He ran ClamAV on his Linux servers, but seemed surprised to hear that there were vulnerabilities that needed patching over the last year. See, he doesn’t subscribe to any vulnerability announcement lists. He said they were “too much noise.”
I think he threw the baby out with the bath water.
I asked him why he was still installing Windows 2000 and not XP Pro SP2 on client workstations. He said Windows 2000 was all he needed and he saw no reason to upgrade. Forget that SP2 has more than a hundred security improvements, including a host-based firewall and buffer overflow protection. Oh, and Windows 2000 is no longer officially supported by Microsoft.
I know there are millions of Windows 2000 computers out there in corporate America. Heck, I still see Windows 95 and MS-DOS machines in large enterprises. But if you’re buying new machines and installing Windows 2000 over Windows XP, at least tell me it’s an application compatibility issue or something like that. There are so many new security improvements in XP over 2000 that you would have to come up with truly serious viable issues for me to support your 2000-over-XP decision. Windows 2000 is 7 years old now. I wouldn’t support you running a Linux or BSD version that's 7 years old.
Of course, this guy wasn't using Active Directory, either. He was trying to install OpenLDAP, but said it was only to make user adds and changes easier. He ran VNC on all computers for remote support, and each instance had a password of "password". I’m sure no hackers can figure that out.
It gets worse. Everyone’s user password is their first initial and last name, the same as their logon account names. This, despite the fact that the company has many fired employees now working for competitors, along with Internet-accessible e-mail and AS/400 sessions.
The CEO’s password is "password," of course, and his “password” is used as the root password on several of the servers and their open source database application. Passwords are never changed.
This would be just one isolated tragedy if I didn’t see it all the time. Just because you’re a Linux or BSD administrator doesn’t absolve you from your security responsibilities. Just because you don’t run Internet Explorer doesn’t mean you won’t be -- or haven’t been -- attacked.
And let me be clear: Many Linux, BSD, and Solaris administrators I know are excellent security caretakers. But they also know that you have to follow basic security guidelines regardless of what OS you run. You have to patch, you have to use good passwords, and you have to keep up with improving technologies.
The Linux administrator recently left his current job to become an outside Web programmer and Linux administrator for the military. He’s probably walking to his new job in his black t-shirt, jeans, and ponytail thinking he’s a security hot shot because he hates Windows and Bill Gates and can “roll his own” open source solutions. I wonder if he will ever wake up.
Meanwhile, his former boss hired me to “break into” their network because our friend the former admin had left without giving notice, sharing the admin password, or producing any documentation.
I established a PPTP connection to his network and logged in as administrator with the password of "password." I found his password spreadsheet in OpenOffice. It was called passwd.xls and was password-protected with a password of … you guessed it … "password."