Why is it so difficult to network Vista and XP PCs?

Discussion in 'Windows Vista Networking' started by Pierre KOHLER, Jul 13, 2007.

  1. Pierre KOHLER

    Chuck [MVP] Guest

    Classic Blogger is no more, nor is Beta. It is all New Blogger.

    You're using Technorati tags, and Labels. Labels are (MHO) the best feature of
    New Blogger.

    The formal name for "Blogger" is (I saw this somewhere) "Blogger One Button
    Publishing". I use the formal name when I am describing how easy it is to use
    Blogger to create a website. Which is when I'm not ranting how much support by
    Blogger sucks. Meh.

    Pierre and his rants have nothing over some Bloggers. I personally write about
    how coincidental the term "Blogger Support" is to its detractors. Calling it
    "BS" is so obvious. We can't cut "MS" anywhere like Bloggers cut "BS".

    And I'm aware of the "physical security" concept. And I do my best to teach the
    dangers of that. And yes, proper procedures are expensive. But far cheaper
    than having your network botted, or maybe confidential customer data stolen and
    sold to other hackers.

    So I try to teach proper security and system management concepts to Bloggers.
    People who manage huge websites, yet know only how to turn the computer on.
    Talk about physical security. Meh.

    Chuck, MS-MVP 2005-2007 [Windows - Networking]
    Paranoia is not a problem, when it's a normal response from experience.
    My email is AT DOT
    actual address pchuck mvps org.
    Chuck [MVP], Jul 22, 2007

  2. Cool!

    Yep, labels excite me too (I excite easily, from some rest states)
    The old Blogger support was pretty cool - you could contact them, and
    they would enter into an email dialog with you. I don't think it's
    like that anymore; I can't see a point of entry, even after the usual
    barriers of FAQs, forums etc. (which I always check first).
    Which is more dangerous:
    - a world before nuclear weapons were invented
    - a world where nuclear weapons are "secured"

    Which is more dangerous:
    - a LAN with no connection to the outside world
    - a LAN offering "secured" administration from the Internet

    I don't want to spend money on "proper procedures" to "secure" remote
    administration from the Internet, when there is not one entity that I
    would want to extend that functionality. Why should I? It's far
    better and safer to render this as impossible as it should be, given
    my installation's requirements.

    You're asking ppl with no interest in per-user authentication, to
    become amateur corporate sysadmins. How well do you expect that to
    work? Would a corporation trust these folks to manage their network,
    or would they insist on an MCSE?

    If non-MCSE skills are not good enough for corporates, why do you
    think they are good enough for us, when simply ripping out all the
    remote garbage would work better anyway?
    Ah, bloggers; different target audience, that.
    Sure, fair enough. But how do I bring any of this stuff to bear on
    securing the process of blogging, or how well my blog is secured on
    someone else's server that someone else administers? Just getting a
    full site backup out of such folks is difficult as it is...

    To one who has never seen a hammer,
    nothing looks like a nail
    cquirke (MVP Windows shell/user), Jul 22, 2007

  3. Pierre KOHLER

    Chuck [MVP] Guest

    OK, that sounds like a physicist joke. Quantum physics, it used to be called.
    That's the Blogger Silence issue.
    My personal opinion? There is nothing so vulnerable than an invulnerable

    1) Is a perceived state. The owner thinks he is invulnerable, and will relax
    and do stupid things like surfing to web sites where he doesn't belong.
    2) Is a temporary state. Tomorrow's security exploits are unknown today.

    Your nuclear warfare analogy is good, as an analogy. It doesn't go far enough

    Back in the 80s, Chris, I was a youth counselor at a church. In one of our
    sharing moments, I discussed the nuclear warfare issue, and how much I was
    relieved to see it all coming to an end. One of the kids put THAT into
    perspective right fast.
    "BFD Chuck", "I'm trying to go to school, go in the can to take a piss, and keep
    from getting knifed while I am doing that".

    Whether it's nuclear war, or a random gunshot from another car on the freeway,
    you gotta be aware. And you gotta worry.
    The customer (any given customer) has 4 choices:
    1) Pay you to fix the problems now, then hire you permanently to keep the
    problems away.
    2) Pay you to fix the problems now, and train them now, so they can try to keep
    the problems away.
    3) Pay you to fix the problems now, then pay you (or somebody else) next year to
    come back and fix more problems.
    4) Tell you to take a hike, then get their neighbour's high school kid to fix the
    problems. Then pay you later to fix the problems properly.

    Choice of 1 - 4 is up to the customer, based upon business need. Your job is to
    negotiate 1 - 3 now, and accept #4 if necessary.
    Wanna join my "Blogger Support and other issues" forum? It's quiet right now,
    but if you ask those questions in there, I'll bet that we see some reactions.

    Google has network problems, they don't acknowledge them (see "Blogger
    Silence"), but the Bloggers have to deal with them. And as most Bloggers, as I
    said, barely know how to turn the computer on, they have no idea what they are

    It's taken 2 years to get to the point where "a" "Blogger Employee" will listen
    and provide feedback, on a one to many basis, about ongoing problems. Maybe one
    on one email is a part of their past, but it sure isn't part of their present.

    Chuck, MS-MVP 2005-2007 [Windows - Networking]
    Paranoia is not a problem, when it's a normal response from experience.
    My email is AT DOT
    actual address pchuck mvps org.
    Chuck [MVP], Jul 22, 2007
  4. Pierre KOHLER

    Kerry Brown Guest

    This has been interesting reading. I'll interject with an anecdote about
    physical security. I have a customer who has three pc's in their shop. Two
    run a LOB app. The third is used for online ordering and email. It is used
    by several employees who all need Internet access occasionally. I spent
    quite a bit of time going over the requirements of the business and the
    network with the owner. It was decided (against my objections) to isolate
    the two LOB computers on a separate network that was not physically
    connected to the Internet. The only disks that were ever used in these two
    computers were CD's with updates for the LOB app and CD's with Windows
    Updates on them. No AV was installed (again against my objections),
    passwords weren't used, the only security was the Windows XP firewall. This
    was working well for a couple of years. The computer connected to the
    Internet occasionally picked up a bit of spyware but it was relatively well
    protected and didn't have any more problems than any computer that is used
    by several different users. One day I got a call from the owner. One of the
    LOB computers wouldn't boot and the other one wouldn't start the LOB app.
    Long story short the owner had connected the switch the LOB computers were
    on to the router. This was so he could plug his laptop into the switch and
    check his email. Someone had accessed the Internet on one of the LOB
    computers and installed a trojan. Things had quickly gone downhill from

    On a domain (e.g. SBS) this could have easily been avoided with group
    policies restricting the sensitive computers from accessing the Internet and
    having proper security for the whole network. I manage several SBS servers
    for small businesses. With most I can do this by remote and rarely visit the
    site. Their monthly charges are usually around one to two hours. I read the
    daily reports that SBS emails me. I manage the server and workstation
    updates by remote. SBS 2003 R2 has WSUS which makes managing updates even
    easier. Domains need not be complicated or expensive to manage. They take a
    bit of knowledge to set up at the start but once up and running require less
    management than a p2p network if more than three or four computers are
    involved. It's only when you start getting into multiple servers that domain
    administration starts to get complicated.
    Kerry Brown, Jul 22, 2007
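The isolated LOB segment in the anecdote above, as an added example that is not part of the original thread: an elevated PowerShell 5.1 script (Windows 8 / Server 2012 or later, NetTCPIP and NetSecurity modules) that pins a LOB workstation to a fixed address with no default route and no DNS servers, default-denies outbound traffic except to the LOB server, and disables USB mass storage. The adapter name, the 10.99.0.0/24 addresses and the LOB server address are hypothetical; the cmdlets and the USBSTOR registry value are standard.

```powershell
# Added example: lock an isolated LOB workstation down so that plugging its
# switch into the Internet router yields no route out. Run elevated.
[CmdletBinding()]
param(
    [string]$Adapter   = 'Ethernet',      # hypothetical adapter alias
    [string]$Address   = '10.99.0.11',    # hypothetical fixed address
    [int]   $Prefix    = 24,
    [string]$LobServer = '10.99.0.10'     # hypothetical LOB server on the same segment
)

# 1. Fixed address, deliberately created without -DefaultGateway. DHCP is
#    turned off first, otherwise a router on the cable would hand out a
#    gateway the moment someone "just plugs in a laptop".
Set-NetIPInterface -InterfaceAlias $Adapter -AddressFamily IPv4 -Dhcp Disabled
Remove-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 `
    -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $Address -PrefixLength $Prefix | Out-Null

# 2. Drop any 0.0.0.0/0 route left behind by an earlier DHCP lease, and clear
#    the DNS server list: an isolated segment has nothing to resolve.
Get-NetRoute -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ResetServerAddresses

# 3. Host firewall as the fallback layer: default-deny in both directions on
#    every profile, then one outbound allow rule for the LOB server only.
Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName 'LOB server only' -Direction Outbound `
    -Action Allow -RemoteAddress $LobServer -Profile Any | Out-Null

# 4. Disable the USB mass-storage driver (Start=4) so a stick cannot be used
#    to walk files, or malware, across the air gap. Takes effect for devices
#    plugged in after the change.
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
    -Name 'Start' -Value 4 -PropertyType DWord -Force | Out-Null

# 5. Verify: every field should show the isolated state.
function Test-Isolation {
    $gw = Get-NetRoute -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Address         = (Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4).IPAddress
        HasDefaultRoute = [bool]$gw                                            # want False
        OutboundDefault = (Get-NetFirewallProfile -Name Private).DefaultOutboundAction   # want Block
        UsbStorageOff   = ((Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR').Start -eq 4)
    }
}
Test-Isolation
```

Putting the LOB segment on its own subnet matters as much as the missing gateway: if the LOB PCs sat on the router's 192.168.x.x range, the router would still be one ARP away. With DHCP off and the firewall default-denying outbound, a cable plugged in by mistake gives the machine nothing to talk to except the LOB server it was already allowed to reach.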
  5. Agreed on both counts. Enigma was assumed to be invulnerable...

    However, the flaw is not in steps taken to protect the system, but
    rather the assumption of invulnerability. That goes as much for "I
    can't have a virus, I use NORTON" to saying the same about being on a
    domain. The beneficial effect may lie in realizing domain
    administration is so complex that the chances of you screwing up
    somewhere are so high that you aren't certain to be safe :)
    Yup. I really hope the folks staffing those ex-Soviet facilities get
    their paychecks on time, don't you?
    I'd worry less if my OS didn't wave opportunities to the Internet as
    if it was "just a big network". The Internet is not a network, in
    the same way that a forest is not a tree.
    Fair enough. But I have enough work without needing
    artificially-stimulated demand. It's like including dangerous
    features that require regulatory compliance when you don't need
    either. "Just for the fun of it, we stick a barrel of nuclear waste
    in the trunk of every car we make. Please ensure your safety officer
    monitors this to remain compliant with AEC regulations."
    Hmm... OK. Time's a crushin', and there are more forums than eyeballs
    (and more blogs too, of course). If I had time, I'd:
    - figure out how to set up a free wiki
    - open this to those interested in Bart and WinPE
    - write a how-to page so end users can use Bart + (say) Multi-AV
    - develop a Bart and/or WinPE based mOS for download
    - how-to documents and tutorials to mOS-building in Bart
    - learn how to build a mOS on WinPE 2.0
    - how-to documents and tutorials to mOS-building in WinPE 2.0

    But alas, etc. :-/
    I figured that. Live Spaces seem "hungrier", at least for feedback;
    they know they're trying to break through, whereas I think
    Google/Blogger see themselves as comfortable incumbents.

    One-on-one email support is rare, though. I'm always delighted to
    find it, but rarely do I expect it.

    Dreams are stack dumps of the soul
    cquirke (MVP Windows shell/user), Jul 23, 2007
  6. On Sun, 22 Jul 2007 10:15:35 -0700, "Kerry Brown"
    So far, so good...
    ...that's not so good, though without Internet access, they would not
    have av updates (or code patches, for that matter).
    That could paradoxically be safer than weak passwords, if they were
    using XP Pro instead of XP Home. A weak password waves admin shares
    wherever F&PS is exposed, on XP Pro; XP Home is safer there.
    The point of failure here is not their policy, which was sound as long
    as those with physical access can be trusted not to bring in USB
    sticks, modems, WiFi connectors etc.

    They failed because they didn't follow their policy, and their
    approach was not deep enough to provide fallback defences for when
    their policy failed to protect them for whatever reason.
    I prefer not to open sites up to any sort of remote admin, myself
    included. I like the sound of SBS, but don't have hands-on with it;
    even SBS is too costly for my client base. At best, they will
    begrudgingly use XP Pro on a couple of PCs that expect > 5 incoming
    LAN connections, and that's it.
    They do have to be set up properly, and kept that way, if they are not
    to become risks in their own right. I don't know how well that
    installation would have done, over so many years, if it had a domain
    setup left in place without an ongoing presence to manage it, as you
    were doing via remote access.

    If remote access is properly secured, it may be as safe as a VPN
    between their LAN and the admin, who manages other LANs. That makes
    the admin a potential node, if any of the LANs gets infected with
    malware that can propagate via such connections.

    So perhaps it depends on the quality of the sysadmin. I know enough
    to know that I don't know enough to expose my own clients to that sort
    of risk, i.e. I don't know enough to promise safety.

    Policy - promises such as privacy policy, SLAs, etc.
    Security - ensuring you are the only actor
    Safety - ensuring that only what the actor intends, happens
    Sanity - ensuring the code only does what it was coded to do

    At Policy, you are standing at the top of a very tall ladder.
    I can believe that, especially if the p2p is doing a lot of networking
    and/or there are lots of users milling about.

    But pushing desktop policies onto PCs from a server only makes sense
    not only if you are the only actor "owning" the server, but also if the
    policies you push, don't suck for safety. Pushing MS duuuuhfaults
    like "don't show extensions", "hide files", "open on content, not
    extension", "write-share everything with hidden but automatable names"
    etc. can just enforce poor safety, undermining the rest of the ladder.
    Heh heh... we all have our threshold of pain, yours is just a bit
    higher than mine ;-)

    Here's an example of depth.

    I have no need to facilitate write access to any part of C:, and (on
    some PCs) anything at all. Doesn't matter what credentials you wave,
    there is no entity in the universe in the "allowed users" set.

    So I do all of:
    - avoid XP Pro, preferring XP Home
    - kill hidden admin shares via .REG
    - use 1 admin account only
    - have nul password on that account
    - block F&PS at firewall unless needed
    - unbind F&PS from networking unless needed

    Why "all of"? Any one of those steps would be enough to contain the
    risk, but I do all as the assumption is each measure may fail - and
    even then, I still wish I had an OS that wasn't so stupid to have
    invented admin shares in the first place. If I want the root of a
    volume shared, I'll explicitly share it, thanks; if I don't, then I
    should know some dumb-ass duhfault is not doing it behind my back.

    So those "not on the Internet" PCs would have firewalls enabled
    (though it can be a pain getting LOB apps to play through them), no
    admin shares, no WSH, resident av that would update if and when
    opportunity arises, \Autoplay.inf processing disabled, boot order C:
    before anything else, no auto-rebooting on errors or RPC failures, XP
    SP2 applied, safer UI settings, any email apps set to less sucky
    duhfaults (there's still a lot of "Internet Zone" Outbreak 2000 out
    there) and so on. Would it have helped? Maybe not, or maybe with a
    safer UI, maybe that trojan would not have got traction.

    IKWYM about "invulnerability", though. I think a hard rain's gonna
    fall on Apple and Linux if they ever get big enough to be targets.

    "Why do I keep open buckets of petrol next to all the
    ashtrays in the lounge, when I don't even have a car?"
    cquirke (MVP Windows shell/user), Jul 23, 2007
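The "depth" list in the post above (no automatic admin shares, no WSH, no Autorun processing, no auto-reboot, File and Printer Sharing blocked at the firewall and unbound from the adapter), as an added example that is not part of the original thread. This is an elevated PowerShell 5.1 script for Windows 8 / Server 2012 or later (SmbShare, NetSecurity and NetAdapter modules); without -Apply it only audits. The registry values are the standard ones for each setting; the check table and the -Apply switch are this example's own design, and the post's .REG-file approach is what these values would be written with on XP.

```powershell
# Added example: audit, and optionally apply, the host-level "depth" settings
# the post lists. Run elevated; re-run without -Apply to confirm.
[CmdletBinding()]
param(
    [switch]$Apply   # report only unless -Apply is given
)

# One row per registry value. ASSUMPTION: these are the standard keys for the
# behaviours the post names; the post itself does not spell them out.
$checks = @(
    @{ Desc = 'No automatic C$/ADMIN$ shares (workstation)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'AutoShareWks';       Want = 0;   Type = 'DWord' },
    @{ Desc = 'No automatic C$/ADMIN$ shares (server SKU)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'AutoShareServer';    Want = 0;   Type = 'DWord' },
    @{ Desc = 'Autorun.inf processing off for every drive type (0xFF)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Want = 255; Type = 'DWord' },
    @{ Desc = 'Windows Script Host disabled'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
       Name = 'Enabled';            Want = '0'; Type = 'String' },
    @{ Desc = 'No automatic reboot after a crash'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
       Name = 'AutoReboot';         Want = 0;   Type = 'DWord' }
)

function Get-HardeningState {
    foreach ($c in $checks) {
        $cur = $null
        try {
            $cur = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction Stop).($c.Name)
        } catch { }   # key or value absent means the Windows default is in force
        [pscustomobject]@{
            Check     = $c.Desc
            Current   = $cur
            Desired   = $c.Want
            Compliant = ($null -ne $cur -and "$cur" -eq "$($c.Want)")
        }
    }
}

function Set-HardeningState {
    foreach ($c in $checks) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want `
            -PropertyType $c.Type -Force | Out-Null
    }
    # Block File and Printer Sharing at the host firewall (inbound SMB, NetBIOS)...
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' | Disable-NetFirewallRule
    # ...and unbind the SMB server component (ms_server) from every adapter, so
    # nothing is listening even if a firewall rule is switched back on later.
    Get-NetAdapter | Disable-NetAdapterBinding -ComponentID 'ms_server'
}

# Report first. Every row should read Compliant=True on a hardened box.
Get-HardeningState | Format-Table -AutoSize

# Whatever is still shared is worth knowing about: after AutoShareWks=0 and a
# restart of the Server service, only IPC$ and explicitly created shares remain.
Get-SmbShare | Select-Object Name, Path, Special

if ($Apply) {
    Set-HardeningState
    Write-Host 'Applied. Restart the Server service (or reboot) for the share change to take effect.'
    Get-HardeningState | Format-Table -AutoSize
}
```

The audit half is the part to keep running: each setting here is one layer, and the post's point is that any of them may be silently undone (a LOB installer that re-enables WSH, a firewall reset that turns File and Printer Sharing back on), so the script reports each layer independently rather than a single pass/fail.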
  7. Pierre KOHLER

    Kerry Brown Guest

    That was my point. Sooner or later physical security will be broken, either
    by accident or on purpose. You need a layered approach. It's much easier to
    layer security with a central management system like active directory.

    With SBS you only need two ports exposed to the Internet. Everything can be
    done through Remote Web Workplace with SSL on ports 443 and 4125. Port 4125
    is not opened until after the user authenticates via SSL on port 443. All
    communications are encrypted with SSL. The security is as strong as your
    weakest password. With active directory strong passwords, changed regularly,
    can be enforced. By default SBS opens a couple of other ports but they
    aren't really needed and can be closed. I like to use a hardware firewall (a
    real one, not a NAT router) as well. If you use Exchange you also need port
    25 but for a small network of 3 or 4 computers they probably wouldn't want
    the added complexity of Exchange. All the ports, Internet access, and
    Exchange settings are setup in one wizard that takes a couple of minutes to
    I agree that for small businesses the expense seems hard to justify. I can
    put a decent server in for around $2,500 CDN if they are already using XP
    Pro (or Vista Business) on the existing workstations. Realistically most
    installations are in the $3,000 to $6,000 range. Compared to just sharing
    files on an existing computer it seems like an expensive option. It also
    introduces a single point of failure into the business so it has to be as
    well built with as much redundancy as possible. You really need to use
    server class hardware that is designed for 24/7 use. The advantages are
    better management, thus better security. One place where data is stored so
    the data is easily backed up. The backup wizard in SBS actually makes
    ntbackup easy to use. Most small business owners love the remote access part
    of it. They can remote into their desktop from anywhere and work just as if
    they are sitting at the computer. Even on dialup response is adequate. The
    most common complaint of small business owners is they have to spend too
    much time at the business. Remote desktop gives them more time at home even
    if they are working while they're there. This is a big, big feature for most
    small business owners.
    In a very basic configuration (no Exchange, ISA, or SQL) SBS is very stable.
    It is managed by wizards that are very easy to use. This actually trips up
    many IT pros who are too macho to use the wizards and end up messing up the
    security by trying to do things their way. Once SBS is up and running anyone
    who has reasonable networking skills can easily manage it. It does take
    someone experienced with its quirks to set it up right.
    With SBS if you restrict remote access to RWW only, the remote computer
    can't infect the LAN. All local access is done by RDP over SSL to one of the
    local computers. The remote computer only sees screen updates and sends back
    key strokes and mouse clicks. It is possible to enable cut and paste from
    remote computers but it is easily disabled as well.
    The SBS defaults are well thought out. I usually tweak things a bit but in
    its default state it's very secure.
    Pretty much all of that can be done with group policy. Once it's set up any
    computer joined to the domain will get the policy. Any computer not joined
    to the domain can be severely restricted as to what it can do on the
    network. You can even deny them Internet access if you want. The only open
    shares are on the server and without authenticating you have zero access to
    them. You do need the administrative shares on the workstations for remote
    management but these are secured with strong, regularly changed passwords.
    The local administrator account can be disabled so that only a domain
    administrator can access the hidden shares. If you want to get really secure
    you can use IPSEC but that can be an ongoing management burden.

    It's been a good discussion. We're getting way off topic but it has been
    fun. I love talking about security :) I always learn something. In the end
    there are several ways to the same goal of a secure small business network.
    Kerry Brown, Jul 23, 2007
  8. Agreed, but the same is perhaps more likely when your entire edge is
    complex, fuzzy, and only as good as adherence to policy (which was
    what failed in this case)
    Security is no substitute for safety. In fact, it applies only when
    some risks need to be taken in certain contexts and/or by certain ppl;
    then you "secure" access to those risks.

    But if no-one needs access to those risks, rather rip 'em out.
    That may serve as a solid pipe between the remote PC and the LAN, but
    also exposes the LAN to whatever goes on on the remote PC.
    That's pretty weak, then, because trying to implement strong
    passwords is a lot harder than "don't plug in the cable, moron".


    Strong, changed regularly, non-tokenised. Pick two.

    Humans just are not going to remember a new truly strong (random
    character, full character set, long) password every month without
    tokenizing it somewhere (e.g. writing it down), so your security
    becomes as weak as your passwords and/or informal token system.
    I haven't really got into that as yet. If there's a firewall built
    into the router, as there usually is, I leave it enabled with default
    settings; I dunno how useful that is.

    You trust what you know, as far as you know you can trust it.

    As one who knows networking better than I, I accept you'd trust it
    further than I would, and get better results than I would.
    Yup, the cost per desktop blows out as well due to the need for
    Pro or Business, and if you need more than the 5 seats that consumer
    desktop OSs can peer, then you need extra CALs too.

    That's before you add the cost of hiring the expertise to make it
    work, and the value depends on the client following the plan.

    So in effect, the client becomes dependent on the hired expert and the
    network. If all data is on the server and the network blinks, no-one
    can do any work... and if the sysadmin goes rogue (or gets "owned"),
    there's very little you can do to get the genie back in the bottle.
    I think it's an appropriate solution when that point of failure
    already exists naturally, e.g. where you have a room full of data
    serfs who need access to the same database in order to do anything at
    all. You're already forced into some kind of centralised system,
    whether it be a PICK box and dumb terminals in the 1980s, or a server
    and dependent desktop clients in the 2000s.

    OTOH, consider a group of architects who work on their own projects
    and rarely share data, but who need Internet access, printer sharing,
    and hey can't we backup over the LAN as well?

    What I do for those cases is XP Home (or Vista Basic) unless "too
    many" PCs, then one or two XP Pro (or Vista Business) for the main
    points of gathering (printer, basically).

    On these, I kill admin shares and create an empty dir that is
    read-shared. Nothing else is shared other than printers.

    Then I have a batch file archive a small and clean data set (getting
    crap like downloads, "My Received Files", massive wads of
    pics/music/videos out of there) to the read-shared directory. That's
    the 2am Task; at 4 am, one or more of the PCs will then pull these
    backups from the other PCs via the read-only share.

    So you can end up with "holographic storage", where as long as a
    single PC survives, everyone's work falls back only 1 day.
    The name of the game with backup is redundancy, hence the above
    peer-based cross-backup system (with "last mile" of all gathered
    backups to CDR, DVDR or USB)
    I'd be concerned about the risks there. One crappy user-defined
    password between my data and the Internet? I don't think so...
    I'd rather do that via USB stick sneakernet, which has the advantage
    of some built-in data redundancy, at the risk of "syncing" the wrong
    way. BTW, my "real" self-backup keeps the last 5 backups for a week's
    depth, and does not rely on dates to purge the oldest.
    Sometimes it's just easier. For example, it's easier to find
    "Firewall" than "keep my computer safe" or some overly-dumbed-down
    language that forces you to guess how someone may have over-abstracted
    what you are looking for. Even Regedit is sometimes easier than
    wading through some app's Tools, Options (or is it Edit, Preferences)
    especially for settings the vendor hopes you won't notice.

    So yes, I can see how that can happen ;-)
    O..K.. I can see how that can help, especially if you believe in
    sanity of the code - which I find hard to do these days.
    Can you assert exactly the settings you want?

    If installing apps on these PCs, do you have as much control over
    installation paths, etc. and can you clean up settings, Start Menu
    shortcuts, etc.? Because if you're forced to dumb down to defaults,
    you're swapping one bunch of risks for another.
    And that's as good as your password, right?

    I dunno... I see the same suspension of disbelief here.

    On the physical model those dudes used successfully for a few years
    before they broke their own rules, it was "we don't need to harden PCs
    because they aren't exposed to the Internet"

    Using pro-grade network admin, it's "oh those risks are OK because
    they are secured (by passwords), so we don't mind waving the entire PC
    at the Internet". It's a more complex surface with more things to go
    wrong, and some failures may leave no footprints.

    One could argue that the "physical model" was not properly
    implemented. If those PCs were not to be connected to the Internet,
    why weren't they set to a fixed and unreachable gateway? If you
    cannot trust your staff (as these folks clearly could not) then you'd
    have to go to locked cases, disabled USB ports etc. to preclude Wifi
    bobbins etc. You may even have to do the "limited user rights" thing
    to prevent users fiddling with the network settings, which ideally
    wouldn't be TCP/IP based anyway.

    Mind you, in this case it was user failure, pure and simple, and would
    be a firing offence if the "don't plug in the cable" policy was
    properly propagated. The only way to (try to) prevent that is to set
    yourself up as the users' overlord, so it's not their network
    anymore... and from then on, they'd have to be very, very nice to you.
    Yep, and I quite dig the buzz that SBS seems to attract - most big
    networking folks don't mention it, but those who know and use it seem
    fiercely loyal to it (I'm sure some names spring to mind <g> )

    Who is General Failure and
    why is he reading my disk?
    cquirke (MVP Windows shell/user), Jul 23, 2007
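The peer cross-backup scheme in the post above (a 2 am task that packs a clean data set into a read-only share, a 4 am task on one or more PCs that pulls it, a fixed number of generations kept without relying on dates), as an added example that is not part of the original thread. It is a PowerShell 5.1 script for Windows using robocopy, which ships with Windows; the peer names, share name, paths and the "incoming" staging directory are hypothetical. The generation rotation is by slot number, so a failed copy never consumes a generation and no file date is consulted.

```powershell
# Added example: pull-based peer cross-backup. The same script runs in
# -Mode Publish on every PC and in -Mode Pull on whichever PCs collect.
[CmdletBinding()]
param(
    [ValidateSet('Publish', 'Pull')]
    [string]$Mode      = 'Publish',
    [string[]]$Peers   = @('PC-ALICE', 'PC-BOB'),   # hypothetical peer names
    [string]$ShareName = 'pull',                     # read-only share on each peer
    [string]$ShareDir  = 'C:\pull',                  # local directory behind that share
    [string]$DataDir   = "$env:USERPROFILE\Documents",
    [string]$LocalRoot = 'C:\Backups\peers',         # where pulled copies land
    [int]$Keep         = 5                           # generations kept per source
)

# Copy into a staging directory first. robocopy exit codes 0-7 are success;
# on 8 or above the staging directory is discarded and $null returned, so the
# caller's existing generations are never touched by a failed run.
function Copy-ToStaging {
    param([string]$Source, [string]$Root, [string[]]$Extra = @())
    $staged = Join-Path $Root 'incoming'
    if (Test-Path $staged) { Remove-Item $staged -Recurse -Force }
    New-Item -ItemType Directory -Path $staged -Force | Out-Null
    # /E all subdirs, /R:1 /W:1 one quick retry, /NP /NFL /NDL keep the log quiet
    & robocopy $Source $staged /E /R:1 /W:1 /NP /NFL /NDL @Extra | Out-Null
    if ($LASTEXITCODE -ge 8) {
        Remove-Item $staged -Recurse -Force
        return $null
    }
    return $staged
}

# Rotation by slot, not by date: gen1 is newest, genN oldest. The oldest is
# deleted, the rest shift up one, and the staged copy becomes gen1.
function Move-Generations {
    param([string]$Root, [string]$Staged, [int]$Keep)
    $oldest = Join-Path $Root "gen$Keep"
    if (Test-Path $oldest) { Remove-Item $oldest -Recurse -Force }
    for ($i = $Keep - 1; $i -ge 1; $i--) {
        $src = Join-Path $Root "gen$i"
        if (Test-Path $src) { Rename-Item -Path $src -NewName "gen$($i + 1)" }
    }
    Rename-Item -Path $Staged -NewName 'gen1'
}

# The "2am task": a small, clean data set into the read-shared directory,
# leaving downloads, received files and media behind.
function Publish-LocalBackup {
    $filters = @('/XD', 'Downloads', 'My Received Files',
                 '/XF', '*.mp3', '*.mp4', '*.avi', '*.iso')
    $staged = Copy-ToStaging -Source $DataDir -Root $ShareDir -Extra $filters
    if (-not $staged) { throw 'publish failed; earlier generations left untouched' }
    Set-Content -Path (Join-Path $staged 'MANIFEST.txt') `
        -Value "$env:COMPUTERNAME $(Get-Date -Format s)"
    Move-Generations -Root $ShareDir -Staged $staged -Keep $Keep
}

# The "4am task": pull each peer's newest generation over its read-only share.
# The puller needs no write access on any peer, and no peer needs any access
# to the puller, so a compromised peer cannot reach into the collected copies.
function Get-PeerBackups {
    foreach ($peer in $Peers) {
        $src  = "\\$peer\$ShareName\gen1"
        $root = Join-Path $LocalRoot $peer
        if (-not (Test-Path $src)) {
            Write-Warning "Peer $peer unreachable or nothing published; keeping earlier copies"
            continue
        }
        $staged = Copy-ToStaging -Source $src -Root $root
        if (-not $staged) { Write-Warning "Pull from $peer failed; keeping earlier copies"; continue }
        Move-Generations -Root $root -Staged $staged -Keep $Keep
    }
}

switch ($Mode) {
    'Publish' { Publish-LocalBackup }
    'Pull'    { Get-PeerBackups }
}

# One-time setup on each peer (elevated), hypothetical script path:
#   New-SmbShare -Name pull -Path C:\pull -ReadAccess 'Everyone'
#   schtasks /Create /SC DAILY /ST 02:00 /TN CrossBackup-Publish /TR "powershell -File C:\scripts\crossbackup.ps1 -Mode Publish"
#   schtasks /Create /SC DAILY /ST 04:00 /TN CrossBackup-Pull    /TR "powershell -File C:\scripts\crossbackup.ps1 -Mode Pull"
```

With two or more PCs in Pull mode every machine's last five publishes exist on every other machine, which is the "holographic storage" the post describes: losing any one box costs at most one day of that box's work. The share is read-only and the pull direction is the only direction, so the redundancy comes without write-sharing anything.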
