Re: [Nolug] Radius & Tacacs+

From: Dustin Puryear <dustin_at_puryear-it.com>
Date: Mon, 19 Jan 2009 12:18:30 -0600
Message-ID: <4974C3F6.4000906@puryear-it.com>

Eh. I agree that Windows has issues, but if you have Windows boxes to
manage then AD is really the way to go. It can really, really help in
locking down and controlling your systems via GPOs.

If you don't have Windows boxes to manage then by all means avoid AD.
There is no reason to run AD just for the directory service.

Ron Johnson wrote:
>
> <Sigh>
>
> Adware has *nothing* to do with AD.
>
> But the man who *wrote* the adware discovered all sorts of flaws
> *inherent* to Windows. And AD runs on Windows.
>
> Spoken another way, the parable of the house built on sand:
> Matthew 7.24-27
> The wise man built his house on stone
> Then a great flood came there, and winds blew there, and fell
> down upon the house, and it did not fall: truly, it was built on
> stone
>
> Then the foolish man built his house on sand Then it rained, and
> a flood came there, and winds blew, and fell down upon the
> house, and the house fell; and its fall was great
>
> On 01/15/09 11:11, Dustin Puryear wrote:
>> I'm still confused. Are you arguing that Windows desktops are insecure?
>> If so, I generally agree. However, I don't get what adware has to do
>> with AD.
>>
>> Ron Johnson wrote:
>>> Did you read the article? The section "Can you tell me more about your
>>> strategies for persistence?" shows that no matter what MSFT does, it
>>> will always be a big security nightmare.
>>>
>>> We then made a bootstrapper, which was a tiny tiny piece of code
>>> written in Assembler which would decrypt the executable in
>>> memory, and then just run it. At the same time, we also made a
>>> virtual process executable. I’ve never heard of anybody else
>>> doing this before. Windows has this thing called Create Remote
>>> Thread. Basically, the semantics of Create Remote Thread are:
>>> You’re a process, I’m a different process. I call you and say
>>> “Hey! I have this bit of code. I’d really like it if you’d run
>>> this.” You’d say, “Sure,” because you’re a Windows process–
>>> you’re all hippie-like and free love. Windows processes, by the
>>> way, are insanely promiscuous. So! We would call a bunch of
>>> processes, hand them all a gob of code, and they would all run
>>> it. Each process would all know about two of the other ones.
>>> This allowed them to set up a ring … mutual support, right?
>>>
>>>
>>> On 01/15/09 10:24, Dustin Puryear wrote:
>>>> I'm not sure what adware has to do with AD? That's like not running
>>>> OpenLDAP because of the Morris worm.
>>>>
>>>> I would be interested in hearing Shannon's reasons why AD is bad. I'm
>>>> always interested in hearing the pros and cons of various directory
>>>> products.
>>>>
>>>> Ron Johnson wrote:
>>>>> On 01/15/09 10:04, Shannon Roddy wrote:
>>>>>> On Thu, Jan 15, 2009 at 9:45 AM, Dustin Puryear
>>>>>> <dustin@puryear-it.com>wrote:
>>>>>>
>>>>>>> Normally, if a shop is just anti-AD, then I may see something like:
>>>>>>>
>>>>>>>
>>>>>> There are more reasons not to use AD than just being anti-AD.
>>>>>>
>>>>> Being pro-security?
>>>>>
>>>>> (This, while focused on the desktop, is pretty damning of Windows.)
>>>>>
>>>>> http://philosecurity.org/2009/01/12/interview-with-an-adware-author
>>>>>
>>>>> S: In your professional opinion, how can people avoid adware?
>>>>>
>>>>> M: Um, run UNIX.
>

-- 
Dustin Puryear
President and Sr. Consultant
Puryear Information Technology, LLC
225-706-8414 x112
http://www.puryear-it.com
Author, "Best Practices for Managing Linux and UNIX Servers"
  http://www.puryear-it.com/pubs/linux-unix-best-practices/
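One defensive reading of the CreateRemoteThread pattern quoted above (one process handing code to many others) is to alert when a single source image creates remote threads in several distinct processes within a short window. The example below is added here and is not from any poster on the thread; it assumes log records carrying the UtcTime, SourceImage and TargetImage fields of Sysmon Event ID 8 (CreateRemoteThread), and the sample lines are constructed.

```python
"""Flag a process that creates remote threads in many other processes.

Added example. The constructed records below mimic three fields of
Sysmon Event ID 8 (CreateRemoteThread): UtcTime, SourceImage, TargetImage.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), one record per line.
SAMPLE_EVENTS = """\
UtcTime=2009-01-15 10:00:01 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Program Files\\App\\app.exe
UtcTime=2009-01-15 10:00:05 SourceImage=C:\\Users\\u\\AppData\\Local\\Temp\\boot.exe TargetImage=C:\\Windows\\explorer.exe
UtcTime=2009-01-15 10:00:06 SourceImage=C:\\Users\\u\\AppData\\Local\\Temp\\boot.exe TargetImage=C:\\Windows\\System32\\svchost.exe
UtcTime=2009-01-15 10:00:07 SourceImage=C:\\Users\\u\\AppData\\Local\\Temp\\boot.exe TargetImage=C:\\Program Files\\Browser\\browser.exe
UtcTime=2009-01-15 10:05:00 SourceImage=C:\\Users\\u\\AppData\\Local\\Temp\\boot.exe TargetImage=C:\\Windows\\System32\\svchost.exe
""".splitlines()

# Paths may contain spaces, so anchor on the field names rather than splitting on whitespace.
EVENT_RE = re.compile(
    r"UtcTime=(?P<time>\S+ \S+) SourceImage=(?P<src>.+?) TargetImage=(?P<dst>.+)$")

def parse_event(line):
    """Return {'time', 'src', 'dst'} for one record, or None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"time": datetime.strptime(m["time"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"], "dst": m["dst"]}

def find_fan_out(lines, window=timedelta(seconds=60), min_targets=3):
    """Map each source image to the sorted set of distinct target processes it
    injected threads into within `window`, keeping only sources that reached
    `min_targets` or more (the "hand a gob of code to a bunch of processes" shape)."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev:
            by_src[ev["src"]].append((ev["time"], ev["dst"]))
    hits = {}
    for src, events in by_src.items():
        events.sort()  # chronological, so each event can open a window
        for i, (t0, _) in enumerate(events):
            targets = {dst for t, dst in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits[src] = sorted(targets)
                break
    return hits
```

Thresholds are deliberately parameters: legitimate tooling (debuggers, some AV agents) also creates remote threads, so a real deployment tunes `window` and `min_targets` and allow-lists known source images.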
___________________
Nolug mailing list
nolug@nolug.org
Received on 01/19/09
