“We evaluated the security features of Windows XP SP2 on a test machine, following a clean install of XP Pro with no configuration changes and no third-party software or drivers installed. We installed XP with the NTFS file system, choosing all of the factory defaults, then patched it with each recommended security update including SP-1 (required), before installing SP2.” Read the rest at TheRegister.
Most people would rather put up with the cheese holes in their current OS than install something new and scary. Sad but true. Microsoft knows this too, otherwise they’d be fumbling all over their code to patch things up.
Plus a lot of professionals benefit from these security holes, think about all the firewall guys, the virus checkers, the anti popup, window washers (et al), etc, etc …. For this reason alone you’ll have a lot of ardent MS fanatics. Why? Because it puts food on their table.
Same could be said about GNU/Linux, *BSD, Solaris, HP-UX, OS X, etc, etc ….
The author exaggerates. If M$ would disable Javascript users would go mad for little added security. Similarly, most users share files on their home network, so it makes sense the protocols are installed by default for that. They just should not be exposed to the internet…
It is true the WinXP security situation remains comparable with collecting water with a colander, but a fundamentalist stance at security will only make users switch off those security measures en masse, killing their effect.
The trouble here is that many programs need their system directories, the main example is games. This means you need administrator privileges. Most people don’t think to right click and hit “run as other user”. Microsoft needs to make an auto-detecting work-around for this, and companies need to fix their code…
According to this guy, the DNS Client is not needed on most home machines and should be disabled! Yeah, home users will really like having to remember IP addresses of every web site they want to visit. Come on!
I’m not saying that WinXP is not as leaky and insecure as they come, but this guy is positively anal about security. Turning off Javascript and the DNS and DHCP clients would pretty much render the Web unusable.
Did anyone else notice that the author kept referring to networking services that were “unnecessary on home machines?” It was my understanding that the difference between XP Pro and Home is that Pro is supposed to have more networking tools. If the author is so worried about networking components that are not needed on HOME machines, why is he not trying this with XP HOME Edition?
Don’t complain about a hammer not doing a good job of fixing your glasses. This looks like a case of using the wrong tool for the job and then complaining that it’s not a good tool. Then again, I’m writing from Mandrake 10.
MSFT classifies Javascript and ActiveX together. You can’t disable one without taking out the other.
Javascript for the most part is fairly safe. ActiveX is nothing but a target for viruses.
DNS client??? DHCP client you need to get an IP. Why do you need a cache of DNS servers??? That is why there are DNS servers. Linux users have a local hosts file if they want to override the default Domain Name Servers, but Windows doesn’t last I checked.
Windows has a host file, and it has nothing to do with “domain name servers”, as it has nothing to do with it in Linux either.
The article is a bit right on some points, and just trolling against Microsoft in all other points (as usual).
Most of the so called unneeded services are needed, everything is firewalled etc, stop the damn thing against Microsoft already. They ain’t right everywhere but they ain’t always 100% wrong.
MOST people need DHCP enabled unless they aren’t connected to the internet. And then it wouldn’t matter what it was set to. Of course this is for anyone (most people) that don’t have static IP addresses.
The firewall is useless, not because it’s bad. Most users will just click “ok” or “unblock” without even reading the info, to get their work done. Yes, I have seen it done many times before.
Some friend of mine had installed “updates notification” on his w98. It showed up once, and he was like “oh, this? I never read this, what’s it about?”.
Blocking outgoing traffic? Oh, come on! It would be too annoying to them, and they would immediately find a way to turn it off.
They said that ‘secondary login’ is unneeded, and they complain about using administrator account. Well what’s the point of secondary login service? So there would be no need to use an account with administrative rights. Programs that need it could be run with “run as” option.
Yes, most people do use administrator’s account, they just can’t be bothered with limited privileges. That would totally piss them off. “I can’t install this program, why? I can’t do {this, that, …}!”.
File and printer sharing disabled by default? Most people I know can’t live without it. And no, they don’t care about it being insecure…
And what more could Security Center do? Even throwing 10 warnings in user’s face won’t change anything.
Automatic Updates disabled and updates installed manually? LOL. Tell it to people who don’t even know that software should be patched. To those millions infected with blasters/sassers. Yes, I agree that some services should certainly be disabled, like remote registry (?), I also fail to see a point in QoS in desktop system, but not Automatic Updates!
(…) limited-access account (…). UNIX-compatible systems enforce this worthwhile discipline strictly
Really? Show me one. Beside some linux distributions, it was added to recently. Nothing stops you from logging in as root and doing ‘rm -rf /’.
SP2 is certainly not perfect, it’s *only* a service pack, but it IS an improvement. They had to make some compromises, XP is not 2003 server, where everything can be off by default.
I’m just sick of SP2 bashing.
Frankly, the benefits of SP2’s new security tools are clear and you’d have to be a fool not to want them
However, a lot of people will never be updating to SP2, among them the owners of Netgear MA101b Wifi adapters, which will connect to networks fine, but only with a 0kb/s transfer speed once SP2 is installed.
One of the patches MS built into SP2 breaks every single item in Netgear’s wifi range – and several Linksys adapters too.
Ironically, it was the “Wireless Protected Access” patch which was designed to improve wireless network security
Presumably by disabling the wireless network
I’ve seen next to no coverage in the tech press of the disastrous effect SP2 has on wifi networks, probably as most of the affected people are sitting behind their inaccessible routers, fuming, their strongly worded emails of complaint still stuck in their outboxes.
Instead, we get more of…. this. Largely inaccurate and done so many times before.
Let me say this here, again, as no-one else is. If you use Wifi, don’t upgrade to SP2 yet. Wait a while, see if the manufacturer of your parts issues an updated driver. Some manufacturers are pretending there’s no problem. Netgear for instance – the official site says their products aren’t affected by SP2.
this is a lie
I know a dozen users of their equipment and of those who have upgraded to SP2 we’ve seen a 100% network failure rate.
Actually, every unix admin I know disallows any login from root anywhere, console, terminal, ssh, X, etc and relies on su in order to do anything with administrative privileges.
So no…you can’t just “log in as root and rm -rf /”
it makes you really think about what you are going to do. It’s not difficult to do this, it’s just a change in one file.
the article is about home users not administrators, who won’t even touch config files.
I think those of you that are up in arms over shutting off DNS and DHCP clients are really missing the meat of this review. Seriously, this was a fantastic look at all the garbage in there that spanned 3 pages. And all you guys can say is OMG what an exaggeration because of 2 small items.
The point the author is making is that all these things should be off by *default* and turned on as needed. The things in question are worth thinking about, but yes some can and are questionable. I run private static addresses on my home network (192.168.2.xx). Therefore I don’t need extra unwanted services running.
The other point the author is making is that they make this too complicated for the average users. You can’t expect Jon Q Homeuser to have the know-how to go into Administrative Tools -> Services and have the first clue what to turn on or off. They should have most things off by default and a nice control panel tool that can be dumbed down for users. If they had that then the ISPs or application vendors etc could include the proper instructions for their particular setup. Instead most things are left open for convenience… which is also quite convenient for the bad guys.
Don’t even get me started on the SP2 firewall. It’s the most worthless POS I’ve seen. Shouldn’t even be called a firewall. 1. It blocks all incoming traffic but by default has an exception for remote assistance. 2. It doesn’t block outgoing traffic. So if you get a virus or worm your machine can still cause further mayhem. 2 doesn’t actually mean as much in the case of SP2’s firewall though because of… 3. Any third party process can simply shut the firewall off (yes that would include the malware).
SP2 is the first baby step in the right direction for MS. But, they are not even close yet. Even MS’s own security chief recently told Wired magazine that they are only 2.5 years into a 10 year plan to secure Windows. Translation: Windows is not secure now and it won’t be for a while.
Well, some folks disagree with the author and to some extent, I do as well.
1) Javascript: needed otherwise most web pages won’t work.
2) DNS: No one wants to remember IP addresses
3) DHCP: Not needed if you have a static IP address behind your router. This would cause some issues for dial up users. But killing off DHCP is one less service, faster boot and more memory.
Services that MS should kill or limit access (home users):
1) DCE there is no way to disable it from listening that I have found. This would be port 135, and no, do confuse this with net-bios.
2) NetBIOS name service. This should be killed.
3) NetBIOS datagram service. This should be killed
4) NetBIOS Session. This should be killed
4a) It should be noted that if you do not disable netbios completely, it will default to port 445 (raw).
5) Microsoft-ds. Kill this service (not for home)
6) Error Reporting. Kill this off.
7) Automatic Update. Experienced users should knock this one off. Most people forget to update their systems period. So, my opinion can go either way depending on the user’s experience.
8) ClipBook. Disable.
9) DCOM Server Process Launcher. Not needed or killed.
10) DHCP Client, needed for dialup and not needed for broadband users behind a router. Set up a static IP address, and don’t forget to fill in your DNS server info.
11) DNS Client, needed.
12) NetMeeting Remote Desktop Sharing. Not needed.
13) Network DDE, disabled. Not needed.
14) Network DDE DSDM, disabled. Not needed.
15) Remote Access Connection Manager, Not needed.
17) Remote Desktop Help Session Manager. Not needed.
18) Remote Procedure Call (RPC), Not needed. No way to disable it without disabling your system. DO NOT TOUCH THIS OR YOU WILL BREAK YOUR SYSTEM, IT WILL NOT BOOT IF YOU DISABLE THIS SERVICE.
19) Remote Registry. Not needed.
20) Routing and Remote Access. Not needed.
21) Secondary Logon. Not needed.
22) SSDP Discovery Service (UPnP discovery). Not needed.
23) TCP/IP NetBIOS Helper, Not needed.
24) Telnet. Not needed.
Use SSH instead (i.e. PuTTY)
25) Universal Plug and Play Device Host, Not needed.
26) WebClient, automatic Not needed.
27) Additionally, DCOM (Distributed COM). Not needed.
These are not all the services. Users will find wireless connections working when they don’t even have a wireless card and more.
Windows is easy to set up because every service is turned on, that would be the problem.
Other things that the author neglected to mention due to the scope of the article:
1) Change web browsers. Examples: Mozilla, Firefox, kmeleon. IE is a virus/spyware magnet.
http://www.mozilla.org for mozilla or firefox
http://www.kmeleon.org for kmeleon.
2) Don’t run as administrator. Because if you run in god-mode and run into some hostile script, that means that the hostile script runs in god-mode / administrator mode. Come on people, it’s not like you install software every few minutes.
3) Get a real firewall w/virus protection. Virus protection via Norton, McAfee, Sophos. Firewalls: Sygate, Norton, McAfee. Eventually, when MS comes out with their virus product, do yourselves a favor, buy one. Just like their firewall, it won’t be comprehensive.
4) Don’t use Windows Media Player, numerous exploits and we cannot forget about that all important spyware that is attached, which looks up your fav music and videos on the internet for you.
MS specializes in OS not firewalls/virus software. The vendors above cater to this market for corp and home users. Don’t depend on defaults.
A good place to start for some replacements is:
http://gnuwin.epfl.ch/en/
Putty, Media players and on and on. Games too, BZFlag, GLTron (fun games). Hey, Open Source is darn awesome.
As a final note, this is for the home user. Many users might have a LAN (or special needs) in their home and want file/print sharing. Understood. To repeat, this is for the home user with 1 pc.
Before disabling any service, realize what that service is really supposed to do. Yes, I know, most people want to click and go… Well, that’s why most users wind up with problems, viri, root kits and the list goes on. These are general guidelines. Understand the service and ports that you use before you disable them otherwise your system won’t work the way it is supposed to.
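The "understand the service before you disable it" advice in the comment above, as a read-only audit (an added example, not part of any commenter's post). It assumes PowerShell 3.0 or later, which postdates XP SP2, matches on the display names used in the list, and attaches the caveats other commenters raise in this thread; the function name `Get-ServiceAudit` is hypothetical.

```powershell
# Added example: read-only audit, changes nothing on the machine.
# Assumes PowerShell 3.0+ (Get-CimInstance, [ordered]).

# Display names as used in the comment's list. Each note is a caveat raised by
# a commenter in this thread, not vendor guidance; empty means nobody objected.
$candidates = [ordered]@{
    'Automatic Updates'                   = 'Disputed: several commenters want it on by default'
    'ClipBook'                            = ''
    'DCOM Server Process Launcher'        = ''
    'DHCP Client'                         = 'Needed for dial-up and where the router or ISP assigns addresses'
    'DNS Client'                          = 'Caching only; lookups still work when it is stopped'
    'NetMeeting Remote Desktop Sharing'   = 'A commenter suspects Remote Assistance uses it'
    'Network DDE'                         = ''
    'Network DDE DSDM'                    = ''
    'Remote Access Connection Manager'    = 'A commenter suspects Remote Assistance uses it'
    'Remote Desktop Help Session Manager' = 'A commenter suspects Remote Assistance uses it'
    'Remote Procedure Call (RPC)'         = 'DO NOT DISABLE: system will not boot'
    'Remote Registry'                     = ''
    'Routing and Remote Access'           = ''
    'Secondary Logon'                     = 'Needed for Run As'
    'SSDP Discovery Service'              = 'One commenter lost Mac file sharing without it'
    'TCP/IP NetBIOS Helper'               = ''
    'Telnet'                              = 'This is the Telnet server, not the client'
    'Universal Plug and Play Device Host' = ''
    'WebClient'                           = ''
}

function Get-ServiceAudit {
    param([System.Collections.IDictionary]$Candidates)

    # One query for all services, indexed by display name
    # (PowerShell hashtable keys are case-insensitive).
    $byDisplayName = @{}
    foreach ($s in (Get-CimInstance -ClassName Win32_Service)) {
        $byDisplayName[$s.DisplayName] = $s
    }

    foreach ($displayName in $Candidates.Keys) {
        $svc = $byDisplayName[$displayName]
        if (-not $svc) {
            # Many of these services no longer exist on current Windows versions.
            [pscustomobject]@{
                DisplayName       = $displayName
                StartMode         = '(not installed)'
                State             = '-'
                RunningDependents = ''
                ThreadCaveat      = $Candidates[$displayName]
            }
            continue
        }

        # Services that would stop working if this one were disabled.
        $dependents = (Get-Service -Name $svc.Name).DependentServices |
            Where-Object { $_.Status -eq 'Running' } |
            ForEach-Object { $_.Name }

        [pscustomobject]@{
            DisplayName       = $displayName
            StartMode         = $svc.StartMode   # Auto, Manual or Disabled
            State             = $svc.State       # Running, Stopped, ...
            RunningDependents = $dependents -join ', '
            ThreadCaveat      = $Candidates[$displayName]
        }
    }
}

Get-ServiceAudit -Candidates $candidates | Format-Table -AutoSize -Wrap
```

A non-empty RunningDependents column is the quickest sign that disabling the service will break something else on that machine.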
The author makes it pretty clear he doesn’t expect anyone to be running a network at home. I would say the opposite is the case in a good deal of homes these days (certainly in the U.S.).
While the author makes some good points, he appears really paranoid about security on a home computer system.
Like we’re all going to spend hours attempting to drill into a system connected via AOL Broadband just to checkout the photos of their grandkids. LMAO
One comment on your brief services guide.
If you disable SSDP Discovery Service you can’t share files with Apple Mac computers on your network. Doesn’t affect everyone but caused me a whole world of pain going through settings one-by-one until I discovered this.
I have no idea why this should be the case, it certainly doesn’t affect Windows file sharing but OSX shares become unavailable if SSDP-DS is disabled or stopped, and Remote Desktop Client for Mac also plays up or refuses to connect without it.
Regarding the “DNS client”, it’s a badly named service. It is actually a DNS caching client. Disabling it does not disable dns lookups, it disables dns caching. You can still browse the internet no problem. Instead of looking locally, every name lookup will result in a round-trip to your dns server.
Go ahead and disable it – you’ll see for yourself name resolution still works.
This was the most biased article I have ever read in my life. If it was about Linux it would have told the benefits of having a service turned ‘on’. Instead he goes on and on about network services. Also this was on Windows XP Pro not Home edition, the author could find fault with God.
Anyone who takes the ‘Register’ as serious needs to be buying swamp land in Florida.
There is NO perfect operating system, code, or any other application that is foolproof. If anyone thinks so they are not living in reality.
But all in all, they were out to bash MS and its software, stating in the end it is too dangerous to use. Come on get serious, I think anyone reading the ‘Register’ needs a mental evaluation (if read on a daily basis).
A real Tech site needs to evaluate this SP2 not some Anti-MS site…
Mr. Greene is living 20 years in the past.
It’s 2004 Mr. Greene, not 1984, and we don’t use punch cards here any more on planet Earth.
Most homes have more than one computer and have them networked to share files and printers.
Most people email their family members some pictures regularly and html email is the norm.
Most kids these days install new games almost daily, run various file sharing and messaging software, administer their own websites and/or forums (i.e. gaming or clan site) and are probably more computer literate than Mr. Greene.
These kids are the administrators of their computers.
Java, javascript, and ActiveX exist to give websites added functionality and better user experience
Turning these off is going back to the early days of the web.
From the article, one would have a hard time guessing whether Mr. Greene is competent or qualified to write about computers and much less about security at all.
Mr. Greene do you have any insightful tips for us Slackware Linux users? Please, we are all ears, always eager to learn some new tricks how to make our computers more secure.
How about a few insights for my Smoothwall? No?
LOL.
After all the negative responses he is getting here, he’ll probably crawl back under his green terminal connected with a 2400bps modem to his $1/month ISP, fire up Pine and email (text only) to his WWII buddies about how nasty the Osnews readers are.
Get real man, it’s 2004.
Excellent reply, I agree why not use a ‘text based browser in a term window’…
After all, the internet is so horrible one may not survive to tell about it.
Lastly, kids today are POWERUSERS not clicking on icons, they are writing code and know how to build pc’s. They know more about operating system’s tweaks and fixes than 20 year old vets in the field.
In closing, ‘The Register’ trashes Microsoft on a daily basis, they blame them for the Green House effect on the farce of ‘global warming’….
Move along folks, nothing to read here, more hype from the super hype ‘Register’.
Oh, yeah, forgot.
When I’m emailing some pictures to my grandma I should tar, gzip, encrypt them, then RAR them with password, then zip them with password, and include MD5 for each.
Encrypt the entire email, have grandma phone me to get the passphrase and talk in secret code on the phone in case…
(i.e.*lmew8?49sMH(0@!md*lSKHGGES*P_(VD2*2S!IP)G[}@dip92*>2o<)kd9 82402ls,f_9*)mvvsz,di92*$!2?).
lol.
If you think you know more about security than an author who has written a book on it, go buy that swamp land.
Just because he points out the failings doesn’t make him anti-MS, it just means he’s actually investigated it unlike some here who would just install it.
The design of Windows is known to be a pile of sand regards security and until you wake up to that fact, you are deluding yourself. Build on sand and that construction will collapse.
all i have running is:
iPod Service (thx apple >:( )
Windows Audio
Plug & Play (why does win audio need pnp???)
rpc (run without it for some days but i can’t live without copy/paste)
tcp/ip (with static ip/dns/gateway)
and the best is:
with such a config i’m at 99mb ram while watching avis, playing mp3s, chatting on irc and surfing
and i’ve never had a problem with virus/worms etc.
Get a real firewall and don’t use Internet Explorer
The thing that I take away from the article is that you can’t stick security into a box, or a service pack, and say you’ve fixed security problems. Security is a process that requires constant monitoring, furthermore, security, and ease of use are difficult to reconcile. The easier you make a computer to use, the less secure it is (although I’m not sure how Mac OSX fits into that analysis). Security generally results in inconvenience.
So for Anonymous living in 2004, letting teenagers admin webservers, and download games galore with great ease will result in security breaches, viruses and spyware. Good luck to you. I’d prefer a few inconveniences to having to clean spyware, viruses, and reinstall OSes on a regular basis. YMMV.
My personal view is that a computer/OS shouldn’t be hardened out of the box.
Matt
I use my laptop and workstation at home for work and girlfriend uses them. NOT one virus, worm or any other problem, I take that back a failed hard-drive. But with the operating system NONE.
Linux, I have been using since Redhat6.0 and not really any serious problems other than finding and installing utilities or patches but no biggie.
If the ‘Register’ had Windows XP Pro written by God and the security was so tight you had to be an angel to click on the start button. They would say it was not fit for mankind.
The way I see it, Windows has had some bumps, but name one OS that does not. Second, Windows is the desktop leader with about 96% of the market share.
Third, this is the truth, they are JEALOUS of the success of Bill Gates. I have to admit, he is a BUSINESS man and knows how to make money, PLUS he has created hundreds of thousands of jobs.
Same old story, being jealous of someone successful.
last line “shouldn’t” should read “should”
Matt
***So for Anonymous living in 2004, letting teenagers admin webservers, and download games galore with great ease will result in security breaches, viruses and spyware. Good luck to you. I’d prefer a few inconveniences to having to clean spyware, viruses, and reinstall OSes on a regular basis.***
I think you are treating ‘teenagers’ as too stupid to logon a pc. They are the future of Technology, so don’t knock em if you do NOT know their skills or intelligence.
If they are downloading games off a webserver with a SECURED connection like ‘download.com’ and several others NO harm done. Another FACT if they have the brains to build pc’s, be admins on their webserver they are not going to be downloading UNKNOWN programs/code and running it.
There are SEVERAL thousand of these so called ‘teenagers’ that go to MIT and several other Colleges that you will be working for in the future.
They are the ones who will be improving the FUTURE operating systems and programming code.
I know teenagers and computers. I have built computers for families, and within 24 hours, the firewall has been disabled, running as Administrator, and the thing is virus ridden, and full of spyware. The teenagers you talk about are in the minority. The majority of teenagers use the computer for chat, internet, downloading pretty things that run around their desktop, games, and p2p stuff. They download any crap that takes their fancy, install it, and generally break their computers. They also don’t seem to give a shit, and if it breaks, they just reinstall the OS. I had one situation where a laptop was bought for a mother for work purposes, and the teenagers had to be physically restrained from using it, because they’d already screwed the other two computers in the house with viruses and spyware.
Welcome to the realworld.
Matt
So basically you are telling me that mostly ALL teenagers trash computers, have no respect, download everything in sight.
Plus, your ‘computers’ you built for families are like a grain of sand in the universe.
I don’t buy any of that, sounds like you either don’t like kids or you are intimidated by them.
The FUTURE is the ‘teenagers’ of today, they know more now than you did when you were young. This is the ‘realworld’ and there are some really smart kids writing programs for GOOD.
***What you described sounds like ‘Jerry Springer’ material for a TV show***
>>If you think you know more about security than an author who has written a book on it, go buy that swamp land.
Oh Puhlease. So, if I am to understand you correctly, every single person on the face of the Earth has instant credibility because they write a book? O.J., are you listening?
<Fires up Word and starts his book on 1000 ways to fool an OSNews reader>
>So basically you are telling me that mostly ALL teenagers trash computers, have no respect, download everything in sight.
umm… Yes.
@rtfa
No, I don’t think I know more about security than the author.
But he is giving advice in his article that is plain wrong.
Turning off all those services will render computers secure but useless for most people.
Here in western Canada both major ISPs, Telus and Shaw, use DHCP to assign IP addresses, so turning off DHCP and DNS clients will have the effect of Internet connection not working.
And many other services he is suggesting to turn off are necessary for everyday computing too.
He’s taken a hard line.
I doubt they know more than I did as a kid. I grew up in a family that had computers in the house from about 1981 on (when I was 6). I programmed, I tweaked, I broke them. Just like the teenagers of today. Don’t get me wrong. I don’t care what kids do with the computers that I build. If they want to break them, and no-one else uses them, then they should go for it. They’ll probably learn more that way. I’m just saying you’re deluding yourself if you think they are all MIT prospects who are very careful with security. It’s in a teenager’s nature to push boundaries – they learn that way.
Good luck.
The place where I work has 21 Windows computers and 17 Linux computers. Maintaining the Windows machines takes nearly all my time. I am constantly cleaning out worms, viruses, scumware and the like from Windows machines. The Linux machines I have yet to have to do anything to beyond a couple of updates.
I do get complaints about the Linux machines though they go like this “gee, I can’t install this nifty game on my workstation” or “How can I get this software I got to install – I’ve installed it on all other computers, uh no, I don’t have extra licences for it.” or “Every time I click install on this software from (sleazy web site) I get a NOT Win32 COMPLIANT message and nothing happens.” To which my response is That’s right! – You are not installing any software on company machines. Had you succeeded you may well have received a written reprimand in your employment file. I will be one very happy Admin when we are all Linux here.
Windows may be easy to use but it is hell for the Admin. The workers here that are using the Linux machines – also have no wasted time waiting on me to show up – their computers are never down.
IMO a firewall shouldn’t even be needed. If you are running a process that needs to accept inbound connections to work (e.g. a webserver or a P2P program) and there is a remotely exploitable weakness in it, then a firewall is not going to help you. The reason you need a firewall when running Windows is because of all the ports it listens on by default and services that shouldn’t be running at all. A fresh install of any operating system should only be listening for SSH connections or something to that effect (and maybe not even that!).
I repeat: A firewall does not mean you are safe!
What a firewall can be useful for is managing outbound connections, doing some logging or maybe making sure that your webserver is only available on your local subnet. It can also be used to plug a hole temporarily when there’s been found a bug in your webserver, and you are not interested in shutting it down. Sure it pretty much has the same effect as just shutting down the server, but removing one firewall rule is probably easier than setting the service/daemon up again.
>So basically you are telling me that mostly ALL teenagers trash computers, have no respect, download everything in sight.
>>umm… Yes.
I agree. I have done my share of computer cleaning after a teen has been let loose and a majority of them are just thoughtless idiots when it comes to security, trusting software or anything that requires taking their minds off trying to get laid….and I _am_ a teen
As somebody that is pretty close to the teenage years (22), I can tell you that your confidence in teenagers is misplaced. Very few teenagers are actually technically inclined. Of course if you sample only engineering students, you might receive a distorted picture. As an engineering student at an “Ivy League” institution, I can say that even among engineering students networking literacy is not very high. And among non-technical students, the amount of computer literacy is really pretty incredibly low. Yes they are not afraid of their computer (like perhaps their parents), but that does not mean they know how to do things securely.
As far as modern day teenagers setting up forums, bulletin boards, etc… PHAA! Nobody I know has done anything like that. The most technically inclined among us have set up simple ftp servers for personal use… but that is maybe 2 or 3 (including me)
Turning off the dhcp and dns client services strikes me as rather odd too. But maybe those services really aren’t needed on Windows?
This article entirely forgot to notice (either that or the author never knew), that WinXP SP2 has stackguards, which stops the majority of buffer overflows… which is what 99% of the other Windows exploits have been based on… Also fails to notice that automatic updating is enabled by default, which has a massive effect on security.
Anyway, I feel that most of the security problems in windows these days are IE based and internal security problems anyway (that fortunately hackers have failed to notice).
So I actually consider this article to be done by a less professional point of view, but overall, I thought was a good try
@rspickles
Well, be glad you don’t have all Linux machines there.
You might be out of a job or work part time or on consulting basis.
Companies are not stupid and if they can save a dollar they will even if it means letting people go.
Many people, myself included, owe their jobs to Windows faulty design.
I love Linux and run it most of the time, but I sure don’t want all my clients switching to it.
Besides, it’s nice to be regarded as a computer wiz, even though all I have to do is fire up Adaware or Spybot and click start. And then look smart when pointing out how much nasty spyware they have and why their computer is so slow.
“If you think you know more about security than an author who has written a book on it, go buy that swamp land.”
I’ve read a lot of technical books over the past few years. BIG difference between writing a book and being anything close to an expert on the subject. I’ve read enough books, I could likely write one too. Does that make me an expert… Hell NO….
So called technical books are notoriously full of opinion, speculation, and often suffer from a lack of actual facts. Read a dozen books on computer security and you will likely arrive at this conclusion also. Claiming to be a computer security expert is the new “hot ticket”, really being one is another story.
> 3) DHCP: Not needed if you have a static IP address behind your router. This would cause some issues for dial up users. But killing off DHCP is one less service, faster boot and more memory.
Most ADSL router devices are configured to serve DHCP to the inside network out-of-the-box. The DHCP client will also be needed by dialup users.
If the memory used by the DHCP client makes enough difference to your machine to even be noticeable, it’s time to upgrade.
> 2) NetBIOS name service. This should be killed.
> 3) NetBIOS datagram service. This should be killed
> 4) NetBIOS Session. This should be killed
These are needed to allow simple home peer-to-peer networks.
> 6) Error Reporting. Kill this off.
No, it should be on because it’s useful. I’ve actually had error reporting tell me a patch was available for an error I was experiencing on more than one occasion.
> 7) Automatic Update. Experienced users should knock this one off. Most people forget to update their systems period. So, my opinion can go either way depending on the user’s experience.
Most users are ignorant. It should be enabled by default. I fail to see how anyone could possibly make a reasonable argument as to why it shouldn’t be.
> 10) DHCP Client, needed for dialup and not needed for broadband users behind a router. Set up a static IP address, and don’t forget to fill in your DNS server info.
Should be on by default to make setup easier. Most broadband devices serve DHCP to the internal network, making setup a simple affair of simply plugging in the computer. Not to mention things like WiFi. This service is fine to have on by default.
12) NetMeeting Remote Desktop Sharing. Not needed.
15) Remote Access Connection Manager, Not needed.
17) Remote Desktop Help Session Manager. Not needed.
I suspect Remote Assistance uses these and, as such, it should be enabled by default.
21) Secondary Logon. Not needed.
Needed to allow “RunAs” I think you’ll find. So, either this has to be enabled, or users have to run as Administrator all the time.
24) Telnet. Not needed.
Use SSH instead (i.e. PuTTY)
It’s a telnet *server* not a telnet client. Nevertheless, it shouldn’t be on by default on any system.
Don’t run as administrator. Because if you run in god-mode and run into some hostile script, that means that the hostile script runs in god-mode / administrator mode. Come on people, it’s not like you install software every few minutes.
Unfortunately, there’s a lot of old (and even new) broken software that won’t run (or won’t run correctly) without Admin privileges. Often this is because a) they try to write to files in the program directory and/or b) they try to write to the system-wide parts of the registry.
Also, don’t forget, if you disable that Secondary Logon service you probably won’t be able to start applications as an Administrator for things like installation.
His whole rant is written with the assumption that the users will have the knowledge to re-enable things they need. That he tries to insinuate the average home user is going to even know what a DHCP Client service *is* – let alone to enable it – so they can dial in is ridiculous.
Most of the services he thinks should be disabled have perfectly good reasons for being enabled *when you realise the competence level of the typical end user*. That he has no concept whatsoever of the target audience is demonstrated no better than in the suggestion Automatic Updates should be disabled by default.
This is nothing more than Anti-Windows FUD. Even for El Reg, it’s outrageously biased.
You said “Mr. Greene is living 20 years in the past.
It’s 2004 Mr. Greene, not 1984, and we don’t use punch cards here any more on planet Earth.
Most homes have more than one computer and have them networked to share files and printers.
Most people email their family members some pictures regularly and html email is the norm.
Most kids these days install new games almost daily, run various file sharing and messaging software, administer their own websites and/or forums (i.e. gaming or clan site) and are probably more computer literate than Mr. Greene.”
To which I say “That’s why most Windows PCs are overrun with spyware/viruses.” Just because “most” people run these things is NO reason for them to be opened up by default. If you want to set up something that requires these services to be running, it should be part of the installation instructions to start those services.
Why is Windows so insecure? Because it’s so damn easy to use.
yes it is easy to use windows yet it is as secure as the person behind it is securityly litiate argue me on that one someone i dare you to. (note i am running in god mode because this is my pos laptop)
“yes it is easy to use windows yet it is as secure as the person behind it is securityly litiate argue me on that one someone i dare you to. (note i am running in god mode because this is my pos laptop)”
Are you speaking English?
quote:
“Most kids these days install new games almost daily, run various file sharing and messaging software, administer their own websites and/or forums (i.e. gaming or clan site) and are probably more computer literate than Mr. Greene.”
Really? I don’t think so Tim. Most of them are running illegal file sharing applications like Kazaa and illegally swapping mp3s and movies (go on say I’m wrong why don’t you). Most of them don’t know what they’re doing with the o/s and have no idea about networking or security. And no, most of them aren’t more literate with computers. Just because they can install the latest games on their PCs doesn’t make them a computer genius – that’s Hollywood mentality.
Most Windows users are dumb – they don’t know what they’re doing. All they want to do is turn the PC on (to some that’s a challenge) and click and point. They don’t care what makes it all tick. That is 97% of Windows users.
Most corporate environments are staying well away from SP 2 and rightly so. It’s a ballsed up PR attempt by Microstuffup to make it look like they’re doing something cos BSD & Linux systems are hammering them and they’re losing sales. Hello Microsoft, you offer crap, people will eventually wake up and move on to better products. Making the products all ‘preety’ doesn’t keep customers. Well, not those with half a brain anyways.
The basic premise is that the Windows kernel itself (NT-style kernel) is pretty good. And pretty sure. It’s the crap that’s on top of it and the API layer that’s crud. And that’s what works with your applications. That forces applications to be written for Microsoft and Microsoft only with great difficulty of porting to other operating systems etc, but also leaves a lot of security/reliability issues.
For those bitching about the DNS stuff, another poster answered the question already – it’s to do with DNS caching you morons. If you don’t know what you’re doing or talking about shut up. It’s pretty obvious here that most of the posters on OSNews are braindead idiots with no real concept of computing. I’m being extremely polite here with my comments.
Dave W Pastern
His whole rant is written with the assumption that the users will have the knowledge to re-enable things they need. That he tries to insinuate the average home user is going to even know what a DHCP Client service *is* – let alone to enable it – so they can dial in is ridiculous.
Then they’ll do what they do now: call someone who knows how to do it, or read the instructions that can easily be provided by ISPs or computer manufacturers.
The choice is:
Have to tell them how to turn off the services they don’t need. The average user will be lucky to make it this far. They won’t listen to further advice about safeguarding the services left on.
Or:
Have to tell them how to turn on the services they need and get an opportunity to help them do so in a safe manner by making sure they have the appropriate safeguards in place.
Neither offers any particular advantage in terms of initial complexity. The latter might be slightly easier, as it’s usually easier to turn something on than off.
The latter offers significant long-term gains as it provides an opportunity to educate users about firewalls, AV software, etc. before they can consider the task “finished”.
I agree with you.
I think a lot of these people think that if someone trashes on their stuff all of a sudden.. “they must be wrong” right? I say this as a Mac advocate and a Linux advocate. Windows users take notice! Mac and Linux have next to zero problems with Spyware, Trojans, e-mail worms, and malware.. and they don’t need to install a single 3rd party program to protect them. Secure OSes don’t need firewalls. Help yourself, they get it right, so learn from them, ok.
I think the author of this article is dead on. All of those mentioned services should be disabled until needed.. And it needs to be easy to configure them.
—–
I envision this.. you install your new shiny XP SP2 computer out of the box. Turn it on, enter your name, yada yada. Then it asks you the domain or workgroup question. After that you get a dialog that says:
—–
“How do you connect to the internet?” options *DSL / Cable, *Dial-up Modem, *Other, *Do not connect to the internet.
If you select a service like DSL, then DHCP, and DNS caching are turned on. If you select Dial-up then that is configured, and the proper services turned on.
—–
Then you get the question “Would you like to share files across your Local Area Network?” *Yes *No
If you say yes then NetBIOS, SMB and all that is turned on, if no, it remains off.
—–
See? Simple. Turn it on as you need it.. and make it easy to reconfigure with simple questions. That won’t break or limit anyone’s computer. (or your enjoyment of 2k4 flash ads, :: cough :: err, I mean, media lifestyle)
So long as Windows “just works” for everyone, out of the box, it will never, NEVER be secure. I am well on my way to becoming a computer security specialist, and the very first thing you learn in Introduction to Computer Security is if you’re not using it, TURN IT OFF.
7) Automatic Update. Experienced users should knock this one off. Most people forget to update their systems period. So, my opinion can go either way depending on the user’s experience.
Most users are ignorant. It should be enabled by default. I fail to see how anyone could possibly make a reasonable argument as to why it shouldn’t be.
Perhaps because some OS updates hose applications. It’s gonna be great to have a machine that automatically breaks itself every few months.
Sure seems it would be better for the user to have the ability to opt out of this.
This article is nothing but to bash MS. After a while this bashing gets really old. MS must be doing something right because nobody can stop talking about them. Why do you care about Windows if you use Linux or Apple? Common sense tells you to use an up to date antivirus and most update themselves automatically and a great firewall. I use Bitdefender, it’s a great antivirus and a firewall that doesn’t consume much resources. By the way Bitdefender also stops any software from accessing the registry unless you tell it to. I just downloaded Windows Media Player, what an awesome jukebox. It now has MP3 coding and it’s lots faster ripping than Music Match which I also like.
By the way when I was talking about Windows Media Player I meant the new version which is 10. The 8 and 9 versions weren’t all that good but version 10 is awesome.
MS must be doing something right because nobody can stop talking about them.
Well, they do have 90%+ market share for both OSes and Office Suites…it’s also one of the world’s biggest corporations in market cap. I think it’s kind of a given that people will talk about them.
Quote: “MS must be doing something right because nobody can stop talking about them.”
Just because people talk about something doesn’t mean it’s any good. It doesn’t mean it’s bad either. The odd thing is that pretty much every single operating system designed prior to Windows has had strong security principles in place, and has resulted in few troubles with reliability and security issues. Along comes Windows, ignores all of the security methods and bam! Has lots of problems. Sure the end users like it cos they just want to do their ‘thing’ and don’t care about what happens with the system. They don’t care about the fact that their system has a trojan on it, some cracker is accessing it remotely to use it as a spam relay and I get a shitload of spam emails because of it. Nooooo…see no evil, hear no evil. It’s no reality that Microsoft Windows has more security related issues than any other previous operating system in existence!
I mean in Linux as an example, it has a strong user account policy, normal user, root etc. I can still play my CDs, listen to movies etc because the system has been designed very smartly. In Windows I *need* to be administrator before I can practically do anything useful with the system. That’s not smart, and nor is it safe. And it’s not a well designed system either – the main thing is that most of the Windows users are lazy and PC illiterate to a large extent and they simply do not care.
As to the kids, *most* kids that use PCs make a mess of it. Spyware, Adware, viruses, trojans you name it. The average kid is very much like that. 5% might look after their system properly (if that). I’ve seen it, I’ve been paid to fix PCs that have been messed up by careless kids. And the sad thing is that six months down the track you can guarantee that you’ll have to fix it again for them (at a cost of course). They simply do not learn, don’t want to learn and don’t care. I still think a license to use a PC is a damn good idea. If you can’t demonstrate reasonable knowledge then you’re not allowed to own a PC or use one. It sounds cruel, but sometimes you have to be cruel to be kind.
For those complaining about home networks etc, tell me, do you have “legal” copies of Microsoft Windows on *each* and every machine, or pirated copies? mmm? I bet the latter. And most households don’t have a network running either, even if they do have multiple computers in the household.
Dave W Pastern
MS needs to re-design all the screens that show up from the firewall etc, and EXPLAIN in simple terms what each thing will do if it is enabled or disabled.
If you tell someone – “Hey – don’t click that, you will screw up your machine!” Or, “Are you sure you want to open up a broadcast to chixwithdicks.com?”, They will get the message pretty quickly.
I found out that “Secondary Logon” is mandatory for a secure system. It’s the same as sudo on unix.
Do not log in as root and don’t log in with an account that has administrator privileges. Use “RUNAS /USER:Administrator” to perform administrative tasks. So put this service on manual instead of disabled.
Check out http://www.technet.com for more information.
http://www.microsoft.com/resources/documentation/windows/xp/all/pro…
http://www.microsoft.com/resources/documentation/windowsserv/2003/s…
Find out more about services at http://www.blkviper.com
Still I refuse to install SP2. There are no updates in my updatelist besides the Bookshelf 7 “critical” update (ahum). Do I really need that second service pack then?
If you are unable/incapable to control your 3rd party personal firewall due to not reading manuals, you will not be able to do so with SP2 installed. Then it only gives a false sense of security.
This is my opinion and so is the article “just another opinion”.
Don’t just let Microsoft decide what’s good for you, think yourself.
well, I’ve heard a lot of bad stuff about sp2. from what I can see, your best bet is to either slipstream it or install it right after a fresh install, or run the risk of having it fsck up your computer. I’ve had four friends tell me horror stories so far, I’m none too anxious to be number five.
as for the teenager thing, let me tell you about my little sister. she’s fifteen, what she does on her computer is use msn, post messages on several teeny-bopper forums, read email, play the occasional flash game and take quizzes. her browser of choice is msn explorer of all things. I would consider her the “typical” teenage computer user. you my friend, are a geek. there’s nothing wrong with that, I was a geek too, but don’t think that just because you are eager to teach yourself about computers that everyone else in the age bracket most associated with stupidity and not thinking ahead will have an interest in something like security.
and last but not least, out of linux/windows/mac, most would agree that mac is the most secure out of the box. the reason is that there is a massive amount of people running unpatched linux servers out there, who think that just because it’s linux means it’s safe, and proceed to blithely ignore hardening their boxes. then there’s windows, which has hosts of services enabled again by default, mostly to make things easier for users who don’t want to know how to use a computer. finally we have mac, which has everything shut off by default, and only turns stuff on when it’s needed. (this isn’t to say mac has flawless security, far from it. but its security record is quite laudable for a desktop os)
everyone, including microsoft acknowledges huge security problems in windows. sp2 on xp has a lot of good stuff in it, but I agree with the author. why not go all the way and just remove these targets too?
Hey Keith, you’re making the argument that if everyone uses it, it must be the best right?
Lots of people drive Ford cars, maybe not “most people” but they have a big slice of the pie. BMW on the other hand has around 5% market share, so there are a lot more Fords out there than BMWs. If Ford had 97% of the market share and BMW had 3% by your logic that would mean Ford makes better cars than BMW right? No, Ford makes POS cars.
The same thing is true for Apple. They cost a bit more than the competition but they run a hell of a lot better. Just because everyone agrees on something it doesn’t mean they are right.
Look at it this way too.. Apple makes the hardware, the OS and most of the software (or they certify it). Microsoft on the other hand basically just makes the OS and Office. Is it any surprise that Apple was able to get all of its programs to sync together the way they do? Is it any surprise that the OS runs so well on the hardware? No.
Linux as someone said isn’t as secure by default (depending on the vendor) as MacOS X. But an expert could make it more secure than OS X (and for that matter probably any other OS out there). Coupled with the cost.. it’s an ideal server. As far as its usage on the desktop goes it’s basically for power users.
Why I care about Windows? Because I work on it all day long, because a lot of my friends use it, because I’m sick of fixing other people’s computers, and because I’m sick of fighting with / using it day to day.
I got another little story for ya..
See way back in 1997 I had a conversation with a BSD advocate, at the time I had never heard of BSD yet I defended Microsoft. And I remember that my argument was.. “How could BSD be so great if nobody uses it?” Truth is I really wasn’t listening to anything he was saying, and now I really wish I had..
A few years later I got another computer that wasn’t fast enough to run Windows 95 and it had Win3.x on it, so I started playing with other OSes, one that I came across was called Linux (RedHat 4) and I loved it, eventually I installed it on to my main system and forced myself to learn it. I’ve used Linux as my primary desktop ever since, and I have no intentions of ever changing that..
err well that was till..
About a year ago I got sick and tired of Linux not running properly on my Laptop, I spent maybe 2 years trying to get everything working right and well.. what I really wanted was a Unix portable so.. I eventually decided to fork out the cash and I got an Apple iBook. I was nervous about it but I figured that if I didn’t like OS X I would just use Linux on it.. I used to thumb my nose at Mac users.. I used to think that Macs couldn’t do much and that their users somehow didn’t understand computers, and that’s why they bought them. Well.. I eat my words yet again because I have _NEVER_ been more happy in my life with a computer than I have been with this ageing G3 iBook. (I’m typing on it now) I might keep Linux on my Desktop.. but I’m definitely going to get another Apple one once they get a G5 in their laptops..
I learned my lesson to be sure, and I learned the hard way.. try to keep an open mind, even when people call something you like crap. (because it is 😉 )
“I learned my lesson to be sure, and I learned the hard way.. try to keep an open mind, even when people call something you like crap. (because it is 😉 )”
It might be crap to you but not to me. I had a Mac too, wasn’t that impressed with it. I learned to build my own computer and with that experience I have yet to have any problems with Windows. A lot of people are quick to blame their problem on Windows when it’s their hardware that’s a piece of junk. I’ve been experiencing Linux but like Apple they don’t have much quality software. When anything comes out it’s always Windows first, heck you might be lucky if it’s ported to a Mac or Linux.
Most homes have more than one computer and have them networked to share files and printers.
—–
hello?. which world are you in?
There were a number of posts saying along the lines of “You have to trade security for userfriendliness”. This is true to a degree, but in a well designed system that degree will be small. Mac OS X is the prime example of this, more secure than Windows and easier to use. Modern Linux Desktop Environments are rapidly approaching, and equalling, windows in usability but without sacrificing security. True high security systems like OpenBSD might be a little tricky for Joe six-pack, but you can get significant amounts of security and still have ease of use.
Good security is just there, invisibly, not something you have to struggle with (installing Firewall, antivirus, spyware killer, creating new accounts, changing default browser/email client etc.).
Down at my local computer store I’m getting confused calls about SP2’s warning messages. Also plenty of repair service because SP2 caused their systems not to fully boot. Service Pack indeed, I’m packed with services.
“For those complaining about home networks etc, tell me, do you have “legal” copies of Microsoft Windows on *each* and every machine, or pirated copies? mmm? I bet the latter”
While I fully expect you are absolutely correct, your statement begs one question:
Do you really believe there isn’t a healthy dose of illegal software floating in the Linux pool? I suppose you’re now going to inform us all of those copies of Xandros, Lindows, Suse, Redhat, Codeweavers, VMware, etc. are all bought and paid for? Think for a second the OS changes the moral fiber of the user? Not a chance in hell.
How does the legality of the user impact on the technical competence of the OS?
You imply that the problems stem from illegal copies.
Also, most machines nowadays are bought with OS installed, so yes, they will be legal.
I was under the impression that a medical Placebo was one that had no active ingredients, but still showed positive results. It appears that SP 2 is exactly the opposite, having many technical re-shuffles (look how much is breaking due to it), yet with little positive benefits for security.
More like some untested drug with many side-effects, without curing even the symptoms, never mind the cause.
Like many others, my knowledge comes a little from school (a bit of programming and basics about HW etc…) and mostly from personal experience. Now I work on embedded systems and I develop software that has almost nothing to do with “home computing”. So I’m far from being an expert in anything, but I think I know a little more than an average user (or home user, call it what you want), at least about how an OS and a network work.
The argument “users just want it to work” is right; I can say it’s HUMAN: if you can, you do it the simplest way.
But if I don’t know how to do something, I learn it or I don’t do it. It’s so simple. If I don’t know how to play football I don’t play it or I train myself. Here it seems like someone can play football without any idea of what it is. If a user doesn’t know how to set up a network he shouldn’t do this, or should learn it first.
Windows has the bluff to allow its users to do everything without any knowledge. This is wrong and the results are evident.
In the end the point is: M$ cannot develop an OS that needs no knowledge; I think no one can do this, at least at this time (maybe some OS X users won’t agree, and maybe they’re right? I don’t know).
I can also say that if users are so lazy it is just because of the M$ mentality. Keeping users ignorant is the main goal they have achieved until now. I realized this when I started using other OSes 3 years ago. This is only my opinion, sure.
I don’t know if it’s different in XP, but on Windows 2000, I shut down the DNS Client service…and could still web browse.
Isn’t the DNS Client just a DNS *CACHING* client?
WinXP SP2 is no more “secure” than any other Windows OS before it. To demonstrate this, I wrote a few scripts that disable the new “Security Center” and “Windows Firewall”. Read more and download the scripts here:
http://filebox.vt.edu/users/rtilley/downloads/win_fw/Windows-Firewa…
The author of this article was right-on when he wrote that Windows will never be secure until MS begins enforcing appropriate user access on machines. Until that happens watch out for the 60 million plus WinXP home users running as admins. All it takes is clicking one malicious URL and bam… bad things happen.
I think that the WinXP Home Edition should have been installed in order to make the statements “…unnecessary on home machines.”.
It’s a placebo in that it makes the user feel like things are secure, without really delivering anything to make that more than an illusion.
> Do you really believe there isn’t a healthy dose of illegal software floating in the Linux pool? I suppose your now going to inform us all of those copies of Xandros, Lindows, Suse, Redhat, Codeweavers, VMware, etc. are all bought and paid for? Think for a second the OS changes the moral fiber of the user? Not a chance in hell.
Um… there are free editions of Xandros and Suse, as well as Fedora [formerly redhat]. I’m not saying there’s no pirated software in the linux world, but in the Windows world, it’s -much- more taken for granted.
Most Windows users with any technical clue have ‘pirated’ software; relatively few linux users do. It’s not a matter of morality – there’s relatively few linux apps that most people have any reason to pirate, while on Windows, it’s basically impossible to get things done without a lot of add-on apps, almost all of which cost money [yes, I know there are vast legions of freeware]; also, Windows has a lot more proprietary programs which people, for whatever reason, decide they want to use and not pay for.
It’s not ‘piracy’ to use software freely if it’s GPL’d, obviously.
Proprietary distributions, like much proprietary software, are often offered legitimately through alternate channels such as magazines, although often somehow limited/crippled – I obtained both Xandros and Suse that way last month.
So no, there is not a ‘healthy’ dose of ‘pirated’ software floating around in the linux world. It’s an issue which presently is -dwarfed- by ‘piracy’ in the Windows world, for numerous reasons; you are correct to say there is little if any morality involved though [some Windows users refuse to use unlicensed software as well, after all].
[The two cents of a former Windows user who is now a Linux user, who doesn’t have any pirated software installed – I use free distributions, although I will try others which I get through legitimate channels, and I prefer bochs to vmware.]
It might be crap to you but not to me. I had a Mac too, wasn’t that impressed with it. I learned to build my own computer and with that experience I have yet to have any problems with Windows. A lot of people are quick to blame their problem on Windows when it’s their hardware that’s a piece of junk. I’ve been experiencing Linux but like Apple they don’t have much quality software. When anything comes out it’s always Windows first, heck you might be lucky if it’s ported to a Mac or Linux.
Quality software in this sentence seems to be subjective because it depends what kind of software the user is looking for. About Linux, you need to specify which distros you used because your post is vague at best. People know all Linux distros are not identical.
Obviously you don’t like Mac because it doesn’t suit your needs. About Windows, the only thing that looks interesting are the games like MMORPGs, which is something both Mac OS and Linux distros have yet to get due to the gaming industry’s behavior.
Good to hear you set your own PC but don’t assume that all people complain about Windows because of their PCs.
Yes, Mr. Greene is promoting security at the cost of usability in places. However, he also rightly points out -many- bad defaults and actual design flaws.
A quick look at computer security shows that concepts such as ‘trusted zones’ are entirely broken. What happens when someone cracks your trusted site? Oops… Not to mention implementation issues, which have plagued IE throughout the years.
A DNS caching client really should not be on by default.
I don’t feel, unlike most people here, that Mr. Greene is going overboard when he says things like NetBIOS should be disabled by default. Most home users do not have LANs [it boggles my mind to see people claiming they do; some do, but certainly far from a majority.] Those that do should be able to turn on those services if they actually need them, or have whoever they hire to set up their LAN do it – the minority who do have LANs should really not be overly pressed to do so, while many of those who do not really cannot be expected to turn this off.
“This is why even the sole user of a system should always work from a limited-access account, except when performing administrative chores. UNIX-compatible systems enforce this worthwhile discipline strictly; Microsoft still does not even encourage it.”
How can people reasonably disagree with this? Most UNIX installs prompt you to create a user account, and it’s downright difficult to use UNIX for a while without hearing people yelling “Don’t use root more than necessary!”
In the Windows world, doing everything as an admin user is taken for granted, because too much software breaks otherwise. To the person above who compared this to being able to log in as root and type rm – the point is that you first need to log in as root, which is usually -not- the account you’d usually be using, unlike under UNIX.
UNIX has many design flaws, but it encourages and allows the concept of ‘least privilege’ far more than Windows does.
‘Unfortunately, “Do not allow anonymous enumeration of SAM accounts and shares” is disabled, although it should be enabled.’ – does anyone actually disagree with that one?
Not all of the author’s suggestions are realistic – Microsoft would face serious wrath for the amount of chaos that all the suggested changes would cause – although from a strictly security viewpoint, they’re defensible.
The main problem with this article is its misleading title. It should be “Simple [yet potentially irritating] ways in which Microsoft could improve security of default Windows installs.” It’s not SP2 bashing so much as pointing out how wrong-headed the defaults are if there is to be any focus on security, and how Microsoft is delivering far more hype than actual security benefits.
Fomer_MS_User reasonably summarises, although I’d disagree with a few points s/he makes; notice how much longer the list of things to change is than of that which is being seriously debated. If I were Microsoft, I’d think -really- hard before changing any of this stuff, due to poorly written software and how much it would break; but if they’re genuinely serious about security, they will need to start tackling issues like these [although preferably not in a service pack.]
I wouldn’t call this article “anti-microsoft/sp2 FUD.” – the article primarily deals with more far-reaching problems than SP2.
Mr. Greene seems to be rightfully concerned with the needs of home users, yet he offers something a home user can not and, let’s be frank, should not do.
I am talking about home users. Not uber geeks who can properly run everything that computes. Not geeks that can properly run a single OS of their like. Not pseudo-geeks who can only manage to run Windows by reinstalling it every 6 months and defragging NTFS drive every weekend.
No, it is about home users.
So, let’s look at this article.
Page 1: there are many Windows services running that can be abused remotely. This is bad.
Page 2: wait, there is a firewall that keeps everything closed except Remote Assistance.
Too bad, a scared home user does not realize that Page 2 nullifies Page 1. If you mix Page 1 and Page 2 in one bottle, you’ll end up with one simple line of advice:
Configure Windows Firewall to not allow exceptions.
Add a few screenshots to that to fill the rest of two empty pages, and even a home user can follow that advice.
Page 3: IE and OE royally suck in terms of security.
Tons of tweaks, but wait: did he keep File Download Enabled? He sure did!!! Wow! Unbelievable.
Well, if you disable file download, all his recommendations fit one line: set up IE security in all Zones to High.
Sure, you’ll end up with extremely secure but very much useless browser.
Do you think that dumping IE in favour of Mozilla will free you from the mundane tasks of securing the browser? Think again!
Here is what Green says: [After installing Mozilla] You’ve now got a Web browser and an e-mail client that you can configure for security considerably better than Internet Explorer and Outlook Express. Only you do have to configure [Mozilla]. What follows is a walk-through of the various settings and available options with recommendations for improving online security, data hygiene, and user privacy, with accompanying screen shots of the correct settings.
Well, it does not seem to be a walk in the park to configure Mozilla either.
So, why can’t Mr. Green tell us in his article, not in his book (http://basicsec.org/) that it is necessary to post-configure Mozilla as well?
Give us a list of your recommendations for Mozilla, and let’s compare it with the work required to secure IE. By the way, most of this work is unnecessary.
It is also worth mentioning that Mr. Green hasn’t found any bad words for OE, other than “text is better than HTML” and “it can probably be fooled a number of ways.”
++++++++++++++++++++
This article is a wonderful example of a person showing how bright he is, instead of telling home users what they can understand.
++++++++++++++++++++
Here is my take, security recommendations for home users, on top of default settings imposed by SP2:
1. Disable firewall exceptions. If I need to help you remotely, I’ll direct you over the phone or in email through steps to enable Remote Assistance.
2. Run anti-virus, something like Norton. Keep it updating itself automatically and don’t forget to renew the subscription (it’ll remind you when it is due).
3. Keep Automatic Updates enabled and updates installed automatically.
4. Once a week, or only when you think computer becomes sluggish, run Ad-Aware. If you can afford and feel the need, buy their service which will monitor real time attempts to install spyware. It does not cost too much.
5. Yes, it is OK to use IE and OE. I do, my friends do. My parents do, too.
I would not have time to post here if I had to babysit and fix their computers, but I don’t have to; they just work.
That’s it.
+++++++++++++++++++++
Before you start bashing me or telling me I am not right, or it is too easy: it works for me and for home users I support.
No infections to suffer from, worms to clear, spyware to chase.
If it does not work for you- don’t ask me why. Ask yourself.
Maybe you are a pseudo-geek or a helpless home user, after all. There is no shame in that. Just admit it and find a real geek or uber-geek to help you with your problem(s).
Sorry, it was Thomas C Greene, not Green. My mistake. Sorry.
Quote:
“Windows have the bluff to allow their users to do everything without a knowledge. This is wrong and the results are evident. ”
Yes – and this is why so many Windows boxes are insecure. And will continue to be. Windows users are typically lazy, they’re not interested in making the effort to *learn* even the slightest degree about their operating system. Microsoft deliberately encourages this and has no real interest in security and reliability, because it knows as soon as it does enforce real security etc their operating system will become more difficult to use, and the average joe blow will stop using it and look elsewhere for alternatives – this means a loss of income for Microsoft and since they have share holders to be responsible to….profits come before security therefore…
A lot of the issues with Windows are based on the APIs that integrate the O/S with the applications – that’s where the real issues are. The kernel itself is pretty good. Unfortunately, to fix the API issue means re-writing it, and that means nearly all 3rd party software application(s) will be broken. This will turn 3rd party software developers away from Microsoft because they’ll have to re-write their code, which costs time, and yep, you guessed it, money.
The Microsoft development process is frozen in place now, developers have gone too far down the tracks to easily change design processes/methods.
As to my other comment about pirated software, Windows users are horribly at it. Why? Because as someone else has pointed out software on the Windows platform is quite often third party, quite expensive, and so people pirate to avoid spending money. I would say that most people would be silently saying that the current price on most 3rd party software applications is overpriced, and that’s why they don’t buy it legally. This is true. Adobe products are the most overpriced, poorly designed, pile of crap I’ve ever seen used. Difficult to use, poor in-built help, UI is pathetic. And extremely overpriced. For those that use Photoshop, how much time did you spend having to learn it? And truthfully, would you rate it easy/medium/hard/extremely difficult to master? Get my drift? Linux and BSD are different (Mac as well to a large degree). There’s lots of low priced shareware that is quality, freeware that is quality. Some posters make the dangerous assumption that because it’s free it’s crap. This is wrong. There’s lots of good/great quality freeware out there. True, not all of it is great or good, but a fair decent amount is.
Dave W Pastern
Finalzone said “Quality software in this sentence seems to be subjective because it depends what kind of software user is looking for. About Linux, you need to specify which distros you used because you post is vague at best. People know all Linux distros are not identical.”
The Linux I use are Suse 8-9.1 pro, Linspire, Xandros, Red Hat, Fedora, Mandrake 8.2-10, Mepis. I always went back to Windows. For instance I like to rip music but when I use Mplayer it takes forever to rip a cd. Music Match and the new Windows Media Player is like minutes ripping a cd compared to forty minutes using Linux. I don’t know if I’m doing something wrong or what but it shouldn’t take that long to rip a cd. I would be lucky to have Mozilla stay open using Xandros. Every time I’m browsing the web my browser would just disappear and that’s using Xandros Business Edition. For some reason I have had better luck with Windows than I do with Linux. I like KDE a lot better than I do with Gnome, though. Don’t get me wrong I’m not saying Linux sucks because it doesn’t. They’re all good. I just like Windows better, but that can change. Linux is improving a lot especially with hardware and KDE.
When anything comes out it’s always Windows first, heck you might be lucky if it’s ported to a Mac or Linux.
Can I get Konqueror for Windows? Because that would be very useful at work.
Use the right tool.. KAudioCreator uses cdparanoia to rip cds in minutes here.
http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html
Question I have about it (SP2): do they now enable “show all files” in Explorer per default? Show all file extensions? (Note you had to hack the registry and change NeverShowExt to AlwaysShowExt before. Trivial for MS to do, hard – if not impossible – for “joe sixpack” to figure out …)
And does their “ftp” client now support PASV data mode? SSL/TLS encryption of the control-channel?
(The latter goes for IE, Mozilla, et al too … This while widely supported on the server side. (Ie: proftpd, pureftpd, vsftpd, et al can.))
how bout this. if you want to put a computer on a lan, you go through the appropriate user friendly wizard that installs and enables the appropriate protocols. if you want to connect to a broadband ISP, it turns on DHCP. honestly guys, this isn’t brain surgery, it’s the Right Way to do things. it would be a lot more complicated if windows users tried to do things themselves, but that’s not the reality. the reality is that people use wizards to configure such things, which makes it transparent to the user.
if someone has an intelligent reason why to have these services enabled by default on windows, i would love to hear it. but “because they may be needed by some users” isn’t one of them.
Then they’ll do what they do now: call someone who knows how to do it, or read the instructions that can easily be provided by ISPs or computer manufacturers.
Fantastic. People have to call up a technician or follow a list of instructions more complicated than “Enter phone number, click connect” just to dial up to the internet. That’s going to be *real* popular with consumers.
Have to tell them how to turn off the services they don’t need. The average user will be lucky to make it this far. They won’t listen to further advice about safeguarding the services left on.
Or:
Have to tell them how to turn on the services they need and get an opportunity to help them do so in a safe manner by making sure they have the appropriate safeguards in place.
Actually the choice is simple: disable services that really aren’t necessary and leave the ones that are and are also practically harmless (like the DHCP client and the DNS cacher) turned on. They’re not doing any harm. The “reduction in security” they cause is minuscule, if it exists at all.
Most of the services this person is whinging about fall into the latter category.
Perhaps because some OS updates hose applications. It’s gonna be great to have a machine that automatically breaks itself every few months.
Very rarely. Certainly not even *close* to “every few months”, not for any significant number of users.
Sure seems it would be better for the user to have the ability to opt out of this.
No-one is suggesting they shouldn’t be able to opt out of it, I’m saying it should be enabled by default because the vast bulk of users are either too ignorant or too lazy to opt *in* to it.
A DNS caching client really should not be on by default.
Yes, it should. Dialup users, in particular, benefit greatly from DNS caching.
Much like a DHCP *client* it’s not something anyone could rationally argue is a gaping security hole.
I don’t feel, unlike most people here, that Mr. Greene is going overboard when he says things like NetBIOS should be disabled by default. Most home users do not have LANs [it boggles my mind to see people claiming they do; some do, but certainly far from a majority.] Those that do should be able to turn on those services if they actually need them, or have whoever they hire to set up their LAN do it – the minority who do have LANs should really not be overly pressed to do so, while many of those who do not really cannot be expected to turn this off.
I agree to a degree, but IMHO setting up a home network should be no more difficult than connecting a bunch of machines (via a hub or just crossover cables) and hitting a button like “Enable File Sharing”. Fundamentally, a computer should be no more difficult to extract basic functionality (and I’d call sharing resources basic functionality) out of than a TV or a microwave.
Certainly, the service shouldn’t be enabled *until* the user hits the “Enable Sharing” button – and should only be enabled on internal network interfaces – but to suggest people should have to call up a computer technician just to share a modem, printer, copy some files between machines or play some networked games is ludicrous.
And, while I don’t think a majority of homes have LANs, I do think it’s a significant number (and growing rapidly). People shouldn’t need specialist knowledge to connect a bunch of computers together for things as simple as file sharing and network gaming.
Question I have about it (SP2): do they now enable “show all files” in Explorer per default?
No. Quite a reasonable decision IMHO as the vast bulk of files on the machine are meaningless to the typical user. Heck, IMHO hiding entire drives by default would be a reasonable step to take.
Show all file extensions? (Note you had to hack the registry and change NeverShowExt to AlwaysShowExt before. Trivial for MS to do, hard – if not impossible – for “joe sixpack” to figure out …)
XP has had a tickbox in Explorer’s preferences since day one to make file extensions visible. You are wrong.
And does their “ftp” client now support PASV data mode? SSL/TLS encryption of the control-channel?
No. Again, quite a reasonable decision given how few users are even going to know what an FTP client is.
(The latter goes for IE, Mozilla, et al too … This while widely supported on the server side. (Ie: proftpd, pureftpd, vsftpd, et al can.))
You shouldn’t be using FTP for _anything_ where security is an appreciable risk (really you shouldn’t be using it at all – it’s a broken-by-design protocol). Kludging on hacks like SSL’d control channels is just silly.
drsmithy wrote:
> Menno wrote:
>> Show all file extensions? (Note you had to hack the registry and change NeverShowExt to AlwaysShowExt before. Trivial for MS to do, hard – if not impossible – for “joe sixpack” to figure out …)
> XP has had a tickbox in Explorer’s preferences since day one
Yes lots of them. But then:
> to make file extensions visible.
Well, it doesn’t actually do that for all file types … Just try renaming some.txt file to some.txt.shs with that box checked, or whatever.
> You are wrong.
No, I’m not.
The only type anyone might want “hidden” (ie: set to NeverShowExt) would probably be “lnkfile”, as otherwise the start-menu looks a bit odd.
(FWIW: I disagree with all points you made.)
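The behaviour described in the comment above, as an added example that is not part of the thread: file types whose registry key carries a `NeverShowExt` value keep their extension hidden even with the Explorer tickbox set to show extensions, so a name like some.txt.shs is listed as some.txt. The sketch audits an exported `HKEY_CLASSES_ROOT` listing for such types and flags file names that would be displayed misleadingly; the `.reg` text is a constructed sample, the type names `ShellScrap` and `txtfile` in it are assumptions, and all function names are the example's own.

```python
import re

# Constructed sample in .reg export layout; not taken from a real machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile]
@="Text Document"

[HKEY_CLASSES_ROOT\.shs]
@="ShellScrap"

[HKEY_CLASSES_ROOT\ShellScrap]
@="Scrap object"
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\.lnk]
@="lnkfile"

[HKEY_CLASSES_ROOT\lnkfile]
@="Shortcut"
"NeverShowExt"=""
"""

KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\([^\\\]]+)\]$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')


def hidden_extensions(reg_text):
    """Extensions (lowercase, with dot) whose file-type key carries NeverShowExt."""
    ext_to_type, never_show, key = {}, set(), None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.match(line)
            key = m.group(1).lower() if m else None  # ignore deeper subkeys
        elif key is not None:
            default = DEFAULT_RE.match(line)
            if default and key.startswith("."):
                ext_to_type[key] = default.group(1).lower()
            elif line.lower().startswith('"nevershowext"='):
                never_show.add(key)
    return {ext for ext, ftype in ext_to_type.items() if ftype in never_show}


def displayed_name(filename, hidden_exts):
    """Name as listed when only NeverShowExt types lose their extension."""
    stem, dot, ext = filename.rpartition(".")
    if dot and stem and "." + ext.lower() in hidden_exts:
        return stem
    return filename


def misleading_names(filenames, hidden_exts):
    """(real, displayed) pairs where the displayed name still looks like 'name.ext'."""
    pairs = ((name, displayed_name(name, hidden_exts)) for name in filenames)
    return [(name, shown) for name, shown in pairs if shown != name and "." in shown]
```
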
Well, it doesn’t actually do that for all file types … Just try renaming some.txt file to some.txt.shs with that box checked, or whatever.
Well, so it does. My apologies, you were right.
Can’t say I’ve ever noticed that before (or cared – why did you even stumble across it in the first place ?).
(FWIW: I disagree with all points you made.)
Why ? People using commandline FTP clients out of the box on Windows are a minority at best. People who want to use commandline FTP clients with an SSL-tunnelled FTP command channel out of the box probably wouldn’t even make a statistically measurable proportion of the userbase.
And even that’s ignoring the simple fact that FTP is broken for anything that requires the sort of security you’re talking about – it simply shouldn’t be used for it.
Windows has a sufficiently-usable PASV-supporting FTP client in Internet Explorer and that’s all it should have. People who want/need something more comprehensive should be searching it out from a third party.
Um… there are free editions of Xandros and Suse, as well as Fedora [formerly redhat]. I’m not saying there’s no pirated software in the linux world, but in the Windows world, it’s -much- more taken for granted.
Doesn’t the GPL stipulate that if you use GPLed software in your distribution you have to make a version of it freely available? Given that the Linux kernel itself is GPL software it would be extremely difficult to produce a Linux distribution that you don’t have to distribute for free. Even embedded versions of Linux (such as the one that powers SnapGear’s range of routers) are freely available to download. I’m pointing this out because it implies a certain lack of knowledge on Dave Pastern’s part. Which is not to say that it negates his own point, which is fairly valid.
Proprietary distributions, like much proprietary software, are often offered legitimately through alternate channels such as magazines, although often somehow limited/crippled – I obtained both Xandros and Suse that way last month.
I’m a little unsure about Xandros, but Suse can be downloaded albeit in a very roundabout way – it’s years since I’ve installed it but if I remember correctly, you could do a network install that would use an FTP site to retrieve the media. It didn’t include most of the Suse proprietary (non-GPL) software though.
(FWIW: I disagree with all points you made.)
> Why ?
FTP is an efficient and reliable file-transfer protocol (in design) never mind it being _the_ standard way of doing, at that. IANA even specified the TCP “type-of-service” bits to be set to give ftp-data better throughput than other protocols (RFC-1700). Only beef I have with it is: password(s) are being sent over the network (plain ASCII, none the less).
Now one could use Kerberos to avoid that, and that may indeed be a good idea on a LAN. However, some might dislike the KDC having to be accessible, when used over the internet. (You can of course still have the FTPS server authenticate users to an internal KDC. That way an attacker would first have to hack into the FTPS server before being able to have a slap at Krb.)
Since SSLv3/TLSv1 is *the* standard today (for mutual authentication of client and server, and encrypted connections over the internet) why not use it? Passwords are still sent over the network in that case, sure. However the client now knows who they’re talking to (by way of certificate verification), and they’re not transmitted in clear-text anymore …
> People using commandline FTP clients out of the box on Windows are a minority at best.
Maybe. It /is/ (often) used in backup batches though.
> People who want to use commandline FTP clients with an SSL-tunnelled FTP command channel out of the box probably wouldn’t even make a statistically measurable proportion of the userbase.
Idunno ’bout that, they might not know (or care) that they really _should_ use it, instead.
> And even that’s ignoring the simple fact that FTP is broken for anything that requires the sort of security you’re talking about – it simply shouldn’t be used for it.
Why not?
> Windows has a sufficiently-usable PASV-supporting FTP client in Internet Explorer and that’s all it should have.
For anonymous access, yes. But then it’s being used for uploading web-pages and stuff as well (which is bad, as most people probably use the same password in many places.)
> People who want/need something more comprehensive should be searching it out from a third party.
Ok, and there is a lot of client software to choose from:
http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html
But as long as “standard” tools do not support it, it’s hard for ISPs (or hosting providers) to enforce as policy …