Hosted by The 2003 Report Card The state of our OSes Some good news, some bad news, and some challenges for the near future

The Good News

no bugs in Server 2003

Server 2003’s Here

ready to upgrade?

Probably not, unfortunately

It’s not that 2003’s not a really neat tool – it is – it’s probably the cost

See if this looks familiar:

To Upgrade Or Not?

[Chart: costs/benefits plotted against version number, with two curves labelled “Marginal value of upgrade” and “Cost of upgrade”]

Logical outcome: people upgrade more slowly!

Evidence

NT 4.0 is a seven year old OS

But people are still using it; in fact, many controller devices are only available in an NT 4.0 version

Imagine running NT 3.1 in 2000

Consider version skipping; how many go

• SQL 6.5-7.0-2000-2003?

• Windows 98-NT 4-2000-XP?

• How many still use Exchange 5.5?

Is something wrong?

No, it’s a natural side effect of any technology maturing

That’s a significant point

Note that this is not advice… it’s observation

Some simply cannot afford to upgrade without a life-and-death reason … that’s important

But it also means that “being an expert” gets tougher – you must know a wider range of OSes

What does this mean?

Our jobs will become – have become – different

Less planning

More maintenance

Broader responsibility

So focus on whatever makes maintenance easier!

Other Effects: Older Bugs?

MS does a good job finding bugs during the beta phase

But there are a lot that will never get found until the system’s being “beaten” on

I see that in my current AD questions, appearing in the year 2003 … not 2000

So how long will it take before we truly trust any new software?

Should I Upgrade to 2003?

the good news

Active Directory 1.1

Forest trusts

Domain renames

Branch office goodies

Tons more group policies

Web-based admin tools

Better XP integration

IIS 6

Vastly, vastly improved group policy management tools

Better, easier security

All the XP lagniappe

More command line tools

E-mail server, database server built in

Should I Upgrade to 2003?

more good news

2003 really doesn’t need more powerful hardware than 2000 Server in my experience, although more is still better

Upgrades seem smooth

2003 runs fewer services out of the box by default – they’re there, you just have to explicitly turn them on rather than them being on automatically

Should I Upgrade?

the bad news

The usual: costs money and time

You MIGHT have to shell out for Enterpri$e, unfortunately

CALs

Product activation

No MSI packager shipped with 2003

Answer: www.ondemandsoftware.com/freele2003

Should I Upgrade?

more bad news

Exchange 2000 doesn’t run on 2003 DCs w/o a LOT of work (KB 325379)

Bad News: NT 4 Abandoned?

KB 331953 reveals a potential denial of service hole in the RPC port mapper, which uses port 135

Another “buffer overflow” problem

Basically it’s a bug that enables data entered into ONE program to leak out of that program and overwrite another one

Or, graphically…

[Diagram labels: Data input area of application; Rest of application; Buffer overflow]

Severity

Does not allow an attacker to steal data from a system

Affects NT 4, 2000 and XP

2000 and XP patched

NT 4 ISN’T… no patches for it

“Architecturally Impossible?”

MS patched 2000 and XP, but not NT 4

Their reason: that it’s “architecturally impossible.”

This seems odd, as RPCs didn’t really CHANGE all that much from NT 4 to 2000… but there’s a 2000 fix

So with all respect, this seems suspect and, well, awfully convenient for MSFT shareholders

Which leads to the delicate “trust” issue

Why this isn’t acceptable

NT 4 has quite a bit of expected lifetime left

Unless they’re willing to buy the old copies back or offer free 2000 upgrades…

Merely saying “don’t put a system with port 135 on the Internet” is a workaround, not an answer – despite “expert” opinion, there’s nothing wrong with it, given patches, passwords and permissions

It supports what was basically NT’s main reason for existence for years… file serving

Worst of all, it sets a dangerous precedent

Possible Microsoft Options

Release a patch

Explain that the patch is impossible, and release source code to prove it

Develop a more complex patch and charge for it

Adopt the Pentium approach… offer free upgrades

Never have exposed the vulnerability in the first place if they knew they couldn’t fix it

When Is an OS Obsolete?

I think users determine that, not companies

Not everyone needs the latest thing, or needs it ENOUGH

Not everyone can afford the latest thing

Hardware does not obsolete OSes anymore

Seven year old software is not unusual at all in other markets

Challenge: Security

[Chart: CERT Incidents by year, 1997 to 2002; vertical axis from 0 to 90000]

Challenge: Security

Not news, but it keeps getting worse

Good news: newer OSes really ARE more secure (XP, 2003), lower CERT high level advisories

But the bad guys get better…

Advice:

• Beware the “boogah-boogah” effect

• Try things out for yourself

• Stay on top of patches (SUS, SMS)

• Assume your firewall is doing very little (RFC 3093)

An Easy Security Consideration

a bit of homework

NTLMv2 and Kerberos are both pretty secure

But 99% of the existing systems still support LM and NTLM

There’s really not a reason for it any more

Get rid of them:

• stop creating LM hashes and change passwords

• stop accepting LM and perhaps NTLM
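
One way to check a machine against the two homework items above, as an added example that is not part of the original slides: it reads the NoLMHash and LmCompatibilityLevel values under the Lsa registry key and reports what is still allowed. The function name Test-LegacyLmSettings and the wording of the findings are assumptions made for illustration; it assumes Windows XP / Server 2003 or later, where NoLMHash is a DWORD value.

```powershell
# Added example, not from the original slides. Assumes Windows XP / Server 2003
# or later, where NoLMHash is a DWORD value under the Lsa key.
# Test-LegacyLmSettings is a hypothetical helper name.
function Test-LegacyLmSettings {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop

    # Read a registry value that may be absent; return $null when it is.
    $read = {
        param($name)
        $p = $lsa.PSObject.Properties[$name]
        if ($p) { [int]$p.Value } else { $null }
    }
    $noLmHash = & $read 'NoLMHash'
    $level    = & $read 'LmCompatibilityLevel'

    # Microsoft's documented meanings for LmCompatibilityLevel 0 through 5.
    $meaning = @(
        'Send LM and NTLM responses',
        'Send LM and NTLM; use NTLMv2 session security if negotiated',
        'Send NTLM response only',
        'Send NTLMv2 response only',
        'Send NTLMv2 response only; refuse LM',
        'Send NTLMv2 response only; refuse LM and NTLM'
    )

    $findings = @()
    # NoLMHash = 1 only takes effect at the next password change, which is
    # why the slide pairs it with "change passwords".
    if ($noLmHash -ne 1) {
        $findings += 'LM hashes are still stored when a password is set'
    }
    $levelText = 'not set'
    if ($null -eq $level) {
        $findings += 'LmCompatibilityLevel not set; the OS default applies'
    } else {
        $levelText = $meaning[$level]
        if ($level -lt 2) { $findings += 'Sends LM responses as a client' }
        if ($level -lt 4) { $findings += 'Accepts LM authentication' }
        if ($level -lt 5) { $findings += 'Accepts NTLM (v1) authentication' }
    }

    [pscustomobject]@{
        NoLMHash             = $noLmHash
        LmCompatibilityLevel = $level
        LevelMeaning         = $levelText
        Findings             = $findings
    }
}

Test-LegacyLmSettings | Format-List
```

An empty Findings list corresponds to NoLMHash = 1 and LmCompatibilityLevel = 5; where a domain Group Policy sets these values, the registry shows the result of that policy.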

Good News: GPMC

MS’s message in 2000 and later: GPs are the way to manage a network

But they don’t always work the way you expect

The trouble is the lack of management tools

Answer: Group Policy Management Console

What GPMC does

Backs up and restores GPOs

Diagnoses replication errors on GPOs

Shows what a GPO does, simplified

Shows what the total effect of your GPOs is, again simplified

Tells you which GPO performed each action

GPMC Opening Screen

GPO Manipulation in GPMC

GPO Diagnostics (1)

RSOP Wizard Invocation

RSOP Overview

RSOP Winners/Losers

Bad News

Only runs on 2003 or XP systems

Will not install on a 2000 box

Requires .NET Framework on XP or 2003 box

Can’t even run it remotely on a 2000 member server or domain controller

BUT you can back up / restore to/from a 2000 box, or view the results of policies gotten from a 2000 box by a 2003 or XP box

Challenge: Death to NetBIOS

AD was supposed to put an end to the broadcasts, WINS, strange name resolution problems, etc.

But it hasn’t

Challenge to Redmond: announce a date for NetBIOS’s “deathday”

Challenges: We Still Can’t…

a partial list

Hide files that users can’t access

Restrict simultaneous logins

Kick a user off the whole network with one click

The Biggest Problem Remaining

The fact that the IT staff shortage will NOT, for some strange reason, return

SOMETHING’s got to be done about this

My suggestion to Microsoft: a new OS

Windows PX Features

Online Help:

• In response to customer desires for faster systems, we have trimmed all non-essential files to reduce PX’s footprint. So sorry, no Help files. Call your help desk.

Driver Support:

• All the drivers you can write. PX ships with an assembler and full examples to write your own. Hire some programmers. Smart ones.

Networking:

• Our SimpleTCP™ network system speeds up networking by cutting out name resolution – no WINS, no DNS. Refer to Web and other servers solely by their IP addresses for greater reliability. Static IP-only support ensures that your network offers no surprises – and no complex DHCP!

User Interface…

PX User Interface

C:\>

Follow the arrow forward to Windows PX!

Sample PX Commands

See a folder on the first hard drive’s directory with the edit (Examine Disk InTeractively) command:

edit #1A:*.*

Format a disk with the Edit (Erase Disk InTeractively) command:

Edit #1A:*.*

Note all commands are case-sensitive!

What the analysts are saying

“Windows PX’s 27-test certification program will mean better-qualified professionals” --- Sylvan Prometric, VUE testing centers

“We estimate that desktop support costs will rise by 329.1433% under PX, with a 92.1182376% confidence interval. This will inevitably lead to an IT staffing shortage” --- Gartner Group

Thanks!

My sincere thanks for attending

Free tech newsletter: www.minasi.com

Seminars and audio CDs there too

email: [email protected]

HAVE A GREAT CONFERENCE!!!

Don’t forget RedHat Enterprise Linux ES

Standard Edition $599-799

http://www.redhat.com/software/rhel/es/