420 likes | 525 Views
The 2003 Report Card The state of our OSes. Some good news, some bad news, and some challenges for the near future. The Good News no bugs in Server 2003. Server 2003’s Here ready to upgrade?. Probably not, unfortunately
E N D
The 2003 Report CardThe state of our OSes Some good news, some bad news, and some challenges for the near future
Server 2003’s Hereready to upgrade? • Probably not, unfortunately • It’s not that 2003’s not a really neat tool – it is – it’s probably the cost • See if this looks familiar:
Evidence • NT 4.0 is a seven year old OS • But people are still using it; in fact, many controller devices are only available in an NT 4.0 version • Imagine running NT 3.1 in 2000 • Consider version skipping; how many go • SQL 6.5-7.0-2000-2003? • Windows 98-NT 4-2000-XP? • How many still use Exchange 5.5?
Is something wrong? • No, it’s a natural side effect of any technology maturing • That’s a significant point • Note that this is not advice… it’s observation • Some simply cannot afford to upgrade without a life-and-death reason … that’s important • But it also means that “being an expert” gets tougher – you must know a wider range of OSes
What does this mean? • Our jobs will become – have become – different • Less planning • More maintenance • Broader responsibility • So focus on whatever makes maintenance easier!
Other Effects: Older Bugs? • MS does a good job finding bugs during the beta phase • But there are a lot that will never get found until the system’s being “beaten” on • I see that in my current AD questions, appearing in the year 2003 … not 2000 • So how long will it take before we truly trust any new software?
Active Directory 1.1 Forest trusts Domain renames Branch office goodies Tons more group policies Web-based admin tools Better XP integration IIS 6 Vastly, vastly improved group policy management tools Better, easier security All the XP lagniappe More command line tools E-mail server, database server built in Should I Upgrade to 2003?the good news
Should I Upgrade to 2003?more good news • 2003 really doesn’t need more powerful hardware than 2000 Server in my experience, although more is still better • Upgrades seem smooth • 2003 runs fewer services out of the box by default – they’re there, you just have to explicitly turn them on rather than them being on automatically
Should I Upgrade?the bad news • The usual: costs money and time • You MIGHT have to shell out for Enterpri$e, unfortunately • CALs • Product activation • No MSI packager shipped with 2003 • Answer: www.ondemandsoftware.com/freele2003
Should Upgrade?more bad news • Exchange 2000 doesn’t run on 2003 DCs w/o a LOT of work (KB 325379)
Bad News: NT 4 Abandoned? • KB 331953 reveals a potential denial of service hole in the RPC port mapper, which uses port 135 • Another “buffer overflow” problem • Basically it’s a bug that enables data entered into ONE program to leak out of that program and overwrite another one • Or, graphically…
Buffer overflow Data input area of application Rest of application
Severity • Does not allow an attacker to steal data from a system • Affects NT 4, 2000 and XP • 2000 and XP patched • NT 4 ISN’T… no patches for it
“Architecturally Impossible?” • MS patched 2000 and XP, but not NT 4 • Their reason: that it’s “architecturally impossible.” • This seems odd, as RPCs didn’t really CHANGE all that much from NT 4 to 2000… but there’s a 2000 fix • So with all respect, this seems suspect and, well, awfully convenient for MSFT shareholders • Which leads to the delicate “trust” issue
Why this isn’t acceptable • NT 4 has quite a bit of expected lifetime left • Unless they’re willing to buy the old copies back or offer free 2000 upgrades… • Merely saying “don’t put a system with port 135 on the Internet” is a workaround, not an answer – despite “expert” opinion, there’s nothing wrong with it, given patches, passwords and permissions • It supports what was basically NT’s main reason for existence for years… file serving • Worst of all, it sets a dangerous precedent
Possible Microsoft Options • Release a patch • Explain that the patch is impossible, and release source code to prove it • Develop a more complex patch and charge for it • Adopt the Pentium approach… offer free upgrades • Never have exposed the vulnerability in the first place if they knew they couldn’t fix it
When Is an OS Obsolete? • I think users determine that, not companies • Not everyone needs the latest thing, or needs it ENOUGH • Not everyone can afford the latest thing • Hardware does not obsolete OSes anymore • Seven year old software is not unusual at all in other markets
Challenge: Security • Not news, but it keeps getting worse • Good news: newer OSes really ARE more secure (XP, 2003), lower CERT high level advisories • But the bad guys get better… • Advice: • Beware the “boogah-boogah” effect • Try things out for yourself • Stay on top of patches (SuS, SMS) • Assume your firewall is doing very little (RFC 3093)
An Easy Security Considerationa bit of homework • NTLMV2 and Kerberos are both pretty secure • But 99% of the existing systems still support LM and NTLM • There’s really not a reason for it any more • Get rid of them: • stop creating LM hashes and change passwords • stop accepting LM and perhaps NTLM
Good News: GPMC • MS’s message in 2000 and later: GPs are the way to manage a network • But they don’t always work the way you expect • The trouble is the lack of management tools • Answer: Group Policy Management Console
What GPMC does • Backs up and restores GPOs • Diagnoses replication errors on GPOs • Shows what a GPO does, simplified • Shows what the total effect of your GPOs is, again simplified • Tells you which GPO performed each action
Bad News • Only runs on 2003 or XP systems • Will not install on a 2000 box • Requires .NET Framework on XP or 2003 box • Can’t even run it remotely on a 2000 member server or domain controller • BUT you can back up / restore to/from a 2000 box, or view the results of policies gotten from a 2000 box by a 2003 or XP box
Challenge: Death to NetBIOS • AD was supposed to put an end to the broadcasts, WINS, strange name resolution problems, etc. • But it hasn’t • Challenge to Redmond: announce a date for NetBIOS’s “deathday”
Challenges: We Still Can’t…a partial list • Hide files that users can’t access • Restrict simultaneous logins • Kick a user off the whole network with one click
The Biggest Problem Remaining • The fact that the IT staff shortage will NOT, for some strange reason, return • SOMETHING’s got to be done about this • My suggestion to Microsoft: a new OS
Online Help: In response to customer desires for faster systems, we have trimmed all non-essential files to reduce PX’s footprint. So sorry, no Help files. Call your help desk. Driver Support: All the drivers you can write. PX ships with an assembler and full examples to write your own. Hire some programmers. Smart ones. Networking: Our SimpleTCP™ network system speeds up networking by cutting out name resolution – no WINS, no DNS. Refer to Web and other servers solely by their IP addresses for greater reliability. Static IP-only support ensures that your network offers no surprises – and no complex DHCP! User Interface… Windows PX Features
PX User Interface C:\> C:\> Follow the arrow forward to Windows PX!
Sample PX Commands • See a folder on the first hard drive’s directory with the edit (Examine Disk InTeractively) command: • edit #1A:*.* • Format a disk with Edit (Erase Disk InTeractively command: • Edit #1A:*.* • Note all commands are case-sensitive!
What the analysts are saying • “Windows PX’s 27-test certification program will mean better-qualified professionals” --- Sylvan Prometric, VUE testing centers • “We estimate that desktop support costs will rise by 329.1433% under PX, with a 92.1182376% confidence interval. This will inevitably lead to an IT staffing shortage” --- Gartner Group
Thanks! • My sincere thanks for attending • Free tech newsletter: www.minasi.com • Seminars and audio CDs there too • email: help@minasi.com • HAVE A GREAT CONFERENCE!!!
Don’t forget RedHat Enterprise Linux ES Standard Edition $599-799 • http://www.redhat.com/software/rhel/es/