The MS platform is pretty robust these days, but it only takes one bad Apple
Watching the last decade play out in the IT world, I think the biggest surprise for me is just how much I like MS products. Yes, Redmond have made huge leaps in security technology, and in many ways the Windows OS is superior to some, but I’ll tell you where TRUE security comes from, and it’s not down to writing code that checks for buffer overflows.
Rewind to the start of the millennium, and if you so much as mentioned Bill Gates to me, the room would be filled with the palpable taste of tin as my rage and vitriol spewed forth. I hated the company for stifling the software ecology, killing the shareware culture, and stamping out the competition with unfair practices, forcing me to use their inferior products.
I think the first twinkle of change began with Win2k. At least when it crashed, I could restart the explorer process. Woo hoo! Then XP came along, and I was actually very impressed with its multiple display capabilities. I became a sysadmin shortly after that. It was then that my eyes began to open. You’ll never really fully understand the power and flexibility of the MS platform until you’ve played with Group Policy Management in a domain environment. It’s only then that the tip of the iceberg reveals itself to you, and you begin to understand the point of the registry, and what all these “useless” services running in the background are for that you keep disabling.
I was running a medium-sized school network at the time when the Sasser worm struck, which triggered Bill Gates’ famous “security security security” email that changed the company’s focus. When the Sasser worm struck our network, it was unable to cause any damage. The details are a little hazy (it was a long time ago), but it was my disabling of certain services and file permissions via group policy that prevented it from being able to install.
Even back then, it began to dawn on me that as long as you worked professionally, the MS stack was the least of your worries. The first warning shot was Firefox. Yes, when you compared them on a technical level at that time, Firefox was faster, more secure, and had more features. What it didn’t have was central management. You couldn’t even define the home page centrally, let alone restrict what plugins it could use, and this factor proved more important than any other, especially when you had over a thousand school kids hammering away at your security, visiting dodgy sites.
IE7 may have been riddled with ActiveX vulnerabilities, but you could create a white list of sites that were allowed to call them, and even restrict plugins like Flash to only running on specific sites. You could also spot at a glance in WSUS if any of your computers hadn’t installed any security updates that were being actively exploited. Firefox, on the other hand, was a black hole on your network. I was once called by a teacher who said certain websites weren’t displaying correctly. Turns out, he refused to update from Firefox 1.0, because he liked the look. Naturally, his laptop was infested.
Fast forward to today, and this situation is even further polarised. MS have been so focused on security in the last decade, their products are the least of my concern. It’s the unholy trinity of Java, Acrobat and Flash I have to worry about. Ironically, I keep them patched using a combination of Ninite and SCCM to deploy the patches. And now, we have the Internet Of Things to worry about.
Historically, Unix may have been a superior network platform, and hence the various ‘nix flavours had a technical advantage, but this means diddly squat in the real world. Where is Samsung’s version of WSUS, to alert me that the smart TV hanging in the foyer is unpatched, and could pwn my network at any minute? Or the HP printers? Or the Canon Scanners? Or the Linksys access point the sales team bought with their own budget?
Even when they do have some management/patching tools, with weary inevitability, I find myself thinking something the me of ten years ago would be horrified to hear: “I wish this was as good as Microsoft.”
Every single OS and software product has vulnerabilities waiting to be exploited. The only real security is in central monitoring and control.