[SLUG] RE: OT: M$ deals the final blow - effects of sp2?

From: Bryan J. Smith (b.j.smith@ieee.org)
Date: Sun Sep 12 2004 - 09:43:13 EDT


Patrick Grantham wrote:
> In short, will xp Sp2 foul up an xp machine talking to red hat samba server?
> If so what are the work arounds?

So far all SP2 seems to do for me is dork up any pre-Samba 2.2.11
releases. Microsoft skips a step in their own spooler procedure to
cause the smb service to crash. That's an interesting one.

Yes, it means someone on the Samba team didn't trap an error correctly.
But it also means either Microsoft introduced a bug, or purposely
modified the code to take advantage of crashing the smb service in these
older Samba releases.

On Sat, 2004-09-11 at 12:57, Chad Perrin wrote:
> Unfortunately, Microsoft isn't talking much about specifically what new
> "security features" they've included, but most of them seem to be very
> heavy-handed.

As with the design of the NTFS, I call it "false security."

As someone who has the MCSA/MCSE:Security specialty, they only hit on
about 2 of the 7 domains of the CBoK used in the ISC2 SSCP, and come
_nothing_ close to the full realm of the CISSP.

Microsoft doesn't "get" security, because they don't offer products that
address it. They won't publicly partner with a company that does
security. The attitude at Microsoft is "we only use what we make."

What they do _not_ tell you is they outsource any such
infrastructure/systems to other companies that provide it. E.g.,
sometimes these are even Linux systems (e.g., Aikami) providing
"Internet front-end" services.

> .. I know from personal experience, involving recovering a hosed-up
> system at a client's office, that SP2 is also quite draconian in its
> enforcement of driver certification.

SP2 should be installed _clean_. Slipstream your install directory,
build a new system image and clone from that.

> ... Upon installation of SP2 by the client (against the advice
> of my employer), Windows XP identified the driver for the SATA
> controller as being uncertified, and uninstalled it. When the computer
> was next rebooted, it no longer worked because in the beginnings of the
> boot process it decided it couldn't read the hard drive and, thus, there
> must not be a hard drive.

And the great thing is that you can't recover form this!

Time to get out the Linux password CD, it has a registry editor as of
January 2003. I had to do that once when I was on the road and my
mainboard blew. The chipset changed, so the ATA controller changed.
Even though I did have the driver, the registry was set to the old one.

> There are other problems with SP2 that might arise, including
> intentional breakage of some older versions of Samba connectivity, but I
> have yet to see SP2 break Samba connectivity in any clients' offices
> where a Linux server resides on the network. I suspect you're okay in
> that regard.

If you are Samba 3, no issues. I've only had printing with pre-2.2.11.
Although I did see some "interesting" logs until I upgraded from 3.0.3
to 3.0.5+ on a few systems.

Microsoft can't enable some SMB "security" features, like SMB signing,
because they are _heavily_broken_. I was at an out-of-state Fortune 20
company last fall and I worked first-hand with IBM and Microsoft
people. They couldn't get SMB signing to work.

We had other, similar issues with Windows implementations. Not good for
the application we were running. ;-ppp

> I'd still recommend avoiding it like the plague, though.
> Breaking down the network could easily be the LEAST of your problems.
> As I think I've mentioned, I'm ensuring that I use no MS OSes from here
> on out that are newer than Win2k SP2.

Yep.

-- 
Bryan J. Smith                                  b.j.smith@ieee.org 
------------------------------------------------------------------ 
"Communities don't have rights. Only individuals in the community
 have rights. ... That idea of community rights is firmly rooted
 in the 'Communist Manifesto.'" -- Michael Badnarik

----------------------------------------------------------------------- This list is provided as an unmoderated internet service by Networked Knowledge Systems (NKS). Views and opinions expressed in messages posted are those of the author and do not necessarily reflect the official policy or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:28:01 EDT