Apple's Big Virus
Kelly Martin, 2005-04-20

After your identity has been stolen, your bank accounts compromised, 53 critical patches and 27 reboots later, when will you decide that you've had enough?

Apple's Big Virus 2005-04-21
Anonymous (2 replies)
Apple's Big Virus 2005-04-25
Anonymous
Apple's Big Virus 2005-05-02
Anonymous (1 replies)
Re: Apple's Big Virus 2005-05-25
Bradbury9
Apple's Big Virus 2005-04-21
Wanne (2 replies)
Apple's Big Virus 2005-04-21
M. T. MacPhee <macpheem@telus.net>
Apple's Big Virus 2005-04-23
Anonymous
Apple's Big Virus 2005-04-21
Brian McMahon <brian.mcmahon@cabrillo.edu> (3 replies)
Apple's Big Virus 2005-04-23
Anonymous
Apple's Big Virus 2005-04-25
Anonymous
Apple's Big Virus 2005-04-26
Anonymous (1 replies)
Re: Apple's Big Virus 2005-06-05
Anonymous
Apple's Big Virus 2005-04-21
Andrew
Apple's Big Virus 2005-04-21
Jimbo
Apple's Big Virus 2005-04-21
Anonymous (1 replies)
Apple's Big Virus 2005-04-21
M. T. MacPhee <macpheem@telus.net> (3 replies)
Apple's Big Virus 2005-04-21
Anonymous (2 replies)
Sophos Enterprise A/V 2005-04-23
Anonymous
Apple's Big Virus 2005-04-25
M. T. MacPhee <macpheem@telus.net> (1 replies)
Apple's Big Virus 2005-04-27
Anonymous (1 replies)
Apple's Big Virus 2005-04-29
Anonymous (1 replies)
Apple's Big Virus 2005-04-21
Anonymous (2 replies)
Apple's Big Virus 2005-04-21
Kelly Martin (3 replies)
Apple's Big Virus 2005-04-22
Anonymous
Apple's Big Virus 2005-04-22
Anonymous (1 replies)
Apple's Big Virus 2005-04-22
Anonymous (1 replies)
AppleScript as virus/ 2005-04-22
Anonymous (1 replies)
AppleScript as virus 2005-04-24
Matthew Murphy
Apple's Big Virus 2005-04-25
M. T. MacPhee <macpheem@telus.net> (1 replies)
Apple's Big Virus 2005-04-27
Anonymous
Apple and its Big Virus 2005-04-30
Anonymous
Apple's Big Virus 2005-04-21
Encrypto (1 replies)
Apple's Big Virus 2005-04-22
Anonymous
Apple's Big Virus 2005-04-21
M. T. MacPhee <macpheem@telus.net> (3 replies)
Apple's Big Virus 2005-04-21
Jason Miller
Apple's Big Virus 2005-04-21
Brad
Apple's Big Virus 2005-04-25
Biz Nerd
Apple's Big Virus 2005-04-22
Anonymous (1 replies)
The infested beast indeed! 2005-04-23
TJ (1 replies)
The infested beast indeed! 2005-04-25
Pecos Bill (1 replies)
The infested beast indeed! 2005-04-27
Anonymous (1 replies)
I run 5 Windows OSes and have anti-virus on only one of them. I generally find that anti-virus and exploit code do not function happily together even when you tell the anti-virus to ignore directories.

I have never gotten a virus, trojan or worm that I did not place on my system to determine effects and how to counteract/detect it. There are a very limited number of ways for people to receive any of the 3, most coming from email, the rest commonly from lack of administrator password and open file sharing combination. Just because you're not sharing a directory doesn't mean you don't have open file sharing with XP/2000. And most people don't realize that and the remote power that comes with lack of security in that respect.

I do network audits and have seen many forms of environments. The most secure environment I have seen (were it implemented properly) would be a Novell shop with Windows XP computers. As long as Novell/Windows passwords are set securely along with the possibility to lock out any remote access to the desktops you're gonna have to do some work to break into the Novell server.

Major reasoning for the above that makes Windows XP so secure is the lock down of "simple file sharing" (which is a default configuration for Windows XP) that restricts all remote access on the system to the guest account. Just because 9/10 network environments are Windows Domains and therefore unlock the simple file sharing doesn't mean that XP isn't fairly well secured out of the box. Guest access then is controlled by another policy that says that guest account is disabled. Which even if that policy doesn't exist, there is still a backup policy that says that accounts without passwords (the guest account) are limited to console access only.

So tell me how you're going to spread a virus from one machine to another when you can't remotely access the file system or registry? You can't. There's nothing you can do to that computer unless you're sitting at it.

Just because people who are using the OS make it less secure doesn't mean the OS is less secure. There are lots of things you can do to lock down Windows such as stopping the Server service which disables all incoming filesharing (also confuses automated scanning tools such that they get a wrong report of what OS you're running). Local security policy settings are there for a reason as well. Take a stroll through them sometime.

I know a person who has written exploit code for Mac OS X and has informed Mac and they still haven't fixed it, so there are 0day issues in the OS. Along with that, K-Otik has released code for Mac OS X exploits. There's your "wild" requirement.

Just because you have your "rules" of what you count and don't count, doesn't mean you're right.

BTW, let's not forget that like Unix any local privilege escalations on OS X (which can be server as well as desktop) include users who have ssh access to the machine, whereas local privilege escalations on Windows 2000/3 means you have to be at the machine or have a remote of VNC/PCAnywhere/RDesktop as ssh/telnet are rarely used for them anymore.

In your true comparison situation a "virus" should only count if it can infect the machine if it were sitting there on the network with no user interaction. Default XP install plus DCOM/LSASS/NetDDE patches is just as impenetrable at that point as any other system.

Just because users haven't figured out that pictures.zip is actually pictures.zip*stringofcharacters*.exe which installs very bad things to your computer doesn't mean that XP is to blame.

Link to this comment: http://www.securityfocus.com/comments/columns/319/31620#31620
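
The layered controls named in the comment above (the simple-file-sharing "force guest" model, a disabled Guest account, blank-password accounts limited to console logon, and the Server service) can be read back from a host with a short read-only audit. This is an added example, not part of the original comment; it assumes Windows PowerShell 5.1 or later in an elevated session, and the function name `Get-RemoteAccessPosture` is hypothetical.

```powershell
# Added example: read-only audit of the settings discussed in the comment.
function Get-RemoteAccessPosture {
    # "Sharing and security model for local accounts" (forceguest) and
    # "Limit local account use of blank passwords to console logon only"
    # are both stored under the Lsa key.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # RID 501 is the built-in Guest account, whatever it has been renamed to.
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }

    # LanmanServer is the "Server" service that accepts incoming file sharing.
    $server = Get-Service -Name 'LanmanServer' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ForceGuest                = ($lsa.forceguest -eq 1)
        BlankPasswordsConsoleOnly = ($lsa.LimitBlankPasswordUse -eq 1)
        GuestEnabled              = [bool]$guest.Enabled
        ServerServiceRunning      = [bool]($null -ne $server -and $server.Status -eq 'Running')
    }
}

$posture  = Get-RemoteAccessPosture
$findings = @()

if (-not $posture.ServerServiceRunning) {
    $findings += 'Server service is not running: no incoming file sharing at all.'
} else {
    if (-not $posture.ForceGuest) {
        # Typical of domain-joined machines, as the comment notes.
        $findings += 'Classic model: remote logons authenticate as the named local account, so every local password matters.'
    }
    if ($posture.ForceGuest -and $posture.GuestEnabled) {
        $findings += 'Force-guest with Guest enabled: remote users reach whatever Guest can reach.'
    }
    if (-not $posture.BlankPasswordsConsoleOnly) {
        $findings += 'Accounts with blank passwords may log on over the network.'
    }
}

$posture | Format-List
if ($findings.Count -eq 0) { 'No findings for the settings checked.' } else { $findings }
```

The script checks only the settings the comment names; it says nothing about patch level or services other than file sharing.
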
The infested beast indeed! 2005-05-01
Anonymous
Apple's Big Virus 2005-04-22
Anonymous (14 replies)
Apple's Big Virus 2005-04-22
Anonymous
Apple's Big Virus 2005-04-23
Anonymous
Apple's Big Virus 2005-04-24
Anonymous
Apple's Big Virus 2005-04-24
Anonymous
Apple's Big Virus 2005-04-24
Anonymous
Apple's Big Virus 2005-04-24
Anonymous
Apple's Big Virus 2005-04-24
Anonymous
Apple's Big Virus 2005-04-24
Anonymous
Apple's Big Virus 2005-04-24
Anonymous
Apple's Big Virus 2005-04-24
Anonymous
Apple's Big Virus 2005-04-24
Anonymous
Apple's Big Virus 2005-04-25
Anonymous
Apple's Big Virus 2005-04-25
Anonymous
Apple's Big Virus 2005-04-22
Anonymous (2 replies)
Apple's Big Virus 2005-04-24
Anonymous
Apple's Big Virus 2005-04-25
Anonymous
Apple's Big Virus 2005-04-22
Anonymous (1 replies)
Apple's Big Virus 2005-04-25
Anonymous
Apple's Big Virus 2005-04-23
Anonymous
Apple's Big Virus 2005-04-24
dave (1 replies)
lol 2005-04-25
bob (2 replies)
lol 2005-04-26
Anonymous
lol? Not me, I'm crying... 2005-04-30
Anonymous
Apple's Big Virus 2005-04-25
Anonymous
Apple's Big Virus 2005-04-26
Anonymous (2 replies)
Apple's Big Virus 2005-04-26
Anonymous
Apple's Big Virus 2005-04-27
Anonymous
Apple's Big Virus 2005-04-27
Anonymous
Warez and Office Mac 2005-04-29
Anonymous
Apple's Big Virus 2005-04-29
Anonymous
Apple's Big Virus 2005-04-30
Anonymous

Copyright 2009, SecurityFocus