OSNews

With Microsoft, security has always been an afterthought. They'll add all that administrator stuff during the final RC3 phase.

If they have time, what with eternity looming since XP was released...

ok, so 'in development' means that you can skip the security ? Interesting thought. If programmers already have trouble in remembering passwords and enabling them, how would the rest of the product be ?

I even know alpha quality code that works better and is more safe than production code of MS.

Security is something that should be written from ground up, not as an aftermarket item that may be purchased separately.

The sad thing is, Microsoft claimed they 'learned' from their mistake with XP.
In XP, security was an afterthought (not just with MS - in 2001 no one gave a damn about security really).

They <em>did</em> do right with Vista... But I mean, you would expect the server OS to be even <em>more</em> secure, wouldn't you?

Yet, it isn't... Sad.

From Wikipedia:

"The term release candidate refers to a final product, ready to release unless fatal bugs emerge. In this stage, the product features all designed functionalities and no known showstopper class bugs."

So no, not still in development.

There is still a deployment process and part of that deployment process could be switching a flag to enables asking for an admin password during install.

IF it's that simple, then why didn't they bloody well turn it on then already?????

Or better yet, during installation, refuse to continue the installation programme until a password has been entered that is of a decent quality - 7 characters long, and not a real, dictionary based word, whch should stop dictionary based cracking attacks.

That's how Windows Server 2003 is... It's REALLY secure - so far since '02 only 6 major vulnerabilities... actually better than linux/BSD... but Windows' has a legacy and a curse, and with LH, it's back.

True, but the issue is more to do with the Microsoft culture rather than NT itself; NT has the potential to be the most secure operating system out there, had they stuck to the original NT design, but they chose to compromise for the sake of convienence, ease of use and compatibility - its all coming back to bite them in the ass.

Personally, if they did do the above, it would be the *perfect* opportunity to offer customers *deep* discounts on upgrades and competitive upgrades for Microsofts middleware.

There is still a deployment process and part of that deployment process could be switching a flag to enables asking for an admin password during install.

There is simply no reason whatsoever to do that. You don't just turn these things on. They need to enabled right throughout the development process so people can actually see that it works.

Longhorn isn't in the release candidate stage. Do not confuse Vista and Longhorn server -- they're two seperate products.

Longhorn Server is not at the Release Candidate stage, only Windows Vista is.

What if you are testing the installation for security and where it is at with it??? I would think that security would play a role in any evaluation of a server product...

If its not there now I would feel little off knowing that it can be added at a whim... To me that says that it can be removed as easily.

I believe you are right.

Who said anything about local?
That's what makes it so disasterous: the DOMAIN admin account, the one that has complete control over everywhere and all over the domain - over every single PC joined to the domain, over the AD, over the DNS, over the DHCP and the ISA server and Exchange.

That one password controls everything that's why it's THIS serious and that big of a deal..

Thank god for organizations like NST that point these things out - I think if no one said anything LH would ship with "admin" as the default password and no way to change it.

You cannot connect remotely to an account on a Windows system (XP and above) that does not have a password set.

"Yet you can log onto any PC AS a user with no password and from there you can do whatever the hell you want.

It is a catastrophe."

Not in a domain model you can't, and only in very special circumstances should local accounts be used.

Only if you are doing it locally. If you have local access, you can do whatever you want anyway. No one can login remotely to the account whether it is on a domain or not.

That's bullshit.
MS does care, obviously that is how they get their money... But they have something wrong in their heads that just how hard they try they can't get the very simple stuff right.

Anyway, I don't care about Windows at all. Not using it at all.. Only as gaming console with all services, funky colors turned off

I always find it amusing when I see posters claim they don't care about Microsoft, yet they open threads about Microsoft products, and post comments.

What the HELL does that have to do with Security????

Go talk to spamhaus and Brightmail.... and stop ranting about garbage.