Secure by Default
Tim Mullen, 2003-04-27

With Windows Server 2003, Microsoft has finally produced an operating system that isn't begging to be hacked on the first boot.

Secure by Default, Insecure by Birth 2003-04-28
Drek Software Inc. (2 replies)
Secure by Default, Insecure by Birth 2003-05-03
Anonymous (2 replies)
Secure by Default 2003-04-28
alexbal
Secure by Default 2003-04-28
Anonymous
Secure by Default 2003-04-28
xenophi1e <oliver.lavery@sympatico.ca> (1 replies)
Well, I'll give you this much, Timster... 2003-04-28
Penguinisto (4 replies)
Well, I'll give you this much, Timster... 2003-04-28
Anonymous (6 replies)
Well, I'll give you this much, Timster... 2003-04-29
Anonymous (2 replies)
Well, I'll give you this much, Timster... 2003-04-29
Penguinisto (1 replies)
Well, I'll give you this much, Timster... 2003-05-03
Anonymous (1 replies)
Well, I'll give you this much, Timster... 2003-04-29
xenophi1e <oliver.lavery@sympatico.ca>
Well, I'll give you this much, Timster... 2003-04-29
Anonymous (2 replies)
Zealotry comes in all forms. 2003-04-29
matt@beatlab.org (2 replies)
Zealotry comes in all forms. 2003-04-29
blacklight (1 replies)
Zealotry comes in all forms. 2003-05-02
Penguinisto
Zealotry comes in all forms. 2003-05-06
Noran Rad
Well, I'll give you this much, Timster... 2003-04-30
Anonymous (1 replies)
Secure by Default 2003-04-29
blacklight
I haven't tried MS Windows 2003, but I do grant that this change in the startup configuration is a significant improvement over the preceding products. A service that is not run is a service that cannot be attacked.

I will point out that our cracker friends have not yet put Windows 2003 through its paces. It can be claimed that Windows 2003 is secure if Windows 2003 meets the following conditions, which include but are not limited to: (1) our cracker friends can't successfully attack through those services that are turned on; (2) Windows 2003 patches do not open or reopen new security holes, even as they may close some existing ones; (3) Microsoft has a policy of admitting to potential vulnerabilities in swift, thorough and explicit ways - again, there are ways of eliminating or mitigating security holes until patches become available. The worst policy from every standpoint is a refusal to admit to any shortcomings for the sake of "stability" and "public order", as for example the PRC did until recently with SARS. The PRC's original refusal to be forthright and open about SARS not only turned it from a controllable outbreak into an epidemic, but into an international PR disaster abroad as well as a huge political liability at home - not to mention the economic impact at home and abroad.

The phrase "Microsoft professionals" makes me wince: I haven't done a ton of Microsoft installations, but I have done a ton of cleaning up after the "setup.exe" and "winnt32.exe" MCSE geniuses who did those installations. I do accept that there are a few genuine Microsoft security professionals out there, but in general the phrase "Microsoft security professional" is apparently the latest marketing-oriented oxymoron.

Link to this comment: http://www.securityfocus.com/comments/columns/157/19632#19632
Secure by Default (Pathetic) 2003-04-29
Anonymous (3 replies)
Secure by Default (Pathetic) 2003-04-30
Th. Klein
Secure by Default (Pathetic) 2003-05-02
blacklight (2 replies)
Secure by Default (Pathetic) 2003-05-02
Anonymous
Secure by Default (Pathetic) 2003-05-03
Anonymous
Secure by Default 2003-04-29
Anonymous (1 replies)
Secure by Default 2003-04-29
Doug Sibley (3 replies)
Secure by Default 2003-04-29
Anonymous
Secure by Default 2003-04-30
Anonymous
Secure by Default 2003-05-03
Anonymous
Secure by Default 2003-04-29
Anonymous (1 replies)
Secure by Default 2003-05-01
Anonymous
Hrm 2003-04-30
DC0 (1 replies)
Hrm 2003-05-02
Ryan Lambert
Secure by Default 2003-05-02
Ryan Lambert

Copyright 2009, SecurityFocus