Linked by Thom Holwerda on Fri 30th Mar 2007 20:41 UTC, submitted by Robert Escue
Privacy, Security, Encryption
In this article, Matthew uses nmap and nessus against actual installs of various operating systems as part of his research. A variety of operating systems were tested including Windows XP, Server 2003, Vista Ultimate, MacOS, FreeBSD, Solaris, Fedora Core, and Slackware. "As far as 'straight-out-of-box' conditions go, both Windows and OS X are ripe with remotely accessible vulnerabilities. Even before enabling the servers, Windows based machines contain numerous exploitable holes allowing attackers to not only access the system but also execute arbitrary code. Both OS X and Windows were susceptible to additional vulnerabilities after enabling the built-in services. Once patched, however, both companies support a product that is secure, at least from the outside. The UNIX and Linux variants present a much more robust exterior to the outside. Even when the pre-configured server binaries are enabled, each system generally maintained its integrity against remote attacks."
Thread beginning with comment 226301
RE[2]: Another one?
by bakanekov3 on Sun 1st Apr 2007 08:44 UTC in reply to "RE: Another one?"
bakanekov3 Member since: 2005-07-06

It does 'straight-out-of-the-box' conditions by going out of the way to enable everything on the Windows and OS X servers?

Score: 1

RE[3]: Another one?
by Robert Escue on Sun 1st Apr 2007 13:07 in reply to "RE[2]: Another one?"
Robert Escue Member since: 2005-07-08

And Matthew did the same thing for Solaris, so what exactly is your point? If for example, he had selected to limit network services during the installation of Solaris 10 11/06, or ran the netservices limited command (as root) his nmap scan would have looked like this (I used the same options as Matthew):

# ./nmap -P0 -sT -F -O -A 192.168.1.4

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-01 08:53 EDT
Interesting ports on 192.168.1.4:
Not shown: 1253 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh SunSSH 1.1 (protocol 2.0)
111/tcp open rpcbind 2-4 (rpc #100000)
7100/tcp open font-service Sun Solaris fs.auto
MAC Address: 00:07:E9:39:05:51 (Intel)
Device type: general purpose
Running: Sun Solaris 9|10
OS details: Sun Solaris 9 or 10
Uptime: 0.010 days (since Sun Apr 1 08:40:19 2007)
Network Distance: 1 hop
Service Info: OS: Solaris

OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 45.386 seconds

While the article might not be perfect, compared to other pieces published here Matthew's article is one that draws its facts and conclusions based on actual nmap and nessus scans, as opposed to adding up vulnerability reports or some other nonsense. So let's see, his methodology is clear and repeatable by anyone who has the skill to compile nmap and install and use nessus. His results can be independently verified (at least I verified his Solaris 10 results), his article is well researched, so I don't see the problem here!

Score: 5
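
Added example, not part of the original thread or of Matthew's article: one way to turn a scan like the one quoted above into a repeatable hardening check is to parse the port table from nmap's normal output and compare it with the services the host is expected to expose. The port lines are copied from the comment; the baseline and the function names are assumptions made for this illustration.

```python
import re

# Port table copied from the scan quoted in the comment above.
SCAN = """\
PORT STATE SERVICE VERSION
22/tcp open ssh SunSSH 1.1 (protocol 2.0)
111/tcp open rpcbind 2-4 (rpc #100000)
7100/tcp open font-service Sun Solaris fs.auto
MAC Address: 00:07:E9:39:05:51 (Intel)
"""

# Constructed baseline (an assumption): the only service this host should expose.
BASELINE = {(22, "tcp"): "ssh"}

# One row of the port table: PORT/PROTO STATE SERVICE [VERSION...]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_ports(text):
    """Return {(port, proto): (state, service, version)} from nmap normal output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            ports[(int(port), proto)] = (state, service, version or "")
    return ports


def audit(text, baseline):
    """Compare ports reported as exactly 'open' against the expected baseline."""
    open_ports = {k: v for k, v in parse_ports(text).items() if v[0] == "open"}
    return {
        # Listening services nobody signed off on.
        "unexpected": sorted(k for k in open_ports if k not in baseline),
        # Expected services that the scan did not find open.
        "missing": sorted(k for k in baseline if k not in open_ports),
        # Expected port, but a different service answered on it.
        "mismatched": sorted(k for k in open_ports
                             if k in baseline and open_ports[k][1] != baseline[k]),
    }


if __name__ == "__main__":
    for kind, entries in audit(SCAN, BASELINE).items():
        for port, proto in entries:
            print(f"{kind}: {port}/{proto}")
```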