Linked by Thom Holwerda on Thu 12th Oct 2006 15:09 UTC, submitted by Dolphin
Windows 'The most secure Windows ever' may be very secure from hackers and malware - but what do you do when Longhorn Server lets you install the OS, set up Active Directory, and initialize the domain without once asking you to even create an administrator password? "What happened to Windows Server? Where did all of the stringent security checks and ultra-protection of Windows Server 2003 go? Windows Server 2000 was quite insecure, and Windows Server 2003 turned over a new leaf... But it seems Microsoft is more than willing to flip that page back - even Windows Server 2000 required an Administrator password at the very least."
Forgive me
by DaBigEnchilada on Thu 12th Oct 2006 15:19 UTC
DaBigEnchilada
Member since:
2006-01-10

Sorry for the stupid comment, but:
Ha ha ha.

I'm not really a Microsoft hater, but following the "saga of Longhorn" has been pretty fun.

Reply Score: 1

funny!
by cmost on Thu 12th Oct 2006 10:24 UTC
cmost
Member since:
2006-07-16

With Microsoft, security has always been an afterthought. They'll add all that administrator stuff during the final RC3 phase.

Reply Score: 1

RE: funny!
by Shaman on Thu 12th Oct 2006 15:58 UTC in reply to "funny!"
Shaman Member since:
2005-11-15

"With Microsoft, security has always been an afterthought. They'll add all that administrator stuff during the final RC3 phase."

If they have time, what with eternity looming since XP was released...

Reply Score: 0

Second link
by dylansmrjones on Thu 12th Oct 2006 15:47 UTC
dylansmrjones
Member since:
2005-10-02

The second link leads to the OSN-comments of this story? Woot O_o

Reply Score: 2

in development
by evert on Thu 12th Oct 2006 16:31 UTC
evert
Member since:
2005-07-06

I don't see why setting an admin password is important for installations that will last for a week, installations that will never be used in a production environment.

come on, longhorn server is still in development, the programmers have better things to do than to remember passwords. enabling passwords and complexity rules is trivial as soon as longhorn server leaves the alpha stage and becomes beta.

Reply Score: 2

RE: in development
by linux-it on Thu 12th Oct 2006 16:38 UTC in reply to "in development"
linux-it Member since:
2006-07-13

ok, so 'in development' means that you can skip the security? Interesting thought. If programmers already have trouble in remembering passwords and enabling them, how would the rest of the product be?

I even know alpha quality code that works better and is more safe than production code of MS.

Security is something that should be written from ground up, not as an aftermarket item that may be purchased separately.

Reply Score: 3

RE[2]: in development
by Dolphin on Thu 12th Oct 2006 16:51 UTC in reply to "RE: in development"
Dolphin Member since:
2006-05-01

The sad thing is, Microsoft claimed they 'learned' from their mistake with XP.
In XP, security was an afterthought (not just with MS - in 2001 no one gave a damn about security really).

They *did* do right with Vista... But I mean, you would expect the server OS to be even *more* secure, wouldn't you?

Yet, it isn't... Sad.

Reply Score: 1

RE: in development
by shiny on Thu 12th Oct 2006 16:49 UTC in reply to "in development"
shiny Member since:
2005-08-09

From Wikipedia:

"The term release candidate refers to a final product, ready to release unless fatal bugs emerge. In this stage, the product features all designed functionalities and no known showstopper class bugs."

So no, not still in development.

Reply Score: 2

RE[2]: in development
by sappyvcv on Thu 12th Oct 2006 17:11 UTC in reply to "RE: in development"
sappyvcv Member since:
2005-07-06

There is still a deployment process and part of that deployment process could be switching a flag to enable asking for an admin password during install.

Reply Score: 1

RE[3]: in development
by Dolphin on Thu 12th Oct 2006 17:14 UTC in reply to "RE[2]: in development"
Dolphin Member since:
2006-05-01

IF it's that simple, then why didn't they bloody well turn it on then already?????

Reply Score: 1

RE[4]: in development
by kaiwai on Thu 12th Oct 2006 17:49 UTC in reply to "RE[3]: in development"
kaiwai Member since:
2005-07-06

Or better yet, during installation, refuse to continue the installation programme until a password has been entered that is of a decent quality - 7 characters long, and not a real, dictionary based word, which should stop dictionary based cracking attacks.

Reply Score: 1

RE[5]: in development
by Dolphin on Thu 12th Oct 2006 17:53 UTC in reply to "RE[4]: in development"
Dolphin Member since:
2006-05-01

That's how Windows Server 2003 is... It's REALLY secure - so far since '02 only 6 major vulnerabilities... actually better than Linux/BSD... but Windows has a legacy and a curse, and with LH, it's back.

Reply Score: 1

RE[6]: in development
by kaiwai on Fri 13th Oct 2006 04:31 UTC in reply to "RE[5]: in development"
kaiwai Member since:
2005-07-06

True, but the issue is more to do with the Microsoft culture rather than NT itself; NT has the potential to be the most secure operating system out there, had they stuck to the original NT design, but they chose to compromise for the sake of convenience, ease of use and compatibility - it's all coming back to bite them in the ass.

Personally, if they did do the above, it would be the *perfect* opportunity to offer customers *deep* discounts on upgrades and competitive upgrades for Microsoft's middleware.

Reply Score: 2

RE[3]: in development
by segedunum on Fri 13th Oct 2006 12:32 UTC in reply to "RE[2]: in development"
segedunum Member since:
2005-07-06

"There is still a deployment process and part of that deployment process could be switching a flag to enable asking for an admin password during install."

There is simply no reason whatsoever to do that. You don't just turn these things on. They need to be enabled right throughout the development process so people can actually see that it works.

Reply Score: 1

RE[2]: in development
by eMagius on Thu 12th Oct 2006 18:21 UTC in reply to "RE: in development"
eMagius Member since:
2005-07-06

Longhorn isn't in the release candidate stage. Do not confuse Vista and Longhorn server -- they're two separate products.

Reply Score: 2

RE[2]: in development
by n4cer on Thu 12th Oct 2006 19:00 UTC in reply to "RE: in development"
n4cer Member since:
2005-07-06

Longhorn Server is not at the Release Candidate stage, only Windows Vista is.

Reply Score: 3

RE: in development
by jakesdad on Thu 12th Oct 2006 16:51 UTC in reply to "in development"
jakesdad Member since:
2005-12-28

What if you are testing the installation for security and where it is at with it??? I would think that security would play a role in any evaluation of a server product...

If it's not there now I would feel a little off knowing that it can be added at a whim... To me that says that it can be removed as easily.

Reply Score: 2

In a domain model
by NotParker on Thu 12th Oct 2006 16:56 UTC
NotParker
Member since:
2006-06-01

In a domain model there are no local administrator accounts on a domain controller therefore why ask for a password for an account that doesn't exist?

Edited 2006-10-12 16:59

Reply Score: 4

RE: In a domain model
by Southern.Pride on Thu 12th Oct 2006 16:58 UTC in reply to "In a domain model"
Southern.Pride Member since:
2006-09-14

I believe you are right.

Reply Score: 1

RE: In a domain model
by Dolphin on Thu 12th Oct 2006 17:08 UTC in reply to "In a domain model"
Dolphin Member since:
2006-05-01

Who said anything about local?
That's what makes it so disastrous: the DOMAIN admin account, the one that has complete control over everywhere and all over the domain - over every single PC joined to the domain, over the AD, over the DNS, over the DHCP and the ISA server and Exchange.

That one password controls everything; that's why it's THIS serious and that big of a deal.

Thank god for organizations like NST that point these things out - I think if no one said anything LH would ship with "admin" as the default password and no way to change it.

Reply Score: 3

RE[2]: In a domain model
by n4cer on Thu 12th Oct 2006 19:04 UTC in reply to "RE: In a domain model"
n4cer Member since:
2005-07-06

You cannot connect remotely to an account on a Windows system (XP and above) that does not have a password set.

Reply Score: 2

v RE[3]: In a domain model
by Dolphin on Thu 12th Oct 2006 19:49 UTC in reply to "RE[2]: In a domain model"
RE[4]: In a domain model
by DrillSgt on Thu 12th Oct 2006 20:31 UTC in reply to "RE[3]: In a domain model"
DrillSgt Member since:
2005-12-02

"Yet you can log onto any PC AS a user with no password and from there you can do whatever the hell you want.

It is a catastrophe."


Not in a domain model you can't, and only in very special circumstances should local accounts be used.

Reply Score: 2

RE[4]: In a domain model
by n4cer on Thu 12th Oct 2006 20:58 UTC in reply to "RE[3]: In a domain model"
n4cer Member since:
2005-07-06

Only if you are doing it locally. If you have local access, you can do whatever you want anyway. No one can login remotely to the account whether it is on a domain or not.

Reply Score: 2

v MS
by Phoenix49 on Thu 12th Oct 2006 17:50 UTC
RE: MS
by Dolphin on Thu 12th Oct 2006 17:55 UTC in reply to "MS"
Dolphin Member since:
2006-05-01

That's bullshit.
MS does care, obviously that is how they get their money... But they have something wrong in their heads that just how hard they try they can't get the very simple stuff right.

Reply Score: 1

RE: MS
by Harald on Thu 12th Oct 2006 21:03 UTC in reply to "MS"
Harald Member since:
2006-03-10

"Anyway, I don't care about Windows at all. Not using it at all.. Only as gaming console with all services, funky colors turned off ;)"

I always find it amusing when I see posters claim they don't care about Microsoft, yet they open threads about Microsoft products, and post comments.

Reply Score: 2

v Building Up Anticipation
by bibe on Thu 12th Oct 2006 18:13 UTC
Likely just a function of "Roles"
by PlatformAgnostic on Thu 12th Oct 2006 21:09 UTC
PlatformAgnostic
Member since:
2006-01-02

I think LH server is meant to be configured into a particular role, which sets all of its security policy and installed software. Perhaps the role hasn't been configured yet in the dev build, so password reqs are off. Trust me, MSFT hires a lot of penetration testers and this would be caught right away if it were a problem.

Reply Score: 2

Bravo!
by ccchips on Fri 13th Oct 2006 02:25 UTC
ccchips
Member since:
2006-05-24

"Security is something that should be written from ground up, not as an aftermarket item that may be purchased separately."

As an unfortunate Windows administrator, I have to live this failure every day. Their notion of security is basically a slap in the face to the "worker" side of computer systems. Absolutely pathetic.

Windows 2003 was an improvement, but that doesn't matter, since there are literally millions of improperly-set-up Windows 2000 servers out there, running in production where changes are very dangerous to various companies' businesses.

You're also right that there's absolutely *no good reason* to let developers off the hook in this regard. Most of what runs on Microsoft platforms is applications, and my experience is that application developers couldn't care less about security unless they're forced to.

That is what Microsoft should have done in the first place, right from the start - forced application developers to operate in a secure environment.

Why, for example, did it take them until 2004 to develop an OS that formats hard drives with proper (or reasonably proper) permissions by default?

Reply Score: 1

Dolphin Member since:
2006-05-01

What the HELL does that have to do with Security????

Go talk to spamhaus and Brightmail.... and stop ranting about garbage.

Reply Score: 1

toot
by Weeman on Fri 13th Oct 2006 10:52 UTC
Weeman
Member since:
2006-03-20

Here's a clue:

Windows Vista RC1
Windows Longhorn Pre-Beta 3

Get the idea? I agree with someone on the first comment page that passwords on a beta version are a hassle. And for that matter, hitting C-A-D and setting it is so much goddamn work, ain't it?

Reply Score: 1

What's the problem?
by B. Janssen on Fri 13th Oct 2006 14:14 UTC
B. Janssen
Member since:
2006-10-11

AFAI recall Netware up to 5.1 -- after that we switched to GNU/Linux -- never asked for an Admin password during setup. Depending on the role of the machine we would set a password later on or not. Then, under Netware you could do zilch locally, how's it with MS Longhorn?

Reply Score: 1