Re: Windows Server migration (from linux) question

From: JMax (JMax_at_discussions.microsoft.com)
Date: 10/20/04


Date: Tue, 19 Oct 2004 18:25:07 -0700

Dana,

Thank you very much for this post - it will prove very helpful. I am by and
large a Windows/MS fan, and therefore would like to see the switch
(especially for .NET development). Two questions though: first, what would
you recommend spec-wise (memory and CPU) for a Windows webserver? Second, you
made the following quote:

"I'm facing it going the other way 'cause I want to know what y'all are up
to." - what do you mean? We have a normal ecommerce business, and Windows
seems as if it would be a better option, so we've been looking into it. We've
also been somewhat questioning Linux's true security. .NET also seems like a
much more seamless way to do this as well.

Thanks again!

JMax

"Dana Brash" wrote:

> Hello JMax and welcome to Windows!
>
> 1) I can't talk directly to the PHP issue, but I do know IIS will host PHP.
> Did a quick google for "PHP IIS" and returned a bunch of sites from places
> that seem to know what they're talking about... might check there, might
> check in the IIS newsgroups...
>
> 2) LIKE Linux, you don't get any database server with the core OS. Some
> distributions package MySQL (and I think RedHat even packages Apache?) but
> in most Linux distributions you're downloading and compiling and installing
> MySQL, or whatever your favorite DB server is. Regardless of whether it's
> packaged or not, whatever bits you've got on your CD are out of date so you
> may as well just go get the download anyway....
>
> However, unlike MySQL, SQL Server 2000 is not free, but it is sweet. Because
> you're hosting a site on this machine, you will need the $5,000 per
> processor license.
>
> check: http://www.microsoft.com/sql/evaluation/overview/default.asp
> and: http://www.microsoft.com/sql/howtobuy/faq.asp
> and: http://www.microsoft.com/sql/howtobuy/default.asp
> and:
> http://download.microsoft.com/download/9/1/1/911e6f4f-4580-4f7b-816b-a947c380d85f/SQL2KLic.doc
>
> 3)
> I'm sorry, I do have a bias. I think Linux is cool, and has its place on
> the corporate network (Samba, ipchains), but I definitely think Windows is a
> more mature product. I'll try to be fair... ok?
>
> UNLIKE Linux, Windows does come with a web server installation that
> integrates with the core OS. Windows 2003 and IIS are very, very secure
> when managed properly. Some people have called it the most secure product
> on the market, but I don't know all the products on the market so I'm not
> going to say that. Microsoft took a PR beating over IIS 5 default settings
> mostly because everything was enabled by default. IIS even installed by
> default. Since then, they've changed their "open all until closed" policy
> to a "close all until opened" in IIS6.
>
> I think Windows systems get hacked for a couple reasons. Like you said,
> there's simply more of them. Also, Windows sets up easily out of the box,
> and most people don't take the time to secure it properly. Imagine the
> percentage of people installing Fedora that run their systems as root. Now
> take that percentage, give it a bump (because Windows is arguably more
> accessible to the average user, so has newer newbies), and then project that
> percentage on the raw number of Windows machines on the planet. Now how
> many 'rooted' Windows boxes have you got? And what IS that pesky password
> for anyway? If I were a hacker, I know which I would think is the sweeter
> target.
>
> Another reason MS products get attacked is because they're MS products.
> There is a contingent of angry, anti-establishment people out there that
> think MS is some terrible company that deserves to be attacked, and they
> feel justified and vindicated in attacking it. For evidence of this, I
> would respectfully refer you to some Linux based newsgroups. For all the
> 'M$' this and 'Gate$' that (keeping it clean here) that I saw trying to
> troubleshoot my first Gentoo install, I felt a briefly smug smile pull at my
> face when I found people bragging that they'd managed to get their desktops
> 'mostly' running in 'only a week', and by the way 'check out how my cool
> desktop can open 4 windows'.... I'm sorry, I digress... ;-) One of my
> favorite security configurations on IIS is to use URLScan to impersonate
> Apache. Gets you under the radar for most script-kiddie attacks.
>
> Windows Update does fix most of the security issues with Windows code, and
> usually does so in plenty of time to prevent issues. As an example, MS
> released patches to prevent both Nimda AND CodeRed MONTHS before their
> outbreaks. Problem was that most people didn't apply them. MS has since
> made many wonderful improvements to Windows Update, and we have great tools
> like SUS to manage those updates in our environments, and updates are
> generally quite seamless. BUT MS can't make sure that everyone gets their
> updates in time because of one problem: corporate policy.
>
> In most corporate environments, corporations are concerned about updates,
> but have a dozen or more servers floating around on various background
> functions, all implemented at different times as the company grew
> organically, and running various OS versions. This is a huge management
> task. Another issue in rolling out updates is that they really should be
> tested in your environment before they're applied. Sometimes, with critical
> updates, it's important to finish testing and roll out as fast as possible,
> within a day or so ideally. That's a herculean task, and I don't think most
> corporations have fully grasped the importance of proper testing and
> planning in general, but have an extra hard time working the testing of
> updates into their ROI.
>
> And I've run Up2Date and yum and emerge enough to know that it's not just
> the code writers at MS that are busy fixing holes in their code. From my
> limited experience with Linux, I would say that Linux requires more updates,
> but there's no science to that statement at all. (at least I don't have to
> recompile my Windows kernel and re-install my vid drivers every time I
> download a patch...)
>
> How many corporate environments have you worked in where your IT staff had
> all the resources they needed to manage their constantly changing
> environment? Corporate Execs are requiring techs to ROLL OUT
> implementations of .NET server products that MS recommends a MINIMUM of 6
> weeks for the initial planning stage, followed by more testing, training,
> testing and finally implementation, then more training. One week. This is
> simply ludicrous, but happens all the time. So these servers get hacked
> together and put in place, probably without any solid IT knowledge of what
> the security risks are associated with that product line. A lot of these
> servers integrate with SQL server, and instead of learning SQL Server
> security are run with an sa blank password. I patched an RTM SQL Server
> 2000 not 2 weeks ago, blank password and all.
>
> Regarding the management of security, there is still the issue of users and
> groups and permissions. User and group management is essentially the same
> concept, but the built in users and groups are different. And the
> application of those groups is different. For example, in Windows, you
> don't have to be a member of the "games" group to play a game, or a member
> of the "audio" group to listen to music. Almost always membership in the
> Users group will give you these permissions, and have to be turned off
> otherwise. NTFS has the role of micro-managing user permissions, with 13
> available permissions to configure. Usually it's good enough to use the
> standard 5 permissions, but you can get more in-depth if you need to.
>
> On top of NTFS permissions, if you want to share a file over the network it
> will have share permissions as well. These are much more simple than NTFS
> permissions and effectively determine who can access what over the network,
> and then NTFS still has the job of determining what they can do when they
> get there. Coming from Linux, you should be able to apply your
> understanding of CHMOD to the Windows environment quite easily, and you may
> enjoy how much more robust the combination of NTFS and Share permissions
> actually is.
>
> To sum up, I think Windows is pretty rock solid. I suspect that the system,
> when properly managed, is inherently more secure than Linux. I think user
> error (end-user AND administrator), misplaced angst, and bad corporate
> policy/lack of resources are to blame for 99.x% of the 'Windows' problems
> that we hear about.
>
> When you're ready to dig in, I would recommend doing your homework. There
> is a huge paradigm shift between serving on Linux and serving on
> Windows (particularly Web Applications - DNS and DHCP are pretty much the
> same, Samba is an abomination, MySql is quite different...). I'm facing it
> going the other way 'cause I want to know what y'all are up to. And I don't
> think that being a super-power user on Windows makes the shift that much
> easier.
>
> Here's some good reading:
> http://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx
>
> And again, welcome.
>
>
> --
> HTH,
> =d=
>
>
> Dana Brash
> MCSE, MCDBA, MCSA
>
> dbrash@gmail.com
>
>
>
> "JMax" <JMax@discussions.microsoft.com> wrote in message
> news:F0A8FF8C-E852-48A8-8B91-6FE4B2CBC6F9@microsoft.com...
> > Hello!
> >
> > We're considering changing our webserver from Linux to Windows. However, in
> > considering this, we have several questions:
> >
> > 1) Does PHP run seamlessly on Windows without having to re-write code?
> > 2) We would be getting Windows Webserver Edition. Does SQL Server come with
> > it, or do you have to pay the $5000 for it? It would be very nice to have SQL
> > Server, but for $5000, it is pretty expensive.
> > 3) Without bias (if possible), how does security management/security in
> > general compare with Linux? Sure, Windows does get hacked more often, but is
> > it because there are more Windows systems to hack? Does Auto Update fix these
> > issues?
> >
> > Thanks for your time,
> >
> > JMax
>
>
>
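
The combination of share and NTFS permissions described in the quoted reply, as an added example that is not part of the original thread: a simplified Python model in which allows accumulate across group memberships, a deny removes rights, and access over the network is the intersection of what the share and NTFS each grant. The group names, ACLs and abstract right names are constructed, and ACE ordering and inheritance are not modelled.

```python
# Added example: simplified model of share + NTFS evaluation (not real ACL parsing).
MODIFY = {"read", "execute", "write", "delete"}
FULL = MODIFY | {"change_perms", "take_ownership"}

# Share-level permissions (three levels) mapped to abstract rights.
SHARE = {"Read": {"read", "execute"}, "Change": MODIFY, "Full Control": FULL}
# The five standard NTFS file permissions mapped to the same abstract rights.
NTFS = {"Read": {"read"}, "Read & Execute": {"read", "execute"},
        "Write": {"write"}, "Modify": MODIFY, "Full Control": FULL}

def granted(acl, table, principals):
    """acl is a list of (principal, 'allow' | 'deny', permission name).
    Allows from every matching group add up; any matching deny wins."""
    allow, deny = set(), set()
    for who, kind, perm in acl:
        if who in principals:
            (allow if kind == "allow" else deny).update(table[perm])
    return allow - deny

def effective(share_acl, ntfs_acl, principals, over_network=True):
    """Local access is decided by NTFS alone; network access must pass both."""
    ntfs = granted(ntfs_acl, NTFS, principals)
    if not over_network:
        return ntfs
    return ntfs & granted(share_acl, SHARE, principals)

# Constructed sample ACLs for a hypothetical "webroot" share.
SHARE_ACL = [("Everyone", "allow", "Read"),
             ("WebAdmins", "allow", "Full Control")]
NTFS_ACL = [("Users", "allow", "Read & Execute"),
            ("WebAdmins", "allow", "Modify"),
            ("Editors", "allow", "Modify"),
            ("Contractors", "deny", "Write")]

# Constructed users with their group memberships.
ALICE = {"alice", "Everyone", "Users", "WebAdmins"}
CAROL = {"carol", "Everyone", "Users", "WebAdmins", "Contractors"}
DAVE = {"dave", "Everyone", "Editors"}

if __name__ == "__main__":
    for name, who in (("alice", ALICE), ("carol", CAROL), ("dave", DAVE)):
        print(name, "network:", sorted(effective(SHARE_ACL, NTFS_ACL, who)),
              "local:", sorted(effective(SHARE_ACL, NTFS_ACL, who, False)))
```

Unlike a chmod mode, where only one of the owner, group or other classes applies to a given user, dave's result shows the share acting as a ceiling: Modify on disk, read-only over the network.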


