Security Issues with Windows 2000 Datacenter? 357
"My company is currently looking to cluster our SQL 7 servers. We're
considering Win2000 advanced server or datacenter. Around a month ago I sat in a meeting with our VP of IT, and the rest of the network admins I work with. Compaq tried to pitch their Windows 2000 Datacenter or Advanced Server solution. Here is the way the compaq people explained it:
You get datacenter only from an OEM. They look at the apps you're running
and customize a solution for you in their lab. Every datacenter implementation is different, and every datacenter CD is different. Since we would be using an EMC SAN as our clustered storage system they said our implementation would take special customization. They would have to contact EMC engineers and work together. Once you deploy it, the OEM monitors it. And you can't install any service packs or anything without getting an OK from your OEM. Any service packs are customized for your enviroment. The SLA guarantees a 99.999% uptime or your money back. Part of your money at least. Datacenter isn't an OS, but a program in their words.
Now here is the problem. With Code Red and Nimda, how do you patch IIS
running on datacenter in a timely manner? The reason IIS servers became
infected was because the admins didn't patch them in the first place. So say
a new worm comes out in a few months and it takes a few days for MS to
create a hotfix. Datacenter admins can't install it until they get their
customized copy from their OEM. And almost every 2000 server runs IIS for
terminal server. It can take a few days and in the meantime your servers
could be down. And I don't see the SLA covering a situation like this. Meanwhile you're explaining to your CEO how this $500K supposedly guaranteed solution is sitting dead in the water and you can't do a thing about.
Is there something I'm missing, or did Microsoft look over something like
this? Especially when they are trying to push Datacenter as 'Big Iron'."
Whats it needed for? (Score:2, Interesting)
Re:Whats it needed for? (Score:3, Informative)
Straight from http://www.microsoft.com/windows2000/datacenter/ev aluation/business/overview/default.asp [microsoft.com]:
From http://www.microsoft.com/windows2000/advancedserv
Other pieces of information not listed in that blurb about AS: supports up to 8-way SMP and 8 GB of RAM (compared to DC's 32-way and 64GB).
You're obviously not going to have a DataCenter machine sitting underneath your desk at work, but it's quite possible to do so with Advanced Server.
Re:Whats it needed for? (Score:2, Troll)
#define MAX_CPUS 32
#define MAX_MEM_GB 64
You pay only a few dollars for that mod. The remainder of the huge expense goes to pay for a special team of engineers whose purpose in life is to try to keep your systems up and running.
Comment removed (Score:5, Informative)
Re:Whats it needed for? (Score:2)
If you want to address large amounts of RAM (> GB), you are better off with a 64 bit architecture.
Which you can download from RedHat today.
Re:Whats it needed for? (Score:3, Informative)
This, of course, is crap. To say that "any other OS" has the same scalability problem that Linux has is simply not true.
Take IRIX, for instance. I wrote some image processing code that runs on Origin servers. The 8-processor server in my lab runs my code about four times faster than my 2-p servers. And, surprise, the 32-p server in my friend's lab runs my code about four times faster than my 8-p machine.
To generalize the problems you see on Linux and Windows to "any other" operating system is simply hogwash. Your point about Windows scalability is well taken, though.
Re:Whats it needed for? (Score:2, Informative)
There are scalability limits beyond 4 and 8 processors. Part of it is hardware and a lot of it is software. SGI/IRIX does both very well (hello, they make/made the CRAY!) The scheduler used for small SMP systems does not work well with large SMP systems. And PXE, the 36-bit address extensions, is a significant performance hit for machines not acutally requiring it.
Performance does not scale linearly -- on any system. "About 2x" is not "2x". IRIX scales better than most, but it still isn't perfect. And, surprise, Windows scales better than Linux (or used to.) BeOS is about the best thing I've seen for standard PC hardware -- too bad it never caught on.
Datacenter is a great deal different from the other windows'. Unlike the difference between NT Workstation and Server (two registry keys), Datacenter is very different.
Re: (Score:2)
Re:Whats it needed for? (Score:2)
Actually, that's not right, either. IRIX 6.2 scaled about the same on the Challenge-series architecture (up to 36 processors) as IRIX 6.5 does on the Origin (up to 512 processors), two radically different designs.
It really has more to do with operating system architecture and scheduler design than it does with hardware.
Re:Whats it needed for? (Score:2)
That's one of the things that bug me about Microsoft: they try so hard to be All Things to All People. Gee, it's like they want to conquer the world or something.
Re:Whats it needed for? (Score:2)
ostiguy
Corruption (Score:2, Insightful)
Modify the SLA (Score:5, Insightful)
Re:SLA... (Score:2)
Basically, what is and is not covered in your support contract. For big orders, you get to negotiate your own EULA not just take what they hand you.
For example, an SLA might cover finacial losses due to system failure, whereas every normal EULA under the sun absolves hardware vendors of liability for secondary losses.
- JoeShmoe
Re:Modify the SLA (Score:2)
Which means being hit by nimda would be a good thing since it 'enhances' machine accessability :) :) Root access for everybody! :)
Problem of the vender (Score:1)
The vender probably has a fix quickly, although it are special computers, they're still i386 compatible (sort of) so the vender won't have to port.
Datacenter? (Score:3, Insightful)
Its a waste to use Datacenter as a web server or front end machine for applications, its best use is for big honking SQL applications like MS SQL server. Datacenter is a waste for Oracle/NT because Oracle on NT is the worst implementation of Oracle in existence. If you want a big honking box to do oracle for gods sake get a Solaris/HPUX/AIX monster. Big ass database servers should never be directly exposed to the internet anyways, the connectivity should be happening thru a balls to the wall firewall.
Re:Datacenter? (Score:5, Informative)
Re:Datacenter? (Score:2)
hope this helps, though.
Datacenter _is_ vulnerable (Score:3, Insightful)
Sybase (Score:2)
Originally, it was:
Is your Sybase database accessed outside your company? Yes? More money please!
Now its:
Is the data in your Sybase database accessed outside your company? Yes? More money please!
Nte the subtle difference. We've got many front end applications in a DMZ talking to Sybase in our datacentre - the users never see Sybase, nor even know where the data comes from - but now Sybsae want more money...
So our CIO has done a deal with the Great Satan of Software, and we're going to
1. Sell all our Sun kit we use for hosting Sybase
2. Buy shit-loads of cheap x86 servers
3. Have MS "consulting services" port all the DBs and integrate them with our existing applications.
Firewall didn't help us against Code Red (Score:2)
Time from Bug Found to Bug Exploited (Score:2, Interesting)
Is it not also true that only large OEMs offer Datacenter? I don't think you are going to have a huge problem with the likes of Compaq or Dell providing timely fixes. It may not be available the same day the Microsoft Fix is, but I would be guessing that MS provides enough info to the OEMs to get the fix applied within 3-5 days.
All in all I think the amount you need to worry shouldn't be more than the satisfaction you can get from a 99.999% guarentee
Where did you get your advice?! (Score:5, Insightful)
"And almost every 2000 server runs IIS for terminal server"
Erm, I work for a Citrix Gold partner and I've never encountered this before. Installing Terminal Server does not require IIS.
In fact, according to M$ recommendations, you should minimise the services running on the TS box.....That means no IIS.
Also, the "smaller but more servers vs fewer 8 way servers" for TS debate has been done and dusted, and the recommendation certainly isn't for having fewer large servers. The "sweet spot" is a farm of dual processor servers with 1.5Gb of RAM, thus you wouldn't need Data Center anyway - normal W2k Server would be more than adequate.
Re: (Score:2)
Nope. No need for IIS. (Score:2)
Also, you only need it available once.. you don't have to have it on each terminal server. You don't have to have it on ANY terminal server.. you can stick it wherever it's convenient... and use it to connect to as many terminal servers as you want.
Re:Terminal Server but sort of OT (Score:2)
Maybe Microsoft is starting to pull its head back out into the sunshine. Legacy support often purpetuates legacy bugs/exploits. Personaly, if someone is spending $500K on hardware/software system, the life-blood of the corp isn't have a competant admin on site pretty cheap insurance?
Re:Terminal Server but sort of OT (Score:2)
On the one hand you have Citrix at $5000 for 20 users. On the other hand you have Microsoft for $0 for unlimited users ($75 for any user not running Win2000).
That's utterly insane. Why do they make such an absurdly high barrier to entry? Microsoft begins Server and Small Business Server at the 5-client license level so why on earth is Citrix starting at 20? They are immediately discounting almost all of the small businesses out there.
Knowing now that I can't run 256 colors on Windows 2000 Terminal Services...I'm not about to recommend this mom and pop shop plunk down five grand for Citrix...i'm going to recommend they pay a few hundred and upgrade to Windows XP server.
One day, like Novell, Citrix will wake up and wonder where all their customers went. Only then will they realize that people aren't interested in paying a premium for a market leader when Microsoft has a "good enough" option available for free.
Feh! I was already upset I had to install Windows 2000 instead of Windows NT 4.0 Terminal Server...now I gotta install XP! Bleah!
- JoeShmoe
Datacenter (Score:5, Informative)
Re:Datacenter (Score:2)
Your attacker could still use some other exploit [bugnet.com] that doesn't rely on IIS. I hope you don't think we've seen the last of these.
Note that an exploit like the above wouldn't turn into a Ro0t on a Linux/Unix box because the database server typically doesn't run with system privilege.
Re:Datacenter (Score:2)
"Using extended stored procedures, the attacker could essentially gain complete control over the server itself."
Lets not forget.. (Score:2, Insightful)
Besides, say your running *NIX with a specially modified version of apache, and there is some remote exploit that is discovered. Obviously you can't just download the source, compile, and install, for fear of loosing those 'special features'.. You need to patch your source code, which may barf (and then you either have to modify the patch file or do it manually. Which could suck if you have no programming skills, and its heavily modified)...
While most of us would view using a patch trivial (patch, recompile, install), the point is that similar situations could happen.
Re:Lets not forget.. (Score:2)
Not if you know what you're doing. Using the qchain utility, you only have to reboot once after applying all the patches is one go (and can even be scripted). Then check if they all took by using the hfnetchk utility. This can easily be done (yes I've done it) on 12+ servers in less than an hour without ever getting up from your desk.
Re:Lets not forget.. (Score:2)
hfnetchk utility [microsoft.com]
qchain utility [microsoft.com]
Not only MS Datacenter (Score:2, Informative)
I don't know of one bank that uses a non-IIS platform. Kind of scary.
Re:Not only MS Datacenter (Score:4, Informative)
"I don't know of one bank that uses a non-IIS platform."
You need to look harder then. The first 5 banks I could be bothered to look at:
My banks (Score:2)
www.tdcanadatrust.com - IBM_HTTP_Server/1.3.12.2 Apache/1.3.12 (Unix) on AIX
www.ingdirect.ca - Netscape-Enterprise/4.1 on unknown
www.cibc.com - Netscape-Enterprise/3.6 SP2 on Solaris
www.bmo.com - Netscape-Enterprise/3.6 SP3 on Solaris
www.royalbank.ca - Netscape-Enterprise/3.6 SP3 on unknown
IIS for Terminal Server? (Score:2)
Re:IIS for Terminal Server? (Score:2)
Well yeah, seeing as though TSAC is the web plugin for TS. But jsut why the hell yould you use Datacenter server for an app server?
Even if you did, does the IIS server have to be the same machine as the app server. I don't think it does but I can't recall. I know that with Citrix NFuse it DOESN'T and probably SHOULDN'T.
This whole discussion is pretty academic isn't it? Nobody is going to use Datacenter server for IIS or Terminal Services. That is not what it's for, you use Datacenter server for big databases or transaction processing, in which case there is no reason it should be accessable from an untrusted network.
Keep in mind, untrusted includes your users as well as your DMZ. Never trust your own network!
do it yourself (Score:1)
Unpatched MS Data Center box + routable IP == (Score:2, Funny)
I've seen it happen to production servers b4 ">
Re:Unpatched MS Data Center box + routable IP == (Score:2, Funny)
coke | nose > keyboard
Thanks for the laugh
~
When you can't secure it, hide it. (Score:5, Informative)
If you aren't allowed to patch your server, then you should isolate it behind a firewall of some sort, so that the chances of infection are minimized. This may not work well for IIS (beyond simply not running it), but it will serve you well in the general case.
Re:When you can't secure it, hide it. (Score:2)
So, you're suggesting security by obscurity? Hmm, best of luck to you.
Some exploits work just fine through the firewall, so then you've got a compromised server insider your firewall and a false sense of security. There's no substitute for being secure in the first place. If it's not secure, don't connect it to your network.
Re:When you can't secure it, hide it. (Score:2)
So, you're suggesting security by obscurity? Hmm, best of luck to you.
I would prefer to solve the problem, but if i can't patch, I'll do the next best thing: isolate the servers from the rest of the network. Good luck infecting with nimda when you can't even hit port 80 and all mail ports are blocked (in case some nimrod installs outlook on a datacenter.
Re:When you can't secure it, hide it. (Score:2)
You can firewall for this and you can firewall for that
When you let 1, maybe 2 ports through, the next big thing tends to bounce off your firewall. If we don't explicitly need it, it ain't getting in!
Re:When you can't secure it, hide it. (Score:2)
Isn't that the reverse of how a firewall actually should be set up? My limited experience has been that you start by blocking everything, and then open holes for just the things that need to get through. If you leave it open, and then attempt to run around blocking things as you become aware of them, it almost defeats the purpose, doesn't it?
Re:When you can't secure it, hide it. (Score:2)
what is needed is compartmentalization - sure, you run a firewall between the world and the corp, but you also run a firewall in front of anything sensitive. Internal firewalls of this sort have the advantage of being able to be more restrictive because they're protecting at most a few services. Corp level firewalls have to be more permissive in order to prevent open user revolt.
Datacenter (Score:5, Informative)
Part of what you get with a Datacenter purchase is a premier level of support. This includes a named engineer for support, and automatic escalation to the highest level for any support needs. It also includes any updates and or fixes on a priority basis - if you have a Datacenter server you get patches, updates, etc. before anyone else does.
customized solutions&patching (Score:1)
Re:customized solutions&patching (Score:3)
Datacenter is more of a custom solution package than a version of windows. Yes.. it's a version of windows 2000.. but it's really a whole package.
In other words, it's a version of windows used by vendors to create huge custom solutions, usually for databases.
Re:customized solutions&patching (Score:2)
Get a guarantee within the contract (Score:3, Interesting)
It all boils down to trust (Score:5, Insightful)
Then you can negotiate all the details. And remember: 99.999% uptime does not mean that your server stay up that long, but that you have only an unscheduled downtime of 0.001% or less. Applying a patch is, in nearly every case, a scheduled downtime and does not count.
Now imagine you really, really need this patch: you can urge your OEM to install it and keep him free from all responsibility (e. g. a server crash after this does not count to the unscheduled downtime, because it was your decision to apply it). If you trust him to play fair, that's fair for both of you.If the OEM is trustworthy, he'll do what you order him to do, but in that case you will be responsible for the outcome as well.You can't burden someone with responsibility if he can't make the decision (unless you don't play fair).
Re:It all boils down to trust (Score:2)
It depends on who writes the contract. I maintain servers with a 5x9's availability (not uptime, that is something different) guaranteed, the metric is taken at the end of every month for the previous 12 months of operation for a period of 6 years. The 5x9's include no scheduled downtime, we always switch in a fully tested duplicate system for the biannual hardware maintenance. If we ever have a crash that takes out the whole system for more than 7 minutes, we can write our bonuses goodbye for the next 13 months. The bonuses are the only form of profit built into the contract after all the engineering costs are covered.
The real question is: can you trust your OEM?
No, the real question is whether your management is stupid enough to believe a vendor offering a mythical 5x9's availability without a well developed plan for redundant hardware switchover, mirrored machines, raid storage, onsite spare hardware, experienced engineers who live within 30 minutes drive from your site with a goddamned pager surgically attached[end rantlet]. Did I forget to mention the motorcycles in case of large traffic jams
To offer 5x9's, the vendor must provide their own power (a battery room built by a qualified company), local stocks of spare hardware, and be able to supply a complete duplicate system within a few hours. At every one of our 5x9's sites, we have our own office space, with our own phones and our own internet connection.
As you can tell, a real 5x9's contract costs about 5 times as much as a regular installation. A real 5x9's contract always specifies the length of time to measure against, usually over a number of years, often as a moving average for the previous year or 24 months. A real 5x9's system isn't delivered on a custom burned CD-R so the client can fuck up the installation.
the AC
Re:It all boils down to trust (Score:2)
(There are answers, but those folk aren't honest.)
OEM's are required to give 24/7 support. (Score:3, Informative)
This article raises a very good point, but Microsoft's idea behind datacenter was they hat total control over the hardware environment, and they made sure OEMs would stand behind it too, so I'd be very surprised (and dissapointed) if the OEM didn't contact their customers *immediately* with patches whenever there was a hole (and I'd guess they are pretty busy too
Datacenter, advanced server and a firewall (Score:2)
Just my opinion, buy hey, I'm a linux guy...
Re:Datacenter, advanced server and a firewall (Score:2)
Not likely. In this configuration, the database runs SQL server and nothing else. There is a firewall between the web and data tier with one, maybe two ports turned on. Besides, you can patch the web server.
DUH! :) (Score:4, Funny)
It's *just that simple*, can you believe it? Every time Nimda hits your machine, just wipe out the system drives, reformat and re-install! Easy, right? Sure you may have to reinstall 40 or 50 times a day, but again, if you are familiar with M$ software, you'll know you need tons of backup machines that you can swap out as needed with your infected machines. Make an assembly line of it. Have one guy reformatting, another guy reinstalling and a third guy disconnecting the infected boxes and plugging the fresh machines into the network!
Now, where do you want to go today?
Redundancy? (Score:2, Insightful)
But what about Redundancy? That's one thing I don't like about this "datacenter" why should there be only one? Or.. why should an application have to call for just "one" server? Wouldn't it be more wise to develop the application across a dual array of servers? Each one of these servers could be easily patched in a matter of minutes, at the same time. (Say windows2k advanced servers.
I'm personally not a fan of MS server products.. Although I have had to use them for quite a few applications.. but there has to be a way to get by the "necesity" for DataCenter Server.
The good sides of Mainframe Mentality... (Score:5, Insightful)
This is commonly refered to as the Mainframe Mentality: these systems are so critical to a business, you don't make any changes to them unless these changes are a. absolutely critical and b. have been tested extensively in the exact configuration you'll be running them.
Now, it may seem that this would cause every Windows 2000 Datacenter server to be instantly infected with Code Red and friends, but in reality this will not be the case, because:
1. You don't expose your Datacenter servers to the Internet -- never. No matter if you're running Microsoft, AIX, Solaris or Linux: only trusted systems should have strict "need to know" access to your server;
2. Datacenter-type servers typically don't run HTTP servers. You would scale out HTTPDs (more boxes), not scale them up (bigger boxes). Also see rule 1;
3. The config of your Datacenter server is the bare minimum. So, in the case of Windows 2000, you would not ever run IIS or Index Server (the true culprit in case Code Red et al...) on it, just your database server and perhaps your business logic (although that, again, tends to scale out better than it scales up).
In summary: security hotfixes and Datacenter-type environments tend to be mutually exclusive. If you need a patch to your Datacenter server, it pretty much needs to be custom-developed for you. Fortunately, since Datacenter setups are not typically designed by the clueless individuals that gave Code Red free reign, this tends not to be an issue in real life.
Re:The good sides of Mainframe Mentality... (Score:2, Interesting)
1: It got spanked by nimda. It's inside the corp. firewall, but the virus got into the network via email. Once inside, that particular region of the network is largely insecure. We're running it in a lab/demo environment, so security is not a huge concern.
2: The damned thing shipped with IIS installed and running. Since it's the only OEM OS we have in our lab, I didn't notice it there in the three days the box was plugged in.
3: see 2.
Called the vendor. Support was !ofclue about patches. The best I could do was apply all of the IIS-related patches, disable all MS internet services, and clean the hell out of the system. Love me some MS.
Re:The good sides of Mainframe Mentality... (Score:2)
Firewall don't stop users from bringing in infected laptops from home that start infecting production machines. --- Firewalls are a false illusion of safety. Stupid users can always bypass security at any time.
I've seen you before. You were spewing the same tripe then as now
Firewalls do stop users when they lie between the server and everything else. If i were configuring a database server, it would have two ports accessible from the corp - ssh and the database. Nimda can't do much over that.
Also, if your users can get physical access to a datacenter style box, you're boned. That's just a given
Re:The good sides of Mainframe Mentality... (Score:2)
,i>So _trusted_ systems means your tech support teams Windows based computers
Of course not. Trusted means the other machines in the cluster and a port through the firewall to untruster SQL clients or whatever your Datacenter box does. And, if you run IIS on that thing, you had better not allow anything to talk to it. Do that and I will point and laugh.
Unanswered Question (Score:4, Funny)
Does Windows 2000 Datacenter ship with 3-D Pinball installed by default? If so, is it in the Start menu?
That's all. Thanks.
Re:Unanswered Question (Score:2)
I'm guessing (Score:3, Interesting)
Incidentally, the iis vunerability was known since iis 4.0 was released. It was kept secret by MS because of the "If no one knows about it, no one will exploit it". I'm thinking the data center people get the patches that home users don't - sort of like netware's support, there is a $200 per support issue, but they will forward the problem all the way up to the guy who coded the section you are having a problem with.
The lame fuck of the day is 24.202.127.156
Uptime is a poor metric (Score:4, Insightful)
Specs are hard to write and all vendors have weasel clauses. Just look at insurance policies - damage due to acts of war are generally excluded. With cracking being described as a "terrorist act" you could end up with exploits not being covered.
A big common exclusion is "unscheduled" downtime. One of our vendors would see a router or firewall machine starting to act funny and then quickly "schedule" some emergency downtime that night to reboot it thus avoiding having to pay.
I have not had good experience with outsourcing - never forget that these are the same bunch of folks who are getting skewered for lousy tech support for poor end-users who have paid extra for support packages. Attitudes don't change much across corporations.
Before I would spend the bucks for any sort of "managed services" I would make sure that the vendor guaranteed 100% availibility without exception. Availibility must be defined as a maximum latency (ie. no end user will wait more than 750ms for a response or whatever is needed).
Rationale? Any app that requires this type of support must be available to the end user without fail. That's why you pay the bucks.
OS is "up" but web server is compromised or down? It's no good to the user. The downtime was scheduled? End user doesn't care.
Why 100%? Why not. They are already guaranteeing less than 316 seconds per year of downtime. Let them work their payments for that downtime into the contract cost. I don't want to have to total up downtime and argue over when the year started. I want the vendor to know that any downtime costs them bucks. No argument, no weasel clauses, no exceptions (better keep those machines maintained, protected and patched).
Been there - been burned. We moved our servers from a "managed solution provider" to a generic server farm and got far better service for one tenth the cost.
Re:Uptime is a poor metric (Score:2)
Think firewall + watchdog functionality (Score:5, Informative)
the later iptables have a string-patch included, which allow you to target certain port/string combo's, with this it is easy to block worms from the webserver, as long as you know what request it makes.
exampple to block cmd.exe access (taken from my own internal firewall scripts, this will block nimda)
$IPTABLES -A INPUT -p tcp -i ! $INTERNAL --dport 80 -m limit \
--limit $LIMITLEVEL -m string --string "/cmd.exe" \
-m state --state ESTABLISHED -j LOG \
--log-level $LOGLEVEL \
--log-prefix "MS IIS cmd.exe usage:"
$IPTABLES -A INPUT -p tcp -o ! $INTERNAL --dport 80 -m limit \
--limit $LIMITLEVEL -m string --string "/cmd.exe" \
m state --state ESTABLISHED -j LOG \
--log-level $LOGLEVEL \
--log-prefix "MS IIS cmd.exe usage:"
$IPTABLES -A INPUT -p tcp -i ! $INTERNAL --dport 80 -m string \
--string "/cmd.exe" -m state --state ESTABLISHED\
-j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p tcp -o ! $INTERNAL --dport 80 -m string \
--string "/cmd.exe" -m state --state ESTABLISHED\
-j REJECT --reject-with tcp-reset
If you wanted to block codered, filter on
(see iptables docs for more info)
G'luck
Re:Think firewall + watchdog functionality (Score:3, Informative)
Put the datacenter server behind a firewall
better yet, don't run a webserver on your datacenter
Odd question (Score:3, Insightful)
So in short to answer your question when it comes to code red or nimda you really should not have a problem if you are a good admin. The same is true in the linux world and newbie web programmers that do things like system calls without checking out what is going to be called. If you call something that the users passes to you then obviously they can do things like tracrt ip; rm -rf / and your code would let it. This is not perls fault or php's fault or any other languages fault it is the programmers fault.
As much as I dislike windows, mainly because I have been an asp programmer for a long time and I would rather use linux and do perl programming (which I do now), Microsoft is somewhat right in that a knowledgable sysadmin already had the holes fixed. At the same time they should not send out software with issues like that.
No IIS on the terminal servers (Score:2)
Slashdot filter code (Score:2)
Loaded statement... entering Slashdot filter code...
Made by Slashdot author = PASS...
Negative against Microsoft = PASS...
Vaguely positive to Open Source operating systems = PASS...
Good to go.
Thank you for your answers (Score:4, Informative)
As far as terminal server and IIS, you need IIS if you want to use the Terminal Server Advanced Client and go in through the web. I was originally taught to use TS through IE and forgot going in through the TS client.
If we do go with Datacenter, the servers will host SQL 2000 Enterprise in a clustered enviroment. We currently use SQL and have a propritery in house written app for it.
And as far as the Code Red holes being found months prior to infection, I just used this as an example. I remember in 1997 and 1998 NT had new security holes every week. Windows 2000 is slightly better. 6 months ago I remember downloading hotfixes that will appear in service pack 3.
My question still remains, if a new flaw in IIS, the kernel or any other part of the OS is found how long are we supposed to wait for a fix? I forgot the specifics, but I'm pretty sure the compaq people said they customize the source code for your enviroment. They will need a copy of our in-house app, get in touch with the EMC engineers because our EMC box will be our clustered storage and analyze everything else. Then we will get a CD with a customized copy of Windows 2000 Datacenter. Like EMC, the servers will be monitored by another company and they will most likely know of any problems before us. Every so often we will get a new CD with updates, service packs, etc customized for us. But if a new worm comes out in a few months that exploits some currently unknown flaw in Win2000 or any other part of the OS, will we be dead in the water while we wait for a patch? After September 11th we were calling EMC for tech support on our Symetrix and we were basically told get in line. They had richer customers to support first.
Re: (Score:3, Insightful)
Re:Thank you for your answers (Score:2)
Re:Thank you for your answers (Score:2)
Then you will realize you won't have an IIS server on your SQL Server box anyway, because it's unnecessary. So you won't be at risk to Code Red or Nimda or any similar IIS Worm. Even if you did have IIS, you'd lock down the install by removing the various ISAPI filters and such that were exploited, so even without the patches you would never have been vulnerable.
Then your going to go out and subscribe to the advisories from microsoft.com/security, sans.org, securityfocus, ntbugtraq, etc... so you won't have to worry about waiting a few months you will know about them the day they hit the streets.
I think the training will help, in conjunction with a better understanding of exactly what you are doing you can be pretty confident about your installation. If you want to lock it down, you can... and I'd say it's advisable to do so.
No patches needed to block Nimda and Code Red (Score:3, Informative)
Get your facts straight first (Score:4, Informative)
The issues mentioned in this article are null & void, as a situation like that would most likely never, ever happen. (Then again, you picked Compaq as your OEM, so maybe...*insert rim shot here*)
Woah, big misunderstanding... (Score:3, Insightful)
Is there something I'm missing?
Absolutely. You've got your timelines backwards.
Worms come out a few months after the bugs have been discovered and patches have been made available. We're talking months here. Code Red came out more than 2 months after the bug had been discovered and patches created.
Microsoft has had their patches out in the wild within a few days of a major bug being discovered. The worms however take much longer to be created/deployed/spread. Although it is possible for the worms to come out much faster, they will still be lagged behind the discovery of the bug, and the patches are issued almost immediately.
And if you have an agreement with your provider that you will have 99.999% uptime, then you better believe that they will be phoning you at 2am in the morning to tell you that they're coming over to install a new patch lest they break their contract.
Re:Woah, big misunderstanding... (Score:2)
Re:Woah, big misunderstanding... (Score:2)
Re:Woah, big misunderstanding... (Score:2)
I believe this is called playing telephone, where the story distorts itself the further from the source it gets...
Re:Woah, big misunderstanding... (Score:2)
It specifically mentioned one product
Re:Woah, big misunderstanding... (Score:2)
- How about when hackers stole some of the source code from Microsoft?
To what are you referring? I know of nothing of the sort.Microsoft got infected with the QAZ notepad virus (as did my own company) which installs a backdoor on the compromised machine. However, it doesn't actively tunnel out through firewalls, so it's vanishingly unlikely that any machine on the M$ LAN was hit. For the source to have been compromised, it would have had to have been on an employee's home machine, and that employee would have had to not be running a firewall.
It's possible that the source was ripped from an M$ machine, but there are softer targets out there; .edu's and .mil's can get access to M$ source, for example.
Question about Databases and clustering. (Score:2)
Intuition tells me no, which is why you see so many large database servers.
But is it possible at all?
Re:Question about Databases and clustering. (Score:2)
SQL 2000 Enterprise and Exchange 2000 Enterprise support clustering on advanced server and datacenter server. I assume they support network load balancing too.
Thanks. but.. (Score:2)
Load balancing is NOTHING like beowulf.. beowulf is about using appropriate parallel-processing libraries (PVM, etc) to squeeze performance out of a cluster of machines.
As for the machines 'supporting clustering'.. that's an industry buzzword that's not terribly meaningful. ALL operating systems 'support network load balancing' in this respect.
Win2k advanced server & datacenter do NOT automatically cluster anything; clustering is application specific.
My question is whether database servers in particular can be clustered in order to increase performance (some queries to one machine, some to another). My theory is that they generally can't, because, in order to remain coherent, each machine would have to receive all transactions anyway.
(Certianly lookups could be done with replicated databases.. that's not what I mean though.. I mean real transaction processing stuff)
www.tpc.org (Score:2)
Windows 2002/XP Datacenter (Score:2)
Rate parent funny +1 (Score:2)
Let me see, 99.999% uptime on a windows system. That translates to 4 minutes and 12 seconds downtime per year. I don't know about you guys, but on this planet that's not what I call a credible proposition. On windows, that' more like winning the lottery. I surely hope somebody in that meeting had the sense to laugh.
Unisys and Datacenter (Score:2, Informative)
Nice Comments (Score:3, Insightful)
It's nice to see Slashdot as a technical community, not just a Linux one. I know, I know, *nix is the preferred OS of many of the readers/posters, but it's nice to see such an array of comments and extremely constructive ideas and comments. Nice Comments, all.
Hogwash (Score:2)
hogwash.sourceforge.net
Re:Linux (Score:2)
It's open source. if the maintainer of that specific package don't come with a solution in less than 24h FIX IT YOURSELF. you have the code for G_d sake...
Re:Linux (Score:2)
2 Things you can do if you find a security hole in a linux server:
1. You can
2. You can hire anyone else to do it for you, not just the vendor.
Those are 2 things you can't do with things like win2000 datacenter.
Re:Uptime guarantee (Score:2, Insightful)
None of my NT boxes can do that. My SCO box (nicknamed "The Uptime Server") is down only when I wish it down.
Re:Patching Rant... (Score:2)
I have nothing against him getting laid. My problem is he doesn't do his job, and when he does do it he screws everything up. The fact that our production servers got infected with the Nimda virus was just one example.
And just for the record, I DO go out, get drunk and get laid. I also rock climb, dance and hang out with friends.
Now, to the intelligent AC - Thanks for the tips.
I'm already working with the CTO and CIO to get the ports blocked. Sadly, the chucklehead is the one who would make the change in the firewall, so I have to figure out a way to get the change assigned to myself or the CTO.
The monitoring software is on the way. I've wanted it for ages, but the company owner didn't OK the purchase until we had a CTO. It's interesting that when I (25 year old tech) propose an idea it gets shot down, but when our CTO (Early 40's, an experienced tech, but studying for law exams) puts fourth the exact same idea it gets snapped up and hailed as revolutionary. If the CTO wasn't a damn smart guy who has a bunch of other good ideas I never thought of I'd be annoyed.
The CTO knows this guy is a nit-wit, and is forcing him to take the A+ exam. Once he fails....
Restricting his bandwidth is an excellent idea. I could cut him down to 1k and he'd never realize there was anything wrong (except for the plummeting performance that is) Knowing him, he'd reinstall Windows before he checked anything else, and that would take him out for a good three days.
Anyone know off hand if Morpheous or Limewire keep any logs of downloaded files?
After my initial post I read the most recent edition of the BOFH, and liked the changes the BOFH made to some text he got off the Internet...
http://www.theregister.co.uk/content/30/22378.h
Sadly, starting an STD rumor with this group might give one of the females an "It's OK, he already has it, I won't infect him," moment
Where did I put that copy of "Evil Geniuses for Dummies?"