servers vs. workstations, was Re: just in case you missed it

der.hans plug-discuss@lists.PLUG.phoenix.az.us
Thu, 10 May 2001 00:08:41 -0700 (MST)


On 09 May 2001, J.Francois chattered thus:

> I love this thread, don't know why Hans had to go and do a summoning :)

It allows me to stay within the protective circle, thereby shielding myself
from the fallout of your appearance :).

> In a business environment make the users use XDM and/or Windows Terminal
> Services and you can keep them from doing things they shouldn't while
> centralizing virus and security policies on a server only the admins can
> control.
>
> Whether it is Linux or Windows, unless you go thru a lot of trouble to use
> something like CFENGINE or SMS/User Profiles you can't really stop a user
> from installing something that runs under their UID.

Don't want to stop them from installing stuff. Just want to make sure the
system itself stays secure. One of the ways to do that is to make
installation of new packages easy. Maybe even allow users to install stuff
from trusted sources, e.g. sudo apt-get install new-toy.

> I see the same problems with ALL operating system security updates that I
> am seeing with my foray into research on Intrusion Detection.
>
> Unless the designated administrator is made aware of what, where, when, and
> how to get security updates the problem will not go away and will get
> progressively worse.  Getting downtime in some environments means waiting
> for a blue screen or power outage which delays updates.

Downtime? Y4? Downtime at the machine level is only needed for kernel
changes and hardware changes. If it's something that can't afford to be down
the hardware changes shouldn't require downtime. At the app level there are
other issues. Apps shouldn't need to be changed out so much. If there's a
sec hole in the app, then it is in the company's best interest to get it
updated. If lots of sec fixes are needed for the app, then it behooves the
company to find a decent app.

> I think some pressure should be put on Linux distro packagers to put a
> bright red card in the box that says "Go here now for Security Info" and
> an ugly flashing banner during install that warns the installer to go to
> [SECURITY URL] or bad things will happen.

Yeah my brothers and sisters. Let us give praise to the wisdom of the
security god! :)

Debian has this pretty damned close. The *BSDs probably aren't far off.
RedHat actually gets in the way because they want security to be a pay-for
feature :(. Mandrake seems to want to get the security fixes out except I've
stumped several Mandrake users as to where the errata are on the Mandrake
website. SuSE claimed to have easy sec updates, but it never worked for me.

BTW, that button should be there for any OS vendor.

ciao,

der.hans
-- 
# der.hans@LuftHans.com home.pages.de/~lufthans/ www.YourCompanyHere.net ;-)
#  It's up to the reader to make the book interesting.
#  An author has only the opportunity to make it uninteresting. - der.hans