TRANSCRIPT
Hosted by
The 2003 Report Card: The state of our OSes
Some good news, some bad news, and some challenges for the near future
The Good News: no bugs in Server 2003
Server 2003’s Here: ready to upgrade?
Probably not, unfortunately
It’s not that 2003’s not a really neat tool – it is – it’s probably the cost
See if this looks familiar:
To Upgrade Or Not?
[Chart: costs/benefits plotted against version number, with two curves: marginal value of upgrade, and cost of upgrade]
Logical outcome: people upgrade more slowly!
Evidence: NT 4.0 is a seven year old OS
But people are still using it; in fact, many controller devices are only available in an NT 4.0 version
Imagine running NT 3.1 in 2000
Consider version skipping; how many go
• SQL 6.5-7.0-2000-2003?
• Windows 98-NT 4-2000-XP?
• How many still use Exchange 5.5?
Is something wrong?
No, it’s a natural side effect of any technology maturing
That’s a significant point
Note that this is not advice… it’s observation
Some simply cannot afford to upgrade without a life-and-death reason … that’s important
But it also means that “being an expert” gets tougher – you must know a wider range of OSes
What does this mean?
Our jobs will become – have become – different
Less planning
More maintenance
Broader responsibility
So focus on whatever makes maintenance easier!
Other Effects: Older Bugs?
MS does a good job finding bugs during the beta phase
But there are a lot that will never get found until the system’s being “beaten” on
I see that in my current AD questions, appearing in the year 2003 … not 2000
So how long will it take before we truly trust any new software?
Should I Upgrade to 2003? the good news
Active Directory 1.1
Forest trusts
Domain renames
Branch office goodies
Tons more group policies
Web-based admin tools
Better XP integration
IIS 6
Vastly, vastly improved group policy management tools
Better, easier security
All the XP lagniappe
More command line tools
E-mail server, database server built in
Should I Upgrade to 2003? more good news
2003 really doesn’t need more powerful hardware than 2000 Server in my experience, although more is still better
Upgrades seem smooth
2003 runs fewer services out of the box by default – they’re there, you just have to explicitly turn them on rather than them being on automatically
Should I Upgrade? the bad news
The usual: costs money and time
You MIGHT have to shell out for Enterpri$e, unfortunately
CALs
Product activation
No MSI packager shipped with 2003
Answer: www.ondemandsoftware.com/freele2003
Should I Upgrade? more bad news
Exchange 2000 doesn’t run on 2003 DCs w/o a LOT of work (KB 325379)
Bad News: NT 4 Abandoned?
KB 331953 reveals a potential denial of service hole in the RPC port mapper, which uses port 135
Another “buffer overflow” problem
Basically it’s a bug that enables data entered into ONE program to leak out of that program and overwrite another one
Or, graphically…
[Diagram of a buffer overflow: the data input area of an application, and the rest of the application that the overflowing data spills into]
Severity
Does not allow an attacker to steal data from a system
Affects NT 4, 2000 and XP
2000 and XP patched
NT 4 ISN’T… no patches for it
“Architecturally Impossible?”
MS patched 2000 and XP, but not NT 4
Their reason: that it’s “architecturally impossible.”
This seems odd, as RPCs didn’t really CHANGE all that much from NT 4 to 2000… but there’s a 2000 fix
So with all respect, this seems suspect and, well, awfully convenient for MSFT shareholders
Which leads to the delicate “trust” issue
Why this isn’t acceptable
NT 4 has quite a bit of expected lifetime left
Unless they’re willing to buy the old copies back or offer free 2000 upgrades…
Merely saying “don’t put a system with port 135 on the Internet” is a workaround, not an answer – despite “expert” opinion, there’s nothing wrong with it, given patches, passwords and permissions
It supports what was basically NT’s main reason for existence for years… file serving
Worst of all, it sets a dangerous precedent
Possible Microsoft Options
Release a patch
Explain that the patch is impossible, and release source code to prove it
Develop a more complex patch and charge for it
Adopt the Pentium approach… offer free upgrades
Never have exposed the vulnerability in the first place if they knew they couldn’t fix it
When Is an OS Obsolete?
I think users determine that, not companies
Not everyone needs the latest thing, or needs it ENOUGH
Not everyone can afford the latest thing
Hardware does not obsolete OSes anymore
Seven year old software is not unusual at all in other markets
Challenge: Security: CERT Incidents
[Chart: CERT incidents reported per year, 1997 through 2002, on a scale of 0 to 90,000]
Challenge: Security
Not news, but it keeps getting worse
Good news: newer OSes really ARE more secure (XP, 2003), lower CERT high level advisories
But the bad guys get better…
Advice:
• Beware the “boogah-boogah” effect
• Try things out for yourself
• Stay on top of patches (SuS, SMS)
• Assume your firewall is doing very little (RFC 3093)
An Easy Security Consideration: a bit of homework
NTLMv2 and Kerberos are both pretty secure
But 99% of the existing systems still support LM and NTLM
There’s really not a reason for it any more
Get rid of them:
• stop creating LM hashes and change passwords
• stop accepting LM and perhaps NTLM
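The two pieces of homework above map onto two LSA registry values: NoLMHash (stop creating LM hashes) and LmCompatibilityLevel (stop accepting LM, and optionally NTLM). The following script is an added example, not from the original slides; it audits a machine against that advice and can apply the fix. It assumes an elevated PowerShell session on the box being checked; Get-LmAuthPosture and Set-LmAuthHardening are names chosen here.

```powershell
# Added example (not from the original slides): audit and remediate the two
# LSA values behind "stop creating LM hashes" / "stop accepting LM and NTLM".
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meaning of each LmCompatibilityLevel value, weakest (0) to strongest (5).
$levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 only, refuse LM'
    5 = 'Send NTLMv2 only, refuse LM & NTLM'
}

function Get-LmAuthPosture {
    $p = Get-ItemProperty -Path $lsa
    # A missing value means the OS default applies; treat it as the weakest
    # setting so the report errs on the side of flagging it.
    $noLm  = if ($null -ne $p.NoLMHash)             { [int]$p.NoLMHash }             else { 0 }
    $level = if ($null -ne $p.LmCompatibilityLevel) { [int]$p.LmCompatibilityLevel } else { 0 }
    [pscustomobject]@{
        NoLMHash             = $noLm
        LmCompatibilityLevel = $level
        LevelMeaning         = $levels[$level]
        StillCreatesLmHash   = ($noLm -ne 1)    # slide's first bullet
        StillAcceptsLM       = ($level -lt 4)   # slide's second bullet
        StillAcceptsNTLM     = ($level -lt 5)   # the "perhaps NTLM" part
    }
}

function Set-LmAuthHardening {
    # 4 = refuse LM only (keeps NTLM for stragglers); 5 = refuse LM and NTLM.
    param([ValidateSet(4, 5)][int]$Level = 5)
    Set-ItemProperty -Path $lsa -Name NoLMHash             -Type DWord -Value 1
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Type DWord -Value $Level
    # NoLMHash only stops *future* LM hashes: each account's existing LM hash
    # goes away when its password is next changed, hence "change passwords".
}

Get-LmAuthPosture | Format-List
```

Run Get-LmAuthPosture before and after Set-LmAuthHardening; any True in the three "Still…" fields is a remaining item of homework.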
Good News: GPMC
MS’s message in 2000 and later: GPs are the way to manage a network
But they don’t always work the way you expect
The trouble is the lack of management tools
Answer: Group Policy Management Console
What GPMC does
Backs up and restores GPOs
Diagnoses replication errors on GPOs
Shows what a GPO does, simplified
Shows what the total effect of your GPOs is, again simplified
Tells you which GPO performed each action
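Each of the five GPMC functions above is also scriptable through the GroupPolicy PowerShell module that later shipped alongside GPMC (it is not part of the 2003-era console this slide describes). The script below is an added example, not from the original slides; it assumes a domain-joined admin workstation with that module installed, and the output folder is a constructed placeholder.

```powershell
# Added example (not from the original slides): the five things the slide says
# GPMC does, driven from the GroupPolicy module. Assumes RSAT/GPMC is installed.
Import-Module GroupPolicy
$out = 'C:\GPMC-Work'    # constructed working folder
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. "Backs up and restores GPOs": full backup set, restore one by name later.
Backup-GPO -All -Path "$out\backup" -Comment 'pre-change baseline'
# Restore-GPO -Name 'Default Domain Policy' -Path "$out\backup"

# 2. "Diagnoses replication errors on GPOs": every GPO carries a version
#    number in AD and one in SYSVOL; a mismatch means the two halves of the
#    GPO have not replicated together yet.
function Get-GpoReplicationMismatch {
    Get-GPO -All | ForEach-Object {
        [pscustomobject]@{
            Name       = $_.DisplayName
            AdVersion  = "$($_.Computer.DSVersion)/$($_.User.DSVersion)"
            SysvolVer  = "$($_.Computer.SysvolVersion)/$($_.User.SysvolVersion)"
            InSync     = ($_.Computer.DSVersion -eq $_.Computer.SysvolVersion) -and
                         ($_.User.DSVersion     -eq $_.User.SysvolVersion)
        }
    } | Where-Object { -not $_.InSync }
}
Get-GpoReplicationMismatch | Format-Table -AutoSize

# 3. "Shows what a GPO does, simplified": one readable report for every GPO.
Get-GPOReport -All -ReportType Html -Path "$out\all-gpos.html"

# 4 and 5. "Total effect of your GPOs" and "which GPO performed each action":
#    the resultant-set-of-policy report lists, per setting, the winning GPO.
Get-GPResultantSetOfPolicy -ReportType Html -Path "$out\rsop.html" `
    -Computer $env:COMPUTERNAME -User "$env:USERDOMAIN\$env:USERNAME"
```

Get-GpoReplicationMismatch is a name chosen here; an empty result means AD and SYSVOL agree for every GPO.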
GPMC Opening Screen
GPO Manipulation in GPMC
GPO Diagnostics (1)
RSOP Wizard Invocation
RSOP Overview
RSOP Winners/Losers
Bad News
Only runs on 2003 or XP systems
Will not install on a 2000 box
Requires .NET Framework on XP or 2003 box
Can’t even run it remotely on a 2000 member server or domain controller
BUT you can back up / restore to/from a 2000 box, or view the results of policies gotten from a 2000 box by a 2003 or XP box
Challenge: Death to NetBIOS
AD was supposed to put an end to the broadcasts, WINS, strange name resolution problems, etc.
But it hasn’t
Challenge to Redmond: announce a date for NetBIOS’s “deathday”
Challenges: We Still Can’t… a partial list
Hide files that users can’t access
Restrict simultaneous logins
Kick a user off the whole network with one click
The Biggest Problem Remaining
The fact that the IT staff shortage will NOT, for some strange reason, return
SOMETHING’s got to be done about this
My suggestion to Microsoft: a new OS
Windows PX Features
Online Help:
• In response to customer desires for faster systems, we have trimmed all non-essential files to reduce PX’s footprint. So sorry, no Help files. Call your help desk.
Driver Support:
• All the drivers you can write. PX ships with an assembler and full examples to write your own. Hire some programmers. Smart ones.
Networking:
• Our SimpleTCP™ network system speeds up networking by cutting out name resolution – no WINS, no DNS. Refer to Web and other servers solely by their IP addresses for greater reliability. Static IP-only support ensures that your network offers no surprises – and no complex DHCP!
User Interface…
PX User Interface
C:\>
Follow the arrow forward to Windows PX!
Sample PX Commands
See a folder on the first hard drive’s directory with the edit (Examine Disk InTeractively) command:
edit #1A:*.*
Format a disk with the Edit (Erase Disk InTeractively) command:
Edit #1A:*.*
Note all commands are case-sensitive!
What the analysts are saying
“Windows PX’s 27-test certification program will mean better-qualified professionals” --- Sylvan Prometric, VUE testing centers
“We estimate that desktop support costs will rise by 329.1433% under PX, with a 92.1182376% confidence interval. This will inevitably lead to an IT staffing shortage” --- Gartner Group
Thanks!
My sincere thanks for attending
Free tech newsletter: www.minasi.com
Seminars and audio CDs there too
email: [email protected]
HAVE A GREAT CONFERENCE!!!
Don’t forget RedHat Enterprise Linux ES
Standard Edition $599-799
http://www.redhat.com/software/rhel/es/