News from PANUG - October 3, 2001
http://panug.org

PANUG'S NAME

Yes, Microsoft continues to use the PANUG name in their email broadcasts. The other user group no longer uses the name and is trying to get Microsoft to stop, but Microsoft doesn't seem to be paying attention. We'll keep trying to get them to stop.

FEEDBACK

Regarding the "Friends don't put friends in Outlook address books" line that Ed Sawicki used in his IIS AND DISASTER PLANNING article, Karen Bowen writes: "That was the best part of the email message. I'm still laughing."

Regarding Ed Sawicki's article "IIS and Disaster Planning", John Mckean writes: "Very timely information regarding IIS. I am currently in the process of doing an evaluation that compares the virtues of both Apache and IIS. Any information that you have comparing these two platforms would be quite helpful as I compile the document."

Ed responds: I think it would be useful to create a web page that compares IIS and Apache point-by-point using Microsoft's points. I'll create a web page based on the points Microsoft makes on their web page:

http://www.microsoft.com/windows2000/server/evaluation/features/web.asp

unless you think another of Microsoft's pages is better. I'll let everyone know when the page is created and where to find it. Contact me if you'd like to help out.

About the request for comments on "Gigabit to the Desktop", Charles Quesenberry writes: I think it would be interesting, but only from an "another way to throw away your money" perspective. On a good day, my hard disk can only maintain 20 MB/s throughput. I bench tested a computer with an ATA/100 hard disk running Windows 98 with every setting in the BIOS and the OS configured for maximum performance. That computer only achieved a sustained 32 MB/s throughput/transfer. If a Gigabit network is capable of pumping me data at 125 MB/s, what on earth am I going to do with it? I could possibly use it to play LAN games, but other than that, I don't see the practical application.
Charles also commented on Paul Heinlein's assertion that Linux-based servers can run headless (no keyboard and monitor) in the "IIS and Disaster Planning" article: I don't use servers with consoles. Aside from the money wasted, it is an incredible waste of space. I don't even build/sell Windows servers with monitors. I tell my clients they don't need it. I use TightVNC tunnelled through SSH (combined with a very finicky firewall) to remotely manage Windows servers. I use SSH to remotely manage Linux servers. It's a no-brainer.

He added: Linux will win the server war eventually. It is just a matter of time. Tell everyone to relax and use the time productively, honing their Linux skills.

FBI's TOP TWENTY LIST
by Ed Sawicki

The FBI and SANS have released a list of the top 20 security vulnerabilities in popular computer systems. While there are far more than 20, the idea is that network and system administrators are overwhelmed by the sheer volume of security issues. As a result, many do little or nothing, and we all pay the price. Asking them to focus on only the top 20 might inspire them to do something. You can find the top 20 list here:

http://www.sans.org/top20.htm

That web page is lengthy, which may also put administrators off, so here's a quick summary.

In the general category:

1. Default installs of operating systems and applications
2. User accounts with no passwords or weak passwords
3. Non-existent or incomplete backups
4. TCP and UDP ports that are needlessly open and vulnerable
5. Not filtering packets with spoofed or incorrect addresses
6. Non-existent or incomplete logging
7. Vulnerable CGI programs

In the Windows category:

8. Unicode vulnerability (web server folder traversal)
9. ISAPI extension buffer overflows
10. IIS RDS exploit (Microsoft Remote Data Services)
11. NetBIOS - unprotected Windows networking shares
12. Information leakage via null session connections
13. Weak hashing in SAM (LAN Manager hash)

In the Unix/Linux category:

14. Buffer overflows in RPC services
15. Sendmail vulnerabilities
16. BIND weaknesses
17. Remote commands
18. LPD (remote print protocol daemon)
19. sadmind and mountd
20. Default SNMP strings

It's interesting that there are only 6 in the Windows category and 7 in the Unix/Linux category. This, of course, does not mean that Windows is more secure than Unix/Linux. Some of those in the Unix/Linux category (14, 17, and 18) are very well known issues, and only novice Unix/Linux admins would allow these to be a problem. Number 15 is a diminishing problem as clueful administrators convert from sendmail to Postfix and Exim. Number 20 should not be in the Unix/Linux category. It should be in the general category, because this is a problem regardless of operating system.

You'll notice that several of these relate to firewalls (4 and 5 directly and others indirectly). Remember that PANUG is hosting the Mastering Firewalls course on October 17. Visit the PANUG web site for details: http://panug.org
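Items 4 and 5 are the two a border firewall addresses directly. The following is an added example, not from the newsletter or from SANS, of the anti-spoofing and port-exposure decision such a firewall makes for each packet, written in Python; the address block 203.0.113.0/24, the allowed port set and the sample packets are constructed for illustration.

```python
import ipaddress

# Constructed values (not from the newsletter): our address block and exposed services.
INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_PORTS = {("tcp", 25), ("tcp", 80), ("tcp", 443)}
# Sources that can never legitimately arrive from the Internet:
# unspecified, RFC 1918 private, loopback, link-local, multicast, reserved.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def filter_packet(direction, src, dst, proto, dport):
    """Border-firewall verdict for one packet: direction is 'in' for
    packets arriving from the Internet, 'out' for packets leaving."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        # Item 5: reject sources that are impossible or claim to be us.
        if _in_any(s, BOGONS):
            return "drop", "bogon source"
        if _in_any(s, INTERNAL_NETS):
            return "drop", "spoofed internal source"
        if not _in_any(d, INTERNAL_NETS):
            return "drop", "destination not ours"
        # Item 4: only ports we deliberately expose are reachable.
        if (proto, dport) not in ALLOWED_PORTS:
            return "drop", "port not exposed"
        return "accept", "ok"
    # Egress half of item 5: our hosts may only send as themselves, so a
    # compromised machine cannot spoof someone else's address outward.
    if not _in_any(s, INTERNAL_NETS):
        return "drop", "spoofed egress source"
    return "accept", "ok"

# Constructed packets: (direction, src, dst, proto, dport).
SAMPLE_PACKETS = [
    ("in", "198.51.100.7", "203.0.113.10", "tcp", 80),
    ("in", "10.1.2.3", "203.0.113.10", "tcp", 80),
    ("in", "203.0.113.5", "203.0.113.10", "tcp", 80),
    ("in", "198.51.100.7", "203.0.113.10", "udp", 161),
    ("out", "192.168.1.1", "198.51.100.7", "tcp", 80),
    ("out", "203.0.113.10", "198.51.100.7", "tcp", 443),
]

def audit(packets=SAMPLE_PACKETS):
    """Run every packet through the filter; returns [(verdict, reason)]."""
    return [filter_packet(*p) for p in packets]
```

The fourth sample packet shows how item 4 also covers item 20: an SNMP query from outside is dropped at the border whether or not the community string behind it is still the default.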