Let's have a look at some really prejudiced, unfounded NT bashing...
> From: spiff [mailto:[EMAIL PROTECTED]]
> >
> http://www.microsoft.com/security/downloads/ITSEC_NT4.0_Installation.EXE
>
> from said document:
>
> "What the user does not see are internal workings, such as the
> system-level encryption of their password so that it is never passed
> over the wire in clear text."
>
> What they would see is the LanMan hash, the entire keyspace of which can
> be brute forced on an UltraSparc in a few hours with l0pht Crack. (see
> http://www.l0pht.com )
FUD. NT can easily be configured to never send the LanMan hash. In fact,
in the configuration we are talking about, you disable the "Server" and
"Workstation" services anyway so no one can get an SMB connection or any
hash at all from the machine.
> "The evaluated configuration for Windows NT 4.0 includes any
> number of the Windows NT Server and/or the Windows NT Workstation
> products, acting in any one of the following roles, either stand-alone
> or connected via a physically protected network:"
>
> hmm is the Internet a "physically protected network" ?
No. Physically protecting the network is required because TCP/IP is
vulnerable to man-in-the-middle attacks and other denial of service attacks.
> "Install the Microsoft Windows NT 4.0 Workstation and Server Service
> Pack 3."
>
> sp3... hmmm ok. Here's an example of an install of sp3 quoted from
> http://129.105.116.5/fravia/project9.htm :
>
> "What slays me about Microsoft is how badly their software can coexist
> with other products, *including their own*. A classic example is
> their aforementioned Proxy Server. When you set up NT with the Option
> Pack and Service Pack 3, it installs Internet Information Server 4.0
> by default. Which is fine, except for one small detail: it *breaks*
> Proxy Server. We had to back IIS 4.0 out of the system and install
> IIS 3.0, which has no trouble working with Proxy Server. AFAIK, there
> is still no fix to get Proxy Server working properly with IIS 4.0."
Except this comment is just plain wrong. We have had Proxy server working
with IIS4 just fine for over a year now.
Did you bother to check your facts before you went public, or just post
rhetoric that you heard about for your own unfounded prejudices?
> back to the M$ doc:
>
> "Set to configure the system to shutdown when the security
> log gets full"
>
> ???? what?!?!?!? go figure, that's an interesting interpretation of
> mission critical.
That is a requirement of ITSEC - if logs are full then the system must shut
down. All systems must do this to pass the test. Again, did you check your
facts before you posted?
> "Protect access to the boot partition... This is needed for
> architectures that require a non NTFS boot partition. Setting this key
> ensures that only Administrators may change data on this partition.
> Adding this value for other architectures has no side effects. Note that
> none of the architectures in the current evaluated configuration [ST]
> require the use of this key and therefore its effectiveness has not been
> assessed as part of the evaluation"
>
> Yet earlier in the .doc it is stated "All hard-disk partitions must be
> formatted with NTFS" as a precondition of ITSEC FC2-E3 certification.
> That said, I can empathize with them, it is SO frustrating to install
> NTFS as the boot sector on those pesky scsi drives, after all it starts
> out its life as FAT and is automagically transformed in one of the many
> reboots of the install process to NTFS. Though more times than not ntldr
> just dies after this operation and one has to start all over again.
Wrong. NTFS as a boot partition works just fine. I've never had a problem
with ntldr crashing on any of the hundreds of machines I've run up this way.
Perhaps your "pesky SCSI drives" are the problem? We've got rock solid SCSI
ones here.
> "(Optional) Install applications (such as Microsoft Office 97) as
> required."
>
> Yes don't forget to install the GUID stuff, as well as other sys level
> stuff that will, most probably, un-do many of the carefully implemented
> registry settings you have just made. Back to start, do not pass go...
Why would you want that on a Firewall? Get a clue!!
> "Warning:
> The installation of any program or application which is in addition to
> Microsoft Windows NT 4.0 is not covered by the ITSEC evaluation
> configuration as stated in the security target for Microsoft Windows NT
> 4.0. The installation of any applications is entirely optional and at
> your own risk."
>
> Ok, so you have a secure NT system that has no apps. Now go back to the
> computers that actually run your business, with the apps that you use to
> run your business and rest assured no one will break into your NT server,
> there's nothing there!
Yeah. Just like those Unix systems that passed with no apps. Get a
freaking clue!!
NT *is* secure if you want to make it secure. It's bigots like you that
don't have a clue about the whole thing and just post rhetoric about a
system they don't understand because they don't want to understand it that
really make me glad I use NT.
Regards,
John Wiltshire