[unisog] Slashdot's UCSB Article

Allen Chang allen at rescomp.berkeley.edu
Tue Oct 1 04:29:31 GMT 2002

On Mon, 30 Sep 2002, Jim Dillon wrote:

> While I can understand taking the target-of-the-day out of circulation, it
> is not an apparent example of great support for the end-user/customer
> community.  While universities are not well known as hotbeds of sterling
> adoption of TQM principles, (the customer is always right, even when
> clueless...), this seems to serve the network more than the customers.
> Seems like the higher priority should be to serve the customers, as a
> network without them doesn't really accomplish much.  Perhaps having a
> network isn't serving them if it is really this hard/difficult to manage?

Well, if by removing Win2k computers, you prevent them from being
compromised and thus prevent them from wasting network resources through
DOS and warez FTP/XDCCs, you serve all the users. Most of the users on edu
ResHall networks don't even know what OS they're using, much less care.
Sure, the 5-10% who do know what they're doing will bitch about it, but it
depends which you value more; security of the entire network, or ability
of users to use a specific OS. Although, I have to concede that not
allowing any exceptions is somewhat heavy-handed.

> No charge of being lazy or ignorant, no attempt to flame here, just
> curiosity.  I'm certainly more ignorant than most on this list, but couldn't
> a well designed group policy be enforced for those that do bring W2K to
> campus to ensure good configurations?

This is entirely dependent on the environment. In the ResHall environment
where you have 8 different OSs on thousands of configurations in 6
different languages, it just isn't feasible. In corporate or small edu
departments, it's manageable because of large IT departments or small
number of similar computers.

> I've never worked with AD or group policy myself, but theoretically it would
> appear that a well designed group policy could force compliance with secure
> practices.  We get patches, virus updates, timeouts/disconnects, password
> management, etc. at our desks due to group policy, no user intervention, so
> it seems that students could be given the right to compute under group
> policy control.  Are you going to have to cancel XP next year when it proves
> to be the problem this year?

Developing this solution would require many more resources than are
currently allocated to ResHall network security. Simply because it would
require about 20 different policies for the different configurations.
Those policies simply aren't meant to work on networks with widely
differing configurations. However, if someone has managed to get policies
to work cross OS, configurations, I'm all ears.

> Seems the underlying issue is the failure from a strategic level to properly
> assess risks, prioritize accordingly, and fund/manage a secure network
> infrastructure, not just a lousy Windows OS.  95/98/ME and Out-of-the-box
> Linux aren't exactly security champions.

Well, we haven't seen the problems of Win2k scale with all the other OSs
combined *crosses fingers*

> Why provide the tool (network) if
> the institution is not willing to invest in it sufficiently to do it right?

Because the institution underestimates the resources necessary to properly
secure it. Even after 9/11, the importance of network security is still
severely underrecognized. In smaller edu, network security is a task (not
even a position) that the network administrator takes care of.

> Not an administrator/operational problem, but a strategic near-sightedness
> problem perhaps?  Couldn't a properly staffed and funded network function
> ensure all boxes ran the CIS and Top Twenty patches to achieve a "mostly"
> secure environment?  NIMDA et al would not have been a problem in that type
> of environment, or so I'm told. I've been led to believe that those two
> steps will throttle 95% of the risks/problems, am I wrong?

No, you're entirely right. However, that would require an enormous
investment of resources. In terms of labor cost, probably around $15
per computer just to install basic patches and antivirus because of the
differing configurations.

> Maybe I'm way
> overestimating the number who would actually have W2K to begin with!?!

The number of people who are complaining probably numbers in the tens to
twenties at UCSB. Most people simply don't care because computers have
reached a point where most people don't and can't understand them.

> Again, no attempt to attack the administrative position, but the strategic
> and planning position is flawed if it ignores the market leader at the
> detriment of its primary customer, and such a policy will eventually fail in
> the face of market pressures.  Business policy 101 if I believe my higher ed
> training/product.

When the market leader (debatable) has flaws that will bring down your
network, and you don't have resources to secure it, how do you resolve
that? The good of the people or the good of the few individuals?


*Ideas represented are my own, not of my institution =) Flame away
