September 23, 2004

What you're telling me by running Windows

Author: Jem Matzan

There's a community center in my town where you can do things like take classes for a variety of interesting things, play basketball, run on an indoor track, or exercise in the workout facility. Until recently I bought monthly membership passes to use the exercise rooms -- until, that is, someone in management decided to start collecting more information about the members and storing everything on a small, unmonitored, Internet-connected, Windows XP-based network. What were these clowns thinking?

It does not instill confidence in me to see a business I frequent using Windows for production systems; even less so when they are obviously under-administered. That little four- or five-node network is a time bomb; it is a disaster waiting to happen. I know what a debacle a Windows network is when you depend on it because I've experienced it firsthand.

I set up and administered production Windows networks myself, many years ago, before I'd given any serious consideration to the budding GNU/Linux operating system. I worked for an electronics repair business as a technician; specifically I worked on home office equipment, but since I was "the computer guy" I was required to also build and maintain the company network and all of its computers. I also built and installed similar networks for customers of that very repair shop.

I'll never forget the Microsoft Word virus that infected every computer on our network, how the boss wanted me to illegally install my personal copy of Norton Antivirus to get rid of it, how I had to come in early and stay late to troubleshoot problems with Windows NT4 and, later, 2000 on our server. The word "nightmare" doesn't quite describe it. I felt like I was piloting a ship that by all rights should not have been afloat, and land was nowhere in sight. Before I left that company, the boss was looking into putting Red Hat on the server -- but no one at the company knew anything about GNU/Linux, so it was a big mystery. I'd wager that my personal copy of Windows 2000 Professional is still running -- or rather, staggering -- the database server there. It doesn't matter, I guess; I'm not using it.

And then I went to the gym

I quit that job and figured that my days in the Windows trenches were over. As a small business sysadmin, they were, but as a regular consumer my problems had just begun -- and now I have even less control over the networks that I have to indirectly deal with.

Last week I went to the aforementioned community center to work out, and found that they had installed a small network with about a half dozen Windows-based machines and a single Webcam. The idea is, instead of handwritten workout passes, people would be issued computer-generated membership passes, complete with their photo and signature. At the time I was in, this facet of the system was not yet operational, and I'm glad -- I would have caused a scene if they wanted to create a "file" for me with my photo, home address, phone number, method of payment (credit card number?), and workout habits. The mere existence of such a file owned by someone who is not me or the government is something I have a problem with, but privacy concerns aside, I was appalled at the lack of security precautions taken.

The two systems at the new check-in desk were obviously running Windows XP, and from what I could see on the screen they had been given a default installation. The hardware appeared to be from HP, and I couldn't tell what software was being used to keep track of the new membership database, but it certainly was colorful. The Webcam sat on the counter facing the waiting line. There was no server in sight, and having been through the offices a couple of times, I know that there is no place for a secured server room. Both staff members at the desk were new hires, and one of them had taken the time to customize her desktop with a picture of her friends at some kind of sports event. At the old check-in desk, which still functioned as a place to sign up for classes and such, two employees were using Outlook Express to read their personal email, and Internet Explorer was running in the background. Based solely on these observations, I drew the following conclusions:

  • The workstations are not secured against employee tampering
  • No reasonable precautions have been taken to prevent local intrusion into the network
  • The membership database was wide open locally and remotely for anyone to steal, delete, or modify
  • The risk of outside attack through a virus, trojan horse, or phishing scam is extremely high
  • My personal data is not safe at this facility

I struggled to understand how any (sober) professional sysadmin could have designed and implemented this system. That's when I remembered my days at the repair shop, with the cheapskate boss who wouldn't pay for the proper software tools to limit local and remote damage to the production environment. The community center will not cease to operate if the system dies, but far worse things could happen: member credit card numbers and other personal data are at risk.

My next thought was, "What moron used Windows for this network? Why didn't they use GNU/Linux?" They could have saved money (my tax dollars and membership fees) and gained an enormous amount of security while still allowing the employees to get their email and such. Again I remembered back to my days as a conscript sysadmin, having been forced to use Windows because we didn't know any other operating systems -- and four years ago GNU/Linux wasn't the OS it is today. But this is 2004 -- there is no excuse for not knowing about GNU/Linux if you're a sysadmin or any other IT manager or decision maker. Furthermore, there is no excuse for not using a GNU/Linux or BSD-based solution for this type of environment, especially when there is no pre-existing data to migrate.

What Windows tells your customers

I've seen a few production environments in small businesses that were designed by the owner's or manager's brother or teenage son, complete with ridiculously high-performance yet surprisingly low-quality consumer-grade hardware and unlicensed proprietary software. It's conceivable that the designer is merely a regular employee who "knows about computers" -- much like I was at the repair shop -- but doesn't know anything about security policy, server logs, strong passwords, firewalls, proxy servers, audits, backup scripts and all of the other hardware, software, and administrative tools and tricks that an experienced sysadmin has in his or her arsenal. It's frightening how often these two types of people design small business networks.

A third possibility is that some PHB working for the town has decided that everyone should use Windows because that's what is on his desktop at home. He may have called in HP to install the hardware and set up the software, or he may have put the job up for bid to local computer shops, who would do the same thing with less regard for quality. In any of the above scenarios, the network is left without a security policy or a competent administrator.

Of course it's also possible that there is some hidden back room in the dark recesses of the community center where a wizened old sysadmin is carefully monitoring the network for signs of trouble. He's installed firewall and antivirus software on every node, has a spare machine for testing new software updates and a heavily restricted proxy server to keep out unwanted Web traffic. Every night when the employees leave he applies any necessary, pre-tested security updates, backs up the database to removable media, and ensures that his users haven't circumvented their restrictions. Then before he goes home he disables the Internet connection to avoid surprises in the morning.

Yeah, maybe -- and maybe I'll be Angelina Jolie's next husband. Of course if our mythical small business sysadmin were really that savvy, he'd be using GNU/Linux or BSD, and he'd have spent a small fraction of the money and done half the work to get the same results as the Windows environment.

The bottom line is, when I see Windows XP in your business running your production machines, I know that you can't be trusted with my data. I know that it's likely that your network is about as secure as a liquor store during a street riot. I know that one disgruntled employee can destroy everything. I know that local users are just as likely to unwittingly screw your whole network as an outside attacker is purposefully. But most of all, I know that you didn't take the time to do things right, to safeguard the data that your customers have trusted you with. Windows has no place in outward-facing production environments; this is 2004 -- you should be using GNU/Linux for scenarios like the ones mentioned here.

And me? I'll work out someplace else.
