If you don't know enough how to set up your production machine, you
John Earl to do it for you.
Come on... I like John and all, but that's BS. Lukas is right, MS has
learned (is learning?) from its mistakes about the on-by-default model
of security, and it's amazing to see IBM walk right into the same trap.
If nothing else, look at iSeries web access. OK, the entire thing is off
by default, but if you turn it on (any part of it) then the entire thing
is on by default. So, some poor iSeries admin goes to a local user group
meeting and sees that he can provide report access to his users via
Access for Web, goes back and flips the switch, seems simple enough.
However, he's just allowed every user to run random database UPDATES
against his iSeries! Why? Well, buried in Access for Web is also a
database access/update component, and, except for those FEW shops
running w/good object-level security, public has change rights to the
tables in the libraries.
If you don't do either, you deserve what you get.
OK, so those shops running unsecured Windows servers got what they
deserved? It's not MS's fault that they didn't lock down the server;
they allowed users Admin rights to the local machine; they didn't use
the Baseline Security Analyzer and for IIS machines didn't run
IISLockdown; they didn't use group policies and Active Directory to
enforce security policies; etc.
MS has learned their lesson, IBM shouldn't make the same mistake.
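As an added illustration (not code from the post, from IBM, or from any product), a small Python model of the two-part exposure described above: the Access for Web "on by default once enabled" behaviour is modelled as the post states it, and the authority rows are constructed sample data, not a real system's.

```python
from dataclasses import dataclass, field

# Object authorities that include data-update rights on a physical file.
UPDATE_AUTHORITIES = {"*CHANGE", "*ALL"}


@dataclass
class AccessForWebConfig:
    """Assumed model of the behaviour the post describes: once the product
    is enabled, every component the admin did not explicitly switch off is on."""
    enabled: bool = False
    components: dict = field(default_factory=dict)  # explicit per-component settings

    def component_on(self, name: str) -> bool:
        if not self.enabled:
            return False
        return self.components.get(name, True)  # unset -> on by default


# Constructed sample of (library, table, profile, authority) rows, as an
# admin might collect them from DSPOBJAUT; not real data.
SAMPLE_AUTHORITIES = [
    ("PAYROLL", "EMPMAST", "*PUBLIC", "*CHANGE"),
    ("PAYROLL", "EMPMAST", "HRGROUP", "*ALL"),
    ("SALES", "ORDERS", "*PUBLIC", "*USE"),
    ("GL", "LEDGER", "*PUBLIC", "*EXCLUDE"),
]


def exposed_tables(config: AccessForWebConfig, authorities) -> list:
    """Tables any web user could UPDATE: the database component is on
    AND *PUBLIC holds an authority that includes data update."""
    if not config.component_on("database"):
        return []
    return sorted(f"{lib}/{tbl}" for lib, tbl, profile, auth in authorities
                  if profile == "*PUBLIC" and auth in UPDATE_AUTHORITIES)


def restrict_public(authorities) -> list:
    """Object-side remediation: lower *PUBLIC to *USE wherever it currently
    allows updates; private authorities (e.g. HRGROUP) are left untouched."""
    return [(lib, tbl, profile,
             "*USE" if profile == "*PUBLIC" and auth in UPDATE_AUTHORITIES else auth)
            for lib, tbl, profile, auth in authorities]


if __name__ == "__main__":
    # The admin only wanted reports, but the database component came on too.
    cfg = AccessForWebConfig(enabled=True, components={"reports": True})
    print("exposed:", exposed_tables(cfg, SAMPLE_AUTHORITIES))
    # Product-side remediation: switch the database component off explicitly.
    print("db off:", exposed_tables(AccessForWebConfig(enabled=True, components={"database": False}), SAMPLE_AUTHORITIES))
    # Object-side remediation: fix *PUBLIC authority on the tables.
    print("public fixed:", exposed_tables(cfg, restrict_public(SAMPLE_AUTHORITIES)))
```

Either remediation alone closes the exposure in this model; the post's point is that only the shops already doing the object-side one were safe when the switch got flipped.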