
2007/03/29

OS Vulnerabilities Compared

Matthew Vea at OmniNerd has put together a fascinating report detailing the vulnerabilities of about a dozen operating system variants. I’m in awe of the simple yet effective method he used to cut through the fog:
  1. Install the OS as default-ly as possible. Scan it with nmap and Nessus during the installation.
  2. At completion of installation, scan again.
  3. Install relatively common listening services and scan again.
  4. Install the latest ‘major patch’, and scan again.
  5. Finally install all ‘minor patches’ published prior to Jan 1 2007, and scan again.

I very much encourage you to read the full report, but one thing I sorely missed was a summary chart so I could get a better sense of what all that verbiage really means. So I created one – you see it below.

Some important points about this summary chart:

  • I left out the ‘mid-install’ scan info. I’m assuming y’all have the sense not to build your critical machines whilst connected to attack-prone networks.
  • The study mentions local vulnerabilities in one or two places, but is primarily concerned with remote vulns. In the ‘vulns’ column I list only those remote-exploitable vulns found by Nessus.
  • I’m not 100% sure I have the numbers exactly right. In some places the report was confusingly worded. I think I have preserved the author’s intent and I really hope he’ll let me know if I fumbled the ball.
  • I list port names for a reason. It seemed to me that in at least some cases, the choice of services to install in the ‘services installed’ config was a bit arbitrary. I note that some server OSes have a web server enabled, some do not. So I thought this was important to include!
  • ICMP is not counted as one of the open ports.
  • As best I can tell, no firewall is enabled in any of the tests. In some cases, default firewalls were explicitly shut off.

There’s a lot to be learned here. For now, I’m drawing no conclusions. But I welcome yours, in the comments!



I'm sorry the above image is so small - click it to see at readable size. I tried to use an actual html table, so you'd be able to cut/paste from it, but I'm learning that Blogger likes to mangle html in its own special ways, so for now we'll have to make do with this image.

2007/03/23

MTBF: Not What You Thought

It has recently come to my attention that most of us in the trade have basically the wrong idea about MTBF. You know the term, right? Mean Time Between Failures - which is a figure we often look at; especially when we choose disks for our arrays. The problem? In the words of the great Inigo Montoya:
You keep using that word. I do not think it means what you think it means.

A little reading over at Wikipedia will soon dispel you of the idea that when a disk's spec-sheet says the MTBF is 50 years, that disk will actually last 50 years. Oh, hmm, you say you took a look at that Wikipedia page, and the math scared you? Yeah - me too. So let's ask Richard Elling (Sun.com) to cut through the fog with a real-world example:


MTBF is a summary metric, which hides many important details. For example, data collected for the years 1996-1998 in the US showed that the annual death rate for children aged 5-14 was 20.8 per 100,000 resident population. This shows an average failure rate of 0.0208% per year. Thus, the MTBF for children aged 5-14 in the US is approximately 4,807 years. Clearly, no human child could be expected to live 5,000 years. Similarly, if a vendor says that the disk MTBF is 1 Million hours (114 years), you cannot expect a disk to last that long.

Oh. Well, dang. I guess that disk ain't very likely to last 50 years!

My rule of thumb? Check the warranty coverage. The manufacturer with the longest warranty at the lowest price is the one most confident in the durability of their drives.
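To make Elling's point concrete, here is a small added example (not from the original post or from Elling) that turns an MTBF figure back into the failure rate it actually encodes, then goes one step beyond the quote to show what a 1-million-hour MTBF predicts for a whole array over a 3-year warranty window. The exponential (memoryless, independent-failure) model is an assumption of this example, not something the post states.

```python
import math

HOURS_PER_YEAR = 8760  # 24 * 365

def mtbf_years_from_rate(failures: float, population: float) -> float:
    """MTBF implied by an observed annual failure rate.

    With the quote's own figure, 20.8 deaths per 100,000 per year,
    this returns 100000 / 20.8 = ~4807 years: a rate, not a lifespan."""
    return population / failures

def annual_failure_rate(mtbf_hours: float) -> float:
    """Fraction of a population of drives expected to fail per year of
    continuous operation; this is all the MTBF number really says."""
    return HOURS_PER_YEAR / mtbf_hours

def expected_failures(mtbf_hours: float, disks: int, years: float) -> float:
    """Expected number of drive failures in an array over a period."""
    return disks * years * annual_failure_rate(mtbf_hours)

def p_at_least_one_failure(mtbf_hours: float, disks: int, years: float) -> float:
    """Probability of at least one failure in the array, assuming failures are
    independent and memoryless (exponential model; an assumption here)."""
    return 1.0 - math.exp(-expected_failures(mtbf_hours, disks, years))

if __name__ == "__main__":
    print(f"children 5-14: MTBF {mtbf_years_from_rate(20.8, 100_000):.0f} years")
    mtbf = 1_000_000  # the vendor figure from the quote, in hours
    print(f"1M-hour disk: {mtbf / HOURS_PER_YEAR:.0f} years MTBF, "
          f"annual failure rate {annual_failure_rate(mtbf):.3%}")
    for n in (1, 12, 100):  # constructed array sizes
        print(f"{n:4d} disks over a 3-year warranty: "
              f"expect {expected_failures(mtbf, n, 3):.2f} failures, "
              f"P(>=1) = {p_at_least_one_failure(mtbf, n, 3):.1%}")
```

A single drive with a 1-million-hour MTBF has under a 1% chance of failing in a year, but a 100-drive array built from them should expect between two and three failures before the warranty runs out.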

2004/08/23

First Things First

For those of you wanting to get started implementing or learning about security, I highly recommend SANS' First Things First paper. Starting with the venerable OSI model and moving quickly through a few network device and protocol primers, various network security methodologies, antivirus, and finally various host-hardening guides, this is the nuts and bolts of security exposed in a purposeful way. I particularly applaud this guide for directing people right to the RFCs for various network protocols, rather than the 'explanations of explanations' type of documentation which is becoming all too common these days.

Excellent reading for anyone who wants to become a better admin, whether focused on security or not.

-Thanks to the folks writing the ISC Handlers Diary, which has become part of my daily morning read.

2004/07/31

RAID Info

When I saw this picture, I knew it was time to bring some mass storage links to the front page. So here we bring you some basic RAID information.

These are the basics, and will at least clear up the confusion on which RAID level is which. The problem, however, is that deeper knowledge is hard to find. You'll see many pronouncements similar to 'RAID1 is faster than RAID5 because of increased mechanical overhead', but you'll find little actual test data proving these assumptions. It is important to note that mechanical performance is not the only determining factor in this day of cheap RAM caches. This dearth of empirical data seems to stem from the fact that all RAID controllers are different, and no one seems to be doing comprehensive tests in this area. We all have our little RAID prejudices, but few of us have good data to back up our claims.

If you know where to find good and recent performance data on a variety of RAID layouts and configurations, clue us in by adding a comment below!

The Egoless Admin / PacketAttack

Today we bring you a link to The Egoless Admin, a short but worthwhile read on dealing with difficult users. We really like point #5, but we think they are all good. Yesterday was sysadmin day, but every day is user day!

Since that was such a short blurb, we also recommend packetattack.com as an excellent education and resource site for the network administrators among us. Packetattack has several excellent tutorials, a comprehensive list of links to the best of Cisco's site, and a valuable security section, among other things. We're pretty sure Ann Coulter* wouldn't visit Packetattack!

--
*Actually we have no idea - this is just more gratuitous name-dropping from Google's of popular searches. Is the hit counter going crazy yet?

2004/07/27

Microsoft Threats and Countermeasures Guide (Win2003/XP)

Those seeking to secure their Wintel systems have often referred to various third-party lockdown guides such as the NSA Security Recommendation Guides. At long last, Microsoft has released a more comprehensive reference to the various security settings in Win2003/XP (though much of this should also be valuable reference material for Win2000 systems). The well-organized paper lists all of the settings you'll find in the local and group policy objects, along with vulnerability assessments, countermeasure recommendations, and potential impacts. Definitive item-by-item lists and descriptions are provided for domain-level policies, audit policies, system services, security options, registry settings, and more.

This is administrative gold for all Wintel admins, but especially valuable to anyone building corporate images or deeply involved in security. Get it here.

2004/07/23

It's Friday. You want a laugh and some practical networking knowledge? We're here for you!


... and more at routergod.com.

2004/07/13

IIS 6 security evaluation + tips

SecurityFocus presents an excellent article on what makes IIS 6 more secure than previous versions.

This is a worthwhile read, and excellent supporting material if you're trying to make the case for an upgrade. Also included are some tweaking tips, yet the article is a quick read.
For those already running Win2003/IIS6, I recommend these lockdown papers from SANS: Security Elements of IIS6 and Securing IIS: From the OS, Up.

2004/07/06

Free Cisco training materials

UPDATE 2005/11/05: the links and text below are a bit out of date. Professor Basham's guides are now here. You can buy them in print - or download for free.

Florida professor Matt Basham has written a Cisco training manual, and he's giving it away (the link is a big Word file. If PDF is better for you, try this instead). I've quickly scanned the text, and it seems to start off with REALLY basic stuff, like how to open a command prompt (!!). But there are >450 pages here, and they do appear to cover many of the basic and intermediate subjects a network admin needs to know, with many lab scenarios included. This first draft (he promises another) has no table of contents or index.

Reading through the comments on the Slashdot article, I also found this link. The guy claims to give away a lot of free knowledge at his site and sell a couple of low-priced Cisco study guides. However I was unable to confirm, as I'm still waiting for the membership mail. Slashdotted? {Edit 10/28/2004: looks like the site's been abandoned - and defaced by J. Random Cracker.}
These will come in handy at a later date, if my plans to put a Cisco lab online are realized. I hope to make it accessible for free, or at very low cost.

source: Slashdot