Mostly: Classical

[Sexton O Blake]

ZDNet: Why SP2 deserved every shred of the scrutiny

I don't often post these kinds of articles but this one caught my eye. A darn good (and long) article on SP2 for XP.

Fun for the whole family - talks about Linux and Mac - revolving around Windows SP2 for XP.

Some excerpts:
Desktop Linux is a different story . Though Linux is clearly in the game, especially on the server side, it has a way to go before it's a Mac-like workstation alternative for neophytes like Jamison. Nor might it yet be for those who consider themselves proficient at exercises in networking, printer sharing, and systems administration by virtue of their exposure to the way Windows does these things. I run a pair of Red Hat 9 systems and, although they've proven to be ideal at hosting Web and database servers, using either of these boxes to share a printer or hard drive for my Windows and Mac boxes has not been so simple. After spending countless hours with how-to's and in Linux forums studying the usage of technologies, commands, and options such as SAMBA, CHMOD, CUPS, Linux's built-in firewall, and Hewlett-Packard's open source printer driver for the HP DeskJet 5550 (that I selected on the basis of its perfect compatibility with Linux), my "Windows users" (wife, kids) still can't press the print button with predictable results. In the name of predictability and fewer "help desk calls," I've gone to Plan B and have connected the printer to a Windows machine.

Try explaining any of this to Jamison the neophyte who just wants things to work. Or try explaining it to Mac users for whom things routinely "just work." Half of them will laugh because they've never heard of anything so arcane; the other half will laugh because they know what the first half don't: the Mac is doing the arcane stuff, only in an incredibly user friendly fashion. If you're logged into a Mac without administrative privileges and attempt to do something that requires administrative privileges, the Mac in many cases simply asks you for the administrative user ID and password. In fact, just to be sure, even if you're already logged in with administrative rights, OS X still asks for the administrative credentials for some tasks. How easy is that?. Notwithstanding the way the OS X does it, perhaps BJ Brock hits the nail on the head: "Why should anyone have to limit their rights just to protect their PC? 'Run As' alternatives are just another time-consuming work around for an inadequate OS."

One horse that I've beaten nearly to death in my columns and blogs, (and promise to put out of its misery here) is the new Windows Firewall in SP2. With no outbound blocking and some back doors that a hacker could drive a Mack truck through, this "improvement" fails the value statements of the TCI on virtually every level. In fact, I now regret calling it better than no firewall at all. To the extent that the firewall and the Security Center (a central dashboard that's supposed to give us an accurate reflection of our systems' defenses) can be so easily tampered with and users can so easily be misled into a false sense of security, Windows Firewall is worse than nothing.

Microsoft's response went on to say that "In order for an attacker to spoof the Windows Security Center, he or she would have to have local administrator rights on the computer." Hackers inherit such rights when the users of the machines they're attacking are logged in with administrative rights. On this point, we've already established two types of users: First, there's a class of Windows users that log in with administrative rights because they don't know any better; second, there's a class of Windows users whose applications break unless they're logged in with administrative rights. According to my sources, Microsoft's own tests revealed that limited user accounts (LUAs) were incompatible with more than 50 percent of the applications tested.

Read the article here

Blake (SANS SP2)