by alephnerd 1215 days ago
So I work in this space and I am honestly quite surprised by the users here who think a Linux deployment would do any better. They won't.

This isn't a Windows vs Linux vs Solaris vs BSD issue, this is a "did I manage and configure ACLs, RBAC, GPO, and other security features correctly" issue.

For example, I've had customers with RHEL 6.x environments that still got hit because they wrote a security group that allows all traffic from all ports from 0.0.0.0/0 (aka everywhere).

Security issues always come down to misconfigurations and the lack of best practices in my experience. In that regard, the MS suite is actually superior to Linux because if you need a Security Solution Partner, Microsoft Professional Services is infinitely more competent than the largest Linux solution partner right now (IBM).


I'm with you right up to the "infinitely more competent" line.

The big thing that Microsoft and Windows have against them, is the crapshow that is all that they include on a standard installation. That said, from what I'm seeing, this is not really unique to Windows anymore. Seems everyone wants everything on the machine.

So, yes, it is theoretically possible to set up all access rules correctly. But it is essentially a lines of code problem, at this point. Given a mountain of things to set up, you will make a mistake somewhere.

It's generally professional services that set up these deployments at scale. MS's PS team is extremely competent and does push best practices in my experience. The issue is organizations that cheap out and decide to have an IT Service Desk guy manage everything from deployment to network architecture to security - these are extremely hard problems that require a large team of SMEs, not a single guy doing the best he can. City of Oakland is one of those kinds of organizations IME.

The lesson here is that the City of Oakland and similar organizations shouldn't be deploying such systems at all. They should lay off most of their IT staff and outsource their entire IT infrastructure to one of the large vendors who has the resources and technical competence to deal with advanced persistent security threats. Blaming the OS vendor won't accomplish anything.

Microsoft is an MSSP as well. And they are one of the multiple vendors the City of Oakland uses. But vendors can only do so much for organizations like Oakland as the final decision and implementation ends up getting stuck in red tape and bureaucratic hell between multiple disjointed teams.

What I'm proposing is that cities should outsource their entire IT infrastructure to a single vendor who runs the whole environment, including security. City employees shouldn't have any authority in these issues beyond vendor selection. I understand that might be politically difficult but what is the alternative? It isn't reasonable to expect city employees to have the skills and resources to defend against advanced persistent threats.

There is still room for city employees and other vendors to exert some control over higher level IT services and applications. But the core infrastructure needs to be under the control of a single competent vendor.

IMHO the core issue is a lack of resources - they can't afford an outsourced vendor that will do stuff properly just as much as they can't afford to do the same thing in-house. There's barely a budget to get hardware, and definitely not to deploy it properly; there's barely a budget to replace what dies of old age, and definitely not to do proper maintenance and updates.

Then the Oakland city council should make hard choices and reduce discretionary expenditures in other areas. That's a shame and it will hurt underprivileged city residents who are already struggling, but they need to face reality. I hate that we essentially all have to pay a "tax" to protect against IT security threats but what is the alternative? There doesn't seem to be a cheaper option that actually works.

I expect that pricing has made it so most all smaller places are these kinds of organizations.

And the incentives are to keep it that way. As long as MS's PS team can make more money from one whale of a customer than they can supporting local districts, expect that this will remain.

Such that I don't think it is excusable to say "if only they had paid the professional services."

You don't need professional services all the time, assuming you make sure to hire a large enough team of SMEs of your own, but a lot of organizations simply view tech as a cost center and try to spend almost nothing on it. That is the kind of issue City of Oakland faces (for everything btw - for example, starting salary for teachers in OUSD is $50k compared to $70-80k in the rest of the Bay Area). Also City of Oakland does 100% engage with Microsoft PS, but they don't have the requisite staff and budget to finish building out best practices.

I clearly don't know all the specifics of their case. Such that, if you have closer information, I am not trying to gaslight you on what you know.

I am concerned with "best practices" in our industry, though. Too many of them are not geared to wide adherence and have fantastically bad failure cases.

All good mate! There are some specifics I don't (and don't think I can) get into, but big picture, a lot of the core best practices in configuration management and security do work; the issue is whether you are able to hire people who can actually implement and understand WHY those practices are in place and how to iterate if said practices don't work. Most organizations across the globe have barely gotten a handle on ACLs and Security Groups, but evangelizing best practices for Endpoint Security, Cloud Security, OT Security, etc. will take another 10-20 years simply because of inertia and the common sentiment that IT is a cost center.

Random think tanks doing thought leadership on CNN or at Brookings will jack themselves off to the notion of "online warfare" and whatnot, but those guys can barely type, let alone write cohesive policy.

I've been on both sides of this - both in the policy making world and in the private sector tech world - and cases like Oakland keep happening on a daily basis everywhere and will keep happening forever.

> Such that I don't think it is excusable to say "if only they had paid the professional services."

Would you apply the same logic to road infrastructure? Why hire those licensed engineers...

The target of the question is to the vendor of the road, though? If I pay to get roads installed and they counter that I should have paid for a more expensive process? Yeah, I'd say that is inexcusable. If they have strong reason to think that who they are selling to cannot maintain things correctly, they should consider not selling.

What specifically does a modern Windows installation include that is inappropriate or insecure in terms of default services or access rules?

Just exposing SMB on port 445 by default is a huge issue. The vast majority of systems do not need to provide this service, yet there have been two catastrophic RCE vulnerabilities (MS08-067 and MS17-010) in this service. Also, it's basically like an SSH service for attackers to move laterally within the network. If it's not a file server, domain controller or print server, it should probably be turned off or at least severely restricted to a whitelist of hosts.

Next, the NTLMv2 authentication protocol is on by default and vulnerable to relay attacks and offline password guessing attacks. Plus: pass-the-hash vulnerable. Huge problem in corporate networks.

I'd argue the broadcast domain name resolution protocols like NBNS or mDNS are unsafe as well.

Disclaimer: if you were just talking about Windows on your home desktop PC, then yeah nevermind.
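An added illustration, not written by any of the commenters: a read-only PowerShell audit of the three defaults the comment above lists (whether SMB is reachable on 445 and from which remote addresses, the NTLM and SMB-signing posture that relay attacks depend on, and whether LLMNR/NBNS are still active). It assumes an elevated session on the Windows host being reviewed; the registry locations are the standard policy keys, and nothing is changed.

```powershell
# Added example: audit-only, no settings are modified. Run elevated on the host under review.

function Get-Smb445Exposure {
    # Is anything listening on TCP 445, and which inbound allow rules reach it, from where?
    $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    $rules = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
        $pf = $rule | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '445' -or $pf.LocalPort -eq 'Any')) {
            $af = $rule | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Profile       = $rule.Profile
                RemoteAddress = ($af.RemoteAddress -join ',')  # 'Any' = every host on the network can reach SMB
            }
        }
    }
    [pscustomobject]@{ ListeningOn445 = $listening; AllowRules = $rules }
}

function Get-NtlmPosture {
    # LmCompatibilityLevel 5 = send NTLMv2 only and refuse LM/NTLM; absent means the OS default applies.
    # Required SMB signing is the usual mitigation for the relay attacks mentioned in the thread.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $smb = Get-SmbServerConfiguration
    [pscustomobject]@{
        LmCompatibilityLevel     = $lsa.LmCompatibilityLevel
        ServerRequiresSmbSigning = $smb.RequireSecuritySignature  # $false on a non-DC default install
        Smb1Enabled              = $smb.EnableSMB1Protocol
    }
}

function Get-BroadcastNameResolution {
    # LLMNR policy: EnableMulticast = 0 disables it. NetBIOS over TCP/IP: NetbiosOptions 2 = disabled.
    $dns = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ErrorAction SilentlyContinue
    $nbt = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
        ForEach-Object {
            [pscustomobject]@{ Interface = $_.PSChildName; NetbiosOptions = (Get-ItemProperty $_.PSPath).NetbiosOptions }
        }
    [pscustomobject]@{
        LlmnrDisabled         = ($dns.EnableMulticast -eq 0)   # $false when no policy is set (default: enabled)
        NbnsEnabledInterfaces = @($nbt | Where-Object { $_.NetbiosOptions -ne 2 }).Count
    }
}

Get-Smb445Exposure          | Format-List
Get-NtlmPosture             | Format-List
Get-BroadcastNameResolution | Format-List
```

A workstation that is neither a file server nor a DC should ideally show no allow rule with RemoteAddress 'Any' on 445, signing required, LLMNR disabled and zero NBNS-enabled interfaces.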

Certainly a fair question, but a big part of the problem is I don't know the specifics of what is on a new installation anymore. Worse, I'm not sure where to find such a list.

Just scanning on the things they are proud to list at https://learn.microsoft.com/en-us/windows/whats-new/windows-..., I'd be worried about Teams, Windows 365, and Widgets. I'd also be worried about all trial software that is on the machine. I could not find a list of that, though.

And again, this is not unique to Windows. It used to be OEM bloat that was added to all things. In Linux land, it would have been all of the "power tools" included by default.

Do the popular Linux distributions for both desktop and server environments provide such a list? Have Teams, Windows 365, or Widgets been used as attack vectors against real systems?

Generally users in most enterprises are going to need instant messaging and online meeting tools, so if it's not Teams then it will be something else with an equivalent attack surface area. Windows 365 appears to be highly secure.

I'm not trying to defend Microsoft here. They have had many security flaws and there will be more to come. It's just not clear whether the alternatives are significantly better.

> Do the popular Linux distributions for both desktop and server environments provide such a list?

Yes, this is common. You are generally given the option at install how "minimal" you wish to go (do you even want a GUI installed, etc). These are often listed on the distributions website.

For example, here are a few from Arch:

- Base (bare minimum) install: https://archlinux.org/packages/core/any/base/

- Base-devel (what you need to run makepkg): https://archlinux.org/packages/core/any/base-devel/

I already said this is not unique to Windows. Such that I don't see the point of the first question. On whether those have been source of attacks, I don't have numbers. I do remember getting hacked through Office back in the day. The whole "open this document" crap college students did to each other. To that end, I fully cede this could just be a false view from my side.

I'd expect most attacks are still of the "what is your password" variety. That along with a giant shared drive that everyone just dumps everything into.

And I don't mean this as an offensive against just Microsoft. They are/were somewhat unique in the success they had with embrace/extend. That said, the blame almost as surely rests on typical "growth at all costs" mental model that is modern business.