by DonkeyChan 3321 days ago
MS Support consistently and repeatedly told me that enterprise allowed me to disable this stuff. If I can't control the egress then I can't verify PCI compliance. I've already had to revert a client to Win 7 because they failed a PCI compliance audit using Win 10 Enterprise. Which, by the way, is very expensive for small businesses. Win 10 Enterprise isn't viable for business. I have a bunch of small business clients and I've had to use a whitelist firewall to pass PCI compliance, someone said here that a whitelist firewall is borderline unusable. I've sunk so much time into that solution and I can attest, it's not viable.

It's kind of interesting, is it common for you to have Win10 systems in scope for PCI compliance?

It seems unusual to me if any desktop systems are anywhere close to card data, IMHO usually you'd have in scope only a bunch of servers (so, Linux or Windows Server for normal businesses who don't have a reason to wrestle mainframes) in an isolated network, but most of company computers including all the user desktops shouldn't have a way to touch in-scope data or systems in any way whatsoever, so if they're properly isolated (as they should be anyway) they would be out of scope for most of PCI DSS requirements.

Wouldn't call centers for online retailers need compliant desktops? How do they deal with customers who prefer to call an agent and read their card number over the phone?
I wouldn't assume these sort of desktops would even run windows at all.

A large BestBuy-like place here in Argentina has their sales terminals boot over PXE into some form of *nix straight to the sales systems with no real internet.

A bank nearby boots the account executive's systems right into KDE, on some pretty locked machines.

Windows 10 in any of those scenarios would be a laugh, I can't even begin to think why someone would pick it for anything that requires security audits.

It's depressingly popular in the US for small & mid-size retailers and businesses. NCR, Loc, IT Retail, et al. are built for Windows, and in the pharmacy arena you've got major companies like CVS using stuff from companies like Integra (not the telecom company, the pharmacy one) that think moving to SQL Server 2008 and C# with a full rewrite is the route to go for their major PCI compliant products.

It confounds me that locking yourself into a shrinking platform is what these players choose to do. Walmart doesn't use Windows in PCI related situations, nor do the big boys, all are on SLES running a POS atop that.

If you're gonna do a rewrite, why lock yourself into one OS and into one database? Database connectors are a thing, and they aren't hard to use...

In all fairness, writing in C# and targeting SQL Server is not locking you into Windows unless you use WPF or other Windows specific parts of the framework.
O_o

Sure, you can technically run C# on a Linux box (eg: Debian), but the last few times I had to (to interface with some point of sale hardware) I literally ended up just rewriting the driver in python. No desire to maintain something so foreign to the rest of the codebase when python can handle serial devices just fine.

Wrt not using a database connector, just why? You're literally locking yourself to the SQL Server licensing model, which blows up when you allow BYOD on every Android phone, and they're all connecting back to your SQL Server. Postgres and MariaDB meanwhile have no issues. Let alone if you hit the 10GB DB size cap, or need more than 1 CPU core or 1GB of RAM to cache your database.

Not sure why you're getting downvoted. We use .net core together with SQL Server on Linux boxes in production, no issues whatsoever and we can finally use a programming language which is actually pleasurable to code in.
Retailer customer service people generally do not need compliant desktops, because the systems they can access should not be storing protected data - maybe it would contain masked PAN i.e. the last four digits, but definitely nothing more.

For phone authorizations (if they are used - it may be a regional thing as most smaller online retailers here won't do it at all, banks really frown on merchants who do so because of risks and make it really expensive), generally the agent would use a similar interface as an online customer (encrypted channel, yadda yadda), and the card information would not be stored anywhere on that machine. Whether all kinds of PCI DSS security requirements would apply to these workstations is debatable, your mileage may vary, I've seen them considered out of scope - but in that case it wasn't really a call center for taking transactions but a support call center that might also handle a phone authorization in rare cases.

In any case, for a call center the biggest PCI compliance problem IMHO is handling the sensitive data in call recordings.

A lot of these places still use old fashioned terminals. The hardware is cheap, lasts years, and no PC headaches.
Use LTSB. Microsoft tries to scare you into not using it because it doesn't support the Windows store or Edge or have telemetry or any of that fun stuff.

But they keep coming out with respins of it to otherwise keep feature parity with CB Enterprise. A 2017 LTSB based on 1703 should be out soon.

They already lied with Enterprise. What indication is there that LTSB editions won't suffer the same fate, if they haven't already?
> Microsoft tries to scare you into not using it because it doesn't support the Windows store or Edge or have telemetry or any of that fun stuff.

Scare me? It sounds like those awesome stripped down versions of XP that pirates removed all the cruft from back in the day.

You were able to do it yourself with nLite.

Memories!

So, how/where do you gain access to buying this as a private customer? (willing to do this the long twisted way if there is a way)
I went through the same thing last year. I spent two months trying to plug all the holes in the enterprise version, for a medium sized healthcare client, and eventually gave up.

The LTSB edition looks promising but I haven't put it under the microscope yet.

LTSB (aka: long-term servicing branch)

I'm not sure if it's comedic or tragic that the version so very many users would want most, is not only the version with the worst name, but also the version Microsoft discourages people from adopting.

Critical patch support, infrequent updates, and excludes crufty bloatware. What's not to like?

> but also the version Microsoft discourages people from adopting.

Not surprising, because MS wants to push all the features (and ads, telemetry, etc.) to users regardless of whether they actually want them.

Indeed I wish MS would just keep supporting XP as the "Windows LTSB" with nothing but critical security patches, and keep doing it until the OS becomes nearly invulnerable to remote attacks.

Playing whack-a-mole with memory corruption vulnerabilities isn't how you create a secure operating system.
The OpenBSD folks seem to be doing alright.
> Indeed I wish MS would just keep supporting XP as the "Windows LTSB" with nothing but critical security patches, and keep doing it until the OS becomes nearly invulnerable to remote attacks.

I lol'd. You'd probably be pretty safe with Windows 3.11, Trumpet Winsock, and Netscape Navigator.

edit: so long as nobody got your public IP and used Winnuke on you.

I think this is what the ReactOS project will eventually become (which to me would be a great thing). They just released v0.45, if you haven't seen it yet.
say, if I wanted to use it at home, would steam run on it?
Yes. All software that runs on Windows 10 Home or Pro will also run on Windows 10 LTSB, as long as it doesn't depend on the Windows Store, Cortana, or the Edge browser.

Microsoft offers 90-days evaluation ISOs of Windows 10 Enterprise and LTSB [1]. Just be sure to select "Windows 10 Enterprise LTSB" instead of "Windows 10 Enterprise" when downloading [2].

[1] https://www.microsoft.com/en-us/evalcenter/evaluate-windows-...

[2] http://i.imgur.com/DyEfZbq.png

From what I've heard from people running LTSB it's absolutely awful. Driver support is abysmal and lots of desired Windows features don't exist on it.

There's apparently some new LTSB on its way but this aside it is not the panacea this thread makes it out to be.

I am a person who runs LTSB for coding/RCE/gaming. Everything runs without a glitch after initial setup. At the start you do indeed have to do some stupid things such as restoring Windows Photo Viewer because images open with Paint, but it's way better than what the "full" version offers.
I would consider that a bonus and install IrfanView.
Why would the drivers be different?
I feel your pain, it's a nightmare for HIPAA compliance as well.
I'm curious what was the biggest issue with whitelisting. Was it about making sure services work, or about standard users' daily work? Did you try to comply on everything, or just have a PCI compliant zone?

Also, do you remember what was the specific reason for failing the audit? This all sounds interesting since you've gone through that experience.

Some of this stuff goes via CDNs. Once you start blocking those, a lot of collateral damage will turn up at unexpected times as providers switch CDNs.
All of the first-party connections seem to have proper DNS names, even on CDN (microsoft.com, microsoft.com.akadns.net). The ad networks are obvious third parties that could be dropped. I mean, there could be more stuff I didn't see, but from the screenshots, DNS blackholing seems viable.
DNS blackholing is playing whack-a-mole. I can blackhole scontent.xx.fbcdn.net today, and I have no assurance or confidence that they won't use scontent.xx.fbcdn2.net tomorrow.

DNS/FW whitelist is the only way to have even a little confidence that egress is controlled at this point.

I meant blackholing as a technique. It can be either a blacklist or a whitelist, and yeah... whitelist seems more secure here
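To make the blacklist-versus-whitelist point above concrete, here is an added example (not code from anyone in this thread) that runs both policies over a few constructed DNS query-log lines. The log format, the client address, the allowed suffixes and the vendor hostname are all assumptions for the example; the fbcdn names are the ones the thread uses.

```python
"""Egress DNS check: blacklist vs whitelist over constructed query-log lines."""
import re
from typing import Iterable, List

# Constructed sample resolver log (not captured from any real system).
# Assumed line format: <timestamp> <client-ip> query <qname>
SAMPLE_LOG = """\
2017-04-01T10:00:01 10.0.0.12 query settings-win.data.microsoft.com
2017-04-01T10:00:02 10.0.0.12 query v10.vortex-win.data.microsoft.com.akadns.net.
2017-04-01T10:00:03 10.0.0.12 query scontent.xx.fbcdn.net
2017-04-01T10:00:04 10.0.0.12 query scontent.xx.fbcdn2.net
2017-04-01T10:00:05 10.0.0.12 query pos.example-vendor.internal
"""

LOG_RE = re.compile(r"^\S+ (?P<client>\S+) query (?P<qname>\S+)$")

# Blacklist approach from the thread: block the names seen so far.
BLACKLIST = {"scontent.xx.fbcdn.net"}

# Whitelist approach: only names under these suffixes may resolve.
# Suffix list is an assumption for this example; in practice it is built
# from the names observed while the in-scope application is exercised.
ALLOW_SUFFIXES = ("microsoft.com", "akadns.net", "example-vendor.internal")


def normalize(qname: str) -> str:
    """Lower-case and drop a trailing dot so suffix comparison is exact."""
    return qname.lower().rstrip(".")


def in_suffix_list(qname: str, suffixes: Iterable[str]) -> bool:
    """True if qname equals an allowed suffix or is a subdomain of one.
    Matching on the label boundary stops 'notmicrosoft.com' from
    passing as 'microsoft.com'."""
    q = normalize(qname)
    return any(q == s or q.endswith("." + s) for s in suffixes)


def parse_log(text: str):
    """Yield (client, qname) for each well-formed line; ignore the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("client"), normalize(m.group("qname"))


def blacklist_hits(text: str) -> List[str]:
    """Names a blacklist would have blocked (only what was listed)."""
    return sorted({q for _, q in parse_log(text) if q in BLACKLIST})


def whitelist_violations(text: str) -> List[str]:
    """Names a whitelist flags: anything not under an allowed suffix,
    including the renamed CDN host the blacklist never heard of."""
    return sorted({q for _, q in parse_log(text)
                   if not in_suffix_list(q, ALLOW_SUFFIXES)})


if __name__ == "__main__":
    print("blacklist blocks:", blacklist_hits(SAMPLE_LOG))
    print("whitelist flags: ", whitelist_violations(SAMPLE_LOG))
```

The blacklist catches only scontent.xx.fbcdn.net, while the whitelist also flags scontent.xx.fbcdn2.net without anyone having to predict the new name.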
>MS Support consistently and repeatedly told me that enterprise allowed me to disable this stuff. If I can't control the egress then I can't verify PCI compliance.

Not that this is necessarily the best solution, but these sound like damages to me.

Perhaps a class-action suit may come of this?

Or you could simply use Linux.
Use Linux and blacklist any package that calls home. Ubuntu's Amazon search integration won't be the only black sheep out there.
Or better, if you're worried about PCI compliance - start with a minimal system and whitelist specific packages that do not call home. Does that computer actually need all that software that comes with a default install? (Most likely not)
Did they complain to MS? I imagine that MS would care a lot about losing enterprise sales.
I don't think they do it on purpose. I think Windows is just a patchwork of cruft at this point.

I'm sure the Enterprise version shares all the code with the non Enterprise versions which have all the spying ... analytics... enabled, so bugs are bound to happen that let this escape into the Enterprise version.

Whether it's incompetence or malice, it's wholly unprofessional.

My confidence was already shaken with MS through their entire Win 10 campaign and it's now completely gone. Their paid support services are hit and miss and if I'm going to end up supporting things that my client is paying MS to support then they're out and my client gets a smaller TCO overall. I'll have to work with some of them so their businesses remain viable during the transition but I'm willing to do that. Their growth is our growth. Payment plans, trade, whatever we can come up with to make this happen. For every one thing MS has done, loudly, in the attempt to instill trust they've done 5 things, quietly, that harm it. There are too many viable platforms available and if money is the only obstacle then I'll mitigate that for our clients' benefit.

Agreed. Their forced Windows 10 upgrade "mistake" and my experience last year trying to plug all the holes in enterprise just to watch them re-install Candy Crush Saga with the next update vaporized any confidence or trust I had.

I've always been an MS person but am running Ubuntu on all of my devices now. I feel it hurts my productivity as lots of things I did in Windows just don't work in Ubuntu, but it's better than the alternative. I have a Windows 10 VM that I use every once in a while for those things that are completely impossible on Ubuntu.

And I'm not even sure I can trust Canonical.

I switched about 10 years ago. Before that I was windows 100% on desktop. I had similar issues at first but gradually became pretty comfortable with Ubuntu and Linux in general. Some things are more of a pain and may always be in Linux but overall the experience for me has been that things have been getting easier with time. I think that for better or worse as more applications move to the web the change will be easier and easier. What are some examples of things that are hurting your productivity?

Canonical did some stuff that upset a lot of people with sending search results through Amazon but that could be opted out of much easier than all this windows 10 stuff. I have also read that they don't contribute to the kernel as much as some think they ought to. And they have a tendency to fiddle with their UIs endlessly (I use xubuntu which is based on XFCE and avoids a lot that bikeshed renovation). Are there other reasons not to trust canonical?

I don't mean to pry with either question just generally curious.

I don't mind the questions at all. I hope you didn't want the TL;DR version.

Some of my pain points. Many probably have solutions, but I'm stuck between spending time dealing with it the way it is, and spending time finding a solution. These are not in any particular order:

1. Serial communication (terminal, for interfacing with console ports). I tried a few programs that didn't really work right away, and settled on PuTTY as that's what I used in Windows. Except PuTTY under Ubuntu has no menu bar -- just an X to close it, and I can't copy or paste anything in or out of it. I also have to run it as root to access /dev/ttyUSB0 (I know I think there is a setting for this, just hasn't been important enough to spend the time looking). The copy/paste is the most annoying part.

2. Office(Outlook in particular) -- I tried a few options, even found a plugin for Thunderbird that would let me connect to an exchange server, but it just never quite worked right. I've adapted and am using OWA now, but I feel like it slows me down. I haven't yet been able to get Office >2007 running under Wine (not saying that I can't, just time vs benefit)

3. Google Earth Pro - I used this almost daily. I finally got it running under wine, but it's an older version, and many features don't work, such as searching by address. And any time it's running it leaves a shadow on the bottom of my screen, on top of all other applications.

4. Right-click shell interaction with 7-zip. Ubuntu's archive manager just doesn't seem to work right sometimes. I really miss right click > extract to ... or Extract all to (asterisk)\

5. PUTTING AN ISO ON A USB DRIVE. This is one of the more shocking ones and is something I can't even use the Windows 10 VM for because I'm not able to get USB passthrough working. Something as simple as firing up Unetbootin or Rufus and plopping an ISO on to a USB drive is nearly impossible on Ubuntu. I have Unetbootin, but have yet to get it to work. Haven't found Rufus yet for Linux/Ubuntu.

6. Network manager. It's always crashing and it never does what I want. Sometimes I just want to set a f*cking IP address on an interface and don't want to jump through 15 hoops. I might need to set addresses in 20 different networks in a single day. If I do it with ifconfig, the network manager "fixes" it for me. I have seriously resorted to using "sudo watch -n .2 ifconfig eno1 192.168.1.5 netmask 255.255.255.0" to set and keep an address on an interface.

Sometimes when it crashes and refuses to scan wifi networks(or 4g networks) I can just sudo service network manager restart, other times it takes a complete reboot.

7. I get random errors that pop up all the time "A system error has been detected, would you like to send a report to Ubuntu? With the default set to yes" -- never bothered to look for the error and it doesn't seem to coincide with any behavior I've seen.

8. RDP -- Remmina is pretty close to good enough, but sometimes I find copy/paste doesn't work, and the VNC function seems to have some compatibility issues.

9. CD/DVD Writing -- a problem solved long ago in Windows still gives me headaches in Ubuntu. System stutter will toast a disc, if I can even get it to burn at all.

10. Lock screen issues(not really productivity related...) Sometimes I will lock the desktop and close the screen(I don't often use standby) -- and open it back up and can use the desktop for 10-20 secs without entering a password. Then, as if it forgot, it will toss the locked screen up there and make me unlock it.

11. Task switcher grouping. I wish there was a way to turn this off without using the static application switcher. I alt-tab A LOT and don't like the delay I have to take in order to switch windows in a single application. To be fair, I hate the newer Windows behavior also that regroups windows in alphabetical order after the top few.

12. There's always some vendor rabbit hole that I get sucked into that would be easier to deal with on Windows. Maybe Dell packaged a bios update in a .exe file that can't be extracted without a Windows box(yes probably with Wine, but how much time am I going to spend getting that .exe to run?). Or some SAN management application, and don't even get me started on Java and Cisco's SDM, or some special VPN program I have to use to access a client's network that doesn't have a functional linux version, etc...

Those are the ones at the top of my head. I realize most can probably be solved with some time spent, but I'm still not yet nimble enough in linux to effectively compile/recompile things without following a step-by-step somewhere, and then when I do that, I'm left to my own devices to keep it updated, something I'd rather not spend cycles doing.

I'm running 16.04 LTS on a Latitude E7250 laptop. Chrome (not Chromium) is my main browser. There are tons of things that Ubuntu handles very well, and I paid nothing for it, so I can't complain much. One of the big complaints I've heard about Linux vs Windows on laptops is battery life -- but I'm happy with what I get. Depending on what I'm doing, it will last anywhere from 2 to 12 hours. Standby and resume work well, though sometimes it seems that it shuts down instead of standby (though I haven't ruled out fat-finger in these cases), and all in all I think they've come a long way to making a usable OS for someone like me that's been using Windows since 3.0 (though I'm quite comfortable on a command line).

As for the trust, it's mostly because I know TINSTAAFL, and as it's free, I wonder where Canonical's interests are. The constant pestering to send error reports to Canonical is reminiscent of Windows trying to upload my crashdumps to MS. Whether or not these are memory dumps, I don't know, but to me error report is often = crashdump = memory dump = whatever info was in memory at that time is fired off to who knows where into an environment with unknown security.

Some legit complaints for sure.

Network manager pissed me off so much that I stopped using it. I recommend just shutting it off. All it seems to do is run the bash commands for you. Might as well just run them yourself.

Same with burning ISOs, it's easier to just use command line tools. The most dead reliable USB ISO burner I've used is the dd command. I've used it to burn all sorts of crazy stuff that Windows refused to write.

I won't address everything, just a few tips:

1) sounds definitely like a permission problem. Is your user a member of the dialout group? If not, add it there, re-login and try again. You should not be forced to use the root user.

2) Exchange is a problem. There are several solutions, none of them is all that great: a) use Evolution, b) use Thunderbird with the proprietary plugin, c) use a proxy like davmail (davmail.sf.net).

3) There is Earth Pro for Linux too, it just isn't advertised. After installing the regular Earth, it will install also a repo for updates. Check what else is there in the repo - in the .rpm repo, there is the pro version. It has some bugs though - every time I try to use GPS tracing, it crashes.

5) Most distributions have a utility to make a boot drive. There are also other ways. If you intend to boot via UEFI, there's no need for special utilities to make the USB key. Just copy the ISO content to the USB stick, on a FAT{16,32}-formatted partition. If the UEFI bootloader can find the EFI directory in the root and its content, it will boot fine.

This will not work for some Windows editions, though. For example, Windows 2012R2 has an install.wim larger than 4 GB, so it won't fit on a FAT filesystem.

6) Do not fight the NetworkManager with ifconfig. If you want to use NetworkManager (and you want, if you use wifi, wwan, etc), change the IPs with nmcli. It's the command-line interface to NM, so it will take note of this change and it won't cause a difference between what the config files say and what is the reality on the interfaces.

I don't understand how people aren't screaming about point 10 - I haven't had a linux distro which didn't do that, Ubuntu, Mint, Fedora, Arch - they all had this exact issue.

I close my laptop, it goes into sleep mode, I open the screen and my desktop is just there, I can happily use the browser, open apps, run commands, whatever, and then 10-20 seconds later the lock screen kicks in. It's insane that the architecture of the system even allows it to happen.

Long Time Ubuntu user feels your pain - I've solved most of the pain by using KDE (kubuntu backports ppa on 16.04) or switching to Arch with KDE.

Subjective List - only a few good solutions:

1. screen can be used for serial stuff - also allows logging everything to file and copy&paste - you add yourself to a group that uses that device if you don't want to be root.

2. Yup. It's a pain point. There is stuff like Play on Linux that eases some WINE pain points.

3. There is a Linux version: https://www.google.com/earth/download/gep/agree.html

4. Blame Gnome/Ubuntu. KDE is better in that regard (I know, not the answer you want to hear)

5. Depending on the ISO dd is good enough. geteltorito is your friend: https://userpages.uni-koblenz.de/~krienke/ftp/noarch/getelto... - https://wiki.archlinux.org/index.php/Flashing_BIOS_from_Linu...

6. Yes. NetworkManager is a pain point. Plasma NM (KDE) works fine for me. There is nmcli that you can use via command line. It's not totally straight forward but should be good enough for automation.

7. This is apport - you can disable it - another major Ubuntu pain point. http://howtoubuntu.org/how-to-disable-stop-uninstall-apport-...

8. Yes. Remmina crashes for me a lot of times, I'm not using VNC that often but it's kind of a pain in the ass. You could try using plain rdesktop and reading up on details - I've switched to NX where it is possible but it's also not perfect.

9. Only ever burned with k3b and never got problems.

10. Lightdm lockscreen sucks :( - sddm (again KDE) works far more reliably for me.

12. kwin/KDE gives you all the options. There might be some hidden GNOME or Ubuntu Tweak tool settings but I stopped bothering.

Battery life: powertop + tlp and it's now better than Windows for me (on an Ivy Bridge i5 HP notebook, should work similarly well on a Dell with Intel)

I think PuTTY for Linux will show a menu where you can access settings if you press Alt-Space (and that key isn't bound by your WM). You can change the copy/paste behavior in the PuTTY settings before you open the initial connection and save it as the default configuration (also scrollback settings).

Use K3B to burn CDs and turn on Burnfree/whatever it's called.

1. I use minicom, but you may not like it.

2. Good point. What did you use? Exquilla, DavMail?

5. Use etcher!

9. k3b is the answer

Finally I think that Fedora/kde or Mint/cinnamon have an overall better user experience than Ubuntu.

> 5. PUTTING AN ISO ON A USB DRIVE

  dd if=myiso.iso of=/dev/sdx && sync
Be careful! :)
The simplest way of getting a serial terminal under Linux is to run screen under your preferred graphical terminal program. First parameter is the port, second is the baud rate, Ctrl-A shift-K exits. To access the serial device without root you need to add your user to the appropriate group, probably dialout.
Alt ` (backtick) switches between windows in the same app for me - maybe not ideal but might help.
The fact that they renamed the telemetry setting from "Off" to "Security" is no coincidence.
Point taken...
Multibillion corporations with tens of thousands of programmers don't do things randomly.
It sounds like the problem is that you didn't set your client's system up properly for PCI compliance. Don't blame Microsoft for your technical incompetence!