


NOTE: The contents of this post are my own personal opinions and not
necessarily those of my employer!

There are many other arguments that arise from this thread. The primary
intent of this post, however, is to argue that the average customer must be
concerned about malicious Windows code stored in files residing on i5/OS.

SECURE SYSTEM DEFINITION

The definition of a secure system is one that allows only the intended
people to access resources on that system for only the intended purposes.

Each customer defines the "intended people" and the "intended purposes".  A
system can not be said to be secure (or not) unless you know the
people/purposes (i.e. the security policy) to be enforced on that system.
UserIDs and passwords pretty much cover the people part. The access control
model chosen and implemented by the customer covers the intended purposes
part.

ANY system can be "secured" and, conversely (I think "conversely" is right
:-) ), NO system is inherently secure or not. Security is differentiated
between platforms based on how much it will cost you to make the system
"secure" (using my definition above).

The statement "you shouldn't use i5/OS as a PC file server" is the same
argument that Windows security apologists make; that is: "if people would
only use and protect their systems correctly, there wouldn't be any
problems." This argument isn't any more valid for i5/OS than it is for
Windows!  The fact of the matter is that many customers access data from
i5/OS for use on workstations.

Do customers need to be concerned about malicious Windows code on i5/OS
systems? Yes.

Why? Because most customers:

  1. Access their i5/OS systems over a network.
  2. Use one or more TCP/IP-based servers to access their systems.
  3. Don't, or can't afford to, turn off all of the servers that could
  potentially be used to store malicious Windows code in files in i5/OS.
  4. Use an "open access control model" (i.e. PUBLIC *CHANGE or *ALL) on
  most objects and stream files.
  5. Will find it too much effort/cost to ensure that you have
  configured everything necessary to preclude the possibility of malicious
  Windows code having been stored in i5/OS.
  6. Will find it too much effort/cost to ensure that what you
  configured six months ago hasn't been changed.
  7. Will find it too much effort/cost to ensure that all non-security
  related changes to the system have no impact on the way access control is
  currently managed.
  8. Will find it too much effort/cost to prove, to themselves or a
  third party, that they haven't made any mistakes and have thought about all
  possible methods of attack (not to mention the new ones that keep cropping
  up).

Most customers that run AV on their Windows PCs also run it on their
PC-based PC file servers. Even if they do dynamic AV scanning on
workstations, most customers want to remove malicious code from their
network -- if for no other reason than the possibility that some yahoo turns
dynamic scanning off!

In addition, some i5/OS customers HAVE been impacted by malicious Windows
code stored in files on i5/OS. From a business point of view, it is
immaterial whether those impacts were to i5/OS or their Windows network.
This proves that it is at least possible for malicious Windows code to
reside in files on i5/OS.

Most i5/OS installations are configured, for business reasons, to be
accessed from PCs over an internal network. Many use Netserver which is the
most likely interface to be used to store or access malicious code; although
it is by no means the only possible interface that could be used. Most
customers implement an open access control model that makes it incredibly
easy to store, modify, or retrieve files over the internal network.

Assuming that you agree with the above, then i5/OS can be and is often
easily used, either on purpose or accidentally, as a file server for PCs.
As such, it has the same AV scanning requirements as any PC-based file
server.

Do most customers need to be concerned about malicious Windows code hiding
in i5/OS? Given that i5/OS can be used as a file server for legitimate
business purposes, that other interfaces that are not necessarily
intended to be used to store, modify, or retrieve PC files can be used to do
so, and that some i5/OS customers have been negatively impacted by malicious
Windows code stored (but not necessarily executed) on i5/OS ... in my opinion
the answer is obviously and overwhelmingly yes!

Does this detract from the value that i5/OS brings to security? Absolutely
not! Security is about how much it costs you to protect your business
resources -- not about whether they are inherently and magically protected
by the system. I believe that it will cost customers less to implement their
security policies on i5/OS. The fact that some customer decisions and
actions are required does not diminish this in the least. Neither should it
be a surprise.



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
