Any Way to Run Windows 2000 From Read-Only CD?
Will (Guest)
Posted: Sat Jan 08, 2005 9:29 am    Post subject: Any Way to Run Windows 2000 From Read-Only CD?

I'm so disgusted by viruses and hackers that I would like a way to run
Windows 2000 from a read-only device that cannot be rewritten, in the event
that any service is compromised. Has anyone published instructions on how
to build a bootable Windows 2000 CD?

--
Will
Rene (Guest)
Posted: Sat Jan 08, 2005 11:48 am    Post subject: Re: Any Way to Run Windows 2000 From Read-Only CD?

Look at the Windows XP Embedded OS. I know you can do what you want with
that OS; not sure about your regular Windows OS.

http://msdn.microsoft.com/embedded/getstart/choose/whywinemb/winxpe/default.aspx

Andrew Mitchell (Guest)
Posted: Sat Jan 08, 2005 6:44 pm    Post subject: Re: Any Way to Run Windows 2000 From Read-Only CD?


You can also build a bootable, runnable CD using your Windows XP media.
http://www.nu2.nu/pebuilder/

It's really only designed for system recovery purposes though, not as a
production environment in itself.

--
Andy.
Roger Abell (Guest)
Posted: Sat Jan 08, 2005 11:15 pm    Post subject: Re: Any Way to Run Windows 2000 From Read-Only CD?

About the closest approach to what you are after,
i.e. a full, normal W2k install but one that is always
exactly the same at each boot, with any changes that
may have been made during the last boot discarded,
is to use one of a fairly large number of products that
use either hardware based or purely software based
disk write redirection in order to have the running
system and its dynamically changing state and files
in a shadow area.
These types of products are common in academia for support
of classroom environments and public access machines.
Examples are:
Centurion
http://www.centuriontech.com/ their products include
http://www.centuriontech.com/dsplus-about.htm
Fortres
http://www.fortres.com/ their products include
http://www.fortres.com/products/cleanslate.htm
Faronics
http://www.faronics.com/ their products include
http://www.faronics.com/html/DFStd.asp

There are others.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Steven L Umbach (Guest)
Posted: Sun Jan 09, 2005 12:10 am    Post subject: Re: Any Way to Run Windows 2000 From Read-Only CD?

I have not heard of a workable solution to such. You might look at Knoppix
[free], which can be booted from the CD-ROM. It is a Linux install and runs
very slowly, but it would fit your bill and it comes with a couple of web
browsers. It can also read and sometimes write NTFS files, which makes it
a good tool for disaster recovery.

http://www.knoppix.net/ -- knoppix

Otherwise many of us here would be happy to help you secure your Windows
2000 installation which can be done at no or little cost with operating
system configuration recommendations and the use of free tools such as
antivirus tools, spyware tools, and firewalls. It is not that hard to secure
a Windows 2000 computer in my opinion. Lack of a firewall, not keeping
current with critical updates, using no or weak passwords, not using an
antivirus program that also scans all emails, using weak IE security
settings including saving of passwords, accessing websites through an email
to enter sensitive information, giving other users too many rights, and
failing to physically secure a computer from malicious users [family members
and friends??] are the biggest reasons that a user has computer problems.
The link below is a good place to start. --- Steve

http://www.microsoft.com/athome/security/protect/default.aspx

Herb Martin (Guest)
Posted: Sun Jan 09, 2005 10:51 am    Post subject: Re: Any Way to Run Windows 2000 From Read-Only CD?

BartPE.

Nothing's perfect but this is close.

--
Herb Martin

Will (Guest)
Posted: Mon Jan 10, 2005 6:32 am    Post subject: Re: Any Way to Run Windows 2000 From Read-Only CD?

Steven, I have been through all of this for the last 10 years with Windows
boxes. You secure the file system, but then something in the registry is
not protected. You apply a secure profile, and now suddenly applications
stop working and you have to spend sometimes days to debug exactly what
registry key the application needed. Same for debugging access through the
file system.... You apply the latest updates, and now something else
breaks. You try to stop services, but then you find that many of these are
dependent on each other in very sloppy and frustrating ways, so you end up
needing to leave many running.

Windows costs $250 to buy. The hardware costs about $1.5K. Making it
secure costs about $20K in human resources. I am completely sick of it.
I want an appliance that is physically impossible to compromise. I want to
build it once. I don't want to make the rest of my life dedicated to its
maintenance.

--
Will


Dusko Savatovic (Guest)
Posted: Mon Jan 10, 2005 10:05 pm    Post subject: Re: Any Way to Run Windows 2000 From Read-Only CD?

How about Virtual PC or Virtual Server?
It has an option to undo all disk changes.
While your virtual machine is powered on, all disk writes go to a file.
When you power off your virtual machine, these changes can be merged or
discarded.

Dusko Savatovic


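Added example, not code from any of the products Roger lists or from Virtual PC: the disk write redirection Roger describes and the undo disk Dusko mentions are the same mechanism, and this reduces it to a block-level model in Python. Everything here is an assumption for the demo: the image is a byte string of 16-byte blocks, the shadow area is an in-memory dict, a reboot is a call to `discard()`, and `merge()` stands in for committing an undo disk. Real products keep the shadow on disk or in a hidden partition, but the read/write semantics are the ones shown.

```python
"""Block-level write redirection ("disk shadowing").  Added example; the image,
block size and the 'infection' below are constructed for the demo."""
import hashlib

BLOCK_SIZE = 16  # constructed; real sectors are 512 bytes or 4 KiB


class ShadowedDisk:
    """Reads come from the base image unless the block was written this session;
    writes go only to the shadow area, so the base image is never modified."""

    def __init__(self, base_image: bytes) -> None:
        if len(base_image) % BLOCK_SIZE:
            raise ValueError("image must be a whole number of blocks")
        self._base = bytes(base_image)          # the frozen / read-only image
        self._shadow: dict[int, bytes] = {}     # block number -> redirected data
        self.base_digest = hashlib.sha256(self._base).hexdigest()

    @property
    def block_count(self) -> int:
        return len(self._base) // BLOCK_SIZE

    def _check(self, n: int) -> None:
        if not 0 <= n < self.block_count:
            raise IndexError(f"block {n} out of range")

    def read_block(self, n: int) -> bytes:
        self._check(n)
        if n in self._shadow:                   # a redirected write wins while running
            return self._shadow[n]
        return self._base[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]

    def write_block(self, n: int, data: bytes) -> None:
        self._check(n)
        if len(data) != BLOCK_SIZE:
            raise ValueError("partial-block writes are not modelled here")
        self._shadow[n] = bytes(data)           # never touches self._base

    def dirty_blocks(self) -> list[int]:
        return sorted(self._shadow)

    def discard(self) -> None:
        """The reboot in a frozen configuration: the shadow is thrown away."""
        self._shadow.clear()

    def merge(self) -> bytes:
        """Virtual PC's 'commit changes': fold the shadow into a new base image.
        Only do this for a session you trust, e.g. after applying patches."""
        self._base = b"".join(self.read_block(n) for n in range(self.block_count))
        self._shadow.clear()
        self.base_digest = hashlib.sha256(self._base).hexdigest()
        return self._base

    def base_intact(self) -> bool:
        return hashlib.sha256(self._base).hexdigest() == self.base_digest


def simulate_compromise_and_reboot() -> dict:
    """One session: an 'infection' overwrites block 1, the change is visible for
    the rest of the session (the box is live and compromised until the reboot),
    and the reboot discards it."""
    image = b"BOOTSECTOR......" + b"hosts: clean...." + b"svc: config....."  # constructed
    disk = ShadowedDisk(image)
    disk.write_block(1, b"hosts: HIJACKED!")           # constructed malicious write
    while_running = disk.read_block(1)
    dirty = disk.dirty_blocks()
    disk.discard()                                     # the reboot
    return {
        "while_running": while_running,
        "after_reboot": disk.read_block(1),
        "dirty_before_reboot": dirty,
        "base_intact": disk.base_intact(),
    }


def simulate_patch_and_commit() -> bytes:
    """The trusted-session path: a patch changes block 2 and is merged."""
    image = b"BOOTSECTOR......" + b"hosts: clean...." + b"svc: config....."
    disk = ShadowedDisk(image)
    disk.write_block(2, b"svc: patched....")
    return disk.merge()
```

The thing to notice is what `simulate_compromise_and_reboot()` returns: `while_running` is the hijacked block, so anything that reads the disk during the session (including the malware itself, and whatever it does to the rest of the network) sees the compromised state; only `after_reboot` is clean. The `merge()` path is the one that needs discipline, since whatever was in the shadow at commit time becomes the new frozen image.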
Steven L Umbach (Guest)
Posted: Tue Jan 11, 2005 12:52 am    Post subject: Re: Any Way to Run Windows 2000 From Read-Only CD?

Hi Will.

I understand your frustration, and if you have to deal with applications that
are not Windows certified and allow users to run as power users/local admins, or
try to make the application work for a regular user, it is not fun.
Unfortunately some major players such as the Quicken folks are guilty of
this. I have found Windows XP Pro, particularly SP2, to be fairly
robust and secure, and with the inclusion of Software Restriction Policies you
can even limit what applications a local administrator can install or run.
Though I don't have any experience with them, you might want to look at thin
client terminals as another option. --- Steve


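Added example, not Microsoft's code and not from any post here: a small evaluator that reproduces the rule model behind the Software Restriction Policies Steve mentions, so the effect of "limit what applications can run" can be seen on concrete cases. It models only the documented precedence (a hash rule beats a path rule; among path rules the most specific match wins; otherwise the default level applies). Certificate and zone rules, the enforcement options and the registry storage of a real policy are left out, SHA-256 is simply the hash chosen here, and every path, file content and rule name is constructed.

```python
"""SRP-style execution policy: hash rules > path rules > default level.
Added example; all files and rules below are constructed."""
import hashlib
from dataclasses import dataclass

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"


@dataclass(frozen=True)
class HashRule:
    sha256: str          # identity of the bytes, independent of name or location
    level: str
    note: str = ""


@dataclass(frozen=True)
class PathRule:
    prefix: str          # directory prefix, e.g. "C:\\Windows\\"
    level: str
    note: str = ""


@dataclass
class Policy:
    default_level: str
    hash_rules: list
    path_rules: list


def sha256_of(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def _norm(path: str) -> str:
    # Path matching is case-insensitive; normalise separators as well.
    return path.replace("/", "\\").lower()


def evaluate(policy: Policy, path: str, content: bytes) -> tuple[str, str]:
    """Return (level, reason) for one execution attempt."""
    digest = sha256_of(content)
    for rule in policy.hash_rules:              # hash rules first: they win outright
        if rule.sha256 == digest:
            return rule.level, f"hash rule ({rule.note})"
    npath, best = _norm(path), None
    for rule in policy.path_rules:              # path rules: most specific prefix wins
        if npath.startswith(_norm(rule.prefix)) and (
                best is None or len(rule.prefix) > len(best.prefix)):
            best = rule
    if best is not None:
        return best.level, f"path rule ({best.prefix})"
    return policy.default_level, "default level"


def demo() -> dict[str, str]:
    """Decisions of a default-deny policy over a constructed set of files."""
    notepad = b"MZ notepad (constructed)"
    dropper = b"MZ dropper (constructed)"
    quicken = b"MZ qw.exe (constructed)"
    tool = b"MZ approved admin tool (constructed)"
    bad = b"MZ known-bad binary (constructed)"
    policy = Policy(
        default_level=DISALLOWED,                      # run only what is listed
        hash_rules=[
            HashRule(sha256_of(tool), UNRESTRICTED, "approved admin tool"),
            HashRule(sha256_of(bad), DISALLOWED, "known-bad binary"),
        ],
        path_rules=[
            PathRule("C:\\Windows\\", UNRESTRICTED, "OS binaries"),
            PathRule("C:\\Windows\\Temp\\", DISALLOWED, "user-writable; never run from here"),
            PathRule("C:\\Program Files\\", UNRESTRICTED, "installed applications"),
        ],
    )
    home = "C:\\Documents and Settings\\will\\Desktop\\"
    cases = {
        "os_binary": ("C:\\Windows\\System32\\notepad.exe", notepad),
        "dropper_in_windows_temp": ("C:\\Windows\\Temp\\dropper.exe", dropper),
        "installed_app": ("C:\\Program Files\\Quicken\\qw.exe", quicken),
        "unknown_on_desktop": (home + "invoice.exe", dropper),
        "approved_on_desktop": (home + "tool.exe", tool),
        "known_bad_in_allowed_dir": ("C:\\Program Files\\Quicken\\update.exe", bad),
        "approved_tool_tampered": (home + "tool.exe", tool + b"\x00"),
    }
    return {name: evaluate(policy, path, data)[0] for name, (path, data) in cases.items()}
```

Two of the cases carry the practical lesson. A path rule is only as strong as the ACL on the directory it names: C:\Windows\ is allowed, but C:\Windows\Temp\ is writable by ordinary users, so it needs its own Disallowed rule or the allow rule on its parent becomes an execution path for anything dropped there. A hash rule fails closed: the approved tool is allowed wherever it sits, and the same file with one byte changed falls back to the Disallowed default.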
Karl Levinson, mvp (Guest)
Posted: Thu Jan 13, 2005 10:05 am    Post subject: Re: Any Way to Run Windows 2000 From Read-Only CD?

I concur, Bart's PE is a popular choice for making a boot CD. Any boot CD
is going to run much slower, and a lot of RAM is recommended.

Many people in large environments with concerns like yours also consider
using software that freezes and restores the configuration at reboot, like
FreezeX / DeepFreeze, and/or a solution where the computer is re-imaged
every now and then at reboot. You can also consider PivX or PrevX to harden
the computer against unpatched vulnerabilities, or SecureEXE to prevent
unapproved executables from running.

Note that absolutely none of these prevent your computer from becoming
infected. What they will do is prevent anything from remaining after a
reboot. However, while your system is running, it can be infecting other
computers on the network. And then after your reboot, if your machine is
then immediately re-infected, your read-only boot CD will have done little
to help. This is similar to the advice in the 1990s to make your MS Word
normal.dot file read-only to prevent Word macro viruses... this
sensible-sounding idea ended up helping not at all. A network worm like
Blaster / Welchia or Sasser would keep reinfecting your computer quickly
after each reboot.

I must say I don't have the same problems you are having keeping Windows
secure, or with securing it. Assuming you're on a large network, have you
followed the hardening guides at www.microsoft.com/technet/security and
www.nsa.gov/snac, and used group policy templates, active directory, script
files and/or ghost images to automate the process of hardening machines?
Most adware is prevented by doing one or more of the following: 1) using
anti-virus like McAfee that detects spyware and adware, 2) using patch
management software to install patches regularly, 3) using some sort of
Internet content filtering like the Spybot Search & Destroy "Immunize"
button or the Restricted zone adware .REG file at www.mvps.org, always
logging in as a non-admin, non-power-user for web browsing, and/or upgrading
to XP SP2 asap. Running a non-MS browser might help somewhat, for now.

I don't think Windows is any harder to harden than other OSes [except that
some other OSes that are newer will naturally have better default settings].
Windows 2000 was released about the same time as RedHat 6.x / 7.x, and that
wasn't secure by default either. Windows XP SP2 on the other hand is pretty
secure by default. For home users, the 1, 2, 3 of antivirus, firewall and
patching is pretty effective, especially if the AV detects adware. More
hardening guidelines are here:

http://securityadmin.info/faq.asp#harden


Will (Guest)
Posted: Thu Jan 13, 2005 12:23 pm    Post subject: Re: Any Way to Run Windows 2000 From Read-Only CD?

Your point regarding infecting the computer during runtime when the disk is
read-only is excellent, and well taken. I suppose all you can do is
firewall the application within the OS by limiting what privileges owned by
the user level that the application is run at. You can additionally put
tight firewall rules on the box to limit outgoing connections severely, and
maybe to notify the administrator when authorized connection attempts are
made.

Regarding your not having problems with Windows, I'll share the following:
the last three companies I went to where the admin told me they had no
security problems at all had viruses on critical servers. I'll share one
case in detail:

I found with a sniffer that every 10 minutes there was an attempted outgoing
NETBIOS connection to different random IP addresses in Japan. This was on
the company's proxy server, no less, a machine with full access to the
internal corporate network. The sniffer trace clearly showed the
connection attempts originated from within the proxy server itself, not from
the network behind the proxy. The connection attempts were coming from the
kernel itself. So that machine was permanently hosed in my view. No
amount of analysis would recover it, at least not by anyone except an elite
system administrator (the kind who would have charged more money for the
time than the cost to rebuild the machine).

At the last two public companies I visited with a notebook, within seconds
of being connected I started getting attacked by viruses. These were
companies with dozens of so-called administrators. What is even more
amazing to me than the fact of these infections is the fact that at all of
these companies these things are just accepted as okay. It's just an
annoyance that is somehow tolerated, and they try to live with it.

On consumer machines it is even worse. I read the estimates that something
like 60% of all computers have adware infections, and as many as 30 to 40%
have more malignant stealth viruses. How many of those are monitoring
keyboard input and attempting identity theft? Who knows? Who exactly
cares? Every time I visit my cousins I cringe as I start to count the
number of programs that infect their machine. They lack the skill to fix
it, the discipline to keep it clean once it has been made clean, and frankly
they lack any sense of jeopardy.

That's the reason that Microsoft has gotten away with poor security for so
long. Very few people care. They just don't get it. There seems to be a
poor understanding that allowing these viruses and stealth programs is just
like inviting anyone off the street into your most sensitive financial
documents and just letting them have free access. I give up trying to
protect the rest of the world. I just give up.

Now, regarding UNIX versus Windows, I try to have a balanced view. I see
that UNIX is a collection of non-standard techniques and applications, and
it is certainly complex. Windows attempts to do things by design and
consistent ideas, and that is good. But there are two key differences.

1) Almost any critical UNIX application has some finite number of files that
contain all of its settings and work information. A mediocre system
administrator can isolate those and secure them. With Windows, you have
this horrible - really unforgivable - intermixing of files and registry
settings across a whole spectrum of applications. A given application may
have created 1000 entries in the registry in 29 different nodes. How can I
possibly identify all of these? Even if I could, how could I possibly
begin to secure 1000 entities in a reasonable amount of time? Then you have
"shared" files and DLLs that go in common system directories like system32.
How can I tell which ones are unique to the application and which ones are
common across other applications? It's not that I like UNIX better - I
don't. It's that UNIX has a more simplistic and crude view of what an
application's components are, and that makes it possible for an average
person to do a meaningful securing of the OS and application. Since most
administrators are average and not exceptional, I think that gives me better
odds of developing something secure with UNIX. To really meaningfully
secure Windows you have to be an unusually gifted administrator. I think
there are issues there that go beyond anything in the published guidelines.

2) Almost everything in UNIX can be turned off. UNIX services tend to be
really stand-alone. With Windows you have these convoluted interdependencies
between services that make it next to impossible to secure the box. You
can follow all of the hardening guidelines, but then you need to just have
faith that all of these weird services you are required to leave on (like
"remote registry") will not have yet-another vulnerability uncovered. I
mean - come on - I have to leave running a service that allows my registry
to be changed remotely in order to startup many key administrative
applications on a local machine? Whose brainstorm was that idea? Now if
any machine on my network is compromised and some service on that machine
runs with the right authority, it can start changing registry entries on
remote machines that were secure?

In any case, UNIX is no joy to work with either. I just end up with
something that is possible to understand, and to continue perfecting. I
would prefer to use Windows if they could just put aside their egos and try
for once to use the keep it simple stupid (KISS) principle instead of trying
to make every piece of code they write involve API calls to every other
program they have written. I look forward to the KISS version of Windows,
whenever that gets done (2016?). In the meantime, I'm just barely keeping
above water.

--
Will

