From: "Tamouh H."
To: "Ted Mittelstaedt", "Kevin Kinsey", "Anton Galitch"
Cc: questions@freebsd.org
Subject: RE: just general questions about fbsd
Date: Sun, 20 May 2007 20:09:19 -0400

> > -----Original Message-----
> > From: owner-freebsd-questions@freebsd.org
> > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Kevin Kinsey
> > Sent: Sunday, May 20, 2007 3:19 PM
> > To: Anton Galitch
> > Cc: questions@freebsd.org
> > Subject: Re: just general questions about fbsd
> >
> > Anton Galitch wrote:
> > > Hi
> > > I'm writing an article about FreeBSD and want to ask a few
> > > questions:
> > >
> > > - What advanced features it has that for example Windows, or MacOS
> > > don't have?
> >
>
> Windows, even the server versions of Windows, are fundamentally
> desktop software operating systems that are at times pressed into
> being servers.
>
> FreeBSD and the other UNIXES are fundamentally server operating
> systems that are at times pressed into being desktops.
>
> Remember, UNIX came out of the multiuser environment, where you had
> a lot of people connected via dumb ASCII terminals to a single
> mainframe. From the beginning, concepts like reentrant code, and
> separation of user authority, have been ingrained in it.
>
> Consider for example the extreme difficulty that Microsoft has had
> with the simple concept of a "superuser". A superuser is, as you may
> know, a userID on the system that has authority to do anything,
> change anything, and that the normal security mechanisms do not
> apply to. Under UNIX this is the "root" user ID.
>
> Well, with Windows, in the Win 3.1/win95/win98/winME series, anyone
> who booted the Windows system was automatically the superuser. This
> causes a lot of problems as you might imagine with programs, as if a
> program has a bug or goes out of control somehow, since the user it
> is running under has no security, the program can destroy anything
> on the system.
>
> With UNIX, normally, programs are not run under the superuser ID,
> they are run under a normal user ID. Thus programs cannot normally
> damage the system. Microsoft observed the value of this paradigm
> and so put it into Windows NT - although, under NT, they called the
> superuser "the administrative user" most likely, because they didn't
> want anyone to realize they were just copying how UNIX does things.
> But, "administrator" under Windows, and "root" under UNIX are
> essentially the same thing.
>
> The problem, though, is that because the concept of the superuser ID
> was grafted onto Windows, if you set up Windows so that when it
> boots, a person logs into it as a regular user, they have a lot of
> problems. They cannot install software, they cannot run a lot of
> different network software, they cannot make changes in simple
> things like the screen resolution, and so on. Both Windows NT and
> Windows 2K were set up by Microsoft out of the box like this - when
> you installed them, you had to tell them a regular userID and an
> administrator userID.
> But, due to the problems, Microsoft went to a model in both Windows
> XP and Windows Vista, where when you install and set it up, BY
> DEFAULT, you are put in as a superuser (administrator).
>
> This saves Microsoft a lot of support calls from people calling in
> demanding to know why the Windows OS won't let them do simple things
> like change screen resolution - but, it completely defeats the
> security in Windows, and makes even the most modern Windows no
> better than Windows 3.1 in terms of security.
>
> This I think is one of the best illustrations of the different
> approaches of Windows and UNIX. With a server, since a lot of people
> are affected if an errant program crashes it, the security is never
> disabled by default, and the installer must deliberately choose to
> do it. With a desktop, nobody is really affected if it crashes
> except for 1 person, so since usability is more important than
> security, by default this is why security in Windows Vista is
> subverted this way, out of the box.
>
> There are a very great many people out there walking around who have
> set up Windows systems as servers, and not understood this, and as a
> result, caused their company to lose hundreds if not thousands of
> dollars of time and labor due to the Windows server crashing as a
> result of a virus knocking it down. A virus, I will say, that IF the
> Windows security had been properly enabled, would NOT have been able
> to take the Windows server down.
>
> Ted

Not to change this to a Windows vs Unix thread. But I think they are
two different ball games. I work with both servers and have seen
advantages/disadvantages in both security and non-security related.

The SYSTEM user is considered to be the superuser on Windows.
This is = why many malicious codes that exploit a high risk vulnerability in OS = automatically grant their application a service or run it as a system = process. On the other hand, Windows has the ability to change the administrator = user or completely disable it. Something not available in Unix systems. = For example, a cracker or hacker targeting UNIX system will = automatically try to compromise the "root" user. It is 100% guaranteed = to be there. On the other hand in Windows, good sys admins will rename = or complete disable the administrator user hence making it more = difficult to know the administrator user. Anyway, this is an opinionated subject. FBSD is great in many aspects. = We use it because it is freely available, has a great community support, = doesn't need much rebooting once installed and is fairly quick to = backup/restore.