I'm not sleepy, so I'll jump in here for a bit. I don't believe having a rooted Windows box on your network is in any way preferable to a rooted Linux box. I consider compromised Windows more insidious/dangerous since it's designed to be a black box that you can't look inside of. As long as the dialogue boxes with their "OK" buttons show up, it tends to appear healthy.

#include

Tom Bradford wrote:
>
> KevinO wrote:
> > Even a puny Windows box can be made into an attack machine once you
> > 'own' it.
>
> But the method by which j00 0wN a windows box is generally a cooperative
> one, where you're relying on user ignorance to perform the attack for
> you. In the case of a server, the cooperative element is incredibly
> reduced (though not necessarily eliminated), because there typically is
> no local user doing stupid things. Organizationally, these types of
> attacks can be controlled relatively easily, without having to patch
> many boxen.

If you mean the total number of abused Windows boxes, I'd agree that you rely on user ignorance. There are plenty of users who'll click on anything that might produce dancing hamsters or pr0n.

When I think of Windows being owned, the user's cooperation ends after the box is powered on. The parade of IIS exploits, for example, require no user intervention. You're talking about "Georgi Guninsky" sploits, I'm thinking Eeye, L0pht, Razor, RainForestPuppy remote server hacks.

In the IIS unicode exploit (the one the MS corporate websites tend to get hacked with, per Attrition.org), one sends the server malformed HTTP requests that get executed as commands issued as Administrator. You can ultimately do anything you can accomplish at the console with a tiny bit of effort. Modify web pages, have it FTP you the SAM database, install a netcat listener so you can telnet to it, maybe a nice secure tunnel through the firewall, install VNC, BO, SubSeven, SMS. NT even has its own rootkit under development at rootkit.org.

You could choose to use the ASP buffer overflow to accomplish everything listed above. Now, with any flavor of Win2k and IIS 5.0, one uses the network print service. Since IIS 5.0 is written with crashes and spontaneous reboots in mind, it automagically restarts itself to help hide the crime scene.

OK. So IIS (for example) has let someone in to set up housekeeping on the server, now what? Well, they can sniff traffic (L0phtcrack again), they can perform man-in-the-middle attacks using SMBRelay (harvest username, data, etc), they can use it as a DOS zombie. The sky's the limit. The only question is "what do you want to do" (today)?

>
> > Windows gives one much less control over what is and what is not
> > installed. (Ever try to remove the web browser? Uninstall ActiveX or
> > Outlook Express?)
>
> Again, if we're talking about a server, where those programs aren't even
> being used, this concern isn't all that much of an issue. The issues

Although nobody is typically sitting at the console interacting with Clippy, the server still has Outlook, IE, etc. etc. *installed*. Any dorky piece of code that will execute on a workstation can generally be relied on to do the same thing on a Windows server.

> with Outlook, IE, and ActiveX installing worms and trojans are well
> known at this point and are almost exclusively the ones cited by Linux
> agents of FUD in making their OS look like the better one in the
> security race. Granted, the holes in Windows dealing with executable
> content are many, but they're easily classified. You can narrow the
> culprits to one of two programs in those cases. The holes in various
> Linux services/applications are more numerous, and worse, they're much
> more diverse in their nature.

Sure, Windows is chock full of poorly conceived services and sloppy code. The big problem is that the system admin just has to smile and hope it gets better. How are they going to fix it themselves? Fire up SoftICE and patch the OS? Take the server off the internet until BillCo issues a patch? My perception is that they're screwed. That's not FUD, that's the fact, Jack ;-)

I *could* choose to bring up a Linux box that makes Windows look like Fort Knox by comparison - or I can customize every detail and make it as secure as I know how. In my mind choice is the big issue. I choose to run secure systems when possible. I choose to use open source tools whenever possible. I wouldn't deny that Windows has many legitimate uses, but "it's better because it's Microsoft" doesn't fly.

>
> BTW, there are third party programs that will remove IE and Outlook
> Express. ActiveX you can't do anything about because, along with DCOM,
> it's the next link in the mutation chain of Clipboard->DDE->OLE->COM.
>
> --
> Tom Bradford --- The dbXML Project --- http://www.dbxml.org/
> We store your XML data a hell of a lot better than /dev/null
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
>
> PLUG-discuss mailing list - PLUG-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

TTFN,
Steve
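As an added illustration (not part of Steve's or Tom's posts), the "malformed HTTP requests" behind the IIS unicode bug Steve refers to are recognisable in web server logs: the request path hides a directory traversal behind an overlong UTF-8 percent-encoding that a strict decoder rejects but the flawed parser accepted as a path separator. The checker below decodes a path the permissive way, reports whether an overlong form was present and whether the canonical path climbs above the web root; the log lines and file names are constructed.

```python
"""Flag request paths that hide traversal behind overlong UTF-8 encoding."""
import re
from urllib.parse import unquote_to_bytes

# A path segment consisting only of ".." climbs one directory level.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Constructed sample request lines, W3C-style "METHOD PATH PROTOCOL".
CONSTRUCTED_LOG = [
    "GET /index.html HTTP/1.0",
    "GET /scripts/..%c0%af../config.ini HTTP/1.0",  # overlong '/' hides traversal
    "GET /docs/..%2f..%2fetc HTTP/1.0",             # ordinary encoded traversal
    "GET /caf%c3%a9/menu HTTP/1.0",                  # valid UTF-8, not overlong
    "GET /scripts/..%c1%9c../ HTTP/1.0",             # overlong '\' as separator
]

def decode_lenient(path):
    """Percent-decode PATH, then decode UTF-8 the way a permissive parser did:
    accept two-byte forms with lead byte 0xC0/0xC1 for 7-bit characters.
    Returns (canonical_text, overlong_seen). Non-ASCII bytes become U+FFFD
    because only the ASCII path structure matters for the traversal check."""
    raw = unquote_to_bytes(path)
    out, overlong, i = [], False, 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            # 110000xx 10xxxxxx encodes a code point below 0x80 in two bytes.
            # RFC 3629 forbids this; a strict decoder rejects it outright.
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            overlong = True
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else "\ufffd")
            i += 1
    # Windows treats backslash as a path separator too; canonicalise it.
    return "".join(out).replace("\\", "/"), overlong

def is_suspicious(request_path):
    """Verdict for one path: canonical form, overlong flag, traversal flag."""
    canon, overlong = decode_lenient(request_path)
    traversal = TRAVERSAL.search(canon) is not None
    return {"canonical": canon, "overlong_utf8": overlong,
            "traversal": traversal, "flag": overlong or traversal}

def scan_log(lines):
    """Return [(path, verdict)] for every request line with a path field."""
    results = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 2:
            results.append((parts[1], is_suspicious(parts[1])))
    return results

if __name__ == "__main__":
    for path, verdict in scan_log(CONSTRUCTED_LOG):
        if verdict["flag"]:
            print("FLAG", path, "->", verdict["canonical"])
```

The overlong flag alone is worth alerting on, since no legitimate client emits that encoding; the traversal flag catches the plain `%2f` variant that a strict decoder would also let through.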