Certified Mail: August 2002

"Windowsville" residents chime in on the "which OS is more secure" argument; readers debate Microsoft's longevity.

Other "Windowsville" Residents Weigh In

Regarding Dian Schaffhauser’s June column, “Here in Windowsville,” much of the blame can be taken by admins, as well as Microsoft. Our burgeoning need for a “user-friendly” OS in the mid-to-late ’90s was met by Microsoft with NT 4.0. Granted, it was full of security holes; but, at that time, it was hardly a consideration, as viruses were only even known about in admin circles—and Melissa was just a girl’s name. The main issue was usability and getting up quickly for a new domain with all new users in the new remote office. Speed was just about everything. Unix guys, bless them, are usually better known for their ability to give a good argument than deploy a new network with speed.

On the other side of the coin, many a network came up with the office secretary running it because she knew Windows 95 and Office. Teaching the office secretary Unix wasn’t even remotely close to the list of options for most small businesses. So, now we have a fairly user-friendly NT 4.0, which is hard to defend on an open network, and we have Windows 2000, which is much easier to defend, but not near so user-friendly as NT (Active Directory, anyone?). As Pogo so famously said, “We have met the enemy, and they are us.”
—John Ingle, MCSE
Round Rock, Texas

SANS does tend to be a bit biased. What can you expect from a bunch of Unix geeks? I work in a multiplatform organization. The group I’m in provides systems and network administration, so there are plenty of opportunities to propagate the “OS holy wars.” I came up through 3COM LAN, VMS, SCO, DOS, Windows, Novell, NT 3.51, NT 4.0, and Win2K with a touch of Ultix, Sun OS, MVS and AIX. Most of what I do now is NT 4.0 and Win2K. The people I work with support Mac OS7.x-OS9.x, OSX, Sun OS, Solaris, IRIX, Linux (three or four flavors), HP-UX and AIX. We don’t agree on much, except that a poorly configured and managed system is a security threat, regardless of the OS.

As bad as “Code Red” was, it didn’t affect near the percentage of systems that the “Morris Worm” did. Second to poorly configured and managed systems, the “keyboard input device” is the biggest security threat. The single biggest security advantage the Unix world has over the Wintel world is that most users don’t normally use a privileged account.

Can a Wintel box match a Unix box for security? You bet. Can a Unix geek secure a Win2K system the same way he would a Unix box? Nope. Is the average Unix geek willing to learn to use the “Windows World” tools to secure a W2K system? No. The end result is that most Win2K boxes secured by Unix geeks aren’t very secure.
—Randy Cardon
Los Alamos, New Mexico

I think you’re a little misguided in thinking Windowsville folks are the skinny guys eating sand. I think the sand is being kicked at a company many people like to call Micro$haft.

Let’s shed the victim mentality for a minute and think of something controversial, like the “dumbing down” of America. If you think in those terms, what OS is the most dumbed down in terms of ease of installation and ease of use?

Would it be OpenVMS, OS/400, Tru64, Solaris, Red Hat? While Solaris, OSX (I’ve never personally worked with OSX) and Red Hat are fairly easy to install and configure, I think Windowsville is one of the simpler OSs. The hallmarks of Microsoft’s software are the intuitive design, integration of components, and ease of use. Microsoft has made great advancements in configuring a system at install time. Despite the fact that, generally, Windowsville software is easy to get up and running, it’s an intricate and complex beast that takes a lot of time and experience to master.

Let’s assume we can eliminate the fringe element that simply has nothing but hatred for Microsoft. Then consider the various controversies such as the antitrust case, some of Microsoft’s business practices, admissions in court about poorly written sections of code and all the security vulnerabilities.

This is a company that many people want to kick sand at. And, I guess if you’re standing behind it, well then—yes—you, too, are going to get covered in sand.
—Randy Baker, MCP
Ontario, Canada

Skinny guy who had to eat sand, huh? If I remember correctly (it has been a loooooong time, after all), the sand-kicker was the chump by the end of that story.
—Anne M. Ford, MCSE
Plano, Texas

I also find a pervasive anti-Microsoft and pro-Unix bias existing in the security community. While I’m confident Bill Gates’ mandate to stop project development until the security issues are fixed will, in the long run, change this perception, the problem is that once a bad rap is propagated, it’s difficult to alter.

My current job in a large state government agency has me tasked with the responsibility of migrating from Novell to Win2K. As part of the migration, I’m going from region to region teaching a class on administering AD and Exchange. The first couple of hours are, on occasion, a general bitch session where every bit of FUD (Fear, Uncertainty and Dread) ever heard by students is raised and quoted as gospel. What I find both interesting and rewarding is that, by the end of the class after the students have had time to see how efficient security is in AD, their preconceptions improve remarkably.

Still, I spend too much of my time spitting sand from my mouth and wiping it out of my eyes.
—Wm. John Bean, MCSE+I, MCT
Lacey, Washington

No, I don’t think you’re wrong in feeling like the skinny guy at the beach. However, we’ve brought some of this on ourselves by taking for granted the security provided by a Unix-powered router, mail server or firewall. As we’ve seen, these also aren’t perfect; thus the many seminars and training sessions for Linux and Unix gurus.

My Unix friends have had to swallow some statements about invulnerability over the last 10 months or so. Remember when they could brag that no Unix box could be virus-infected? That’s changed. Because Unix uses the TCP/IP protocol suite, it’s also vulnerable to selective port attacks. Thanks for some good insights.
—Darwin Steele, MCP, MCSE, MCSE+I
Lafayette, Colorado

Correction to June Remote Administration Article
Several readers have pointed out an error in the June cover story, “Remote Control Freak.” The function call I used, AdvancedSettings2.RDPPort, comes from the TS Web ActiveX control, msrdp.ocx. The version of msrdp.ocx in the Windows 2000 TS Web client doesn’t export this function—only the version in Windows .NET and Windows XP. Here’s a workaround.

  1. Install IIS at an XP desktop. When you install it, select the Remote Desktop Web Connection option in the Details window of the World Wide Web service. This creates a folder called TSWeb under %systemroot%\Web.
  2. At a Win2K IIS server, create a folder called TSWeb1 under Inetpub\wwwroot. Copy the contents of the TSWeb folder from the XP desktop to the TSWeb1 folder.
  3. In the IIS Manager console, create a new virtual folder called TSWeb1 and point it at the new TSWeb1 folder.
  4. In the TSWeb1 folder, make the change to the Connect.asp file outlined in the article. Essentially, this consists of looking for a series of entries starting with MsTsc.AdvancedSettings2 and adding this line: MsTsc.AdvancedSettings2.RDPPort = .
  5. Now connect to the XP Web server using an IE 5.0 browser and point the browser at http://web server/tsweb1. You’ll be prompted to download the new ActiveX control. If you already have the old control loaded, you’ll need to restart the client.

Make sure you configure your Terminal Server to use the same port you entered in the Connect.asp page. Do this with the following Registry entry:

Key: HKLM | System | CurrentControlSet | Control | Terminal Server | WinStations | RDP-Tcp
Value: PortNumber
Data: Default is d3d (hex for 3389), change to unused port number

—Bill Boswell
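
A consistency check for the last step of the workaround above, as an added example that is not part of the correction or the original article: it reads PortNumber from a .reg export of the RDP-Tcp key and the RDPPort assignment from Connect.asp, then reports whether they agree. The sample file contents, port 3390 and all function names are constructed for illustration.

```python
import re

RDP_TCP_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
               r"\Terminal Server\WinStations\RDP-Tcp")

# Constructed sample inputs; port 3390 is an arbitrary illustration.
SAMPLE_REG_EXPORT = ("Windows Registry Editor Version 5.00\n\n[" + RDP_TCP_KEY
                     + ']\n"PortNumber"=dword:00000d3d\n')
SAMPLE_CONNECT_ASP = ("' MsTsc.AdvancedSettings2.RDPPort = 3389\n"  # commented out
                      "MsTsc.AdvancedSettings2.RDPPort = 3390\n")

def registry_port(reg_text):
    """Return PortNumber under the RDP-Tcp key of a .reg export, or None."""
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Track which key the following values belong to.
            in_key = line.strip("[]").lower() == RDP_TCP_KEY.lower()
        elif in_key:
            m = re.fullmatch(r'"PortNumber"=dword:([0-9a-fA-F]{8})', line)
            if m:
                return int(m.group(1), 16)  # .reg dwords are hexadecimal
    return None

def asp_port(asp_text):
    """Return the port assigned to RDPPort on an uncommented line, or None."""
    m = re.search(r"^\s*MsTsc\.AdvancedSettings2\.RDPPort\s*=\s*(\d+)\s*$",
                  asp_text, re.I | re.M)
    return int(m.group(1)) if m else None

def check_ports(reg_text, asp_text):
    """Return (ok, message) comparing the listener port with the page's port."""
    reg, asp = registry_port(reg_text), asp_port(asp_text)
    if reg is None:
        return False, "PortNumber not found under RDP-Tcp"
    if asp is None:
        return False, "Connect.asp has no active RDPPort assignment"
    if not 1 <= reg <= 65535:
        return False, f"registry PortNumber {reg} is not a valid TCP port"
    if reg != asp:
        return False, f"mismatch: registry {reg} (0x{reg:x}) vs Connect.asp {asp}"
    return True, f"both use port {reg}"

if __name__ == "__main__":
    print(check_ports(SAMPLE_REG_EXPORT, SAMPLE_CONNECT_ASP))
```
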

Am I an MCSA?
I’m an MCSE on NT 4.0 and Win2K. I also hold CompTIA certifications, including Network+ and A+. Can Microsoft grant me an MCSA title?
—Fanny Kanku, MCSE

According to Microsoft, “In this case, only if the individual has taken exam 70-218, Managing a Microsoft Windows 2000 Network Environment, as one of their Windows 2000 MCSE elective requirements will they earn the MCSA for Windows 2000 as well as MCSE. Exam 70-218 focuses on the most critical job tasks for Systems Administrators of Windows 2000 environments. Therefore, while it is not a ‘core’ requirement for MCSE on Windows 2000, it is a core requirement for MCSA on Windows 2000.”

Answering Auntie
Auntie, regarding your May column, “It’s a Long Way Down from the Top,” as much as many people would love to see otherwise, Microsoft is here to stay. Short of some major technical catastrophe, the new generation (.NET) of development tools is going to do nothing but get stronger; at least that’s what I’m seeing.

I’m sticking with the Microsoft exams, and I think the future for developers like myself is to cross-train and become stronger in other areas, especially on the database side of development. What the market is really looking for is a jack-of-all-trades. It wants a Web developer/DBA who can properly administer and tune SQL Server as well as sling code and manage IIS. In the eyes of many corporations, especially small ones, it’s key to have an MCSD/MCAD—and, if not an MCDBA, at least one MCP who deals with database administration.

In my experience, more companies are switching to SQL Server and Microsoft platforms. It would be a terrible waste for them to “retool” even if a new whiz-bang technology comes around in the next 10 years or so. I’m banking on Microsoft being here for the long haul.
—Tod Love, MCP
Richmond, Virginia

The question of Microsoft dominance is, “How long?” Obviously, nothing lasts forever, as you pointed out with Novell, which I, too, cut my networking teeth on. It’s hard to see Microsoft losing its dominance on the desktop in the next decade, but in the server world, companies can no longer ignore the low-cost, reliable and effective Linux platform. The biggest problem I see with Linux right now is simply that companies are wedded to Microsoft with huge investments, and it’s hard to break that contract and start a new direction.

I have been an MCSE since 1998, Novell before that. But I have so many frustrations with Microsoft that I often wish I were a Linux admin. I have Linux experience, as we run our e-mail and a DNS server on it. With Linux slowly creeping into the corporate environment, I’m definitely considering Linux certification in the next couple of years.
—Barry Hohstadt, MCSE
Kirkland, Washington

I enjoyed your little rant about Novell and CNEs. Spoken like a true Microsoft acolyte. Funny, the term “paper MCSE” never came up in your column—maybe because it was the flood of them that sank the value of a Microsoft certification.

By the way, my CNE has proven much more valuable than my MCSE. Every MCT I have ever taken a Windows NT or Win2K class from has said that NetWare was/is a better OS; Microsoft just markets better.
—Kerry Ringstad, MCSE, CNE

I haven’t even finished my MCSE yet (I’m close!), but I think that in certifications, as in most everything else, diversification is a good idea. For instance, even though you have every confidence that the company you own stock in will continue to perform, having your entire portfolio comprised of Enron stock isn’t a good idea, right?

A well-balanced certification portfolio—some Microsoft, a little Linux, a bit of Cisco, a smattering of security, and maybe even some general stuff for good measure—is also good common sense. This displays to your current employer or clients that you have the depth and breadth of knowledge to provide solutions that fit the business need, not just your certification track.

To continue your dry-cleaning point—I like light starch in my shirts, but have no intention of being the one putting it there!
—Brian Rosenow, MCP, A+, Network+, Server+
Birmingham, Alabama
