The most secure modern OS, Part II

Part I was about the OS with zero known vulnerabilities and no real trend towards a worse situation. Mind you, the source code for that OS’s kernel is available, so it must be a really hard target indeed.

My next favourite provides the best platform for security solutions: standards support, a rich set of APIs that make integration an easy task, and an excellent software stack on top of that as proof.

The OS in question is Windows. I haven’t seen better support for security yet. There are attempts. I’ve come across this one (on Slashdot, of all places), which is rather impressive:

I believe I have one of the most advanced LDAP/Kerberos/Samba/Bind “Open Directory” setups. I have two Samba 3 Domain Controllers, both Kerberos and Bind Enabled, with OpenLDAP and MIT Kerberos. I have no need for NFS.

My OpenLDAP stores:

POSIX User Attributes
Samba User Attributes
Radius User Attributes
eGroupware User Attributes (eGroupware accounts.)
DNS Information for our internal DNS Server
DHCP Lease information.

I use Kerberos with ssh-agent to distribute software RPMS for Mandriva Linux to mass distribute RPMs with a single command.

I have Samba Kerberos enabled so that Samba will not repeatedly ask for usernames and passwords, and requires zero configuration.

I have had the code to eGroupware modified so that eGroupware, and Nagios can use Apache’s mod_auth_kerb addon to authenticate eGroupware users with a single click instead of a whole second login.

I’m currently working on creating a Samba Authenticated gateway with NTLM-SPNEGO support so that Kerberos will handle Squid too.

All I need now is for someone to make the modifications necessary to eGroupware’s XMLRPC so that Kontact could use Kerberos and I would have the “Exchange Killer” I always wanted.

All of my users use Samba for network browsing under KDE’s Konqueror, with Kerberos and LDAP, it just works.

I consider this my shining accomplishment. I like to have myself believe that I accomplished “Active Directory” under Linux now. I don’t use Windows at all in this network, so keep that in mind. The eGroupware people can attest to what a pest I am, bugging them to include Kerberos detection in session management. But it all works.

That is rather impressive. As a qualified Linux engineer, I can attest to the scale of assembly required to achieve this.

Which is exactly my point. On Windows, I have been used to a similar kind of setup since 2000. Plus, we have robust smart card support integrated with Kerberos. Plus, we use IPsec in transport mode, also with Kerberos authentication. All within the reach of an average MCSE. Life is good. Windows is by far the best security platform.
