Linked by Thom Holwerda on Wed 20th Jun 2007 20:07 UTC, submitted by Valour
OpenBSD "If you're a software enthusiast who has never used OpenBSD before, you might enjoy installing it by yourself and figuring it out as you go. If, however, you're looking for a more practical approach to using OpenBSD 4.1 on a desktop or server machine, here's a quick guide to get you started in this spectacular operating system."
Thread beginning with comment 249391
RE: Secure by default != Secure
by openwookie on Wed 20th Jun 2007 21:11 UTC in reply to "Secure by default != Secure"
openwookie Member since:
2006-04-25

The idea is that at least you are starting with a secure base, and do not have to take action in order to make it secure. This differs from other OSes where a fresh install is not secure at all unless the administrator does *something* first. For example, Windows 2003 requires a ton of patches after an initial install (along with turning off extra services) as the first step towards a secure system.

Reply Parent Score: 5

fretinator Member since:
2005-07-06

I think Microsoft is doing better in this regard. If I remember correctly, the default install of SQL Server (or MSDE) used to have an SA password of blank - ripe for the picking! Fresh installs of SQL Server 2005 require a password and have network connectivity shut off until you specifically enable it. Windows 2003 Server is also much more secure by default than 2000. However, I would still prefer a fresh install of OpenBSD.

One clarification to the article - it says OpenSSH is shut off until you specifically enable it. That makes it sound like you have to manually edit a file to enable it after install. The install asks if you want SSH enabled and it does it for you during the install process (unless they have changed this in 4.1).

Reply Parent Score: 4

flav2000 Member since:
2006-02-08

It's good for OpenBSD to have most services shut off by default. I guess that's a good compromise between usability and security.

In reality, the even better way to be secure by default is NOT to have any UNNEEDED applications installed in the first place.

As I said, the not-enabled-by-default approach is the best compromise between usability and security - I do want to point out that you can get even better security if tools are not installed to be exploited.

Reply Parent Score: 5

openwookie Member since:
2006-04-25

I think Microsoft is doing better in this regard

No doubt that they have improved, they just have a long ways to go, and were an easy target to illustrate my point.

Also, I just installed 4.1 on a server yesterday. Yes, it still prompts to ask if you want ssh enabled ;)

Reply Parent Score: 3

BluenoseJake Member since:
2005-08-11

Actually, installing updates is not the same as having a small attack surface to begin with, and Win2k3 is pretty locked down by default. It's certainly not OpenBSD, but you don't have to run around turning off services in 2003 like you did with Windows 2000 or XP.

Reply Parent Score: 3