Just got done proofing the galley for an article I've done for the .NET Developer's Journal. It amazes me to this day just how good a graphic designer can make even my drivel look. A big shout out of thanks in advance to Michael Rys and the SQL XML team for enlightening me ... and for making some awesome stuff.
I've accumulated a few links I wanted to encourage my faithful readers to take a look at.
Forgive me, for I am about to rant. I read something like this today on a mailing list I subscribe to:
"We use a not-Windows-NOS and we can't take remote control of workstations if the ICF is turned on, so we're looking for ways to turn it off with scripts, GPOs and the sacrificing of large piles of money on the altars of the consultants if needed."
There's an immediate pile-on of suggestions about GPOs, scripts and every other workaround you can imagine.
Out you Demons of Stupidity!
Why make turning off the firewall (ICF) your first option? Why not work on making it work, or on getting rid of the stuff that doesn't work with it? Turning off the firewall because it interferes with a remote control program is like saying: "well, there's no value in fire prevention since we all have fire extinguishers already." Isn't the purpose not to get burned in the first place?
Putting it another way: would you turn off virus checking/protection for the same reason, or would you look for a different virus scanner? The reason things like Sasser, MyDoom and so on worked is that there was no defense-in-depth; instead, the sheer number of vulnerable machines gave them an exponential growth medium. ICF isn't a total solution, but it's better than nothing. And if you disable it, nothing is exactly what you have.
Yes, I understand the need to be able to remote control machines. We are talking XP here, though. It has a remote control feature. Unless I've missed something [and that's happened before], there are already two remote control features in XP (remote desktop, user assistance) that the firewall already knows how to open the ports for, right?
I can appreciate that the out-of-box features can only go so far. But the better strategy would seem to be to figure out how to make it work with the firewall turned on, wouldn't it? And yes, I know, vendors frequently sell products they really don't understand. But when a vendor says "we don't know how," isn't it time to say "you'd better figure that out"? Or even better, "too bad that company X already does..." We shouldn't lose out on the opportunity to apply market pressure towards more secure systems. Help Microsoft help us make "our world" a better place, please!
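To make the alternative concrete, here is an added example (mine, not from the original post or the mailing list) of what "make it work with the firewall turned on" looks like on XP SP2 using the `netsh firewall` context: the setting the thread was asking for is shown only as a commented-out contrast, and the exceptions are scoped to a management subnet. The port number and subnet are placeholders I made up for the script, not values from the post.

```batch
@echo off
REM Added example, not the post's own script: keep ICF on and scope an exception
REM for the remote control tool instead of disabling the firewall.
REM Placeholders (assumptions, not from the post): the tool listens on TCP RC_PORT
REM and management hosts live in MGMT_NET. Requires the XP SP2 "netsh firewall" context.
set RC_PORT=5000
set MGMT_NET=192.168.10.0/255.255.255.0

REM What the thread wanted: the firewall gone entirely. Left here only as the
REM "before" for contrast; it stays commented out.
REM netsh firewall set opmode mode=DISABLE

REM The "after": make sure ICF is on for every profile, then open only what is needed.
netsh firewall set opmode mode=ENABLE profile=ALL

REM Built-in remote control: enable the Remote Desktop exception, but only for the
REM management subnet rather than scope=ALL.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=%MGMT_NET% profile=ALL

REM Third-party tool: one named port opening with the same subnet restriction, so it
REM is visible (and attributable) the next time someone audits the exception list.
netsh firewall add portopening protocol=TCP port=%RC_PORT% name="RemoteControl (mgmt only)" mode=ENABLE scope=CUSTOM addresses=%MGMT_NET% profile=ALL

REM Verify: operational mode should read Enable, and the openings listed should be
REM exactly the ones above and nothing else.
netsh firewall show state
netsh firewall show portopening
```

The same commands can be pushed out by the GPO or logon script the thread was already planning to use for the opposite purpose.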
It only works if we make it work, folks. Yes, I know it's a painful change. So is dieting, quitting smoking and using a condom. Just say no to insecurity -- just say yes to ICF.
It's not as though Microsoft hasn't been banging on developers to get serious about these changes, either. I'm pretty sure that Bill and Steve would love to go shop to shop to shop handing out Beta CDs and the "Writing Secure Code" book if they could. If you're a developer and you've not started looking into XP SP2, you're behind the curve. If you're an administrator and you've not started figuring out how to take advantage of this, you're failing to learn from history. If you are a manager and you're saying "it's more pain than it's worth," you'd better have a large supply of aspirin ready.
Maybe Bill and Steve need to dress in bear suits for TV ads. "Only you can prevent virus fires." Jeesh!
Don't even get me started with the "oh, we'll just keep applying hotfixes instead" crowd.
After rant mint:
One of the highlights of the 1971 movie "The Andromeda Strain" was an exchange between Drs. Stone and Leavitt. Mankind was facing certain and terrible annihilation unless a team of four researchers could find a way to beat a space-borne virus.
Stone: Let's stick to established procedures.
Leavitt: Establishment gonna fall down and go boom.
If you've never seen the movie, you'd better go find it right now. I mean it -- you've been under a rock long enough.