The Curious Tale of MS03-007 (stepto.com)
123 points by luu on Nov 5, 2015 | hide | past | favorite | 24 comments



>> And in Windows 2000 it had a huge gaping hole. It was enabled by default. On all versions.

Following "it was done this way for a reason, even though it might not make sense", what was the rationale behind some of the defaults/decisions Microsoft made in their NT4/2000 days?

The complete opposite of something like OpenBSD where most everything is disabled by default.


Microsoft UK reps commented at a Win2k3 presentation that I went to that customers had complained NT4 didn't do enough out of the box. All sorts of features it was capable of required specific configuration and enabling. They made the point about security etc to their customers, but lots of customers still requested features to be turned on by default. The internet was still fairly nascent at the time, there hadn't been a major vulnerability through such mechanism etc. etc.

They listened to their customers, which is often the right thing to do, but rarely when it comes to things with security implications; still, it's fair to say that in general the tech industry was still fairly naive back then.

Win2k came with IIS enabled by default, etc. etc. etc. It was a security disaster. Microsoft decided from the next version on that convenience didn't trump security and went back to requiring you to consciously turn on services.


Enabling functionality by default makes it available to people on initial installation. From a convenience perspective, it seemed a plausible choice.

It took some effort to get people at Microsoft to start seeing things from a security perspective. The work Michael Howard (who wrote the "10 years since the BillG memo" article 'twoodfin linked to below), Jeannette Wing, and I did on measuring attack surfaces was part of this -- trying to quantify, even roughly, how big the attack surface was so that there could be explicit goals to reduce it. You're certainly right, though, OpenBSD was way ahead of their time here.


'Twas not just Microsoft.

Back then, "enabled by default" was the rule. I recall Linux distributions of that era also enabling a lot of network-facing stuff by default.

For Microsoft in particular, there's also some path dependence: they began with non-networked (or with local-only networking) desktop operating systems, where the drawbacks of default-enabling many useful services were not as severe.


Yes. Having your newly installed Linux box connected to the internet after a base install without first enabling a firewall (or configuring the existing one to block a bunch of default allowed items) wasn't as bad as the same thing with a Windows box, but it was still bad. Circa 2000/2001 I believe you would likely be infected or hacked by some SSH or Apache worm within a few hours.

Windows around the same time, maybe a few years later, was much worse though. They actually had to patch a bug where the system would boot after install and the firewall might not come on until a second or two after the network, and there were so many exploits and worms that systems were getting exploited in this very short time-frame.


Solaris came with everything turned on by default for quite a while as well.


There's a tradeoff here between making a new feature secure by default (i.e., disabled) and making it easy for your customers to take advantage of it ("No configuration needed: It just works.")

How risky it is to have a feature enabled by default is a function of

a) The complexity of the feature.

b) The reliability of your development and testing process re: security.

and

c) The ultimate severity of any vulnerability.

At the time Windows 2000 was being developed (late '90s), Microsoft tended to systematically underestimate a) and c), while overestimating b). Then came an internal push for better security practices and billg's "Trustworthy Computing" memo. There's a good discussion of it and the consequent sea change here:

http://www.zdnet.com/article/10-years-since-the-bill-gates-s...


Warezing Win2K server as a router was where I cut my networking teeth. It was so easy to configure - it autopopulated 192.168.0.1 in the network sharing menus. It suggested other necessary settings.

After Blaster, and 4 roommates wiping our gaming PCs, I stole a copy of RHEL and used that instead. It was a lot harder to configure; you had to know what you were doing. I managed to squeak by with settings remembered from Win2K, but others may not have fared so well.


On a consumer OS if a feature is not enabled by default it might as well not exist at all. The vast majority of people won't discover it.

This is fine for OpenBSD, you are assumed to know what you are doing when you install it. But Windows gets installed for all sorts of people, many of whom will tell you to your face that they are "not computer people", and will be very annoyed when the OS doesn't magically do what they want.


Windows 2000 was not a consumer OS.


> Windows 2000 was not a consumer OS.

Of course it was!

You must be thinking of the split between the consumer-oriented Windows 95/98/ME and the business-oriented Windows NT/2000.

The parent comment used "consumer" in another sense: an "I am not a computer person" end user. Windows 2000 was certainly intended to be fully usable by these kinds of consumers, at home or at work.

And the comment was more general than Windows 2000 - it is really a message to people who are designing OS features today.


> The parent comment used "consumer" in another sense: an "I am not a computer person" end user. Windows 2000 was certainly intended to be fully usable by these kinds of consumers, at home or at work.

I think many people attempting to sell into business don't quite realize that there are novice users there too. Ease of use, ease of deployment, and maintenance without a highly technical internal supporter are critical issues that products with massive business adoption have to get right.


It was a different, more innocent time. Your $500k Sun box shipped with broken tools, and horrifically buggy RPC on by default.


I'm probably being thick, but I can't put together why the patch has anything to do with the war in Iraq.


Military (or something in the whole war apparatus) was running networked Windows 2000 in some mission critical role and was worried about being compromised by a cyber counter-attack once they started offensive action.


Gotcha, I guess that makes sense.

I'd like to hear the story of how the military deployed these fixes across the board in only a few days to ensure they had complete protection. Back in 2003, even auto-updates tended not to get installed/applied on large systems where there were complex admin rules about how updates should happen.


I doubt it required an across-the-board deployment. Rather, specific systems like the one alluded to in the post (the reason that the Suits appeared in Redmond) would need to be hardened in advance of the start of offensive military activities when the secrets housed in the system needed to stay secret.


The implication is that the government wasn't going to war until they'd updated their computers, which is extraordinary when you think about it.


Nah, the implication is just that once the shooting starts, there's no reason not to exploit whatever security holes you've found at the cost of being "provocative".


Of course, doing patches for pre-SP4 Win2000 was a pain, and the issues with this patch were a good example (see actual bulletin at https://technet.microsoft.com/en-us/library/security/ms03-00...). This is because Win2000 had no service pack branching.


>This was bad enough we would have to consider going with how to block the attack before we actually had an update

Ah, good old Microsoft, where the mere idea of a default ingress firewall was taboo.


So we might know what it was about in 2053?


... And nowadays you can't even trash "/bin" (latest OSX release) :)


To be honest, WFP has existed since Win2000 too.



