Yep, the old philosophy was everything on by default and that has changed. Now the philosophy is to turn as much off as possible with the exception of firewalls and other things in place to specifically protect. Look at Windows Server 2003 and the steps necessary to spin up a web server serving ASP or CGI.
It is much safer for an admin to have to learn how to turn something on that is insecure versus trying to figure out how to turn something off that is insecure. It is much safer to force an admin to figure out how to disable security versus enable it. Etc. etc. etc.

The everything enabled by default has burned MS and Windows admins everywhere enough now that the decision had to be made. The enabled by default is directly responsible for Code Red and Nimda and Blaster and anything else that took advantage of something installed on all Windows machines that most people had no clue about nor needed.

The next steps after this are to reduce the attack surfaces more by further componentizing and removing currently built-in chunks. Server Foundation / MinWin is a big step in that direction.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, June 30, 2005 9:39 PM
To: [email protected]
Subject: Re: [ActiveDir] Dns start up

Yeah, but I always thought one of the differences in philosophy bet windows and linux was windows turned everything on and left it up to the admin to turn stuff off as regards security and linux had most stuff off and left it up to the admin to turn stuff on as regards etc...

I always felt that's why windows got a bad rap by security *nix people who weren't that familiar with windows. I always felt it was just a diff between user friendly but the onus to shut stuff off is on you as opposed to everything is a pain for security reasons. That's why I never understood why the loopback was always on on linux but off on windows.

I understand for MS it's always a case of "damn if you do and damn if you don't". I never thought I'd feel bad for a billion dollar corp but I really sympathize with them. An OS is just a tool but some people get really passionate about stuff like that and I never understood why.

Anyway, thanks for your help.
Now I can spend this weekend thrashing my test AD (yeah, I have no life).
Thanks again.
This list rocks!!

--------------------------
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
