say that "they don't know
> squat about security" but actually I know better. They do know squat
> about security - they just choose to ignore it. You can't fix a broken
> architecture by treating the _symptoms_ as they do with these constant
> patches, you have to treat the _problem_. MS's goals and business
> strategies are the problem and they refuse to revise them as it
> might affect profits.
> </rant>
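
Added illustration, not part of either poster's message: a request like the "/../../../cmd.exe" quoted above can only reach a program outside the web root when the server maps the path to a file before confirming that the result is still inside its CGI directory. The Python sketch below shows that containment check; the root `/srv/www/cgi-bin`, the function name `resolve_cgi` and the request paths are assumptions constructed for the example, and it compares path strings only (it does not follow symlinks).

```python
import posixpath
from urllib.parse import unquote

# Hypothetical CGI root for this sketch; not a path taken from the thread.
CGI_ROOT = "/srv/www/cgi-bin"


def resolve_cgi(request_path, cgi_root=CGI_ROOT):
    """Map a request path to a file under cgi_root, or return None.

    The check runs on the decoded, normalised path, so the value that is
    validated is the same value that would later be handed to the OS.
    """
    decoded = unquote(request_path)
    # Refuse input that still carries an escape after one decode pass
    # (double encoding) or a NUL byte, rather than trying to repair it.
    if "%" in decoded or "\x00" in decoded:
        return None
    # Windows accepts both separators; treat them alike before normalising.
    decoded = decoded.replace("\\", "/")
    root = posixpath.normpath(cgi_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Compare whole path components: a bare startswith(root) would also
    # accept a sibling directory such as /srv/www/cgi-bin-old.
    if not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed request paths, not captured traffic.
SAMPLES = [
    "/report.cgi",
    "/sub/../report.cgi",
    "/../../../cmd.exe",
    "/%2e%2e/%2e%2e/cmd.exe",
    "/..\\..\\cmd.exe",
    "/%252e%252e/cmd.exe",
    "/../cgi-bin-old/x.cgi",
]

if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{path!r:32} -> {resolve_cgi(path)}")
```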

