From: Ji H. Lee (Ji.Lee_at_nstnet.com)
Date: Mon Oct 07 2002 - 13:35:41 CDT

    Microsoft has a free cd that can be ordered at the following link:

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/stkintro.asp

    The CD is the Microsoft Security Toolkit. It basically has all the
    baseline patches that you need to get your PC secure enough to get on the
    Internet.

    I don't believe it is fool-proof but it is a start.

    Ji Lee
    Northstar Technologies

    -----Original Message-----
    From: De Velopment [mailto:develwww2.kparker.org]
    Sent: Monday, October 07, 2002 9:47 AM
    To: Focus-MS
    Subject: Security issues, purchasing a new, pre-loaded, Windows XP
    computer

    Hello,

       I asked a casual question on another forum and believe I have
    opened a major can of worms.

       The casual question came up when a friend of mine told me that she
    purchased a new PC (I think Gateway, but manufacturer not important).
    The PC comes pre-loaded with Windows XP Home. Simple enough. There
    are probably millions of preloaded Windows XP boxes sold every week.

       The problem is security. Out of the box, Windows XP has some rather
    dangerous vulnerabilities, including Universal Plug-n-Play, a number
    of Internet Explorer / Outlook Express holes, including incorrectly
    labeling an executable file as an audio (sound) file, and just maybe
    a version of IIS that can be hit from outside by Code Red and Nimda.

       The question I brought up is what is required to make a PC, just
    purchased, with Windows XP, safe on the Internet? One answer I got
    was that all downloads, (Service Pack 1, Security Rollup, and
    miscellaneous patches) would come up to 105 Megabytes. The problem
    is that my friend only has dialup access! How long would it take
    to download 105 Megs on a dialup line? How about if the phone line
    is dirty? A related question, for those outside the USA, is how much
    would it cost to download all of these fixes?

       So, my question to this list: Exactly what should I tell my friend?
    How dangerous is it to have an unpatched Windows XP Home system on
    the Internet? How many steps does it take to secure it? And, does
    anybody have an estimate on how long it takes with Dialup? Can this
    upgrade be done at night while she is sleeping? (Or does it take
    several reboots and answers to questions (i.e. EULA) along the way?)

       Finally, has Microsoft been approached with the idea of releasing
    a bug-fix version of Windows XP that has the patches pre-applied,
    at least for the OEM distributors?

       Thanks in advance and best regards,

               Ken Parker