[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3F16F132.9010007@telusplanet.net>
From: mckellar at telusplanet.net (Neil McKellar)
Subject: Odd Behavior - Windows Messenger Service
Schmehl, Paul L wrote:
> But, back to your original complaint, which was that remote services
> should not be available until you login to the console.....I'm willing
> to bet that *many* people who use *nix as a workstation, *even at home*,
> allow *at least* ssh sessions remotely. And there are KaZaA lovers
> worldwide who are offering remote access to files, on numerous Oses,
> even when they're not at home and logged in.
I was wondering about this as well. Even if you don't run a local FTP,
HTTP, NFS, SMB, SSH, or other service on your local Linux workstation,
you're guaranteed to be bringing up parts of the system to talk to the
network during the boot process. Chances are you're broadcasting for
DHCP. If you're a thin-client, you may be asking for tftp or bootp even
before that. If you're running a virus scanner, it may be starting in
the background, downloading updates automatically from a central server
and scanning files. If you've got NIS, ADS, or Kerberos or something
running, you may be hooking into local authentication systems. These
things are all true for Windows workstations and Mac workstations, too.
All these things require network connectivity, imply levels of trust
with services inside the local network, and may be vulnerable to
spoofing locally. Even the order in which these things become available
may result in greater or lesser exposure.
You don't want your workstations talking to the network or running local
services with network connectivity before the user logs in? Well, when
is it renewing the DHCP lease? How are you remotely pushing software
updates or virus updates to those 1,000+ users? How are you remotely
administering the workstation at all? How are you running backups over
the network, if you need to do such things?
If you need complete lockdown on all these things, then this is no
normal workstation and shouldn't be treated as such. Don't be surprised
if the default install isn't fulfilling your needs.
--
Neil (mckellar@...usplanet.net)
Powered by blists - more mailing lists