[conspire] Re: OT (somewhat) Linux perspective on "Zotob's" target

Eric De Mund ead-conspire at ixian.com
Thu Aug 18 13:56:18 PDT 2005


Don,

] Stripping "essential" services looks like a neat trick, but even if
] you configure all those Windows boxes not to have any services running
] by default, all it takes is one software install to add a vulnerable
] service. Remember Slammer and MSDE 2000?

Agreed. I stand correctly called on this. I mentally conflated two is-
sues, stripping services for increased stability and stripping services
for security, and in so doing implied that a service-stripped Windows
instance would be usefully safer.

It wouldn't be. My deployment practice has been and ever will be to not
place a Windows system directly on the Net unless a client orders it; my
Windows systems are always behind some hardware firewall, and are addi-
tionally always running some kind of software firewall.

Stripping services may be a way to achieve better performance from and
increased lifespans of Windows systems, and I plan to explore that the
next time I descend. What has always bugged me about the Windows world
is that I can install and tweak the OS superbly, and get a solid two
years out of a system, but at some point after that there will invar-
iably be a day when the system won't boot due to some obscure five- or
six-sigma-event bug. Windows 2000's SYSTEMced bug was what got me the
last time. (If anyone needs an arrow for their quiver, my lesson from
that experience was that Windows 2000 Professional systems really should
be installed with a hidden partition on the disk containing an addition-
al, minimal Windows 2000 Professional instance. Sometimes even a boot-
able CD containing Winternals' Administrator's Pak isn't enough to solve
a Windows problem.)

Regards,
Eric
--
"If you can keep your head about you when all about you are losing
theirs, its just possible you haven't grasped the situation." --Rose
Kennedy

Eric De Mund
email: <ead at ixian.com>




More information about the conspire mailing list