That is a tall order. Especially when your target audience is admins with no formal training, of which there are more and more every day.

It all comes down to education which, in any form (formal or self-learning), is time consuming. I think most of us will pursue our goal, say opening an FTP site on a home PC, only as far as it takes to get it working. There are plenty of tutorial sites on the internet that will show you an incomplete solution. They may have a warning or two, but they may not. That, coupled with the "it can't happen to me" frame of mind, makes for a situation where the warnings may be ignored anyway. I'm really not sure if there is an answer to your question that could be implemented. Of course, if you could rewrite the internet... :)

----- Original Message -----
From: chris yarger
To: [email protected]
Sent: Tuesday, January 20, 2009 9:28 PM
Subject: Re: Yet another reason to stay away from Windows

How can we be of help to the average ignorant Windows admin? To keep them from opening such vulnerabilities unknowingly?

On Tue, Jan 20, 2009 at 9:20 PM, Gary Brown <[email protected]> wrote:

I can attest to the anonymous FTP blunder first hand. About 4 years ago a Win XP box became a SPAM generator for about 9 hours. I learned my lesson though. I lock down everything now. Speaking from experience, Linux makes it harder for average users to expose the system because you have to learn how to make the services available (by reading a lot of material) and in the process you become aware of the dangers, whereas Windows makes it easier to stumble through making services available without learning anything in the process.

----- Original Message -----
From: "Kevin Thorley" <[email protected]>
To: <[email protected]>
Sent: Tuesday, January 20, 2009 1:16 PM
Subject: Re: Yet another reason to stay away from Windows

On Tue, Jan 20, 2009 at 1:04 PM, chris yarger <[email protected]> wrote:

With things like this happening in Windows, why not keep to Linux?

http://www.theregister.co.uk/2009/01/20/sheffield_conficker/ and http://www.theregister.co.uk/2009/01/20/mod_malware_still_going_strong/

Or, why not at least hire a competent IT staff. In both of these cases, it seems to be a problem with either IT security policy or implementation. I have had two Linux servers compromised in the past 10 years. One was due to foolishly allowing (or failing to not allow) anonymous FTP. That resulted in a rootkit and a fresh install of the OS as a fix. The other compromise was due to a user whose password was the same as their username. The onsite admin (really a customer service rep who knows how to log in to the server to do simple tasks) had set the password from the root account. The result was that the server then became an IRC server for connections from Romania, among other things. Poor IT is poor IT, regardless of the OS.
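Both Gary's and Kevin's messages above trace a compromise to anonymous FTP being left enabled. The script below is an added example, not code from anyone in this thread, of the kind of configuration audit that catches that "just get it working" state before it goes live. The thread does not name the FTP daemon; vsftpd and its `anonymous_enable`, `anon_upload_enable`, `anon_mkdir_write_enable` and `write_enable` directives, together with their upstream defaults, are my assumption, and both sample configurations are constructed.

```python
"""Audit a vsftpd-style configuration for anonymous FTP exposure.

Added example. The directive names and upstream defaults below are an
assumption (vsftpd man page), not something the mailing-list thread states.
"""
from __future__ import annotations

# Upstream vsftpd defaults (assumption). Note that anonymous_enable
# defaults to YES upstream, so an absent directive is still a finding.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "write_enable": "NO",
}


def parse_vsftpd_conf(text: str) -> dict[str, str]:
    """Parse 'key=value' lines; blank lines and '#' comments are skipped.
    Lines without '=' are ignored here (vsftpd itself would reject them)."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def effective(conf: dict[str, str], key: str) -> str:
    """Value the daemon would actually use: explicit setting or the default."""
    return conf.get(key, DEFAULTS[key]).upper()


def audit_anonymous_ftp(text: str) -> list[str]:
    """Return human-readable findings; an empty list means no anonymous exposure."""
    conf = parse_vsftpd_conf(text)
    findings: list[str] = []
    if effective(conf, "anonymous_enable") != "YES":
        return findings
    if "anonymous_enable" in conf:
        findings.append("anonymous_enable=YES: anonymous logins are explicitly allowed")
    else:
        findings.append("anonymous_enable not set: upstream default is YES, "
                        "so anonymous logins are allowed")
    # Anonymous writes only take effect when write_enable is also YES.
    if effective(conf, "write_enable") == "YES":
        if effective(conf, "anon_upload_enable") == "YES":
            findings.append("anon_upload_enable=YES with write_enable=YES: "
                            "anonymous users can upload files")
        if effective(conf, "anon_mkdir_write_enable") == "YES":
            findings.append("anon_mkdir_write_enable=YES with write_enable=YES: "
                            "anonymous users can create directories")
    return findings


# Constructed sample: the tutorial-style 'get it working' configuration.
SAMPLE_RISKY = """\
# constructed sample, not a real server's config
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
"""

# Constructed sample: anonymous access switched off, local users only.
SAMPLE_HARDENED = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
"""

if __name__ == "__main__":
    for name, sample in (("risky", SAMPLE_RISKY), ("hardened", SAMPLE_HARDENED)):
        print(f"[{name}]")
        for finding in audit_anonymous_ftp(sample) or ["no anonymous exposure found"]:
            print("  -", finding)
```

The parser deliberately treats an absent `anonymous_enable` as a finding rather than as safe, because the failure mode the thread describes is an admin who never set the directive at all and inherited whatever the daemon assumed.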
