‘The most secure Windows ever’ may be very secure from hackers and malware – but what do you do when Longhorn Server lets you install the OS, set up Active Directory, and initialize the domain without once asking you to even create an administrator password? “What happened to Windows Server? Where did all of the stringent security checks and ultra-protection of Windows Server 2003 go? Windows Server 2000 was quite insecure, and Windows Server 2003 turned over a new leaf… But it seems Microsoft is more than willing to flip that page back – even Windows Server 2000 required an Administrator password at the very least.”
With Microsoft, security has always been an afterthought. They’ll add all that administrator stuff during the final RC3 phase.
With Microsoft, security has always been an afterthought. They’ll add all that administrator stuff during the final RC3 phase.
If they have time, what with eternity looming since XP was released…
Sorry for the stupid comment, but:
Ha ha ha.
I’m not really a Microsoft hater, but following the “saga of Longhorn” has been pretty fun.
The second link leads to the OSN-comments of this story? Woot O_o
I don’t see why setting an admin password is important for installations that will last for a week, installations that will never be used in a production environment.
Come on, Longhorn Server is still in development, the programmers have better things to do than to remember passwords. Enabling passwords and complexity rules is trivial as soon as Longhorn Server leaves the alpha stage and becomes beta.
OK, so ‘in development’ means that you can skip the security? Interesting thought. If programmers already have trouble in remembering passwords and enabling them, how would the rest of the product be?
I even know alpha quality code that works better and is more safe than production code of MS.
Security is something that should be written from ground up, not as an aftermarket item that may be purchased separately.
The sad thing is, Microsoft claimed they ‘learned’ from their mistake with XP.
In XP, security was an afterthought (not just with MS – in 2001 no one gave a damn about security really).
They *did* do right with Vista… But I mean, you would expect the server OS to be even *more* secure, wouldn’t you?
Yet, it isn’t… Sad.
From Wikipedia:
“The term release candidate refers to a final product, ready to release unless fatal bugs emerge. In this stage, the product features all designed functionalities and no known showstopper class bugs.”
So no, not still in development.
There is still a deployment process and part of that deployment process could be switching a flag to enable asking for an admin password during install.
IF it’s that simple, then why didn’t they bloody well turn it on then already?????
Or better yet, during installation, refuse to continue the installation programme until a password has been entered that is of a decent quality – 7 characters long, and not a real, dictionary based word, which should stop dictionary based cracking attacks.
That’s how Windows Server 2003 is… It’s REALLY secure – so far since ’02 only 6 major vulnerabilities… actually better than Linux/BSD… but Windows has a legacy and a curse, and with LH, it’s back.
True, but the issue is more to do with the Microsoft culture rather than NT itself; NT has the potential to be the most secure operating system out there, had they stuck to the original NT design, but they chose to compromise for the sake of convenience, ease of use and compatibility – it’s all coming back to bite them in the ass.
Personally, if they did do the above, it would be the *perfect* opportunity to offer customers *deep* discounts on upgrades and competitive upgrades for Microsoft’s middleware.
There is still a deployment process and part of that deployment process could be switching a flag to enable asking for an admin password during install.
There is simply no reason whatsoever to do that. You don’t just turn these things on. They need to be enabled right throughout the development process so people can actually see that it works.
Longhorn isn’t in the release candidate stage. Do not confuse Vista and Longhorn server — they’re two separate products.
Longhorn Server is not at the Release Candidate stage, only Windows Vista is.
What if you are testing the installation for security and where it is at with it??? I would think that security would play a role in any evaluation of a server product…
If it’s not there now I would feel a little off knowing that it can be added at a whim… To me that says that it can be removed as easily.
In a domain model there are no local administrator accounts on a domain controller therefore why ask for a password for an account that doesn’t exist?
Edited 2006-10-12 16:59
I believe you are right.
Who said anything about local?
That’s what makes it so disastrous: the DOMAIN admin account, the one that has complete control over everywhere and all over the domain – over every single PC joined to the domain, over the AD, over the DNS, over the DHCP and the ISA server and Exchange.
That one password controls everything; that’s why it’s THIS serious and that big of a deal.
Thank god for organizations like NST that point these things out – I think if no one said anything LH would ship with “admin” as the default password and no way to change it.
You cannot connect remotely to an account on a Windows system (XP and above) that does not have a password set.
Yet you can log onto any PC AS a user with no password and from there you can do whatever the hell you want.
It is a catastrophe.
“Yet you can log onto any PC AS a user with no password and from there you can do whatever the hell you want.
It is a catastrophe.”
Not in a domain model you can’t, and only in very special circumstances should local accounts be used.
Only if you are doing it locally. If you have local access, you can do whatever you want anyway. No one can log in remotely to the account whether it is on a domain or not.
MS doesn’t care about security of their OS, they do care about the amount of money, they want to release “OS” as fast as they can.. Shame on MS. Anyway, I don’t care about Windows at all. Not using it at all.. Only as gaming console with all services, funky colors turned off
That’s bullshit.
MS does care, obviously that is how they get their money… But they have something wrong in their heads that just how hard they try they can’t get the very simple stuff right.
Anyway, I don’t care about Windows at all. Not using it at all.. Only as gaming console with all services, funky colors turned off
I always find it amusing when I see posters claim they don’t care about Microsoft, yet they open threads about Microsoft products, and post comments.
From Wikipedia:
“The term release candidate refers to a final product, ready to release unless fatal bugs emerge. In this stage, the product features all designed functionalities and no known showstopper class bugs.”
The thing is that Vista Release Candidates are a fraud, they are really betas, just a Microsoft way of silencing the voices that demand the new OS to come out on Microsoft’s own schedule. It’s a good media trick, and we all fall for it, cos everybody loves anticipation.
So Vista sticking everywhere on the news (yes OSAlert too) year before a release, and people waiting for the new OS, the cutting edge and not trying anything else. And yes, we all have their attention. Remember new win being better than OS/2, 32bit and all, not around but just around the corner so we better wait for it. I wish people would grow a brain with a bit more memory, not just diggin propaganda time and again.
If you really think Vista RC1 is a “Release Candidate” a “Candidate” for a RELEASE, a real-world RELEASE, not some PR Virtual Reality word abuse, then the possibilities of your manipulation are really endless.
ps:sry for eventually bad english, not me native language
I think LH server is meant to be configured into a particular role, which sets all of its security policy and installed software. Perhaps the role hasn’t been configured yet in the dev build, so password reqs are off. Trust me, MSFT hires a lot of penetration testers and this would be caught right away if it were a problem.
“Security is something that should be written from ground up, not as an aftermarket item that may be purchased separately.”
As an unfortunate Windows administrator, I have to live this failure every day. Their notion of security is basically a slap in the face to the “worker” side of computer systems. Absolutely pathetic.
Windows 2003 was an improvement, but that doesn’t matter, since there are literally millions of improperly-set-up Windows 2000 servers out there, running in production where changes are very dangerous to various companies’ businesses.
You’re also right that there’s absolutely *no good reason* to let developers off the hook in this regard. Most of what runs on Microsoft platforms is applications, and my experience is that application developers couldn’t care less about security unless they’re forced to.
That is what Microsoft should have done in the first place, right from the start – forced application developers to operate in a secure environment.
Why, for example, did it take them until 2004 to develop an OS that formats hard drives with proper (or reasonably proper) permissions by default?
….when the ratio of spam to non-spam hitting my mail server is down to 1:1 at least. Not 10:1.
What the HELL does that have to do with Security????
Go talk to spamhaus and Brightmail…. and stop ranting about garbage.
Here’s a clue:
Windows Vista RC1
Windows Longhorn Pre-Beta 3
Get the idea? I agree with someone on the first comment page that passwords on a beta version are a hassle. And for that matter, hitting C-A-D and setting it is so much goddamn work, ain’t it?
AFAI recall Netware up to 5.1 — after that we switched to GNU/Linux — never asked for an Admin password during setup. Depending on the role of the machine we would set a password later on or not. Then, under Netware you could do zilch locally, how’s it with MS Longhorn?