Life without Microsoft

On December 8, 2004, in news, Tools

The other part of last night’s Tech user group meeting was a presentation on the topic of “Life without Microsoft”.  The presentation was very interesting but there was one comment that always puzzles me.


It’s free


Well, I guess I’m a dumb beancounter, because to me nothing is free.  It still costs my time and energy to set things up.  I set up my firm’s network all by myself, and while the firm didn’t have to pay an outside consultant to do it, it took me the weekend before to pre-set up the accounts, I was in the office during Thanksgiving weekend, and I was at the office last Saturday night setting up Live Communication Server 2003.  The office may consider my labor cost “free”, but I certainly don’t see it in the same light.


But here are some of the tools that the organization used:

Monitoring – MRTG: The Multi Router Traffic Grapher:
http://mrtg.hdl.com/mrtg.html

Graphical console for Snort – Analysis Console for Intrusion Databases (ACID):
http://acidlab.sourceforge.net/

Intrusion detection – Snort.org:
http://www.snort.org/

Monitoring – Nagios:
http://www.nagios.org/

Traffic probe – ntop – network top:
http://www.ntop.org/head.html

Nmap – Free Security Scanner For Network Exploration & Security Audits:
http://www.insecure.org/nmap/

ClamAV:
http://www.clamav.net/

Now there’s one concern I have with this approach… I see a lot of good tools here, but a great deal of attention to the servers.  There are no tools here to control the desktops, to enforce group policy, or to ensure that workstations are up to date and patched.


I, for one, am looking forward to Network Access Protection.  I’ve shut off LM hash storage with the NoLMHash setting, I have group policy controlling the internal firewalls on my workstations, and I have a patch management solution.


I know that this firm doesn’t strip off the attachments it should, and I know they don’t patch workstations like they should [I know someone who works there].  So while they may be doing a great, kewl job using Linux for backend services like DNS, DHCP and RADIUS, I know that sometimes it’s not the servers that are the risk factors we need to worry about; it’s the desktops as well.


There’s a recent post on the MS download site that sums up risk analysis of a network:


Risk Assessment


Before conducting any Attack and Penetration Testing, it is important to understand and prioritize the risks. Highest risk targets should be assessed first; the lowest should be assessed last.


At Microsoft, a separate Risk Assessment team is charged with identifying and prioritizing targets for the Attack and Penetration Testing team.


Risks should be assessed based on several dimensions, including:

  • How critical or valuable is the data? For example, the core intellectual property assets of the company, Human Resources data, and personally identifiable data such as credit cards and social security numbers should be assessed as critical.

  • What exposure does a target have? For example, how is it connected to the network?  What users can connect to hosts containing the data?

  • What is the potential for damage? For example, how much would it cost the company if a particular host were broken into, or brought offline?

  • For known vulnerabilities associated with a technology, are exploits available? Is it easy for an attacker to exploit a vulnerability? Could a worm or a virus be developed to exploit the vulnerability?

  • What are the legal constraints? For example, what applications contain data that are required to comply with regulations such as HIPAA, Sarbanes Oxley, or California SB 1386? [a]

The Risk Assessment team uses these criteria, and others, to determine the overall risk for a particular target, and prioritizes it for Attack and Penetration testing.


To minimize overall risk, testing only the critical targets is not enough. Sampling of all targets on the corporate network should be done at some point, even for low value targets. For example, a successful exploit of a low value host could expose a higher value application to a more damaging attack.



[a] and now AB1950 as well
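As an added illustration of the prioritization the quoted Microsoft text describes (example code written for this page, not Microsoft’s own tooling), the Python below scores each host on the five dimensions listed above, ranks the high-value hosts highest risk first, and rotates a slice of the low-value hosts into every assessment cycle so that “sampling of all targets” actually happens over time. The weights, the 1-to-5 scales, the cutoff for “low value” and the sample inventory are all constructed assumptions, not figures from the page.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

# Hypothetical weights per dimension: an assumption for this example,
# not something the quoted Microsoft text specifies. Tune to your environment.
WEIGHTS = {
    "criticality": 3.0,     # how critical or valuable is the data?
    "exposure": 2.0,        # how reachable is the host, and by whom?
    "damage": 2.0,          # cost of a break-in or an outage
    "exploitability": 2.5,  # known vulns with public / easy / wormable exploits
    "legal": 1.5,           # regulated data (HIPAA, SOX, SB 1386, ...)
}


@dataclass(frozen=True)
class Target:
    name: str
    criticality: int            # 1..5, 5 = core IP, HR data, PII such as SSNs
    exposure: int               # 1..5, 1 = isolated segment, 5 = reachable by any user
    damage: int                 # 1..5, cost to the company if compromised or offline
    exploit_public: bool        # a working exploit for a known vulnerability exists
    exploit_easy: bool          # the exploit is trivially usable or scriptable
    wormable: bool              # the vulnerability could be turned into a worm or virus
    regulations: FrozenSet[str] = frozenset()  # e.g. {"HIPAA", "SOX", "SB1386"}


def risk_score(t: Target) -> float:
    """Weighted sum over the five dimensions in the quoted Risk Assessment text.
    Each dimension is folded onto a 1..5 scale before weighting."""
    exploitability = 1 + 2 * int(t.exploit_public) + int(t.exploit_easy) + int(t.wormable)
    legal = 1 + min(len(t.regulations), 4)
    return (WEIGHTS["criticality"] * t.criticality
            + WEIGHTS["exposure"] * t.exposure
            + WEIGHTS["damage"] * t.damage
            + WEIGHTS["exploitability"] * exploitability
            + WEIGHTS["legal"] * legal)


def plan_cycle(targets: List[Target], cycle: int,
               low_value_max_criticality: int = 1,
               low_value_sample: int = 1) -> List[str]:
    """Return host names in the order they should be assessed in one cycle.

    High-value hosts (criticality above the cutoff) are always assessed,
    highest risk first. Low-value hosts are not skipped: a slice of them,
    rotated by cycle number, is appended so every host is sampled over time
    (the text's point that a low-value host can be the stepping stone to a
    more valuable one)."""
    ranked = sorted(targets, key=risk_score, reverse=True)
    high = [t for t in ranked if t.criticality > low_value_max_criticality]
    low = [t for t in ranked if t.criticality <= low_value_max_criticality]
    sampled = []
    if low:
        start = cycle * low_value_sample
        sampled = [low[(start + i) % len(low)]
                   for i in range(min(low_value_sample, len(low)))]
    return [t.name for t in high + sampled]


# Constructed sample inventory (not real hosts, not from the page).
INVENTORY = [
    Target("hr-db", criticality=5, exposure=2, damage=5,
           exploit_public=False, exploit_easy=False, wormable=False,
           regulations=frozenset({"SB1386"})),
    Target("web-dmz", criticality=3, exposure=5, damage=4,
           exploit_public=True, exploit_easy=True, wormable=True),
    Target("dev-vm", criticality=2, exposure=1, damage=1,
           exploit_public=False, exploit_easy=False, wormable=False),
    Target("kiosk-pc", criticality=1, exposure=4, damage=1,
           exploit_public=True, exploit_easy=True, wormable=False),
    Target("print-server", criticality=1, exposure=3, damage=1,
           exploit_public=False, exploit_easy=False, wormable=False),
]

if __name__ == "__main__":
    for t in sorted(INVENTORY, key=risk_score, reverse=True):
        print(f"{t.name:13s} {risk_score(t):5.1f}")
    for cycle in range(3):
        print("cycle", cycle, "->", plan_cycle(INVENTORY, cycle))
```

Note that the kiosk PC, low value by the data it holds, still outscores the dev VM because a public, easy exploit exists for it; with the rotation it is assessed in the first cycle and the print server in the second, rather than both waiting forever behind the servers.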


I would argue that we should look at the ENTIRE network including the desktops.  If you don’t control your desktops, you aren’t managing all of your risks.  And for now, and I predict for a long time, that means you live with Microsoft and you learn better ways to control.


3 Responses to Life without Microsoft

  1. Ed Daniel says:

    Susan,

    I hope you don’t mind me posting this…

    You mentioned desktop tools – sadly I can’t offer something free but I represent the fastest tool on the planet for getting that job and others done.

    It’s called ScanITT – get in touch if you’d like a demo to play with on your network, perhaps I can have a word with ScanITT team to let you have an eval copy for an indefinite period 😉

    Looking forward to hearing from you and keep up the great SBS articles – I enjoy every post.

  2. I, too, am anxiously awaiting the delivery of NAP… I was a bit distraught (to say the least) when the first rev of this was reportedly removed from R2 (http://tinyurl.com/4yhl3). Due to the way I need to have my office set up, we have about 10 laptops that cannot be domain members (political decision). It’s almost a full time job to keep these clean and patched…

  3. Tony Su says:

    Hello Susan,
    If anything is going to get Microsoft’s butt in gear, I hope it’s because of a major change I’ve observed over the last year or so…

    Before, SBS consultants and SBS Users were a relatively satisfied bunch. SBS as conceived was catchy (Deliver Big Enterprise technology to the Small Business). But, it seems that MS may be losing focus with its recent change from marketing SBS as a platform to instead as a collection of features… which then seems to have given some noob sufficient reason to make his own decision what a Small Business can’t and shouldn’t have compared to a Big, Enterprise business.

    So, of course the expected result is that we’re all looking at what other solutions will work with SBS to fill in the holes if SBS won’t deliver on the same premise anymore.

    I’d like to suggest that the hurdles you suggest Linux requires aren’t going to be of any concern much longer… And one solution is the Software Appliance.

    I’ve just released a second version of a Nagios Monitoring system (the latest specifically targeted at monitoring Windows networks) which requires minimal knowledge of Linux, it’s a pre-installed “software version of a hard drive” which only needs to be run within VMware.

    That version still requires work setting up a complete monitoring system, but the version I will be launching in a few days will be specifically built to drop into an SBS network with minimal work, so it shouldn’t take much more time or work than installing and configuring a typical Server Application.

    This is just one of many such “Software Appliances” which are easy or easier to set up than usual and well within the expected skillset of a SysAdmin who knows only Windows.

    Instead of posting links, if anyone wishes more information on anything I’ve commented on here, they can email me for more info… tonysu@su-networking.com

    Susan, I think it’s cool the Tech User group you’re referring to is looking at all options, even if every person still prefers the Microsoft product line 100%!

    And, BTW… There are free, non-MS alternatives that deliver on the objectives you feel are lacking. In fact, some solutions have been around longer than Microsoft as a company has existed. Some aren’t so capable, some are very capable. Some commercial, some free. Microsoft AD is cool and is one of the better tools due to its recent conception and being based on LDAP, but it’s not the only game in town.

    Just for starters, I understand you took a look at SuSE recently… Take a closer look at it. Everything you describe as missing is supported in NDS.

    Tony
    (Still a big fan and supporter of SBS)