Recently i've had the 'pleasure' of setting up a WinXP-based PC for some friends of sacred_harlot. Apart from actually installing WinXP itself, which went smoothly except for WinXP's refusal to set up the soundcard (wait - isn't it Linux which has hardware recognition issues? :-P ), i installed a Real Firewall (WIPFW, based on FreeBSD's ipfw) with a minimal-privileges configuration; Firefox, natch, in place of the dreaded Internet Explorer, along with useful extensions such as CookieSafe and AdBlock; GAIM as the all-in-one chat client which can avoid at least some of the security issues that plague the IM clients of Yahoo! and MSN; and the wonderfully bloat-free (at least in comparison to OpenOffice!) AbiWord as the word processor.
The original intent was that i would be the administrator of the system; i would manage it remotely. Since i'm fairly familiar with SSH (at least, OpenSSH, provided by the OpenBSD project), and i'm not familiar with Windows' own remote-management tools, i decided to install CygWin and run an OpenSSH server on top of that. The CygWin documentation is pretty good, although i couldn't/can't seem to find any documentation about how to install CygWin packages from the command line (i ended up installing apt-cyg, a shell script that does the job).
So then the challenge became - is there some way that i can remotely install / configure / uninstall Windows programs from the command line, as i'm used to being able to do on Linux? If there is, i couldn't discover it. So i thought "Okay, i'm going to have to start up Windows Terminal Services and run rdesktop via ssh's port-forwarding facility, so that i can do graphically-based installs." This meant i had to learn how to re-enable and start Terminal Services from the command line; it turns out that the sc command did the trick. However, even though sc told me that Terminal Services was running, netstat told me that nothing was listening on port 3389 (which Terminal Services was supposed to have been). Several Web searches later, i discovered that a setting in the dreaded Windows registry needed to be changed (fDenyTSConnections). i then had fun trying to understand what i was doing wrong when using the reg command to alter the setting in question; it turns out i was being misled by my experiences editing GNOME's gconf system (which seems rather registry-like to me). Finally, i worked it out, and Terminal Services began listening on TCP port 3389.
Except port-forwarding didn't work. On the remote end, rdesktop would try to use the forwarded port, but would eventually time out with some sort of connection error. On the Windows end, i was getting "no route to host" errors. i wanted to examine the inbound and outbound packet streams on the Windows machine, but i had no packet sniffers installed - and the main ones that i know of, WireShark (formerly Ethereal) and WinDump, both seemed to require graphical installation (well, WinDump itself doesn't, but the library which it uses, WinPCaP, does) - the very problem i was trying to resolve. :-/
In amongst all this, it turned out that one of the users of the Windows system was unhappy with the fact that i had granted administrative privileges to myself only, which meant that the individual in question was not able to install software himself, and thus felt that the computer was not actually under his control. The reality is, however, that it's not good practice for an ordinary user to have administrative privileges, because it increases the chances of the entire system being hosed / owned either accidentally or deliberately. This is even more important on Windows systems, where there are massive amounts of malware waiting to be installed by unsuspecting users, who enthusiastically install things without thinking of the consequences.
Now, the individual in question is not computer-phobic, but is pretty clearly unaware of the security issues facing users of Windows systems. Which is not so bad in itself; the problem is that he apparently doesn't know that he doesn't know. Giving administrative access to such a user is, as history and experience show, Not A Good Idea. This is the sort of person who thinks that he could never be fooled into taking the bait in a phishing attack, who thinks that he would 'know' when something is more likely than not to be scareware, who doesn't care about the massive security problems with Internet Explorer as long as he can use some toolbar. This is the sort of person who is part of the reason that it's recently been estimated that 1 in 4 PCs are part of a botnet.
i'm going to give the individual in question the password to the Administrator account. But i've also indicated that, whereas previously, i was happy to take the time to fix any problems that happened on my watch for free, i will no longer be willing to do so (at least for security-related issues) - i will expect to be paid to fix any security-related problems. i'm also a bit frustrated, because whereas it wouldn't worry me if any problems they caused affected only themselves, i'm also very aware that it's increasingly the case that security-ignorant Windows users are effectively allowing malfeasants to use their computers in ways that negatively affect the rest of us: to send spam (which consumes massive amounts of bandwidth and thus drives up the costs of providing that bandwidth, not to mention the sheer annoyance it causes), to send viruses and worms (which also consume bandwidth), to host phishing sites, to take part in denial-of-service (DoS) attacks, and so on. Especially given that our society is increasingly using the Internet as critical infrastructure.
i seriously think it's time for people to have to get licenses to use a computer, to have to demonstrate that they have basic knowledge of the security risks they face when using a computer connected to the Internet. Too many people think of PCs - well, Windows-based PCs - as just another home appliance; yet they're more like Swiss Army knives which can be both very useful and very dangerous. And while most computer users think that they know 'enough' about security, and imagine that security problems "couldn't happen to them", the Internet's security and infrastructure problems are only going to get worse.
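The command-line steps described in the post (sc, then reg and fDenyTSConnections, then netstat, then an SSH tunnel for rdesktop), written out as an added example that is not the author's own script. The registry key path, the account name admin, the host name winbox and the local port 13389 are assumptions that do not appear in the post.

```bat
@echo off
rem Added example, not from the original post: enable Terminal Services on
rem Windows XP from the command line and confirm that it is listening.
rem Assumed key path; the post names only the value fDenyTSConnections.
set TSKEY=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server

rem Re-enable the service. sc requires the space after "start=".
sc config TermService start= demand
if errorlevel 1 goto fail

rem "sc start" reports an error if the service is already running, so its
rem exit code is ignored and the resulting state is checked instead.
sc start TermService
ping -n 4 127.0.0.1 >nul
sc query TermService | find "RUNNING" >nul
if errorlevel 1 goto fail

rem fDenyTSConnections: 1 = refuse connections, 0 = accept them.
reg add "%TSKEY%" /v fDenyTSConnections /t REG_DWORD /d 0 /f
if errorlevel 1 goto fail
reg query "%TSKEY%" /v fDenyTSConnections

rem A RUNNING service is not proof of a listener, as the post found:
rem check the socket table as well.
netstat -an | find ":3389" | find "LISTENING"
if errorlevel 1 echo Nothing is listening on TCP 3389 yet.

rem On the administrator's own machine (hypothetical user and host names),
rem tunnel RDP through the existing SSH service rather than exposing 3389:
rem   ssh -L 13389:127.0.0.1:3389 admin@winbox
rem   rdesktop 127.0.0.1:13389
goto :eof

:fail
echo A step failed; see the message above.
exit /b 1
```

With this layout TCP 3389 stays closed at the firewall and only the SSH port needs to accept inbound connections.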
no subject
Date: 2007-01-30 09:16 (UTC)
I won't install or repair windows for friends anymore: they want me to be an admin they get Linux. No arguments permitted. Not only do they invariably fuck windows up themselves but it fucks itself up too. Simply not worth the time and aggravation even with money involved.
Imho you've bitten yourself on the backside by agreeing to install it at all, I doubt you'll enjoy the consequences.
I suggest if you haven't done so already you image the windows partition right away so when it all goes boom it takes a few minutes to fix. Also make sure all the "My Documents" and other such crap live on another partition/drive.
Also if you've got terminal services, VNC or any other remote admin stuff, set up a firewall rule that only allows incoming connections from your IP address or ISP's address range... An open port on a windoze box is like blood in shark infested waters.
no subject
Date: 2007-01-30 11:44 (UTC)
Yes, well, i know that now . . . . i stupidly thought that maybe more recent versions of Windows (an OS i've avoided for years now) would be more flexible in terms of administration options than they apparently are. :-/
Well, these people had their hearts set on installing XP, even though they know full well my opinions of Windows; but i suspect that they think i'm simply irrationally obsessed with Linux, rather than having a plethora of excellent reasons for not using a MS OS. So i thought, "Well, if you're going to do this, let me try to minimise your threat profile."
That's a great thought, which sadly i haven't implemented. And it's unlikely that i will, because for various reasons it's awkward for me to be physically present at the machine in question.
Yeah, i thought of that - it's how i always set up my Linux boxen - but ended up deciding not to bother, for a reason or reasons i now can't remember (maybe because their use patterns involve pretty low data storage rates?), and which were probably not particularly sound. :-/ Ah well.
Indeed. Port 22 is currently open, and there's a RELATED/ESTABLISHED-type rule for other incoming traffic. Outgoing traffic is also restricted to destination ports 25, 53, 80, 110, 465, 995 (for possible POP-based GMail access) and 5050 (for Yahoo! IM).