[Dshield] Flavors of Linux
epeters at pcthome.com
Tue Oct 5 16:03:57 GMT 2004
Let me start off by saying I have to agree with Stephane 100%.
It is very easy to turn the administrator account's permissions under
"windows" into an account with guest permissions, thus enabling NTFS
permissions useless. Unlike *nix it takes a bit to enable the root
account useless especial a hardened installation, I gave away free shell
accounts to anybody (Long Ago and Not any longer) with a hardened
installation of Slack. I had people 24x7 try to crack the box and 128
days uptime later no one was able to crack it. Try doing that on a
Microsoft OS ;) give complete strangers terminal services to that box
and see how long it would last.
An OS with applications such as Browser, File Manager, E-mail (IE,
Explorer, Outlook Express to name a few) so tied into the kernel or the
core of OS makes completely securing that box impossible in a multi user
environment, again rendering permissions of a file system useless.
Remember *nix was made with the exact purpose for groups of people to
work on the same server with security in mind, windows was not!
Microsoft is trying to do this now, and I can't see MS releasing a
somewhat secure OS, unless they start from scratch and rewrite the
entire OS from the ground up keeping a multi user secure environment in
mind and keeping applications out of the core of the OS.
Just my 2 cents
stephane nasdrovisky wrote:
> John B. Holmblad wrote:
>> I think it is fair to say that NTFS filre permissions are more fine
>> grained than those of Unix, but, unfortunately, their resulting
>> complexity makes them more of a challenge to manage properly.
> What about file acl in the unix world ? File permissions are not
> limited to the 3 rwx and setuid/setgid/don't remember the others
> permissions anymore. i.e.: http://www.computerhope.com/unix/usetfacl.htm
> The major difference between windows and unix, in my opinion, is that
> there are no super user under windows: everything is permission based,
> if you want a root-like account, you have to include it in admin
> groups or give it allow everything permissions.
> The latest permissions related paradigm in the unix world is 'role
> based access control': http://csrc.nist.gov/rbac/
> DShield and the Internet Storm Center are sponsored by the SANS
> To learn more about current SANS training, see http://www.sans.org .
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see:
More information about the list