
Author Topic: Win2000 Paranoia


Offline Ilwrath

Re: Win2000 Paranoia
« on: May 16, 2003, 02:44:28 AM »
Man...  I tell you what....  I finally got sick of the daily battle against spyware and went with RedHat 9 on my main PC.  I can't say it's been totally painless, but with a few annoyances, I haven't booted into Windows in 2 weeks for anything other than a few games.  I'm thinking of blocking the Windows side of the PC at the firewall -- no access, at all.  

It really seems to be the only way to secure it, anymore.  It's hard enough setting firewall rules and patches to keep the 5kr1p7 kiddies out, but then you add in having to keep it from phoning home all the damn time...  It just isn't worth it...  ;-)  I'll put up with technical glitches, but when I have to fight my OS over politics, I draw the line.  Make mine "Free as in speech," please.  I've had enough financial and moral bankruptcy for a while.
 

Offline Ilwrath

Re: Win2000 Paranoia
« Reply #1 on: May 17, 2003, 12:59:45 AM »
@Jaruzel

Quote
Almost ALL of the Windows 2000/XP 'phone home' services can be disabled, if you are bothered to learn the OS a little bit.


True... But they re-enable themselves after every service pack, several of the stand-alone critical updates (TechNet), all Internet Explorer point updates (5.0 -> 5.5 -> 6.0) and who knows when else...

Plus, having things disabled in Windows doesn't mean a whole hell of a lot.  I have a set of snapshots and logfiles of a Windows 2k server that I admin attempting to open an outgoing SMB connection on a network card SMB wasn't even bound to!!  

Back in the Windows 3.1 days, I used to hate Microsoft for putting out poor product.  Since then, the Windows 9x series was quite improved.  I stopped hating them.  The Windows NT series (I used to be NT4 server, workstation certified) was excellent.  Now the mainstream OS of Windows XP and Windows 2000 Pro/Server are technologically excellent, but I just can't live with the politics of Microsoft.  

I'm sick and tired of having to wonder what services got turned back on while I wasn't looking.  I'm sick and tired of them releasing patches to "Windows Update" while not allowing them to be downloaded elsewhere.  (Try to patch/fix the CRITICAL SECURITY FLAWS in the Microsoft VM without using Windows Update??  Guess what...  You can't, anymore, because they deleted the update patch files from their support areas, and claimed it was because of the court order, yet you can get the file from Windows Update!)  

In short, if I have to spend my time battling a computer, I'd rather be fighting over technical glitches, rather than fighting to disable the "features" certain companies feel I can't live without.

Quote
If you really are that paranoid, just de-install all network and modem drivers. That will make you nice and secure, and I hope you enjoy your isolation.


Don't even trust this...  See my comments above.  Honestly, I think the only way left to secure Windows is to pull the network (or phone) plug before booting it.
 

Offline Ilwrath

Re: Win2000 Paranoia
« Reply #2 on: May 17, 2003, 01:43:43 AM »
Quote
Use a decent firewall and that's it. I used to use zone alarm but some IM spam still got through


Hmm... Yep.  Sounds pretty secure.  Of course, you realize that if the IM spam is getting through, it basically means you have no security at all at that moment....

Yes, a GOOD firewall, with GOOD rules set will make for a reasonably secure system.  The thing is, setting those rules is a real pain in the arse.  It's a never-ending job.  Do you want to see the rule-list for my firewall?  It has more blackholed ports than I can count.  As Carl Sagan would say, "Billions and Billions"...  (Ok, maybe not that many, but still... it's more than 20 insecure ports I have to block in both directions!)  

Quote
I never had Win2K sp 3 attempting to connect to the internet by itself in the first place. I dunno what your settings are like but turn off automatic updates and other nonsense.


Would you even know?  Do you examine what packets are leaving your machine?  Do you run a firewall on a separate machine?  Do you want to see my firewall logs for what kind of crap a Win2k machine with all non-essential services set to Disabled still spews out?  Hope you have a large e-mail account.  There's megs of it... From each 24x7 server, and that's for this month, alone.

In conclusion, though, yes, it is possible to secure yourself against most (>99%) of all threats to Windows.  My argument is that it has grown to be more trouble than it's worth. Therefore, in newer jobs I am using Linux more and more.  It's free from the BSA audits, it's free from many of the Windows annoyance virus/worms, and it's free from auto-update features that turn themselves back on when I'm not looking.

What's best for you?  I don't know.  There's no doubt that a poorly configured Linux box is less secure than a well secured Windows box.  A little knowledge and prevention goes a long way...  

My only thought is that at this point, I'd rather spend my time fighting technical issues than political ones.  Probably a lot of it is that I'm just burned out on Microsoft, too, though.  There's only so many times you can go through the checklist of re-locking down a box before you just get so tired of looking at it that you'd rather chuck it out to the curb.  

At least with Linux, I'm running into NEW bugs, problems, and issues.  ;-)