lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: jan.muenther at nruns.com (jan.muenther@...ns.com)
Subject: Re: January 15 is Personal Firewall Day,help the cause

Hallo Tobias,

at the risk of sounding like a Win32 advocate...

> I agree. But Windows isn't delivered in such a minimum state by default.
> Instead all doors are open. When MS ships Windows shouldn't it deliver
> it with all doors closed instead of all doors open? I'd rather have an
> "opt-in" for security risks than an "opt-out". 

I agree. MS are slowly grokking this. An example would be IIS6, which they
got fully source code audited and which comes fairly reduced by default. I
still don't agree to some design decisions (like running part of it in ring
0), but hey, it sure is a step forward. They've been lambasted badly and
earned it, but they're making progress for sure.

> available tools at affordable prices. Maybe you can correct me here. I'd
> love to see something as Claymore, Tripwire or AIDE freely available on
> Windows.

Hm, I doubt that it doesn't exist. As a dirty workaround, one could create
md5 hashes oneself and store them in an offline database. 

> Again, this is not what I am criticising. I am criticising that Windows
> ships with some sort of packet filtering (though I doubt it can compete
> with iptables) but it is not enabled by default.

Neither is it in a lot of Unixes. 
And yeah, first of all it's crudely positioned (ipsec policies? c'mon...),
and second it's a stateless packet filter which can be circumvented fairly
trivially...
Still, it's possible to take a simple workstation out of the line of fire
pretty much. The "Internet Connection Firewall" that XP has is at least a
lot better than having nothing, and it's trivial to enable even for Joe or
Jane User. 

> ZoneAlarm and all these other products actually may have their positive
> sides but you can't cure an unpatched Windows XP Home or older unpatched
> Windows 98 boxes by just installing such a Personal Firewall.

Dude... neither is a firewall a cure for an unpatched Unix box! I see it so
often that people rely on their perimeter defense. Once you're through that
it's mayhem. 

> new program is really annoying. If you think this can be avoided by
> telling the end user not to use these programs then you are utterly
> mistaken. End users are addicted to those ad driven trash like Kazaa,
> various download managers and other stuff. They'd rather cut off their
> left hand then not to use such programs.

Do you think that would be any different if Linux replaced Windows as the
most frequent end user platform? I strongly doubt it.
> 
> The advantage in Open Source software is that it doesn't run ad driven
> and doesn't spy on the end user while offering the same functionality
> and most of the times even more.

While I generally agree, the way most people handle OSS these days, it's
trivial to sneak in spyware functionality as well. I can't remember what it
was, but I've seen attempts to mail my /etc/passwd to some hushmail account
from a Makefile (very sneaky, haha). 
> 
> This is where I have to disagree with might. File permissions with user,
> group and world levels, processes locked in chroot environments, the
> possibility of starting single tasks with root access via sudo from
> within a normal user session are all examples of things lacking in
> Windows.

Hm, no. NTFS actually supports ACLs straight out of the box. With runas, you
can switch the security context of the current user to run a process with
different credentials. As of chroot'ed environments, I can't think of
anything practical at the moment, indeed. 
> 
> Every user logging in to Windows XP Home is working with full system
> rights. This is the state the system is delivered by Microsoft. How
> should a Windows XP end user know that this is dangerous and how should
> he know to change this?!

XP Home Ed. is a big scam - they basically deprived it of any useful
functionality of their "professional" operating systems. 
> 
> Rigid rights management in Windows is a modern myth. This simply can't
> be compared to Unix/Linux.
I really beg to differ. You *can* do a very fine grained rights management
with NT+ systems, only very few people actually do. Ever read the NSA paper
on NT hardening?
> 
> What user does the IIS webserver run as when you install the IIS the
> default way? The same goes for other services on Windows servers.

It actually runs as the IUSR_MACHINENAME anonymous account, not as Local
Authority / SYSTEM - the IIS5, I mean, IIS4 did run as system. Then again,
come on, a lot of Unix services run as root as well, at least on classical
Unix systems. 
> 
> How to implement a chroot environment in Windows?

I actually don't know off the top of my head, but I'm sure MS came up with
something to match the DoD's compartmentalization requirements. And yes, I
have my doubts too whether it's any good. 
> 
> Does it safe user passwords one way encrypted like the shadow password
> file in Linux? :-)

Hm? Yes, sure it does. It's not even so easy to get to the hashes, you have
to have LA/SYSTEM for it. Of course, one of Wintendo's biggest flaws is the
fall-back to LanMan, so the LM hashes stored in the SAM are a problem.
However, you can switch that off if you know how. 
> 
> In Linux passwords get encrypted and sent to the shadow password file
> like that. When a user logs in his input gets encrypted again and the
> encrypted input is compared against the encrypted password.

actually, in Windows it's not even as trivial as that. That's taking a bit
too far, if you're interested, we can discuss in private. 
> 
> > Not really missing from Windows, just a bit more cumbersome to do.  I agree
> > that just adding a firewall is not the sole answer, neither is just adding
> > A/V software.
> 
> We agree. Maybe "missing" was not the right way to describe it. "Missing
> by default" or "available but not enabled by default" would have been
> better. The result though is the same.

Uh huh. The problem in my opinion is two-fold: Windows users (and/or
administrators, mind you) know far too little about the system, if they did,
they'd be able to make it fairly secure, which it isn't by default. 

Linux/Unix users however often make the mistake of assuming safety simply
due to the fact they're running something else than Windows. And that is as
a matter of fact a *very* false sense of security. 
There's no reason to be smug just because you're running Debian, OpenBSD or
whatever. You still need to keep up to date and educate yourself. 

And again, I'd argue that neither Unix nor Windows were designed to be
secure operating systems. Plan 9 e.g. is. 

Regards, J.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ