The 2003 Report Card
The state of our OSes
Some good news, some bad news, and some challenges for the near future

Server 2003’s Here: ready to upgrade?
• Probably not, unfortunately
• It’s not that 2003’s not a really neat tool – it is – it’s probably the cost
• See if this looks familiar:

Evidence
• NT 4.0 is a seven year old OS
• But people are still using it; in fact, many controller devices are only available in an NT 4.0 version
• Imagine running NT 3.1 in 2000
• Consider version skipping; how many go
• SQL 6.5-7.0-2000-2003?
• Windows 98-NT 4-2000-XP?
• How many still use Exchange 5.5?

Is something wrong?
• No, it’s a natural side effect of any technology maturing
• That’s a significant point
• Note that this is not advice… it’s observation
• Some simply cannot afford to upgrade without a life-and-death reason … that’s important
• But it also means that “being an expert” gets tougher – you must know a wider range of OSes

What does this mean?
• Our jobs will become – have become – different
• Less planning
• More maintenance
• Broader responsibility
• So focus on whatever makes maintenance easier!

Other Effects: Older Bugs?
• MS does a good job finding bugs during the beta phase
• But there are a lot that will never get found until the system’s being “beaten” on
• I see that in my current AD questions, appearing in the year 2003 … not 2000
• So how long will it take before we truly trust any new software?
Should I Upgrade to 2003? The good news
• Active Directory 1.1
• Forest trusts
• Domain renames
• Branch office goodies
• Tons more group policies
• Web-based admin tools
• Better XP integration
• IIS 6
• Vastly, vastly improved group policy management tools
• Better, easier security
• All the XP lagniappe
• More command line tools
• E-mail server, database server built in

Should I Upgrade to 2003? More good news
• 2003 really doesn’t need more powerful hardware than 2000 Server in my experience, although more is still better
• Upgrades seem smooth
• 2003 runs fewer services out of the box by default – they’re there, you just have to explicitly turn them on rather than them being on automatically

Should I Upgrade? The bad news
• The usual: costs money and time
• You MIGHT have to shell out for Enterpri$e, unfortunately
• CALs
• Product activation
• No MSI packager shipped with 2003
• Answer: www.ondemandsoftware.com/freele2003

Should I Upgrade? More bad news
• Exchange 2000 doesn’t run on 2003 DCs w/o a LOT of work (KB 325379)
Bad News: NT 4 Abandoned?
• KB 331953 reveals a potential denial of service hole in the RPC port mapper, which uses port 135
• Another “buffer overflow” problem
• Basically it’s a bug that lets data entered into ONE program’s input area spill past that area and overwrite what lies beyond it
• Or, graphically…

Buffer overflow: [ Data input area of application | Rest of application ]

Severity
• Does not allow an attacker to steal data from a system
• Affects NT 4, 2000 and XP
• 2000 and XP patched
• NT 4 ISN’T… no patches for it

“Architecturally Impossible?”
• MS patched 2000 and XP, but not NT 4
• Their reason: that it’s “architecturally impossible.”
• This seems odd, as RPCs didn’t really CHANGE all that much from NT 4 to 2000… but there’s a 2000 fix
• So with all respect, this seems suspect and, well, awfully convenient for MSFT shareholders
• Which leads to the delicate “trust” issue

Why this isn’t acceptable
• NT 4 has quite a bit of expected lifetime left
• Unless they’re willing to buy the old copies back or offer free 2000 upgrades…
• Merely saying “don’t put a system with port 135 on the Internet” is a workaround, not an answer – despite “expert” opinion, there’s nothing wrong with it, given patches, passwords and permissions
• It supports what was basically NT’s main reason for existence for years… file serving
• Worst of all, it sets a dangerous precedent

Possible Microsoft Options
• Release a patch
• Explain that the patch is impossible, and release source code to prove it
• Develop a more complex patch and charge for it
• Adopt the Pentium approach… offer free upgrades
• Never have exposed the vulnerability in the first place if they knew they couldn’t fix it

When Is an OS Obsolete?
• I think users determine that, not companies
• Not everyone needs the latest thing, or needs it ENOUGH
• Not everyone can afford the latest thing
• Hardware does not obsolete OSes anymore
• Seven year old software is not unusual at all in other markets
Challenge: Security
• Not news, but it keeps getting worse
• Good news: newer OSes really ARE more secure (XP, 2003), lower CERT high level advisories
• But the bad guys get better…
• Advice:
• Beware the “boogah-boogah” effect
• Try things out for yourself
• Stay on top of patches (SUS, SMS)
• Assume your firewall is doing very little (RFC 3093)

An Easy Security Consideration: a bit of homework
• NTLMv2 and Kerberos are both pretty secure
• But 99% of the existing systems still support LM and NTLM
• There’s really not a reason for it any more
• Get rid of them:
• stop creating LM hashes and change passwords
• stop accepting LM and perhaps NTLM
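Those two bullets map onto two LSA registry values. The script below is an added example, not part of the talk: it audits both values on an XP/2003-or-later box and can set them. The registry path, value names and level meanings are Microsoft’s; the function names and the treatment of absent values as 0 are my assumptions.

```powershell
# Added example: audit/harden the settings behind "stop creating LM hashes"
# (NoLMHash) and "stop accepting LM and perhaps NTLM" (LmCompatibilityLevel).
# Assumes Windows XP / Server 2003 or later, run as an administrator.
# Windows 2000 differs: there NoLMHash is a subkey under Lsa, not a DWORD value.
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meaning of each LmCompatibilityLevel ("LAN Manager authentication level" policy)
$Levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 only; refuse LM'
    5 = 'Send NTLMv2 only; refuse LM & NTLM'
}

function Get-LmSettings {
    $p = Get-ItemProperty -Path $Lsa
    # Absent values are treated as 0 here (assumption; the OS default varies by version)
    $noLm = if ($null -ne $p.NoLMHash) { [int]$p.NoLMHash } else { 0 }
    $lvl  = if ($null -ne $p.LmCompatibilityLevel) { [int]$p.LmCompatibilityLevel } else { 0 }
    [pscustomobject]@{
        NoLMHash             = $noLm
        LmCompatibilityLevel = $lvl
        LevelMeaning         = $Levels[$lvl]
        StillStoresLmHash    = ($noLm -ne 1)
        StillAcceptsLm       = ($lvl -lt 4)
        StillAcceptsNtlm     = ($lvl -lt 5)
    }
}

function Set-LmHardening {
    param([ValidateRange(3,5)][int]$Level = 5)
    # 1) Stop generating LM hashes. Hashes already stored stay until each password
    #    changes, which is why the talk pairs this with a password change.
    Set-ItemProperty -Path $Lsa -Name NoLMHash -Type DWord -Value 1
    # 2) Refuse LM (4) or LM and NTLM (5). Level 3 only changes what this box sends.
    #    On a domain controller, 5 locks out clients that can only do LM/NTLM,
    #    so audit the clients first and raise the level in steps.
    Set-ItemProperty -Path $Lsa -Name LmCompatibilityLevel -Type DWord -Value $Level
}

Get-LmSettings | Format-List
```

The same two settings are exposed in Group Policy as "Network security: Do not store LAN Manager hash value on next password change" and "Network security: LAN Manager authentication level", which is the better way to roll them out across a domain.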
Good News: GPMC
• MS’s message in 2000 and later: GPs are the way to manage a network
• But they don’t always work the way you expect
• The trouble is the lack of management tools
• Answer: Group Policy Management Console

What GPMC does
• Backs up and restores GPOs
• Diagnoses replication errors on GPOs
• Shows what a GPO does, simplified
• Shows what the total effect of your GPOs is, again simplified
• Tells you which GPO performed each action

Bad News
• Only runs on 2003 or XP systems
• Will not install on a 2000 box
• Requires .NET Framework on XP or 2003 box
• Can’t even run it remotely on a 2000 member server or domain controller
• BUT you can back up / restore to/from a 2000 box, or view the results of policies obtained from a 2000 box by a 2003 or XP box

Challenge: Death to NetBIOS
• AD was supposed to put an end to the broadcasts, WINS, strange name resolution problems, etc.
• But it hasn’t
• Challenge to Redmond: announce a date for NetBIOS’s “deathday”

Challenges: We Still Can’t… (a partial list)
• Hide files that users can’t access
• Restrict simultaneous logins
• Kick a user off the whole network with one click

The Biggest Problem Remaining
• The fact that the IT staff shortage will NOT, for some strange reason, return
• SOMETHING’s got to be done about this
• My suggestion to Microsoft: a new OS
Windows PX Features
• Online Help: In response to customer desires for faster systems, we have trimmed all non-essential files to reduce PX’s footprint. So sorry, no Help files. Call your help desk.
• Driver Support: All the drivers you can write. PX ships with an assembler and full examples to write your own. Hire some programmers. Smart ones.
• Networking: Our SimpleTCP™ network system speeds up networking by cutting out name resolution – no WINS, no DNS. Refer to Web and other servers solely by their IP addresses for greater reliability. Static IP-only support ensures that your network offers no surprises – and no complex DHCP!
• User Interface…

PX User Interface
C:\>
C:\>
Follow the arrow forward to Windows PX!

Sample PX Commands
• See a folder on the first hard drive’s directory with the edit (Examine Disk InTeractively) command:
• edit #1A:*.*
• Format a disk with the Edit (Erase Disk InTeractively) command:
• Edit #1A:*.*
• Note all commands are case-sensitive!

What the analysts are saying
• “Windows PX’s 27-test certification program will mean better-qualified professionals” --- Sylvan Prometric, VUE testing centers
• “We estimate that desktop support costs will rise by 329.1433% under PX, with a 92.1182376% confidence interval. This will inevitably lead to an IT staffing shortage” --- Gartner Group
Thanks!
• My sincere thanks for attending
• Free tech newsletter: www.minasi.com
• Seminars and audio CDs there too
• email: help@minasi.com
• HAVE A GREAT CONFERENCE!!!

Don’t forget Red Hat Enterprise Linux ES Standard Edition, $599-799
• http://www.redhat.com/software/rhel/es/