Home About UsOur mission, Our name, Contacting us Events & Topics Articles Business General Technical Surveys FAQ

Windows? No worries

March 4, 2005

These are the results of a survey question put to PANUG and BizNix members based on these points recently made by a software vendor to their customer:

1. You should not be afraid of using Windows computers if they use virus-scanners and keep them up to date. People who are infected by viruses don't have up-to-date virus scanners.
2. You should use one of the inexpensive firewall boxes that can be purchased at the local computer store. These provide adequate security.
3. Dumb terminals are obsolete and should be replaced by computers running Windows.

We also asked how much weight a vendor's opinion should carry in evaluating a company's support staff.

These are the responses:

Mikel K Bidwell - Pope & Talbot

Windows machines are only safe from KNOWN viruses. Someone always has to be the first person or company to be infected by new, UNKNOWN viruses. No matter how fast you apply virus updates, you're still vulnerable. Where does this vendor think those virus updates come from, the virus writers themselves?

---

Bill Dewey - Preston Gates

Good grief. Obviously this person doesn't actually use a Windows PC connected to the Internet. Anti-virus vendors typically get virus updates published between 2 and 24 hours after each new outbreak. By this time, the virus or worm has made it around the world. We routinely (2-3 times each year) have to take manual measures to stop propagation before definitions can be updated.

Inexpensive firewall boxes might provide adequate security for the casual home user but for a company? Uh, yeah.

---

Ed Sawicki - Tailored Computers

Think total cost of ownership. New Wyse terminals cost between $375 and 495 for quantity one but there are no additional expense - no virus scanners and yearly subscription, no spyware scanners, no software updates, no consulting fees to try to lock down the desktop.

---

John McKean, State of Oregon

One thing that should not be overlooked with regard to the care and feeding of Windows computers is that maintaining patches can be time consuming. Sure, you could just turn on automatic updates and trust that updates are installed as appropriate. Of course this does not protect you from day zero attacks against new, or undisclosed vulnerabilities. And, what if that attack disables automatic updates, the windows (or other) firewall, or virus protection?I personally would not utilize Microsoft's automatic update service in an enterprise environment. Deploying Microsoft's Software Update Service (SUS) is a different matter. The key here is the ability to monitor, and audit, the changes to Windows systems. This can be done either manually or automated but either way requires time and expertise on the part of the staff that maintain the Windows environment.

The bottom line is that "dumb" terminals do not require anti-spyware, virus protection, patches, firewalls, or maintenance related to on-going security threats. Since there are no moving parts, "dumb" terminals do not have hard drives that fail. One last point, there is no effective way to "lock down" a Windows computer. Give me a bootable CD-ROM, floppy, or USB device and I will be its administrator within the time it takes to boot the machine.

---

Tom Rich - Mt. Hood Computer Services, Inc.

I sell both Microsoft and Linux solutions to businesses. I believe in being an advocate for the customer, recommending what would be best for their business, not just the products I want to sell.

I think this vendor is doing a dis-service to his client, not acting in the client's best interest. If the terminals are already in place and will run the software, and will provide the employees with just the applications needed to do the job, and will reduce upfront cost as well as future maintenance cost, the client should insist on them and the vendor should too.

Running Windows desktops can be more flexible, but can be more expensive as well. No computer is "no worries" unless it is not connected to a network, in a locked closet and powered down. A Linux server with terminals attached and only business applications running is much safer from malware and mis-use than Windows desktops running PuTTY and who knows what else.

---

Shannon C. Dealy - DeaTech Research Inc.

As for point 1, virus scanners can only scan for viral techniques that are known - any new technique first begins by infecting computers before the companies that make the scanners become aware of them, characterize them, and release an update. This means that for every new virus released, your "up-to-date virus scanner"-protected machine is completely vulnerable for a period of hours, days, weeks, or even months, depending on how long it takes for the virus to be noticed, characterized and an update released. During that time, some computers (even ones with up to date virus scanners) must have been infected.

In recent years, new viral software has, in some cases, managed to saturate the Internet with it's attack in a matter of hours, not days or weeks, leaving no time for the people who make the scanners to perform their job and provide you with an update (and give your computer time to download it) before a fairly high degree of probability is reached that your computer may come under attack. Add to this the fact that some recent attacks target the anti-virus software.

As for point 2, this is utter rubbish. Even if the firewall is completely without bugs, all it does is block predefined types of internet access, and ALLOW other predefined types (you did want to be able to browse the internet, receive email, use voice over IP, etc.?), Firewalls simply narrow the available avenues of attack - it doesn't eliminate them. This, of course, ignores the fact that in many cases historically, firewalls have failed to provide the exact types of protection they were supposed to, as well as in often providing a new hole (the firewall itself) which could be used to attack other computers.

I am not saying that virus scanners and firewalls are a bad idea (everyone should be using them) but all they do is provide a significant statistical reduction in the chance of your computer getting infected - nothing more. This is true for Linux/UNIX type boxes as well. Though they are a safer alternative, they are by no means completely secure.

As for point 3, this is wrong. The terminals are more secure. I won't go so far as to say they can't be infected without more information about their internals. Lets just say it's extremely unlikely that a terminal can be infected. You should stick with the terminals when PC or Windows functionality is not needed.

Anyone who believes this vendor is eventually going to get a very nasty surprise.

---

An administrator of an educational institution
Name withheld by request

Windows? No worries - don't make me laugh. We have a firewall and virus protection that is updated on a regular basis. Does this stop viruses from getting on our network? No.

The reason is we have students and teachers who bring in their own personal machines which they don't realize have been infected with a virus. We constantly monitor our network so typically when a virus hits we know about it and I've seen our network administrator spend his entire day denying all traffic to specific IP addresses to prevent the virus from spreading.

On top of this you have to worry about Windows updates. We've all experienced or at least heard of people installing a Windows update which then breaks some other piece of software that the user needs or opens up a more critical threat than the one it was suppose to fix.

I would stick with the dumb terminals (are they really so dumb?), PC's running Linux, or Mac's running OS-X.

---

Christian Bayer - Timberline Lodge

I think this is a classic example of a vendor that has no qualms passing additional expense to the customer rather than incurring the cost of providing service.

I have seen something similar when a vendor specified that 1.3 GHz Willamette Celerons were insufficient but that 1.4 GHz Pentium 4s were adequate for an application. If you know processors then you realize that specific Celeron slays that specific Pentium in performance due to cache speed, cache size and (lower) number of pipelines. The result was an additional cost of $300 X 5 for new computers with lower performance.

Often software vendors are unwilling to provide support for a platform they don't have and these vendors frequently don't seem to know much about hardware. While this may seem somewhat understandable, I consider it inexcusable. Knowing your customer's environment is a responsibility a good vendor invests in. Unless the vendor will lower the purchase price to offset the additional cost of using the software due to the risks and hard costs involved by introducing more Windows computers to the network, I would seek another vendor. If a vendor says something won't work, consider it their responsibility to prove it so.

I think the vendor's competence should be in question at least as much as those maintaining the Windows computers. Perhaps Linux-based terminals would be a solution if the dumb terminals have shortcomings.

If you have physical access to the box, Windows absolutely can NOT be locked down unless there is NO access to removable media drives (floppy and CD-ROM), USB ports, the F8 key, the Scroll Lock key, the internet and the inside of the computer. Disabling the drives to boot in the BIOS is not a complete solution. It's possible, but takes a lot of work to make a Windows computer generally resistant to security problems, a complete 'lock down' is not possible though practical methods.

Perhaps those administering the Windows computers that suffered problems were at fault, but the users of the computers are a very likely source of them, although they are probably completely innocent of any malicious intent. Keep in mind that all the user has to do is visit a certain web page with Internet Explorer. Even a firewalled Windows machine is susceptible to... well, anything. No virus scanner can protect against this situation.

It doesn't take much to hack through an inexpensive firewall. I personally have three of them from different manufacturers, I have hacked through each one. The methods are well documented on the internet.

Protecting a Windows machine is like protecting your home. Make it less convenient to attack so that other (Windows) targets are relatively softer and therefore more attractive. That's really all you can hope for.

---

Roger Tait

If the company's support staff has an IT security policy and a plan to implement and maintain it on a regular basis, the customer's support staff is in good shape. The company ought to consider getting a second opinion about the vendor's advice. It also seems that the company's delegates that assess new technologies and the vendors of them aren't entirely qualified either, if they really believed what the vendor had to say.

1. The vendor has a vested interest, and so ought to be regarded more critically than this story suggests.
2. Windows is notoriously insecure and new viruses can't necessarily be anticipated by security updates. How can the vendor imply that Windows can be "locked down" and secured by current antivirus measures, which are essentially reactive in nature? This reasoning sounds very bizarre.
3. Terminals are more secure from computer viruses.
4. The survey didn't ask about total cost of ownership. It would appear to me that terminals would have a lower TCO than Windows systems.

Rating the security staff's ability to catch these points seems to be a good idea, and it may be advisable to invite a review of the IT security policy to ensure that measures are in place, but allowing a vendor to define themselves as the criteria against which the staff should be rated is an appalling exercise in managerial incompetency on the part of the customer. Vendors should NOT be assumed to "know better."

---

Keith Lofstrom - Keith Lofstrom Integrated Circuits

Both the vendor and the customer are correct, in a way ... terminals are hard to repair and find replacements for. PC hardware is ubiquitous. So the customer should be migrating over time to PC hardware, configured to only provide terminal program capability.

But this is very hard with Windows - it is too complex, and targeted towards "full users". The customer needs a simple system that does only terminal mode, and one they can clone without licensing worries.

I can think of two inexpensive and easy-to-maintain solutions:

1. DOS!, configured with an autoexec.bat that runs a terminal program with a TTY screen. There are free versions of DOS out there. There might be compatability issues with newer hardware, but we won't be using much beyond VGA and a serial port.
2. Text mode Linux, configured similarly.

The choice of (1) or (2) depends on the specifics of their available and trusted support staff. If they know DOS, use that. If they know Linux, do that. Full Windows is a complication with negative value added. If nothing else, you can't operate Windows without a mouse, and there are better uses for the table space.

An intriguing possibility, given the newer motherboards with built-in ethernet, is to load the appropriate memory image via BOOTP from a server. That way, all they have to do to configure a new "terminal" is to set up the CMOS config for BOOTP. They would not even need a hard drive, floppy, or CD. This could work with a very cheap new PC, and with a fast network would boot before the screen lit up.

OTOH, a disk-based (or CD or floppy-based) system would allow them to reuse hardware, and keep their RS232-only wiring. Pulling ethernet to all the machines, and maintaining it, has got to be more expensive and disruptive than leaving existing wiring in place. And since they already have users that are running full PC's, they could repurpose some of the older machines as terminals and buy those users newer PCs. Disk-based systems would require copying and maintaining a bunch of drives or media, but if you designed for the least common denominator you could probably develop a standard "use on any machine" hard drive image.

All that said, this has *got* to be a solved problem. Some searching on the internet should locate a "turn your PC into a terminal" disk or BOOTP-based image. This sounds like a nice little sealed system ...

---

Job Cacka, Network Administrator, Columbia Corrugated Box, Co.

I have been in the purchasing field for 6 years and the IT field off and on for 10 years (On for the last 2 years). Our company is setup similarly to the one in this description. We use an AIX server to run a legacy database with text-based menus. It works well and is relatively secure and virus resistant. I touch it about once a month for maybe an hour. IBM 3151, green screen terminals are used in our manufacturing facility to provide a login to the database. This allows us to enter job costing information at order run time.

The problem I have noticed with most integration vendors is their over reliance in MS Windows. For data entry tasks it is much easier, and faster if your hands never leave the keyboard. While the learning curve might be steeper with a text-based menu system, the data entry is much quicker. When seconds can be eliminated from each data entry item, it leaves more time to perform customer service-related tasks, which is why we are in business in the first place, not to pay people to move a mouse around.

Like many other companies we have noticed that computer hardware manufacturers have left the dumb terminal marketplace. Refurbished equipment is still readily available from companies like SourceOne, but this will not be around forever. There are two directions to go, in order to provide a replacement for the green screen terminals. The first as outlined by Ed's email is to install a full-featured but locked down PC with MS Windows. The cost involved in this setup is between $500 and $1000 for each PC and licensing, and you better hire an additional IT help desk employee if you need to replace more than about a dozen of these green screens.

The second option and the one we decided on, was to set up a Linux server and utilize gdm to provide a remote login. Linux does not suffer from the horrors of virus threats and is much easier to lock down (Windows XP can be broken into in about 10 minutes with a floppy disk boot and reset the administrative password, 8 minutes of that is reboot time). At the local PC we are running the PXES Universal Linux Thin Client, and this can also provide us with secure MS Windows access (we must still purchase MS licensing however). While we are using old PCs out of our Bone Yard for thin clients, a new thin client can be purchased for around $200 to $350 and if it is running Linux there is no licensing cost for the OS. Now with our Linux server we do pay a maintenance fee of $349 per year per server, but this allows us to keep the many packages up to date with less administration effort on our part.

With the thin clients we can do some additional modern tasks safely. For instance we can run our own IM server and have a IM login at each thin client. It is easier to understand the written word in a noisy plant rather than the spoken word over a telephone. Email can be made available, and virus protection addressed at the server level. With our thin client setup I am able to allow the plant to make their own notices and warning signs with Open Office (This is extremely useful in our understaffed remote offices). Because the thin clients use the TCP/IP protocol suite to communicate, the network is simplified by removing serial Dumb Terminals.

There are many disadvantages to using PCs, but the greatest is the ongoing, incalculable administrative costs for each PC. Also, before you say a PC can be locked down with MS Windows I want to have a day with the locked down unit, because I'll bet anyone reading this could break into it with free, readily available software from the Internet. Oh, BTW:

• Who is liable for a PC's misuse, the user, the owner, the administrator, the vendor?
• What happens when that PC gets infected with the next fast spreading Uber virus?
• Does the vendor come out and fix it?
• How long has the company employed their administrator, versus using their vendor's services?
• Which one do they trust more?
• If they trust their vendor more than their administrator then it would be best for the administrator to find other employment, because with that logic the business may not be around long.

---

While I expect you will get many of the typical Window-bashing responses, both parties have some problems to address. If the customer wanted a locked-down system, then the dumb terminals are ideal and the vendor should appreciate that. The customer already has them, they can only connect to the server and they can only do what is allowed there (with the exception of a "duck hunt" game we used to play with dumb terminals when the mainframe was down**).

However if the customer wanted more productivity, then a smart terminal approach would allow for the addition of other applications (WP, Spreadsheet, graphics, etc). Windows systems can be extremely locked down (just ask any school network administrator). Every system can be infected (Linux, OS/X, included - heck. I had three hackers try and get into my Cingular phone while I was in Las Vegas last week), but these infections can be limited or avoided by aggressive policy management, allowing only what is absolutely necessary and fully understanding the ramifications of every policy change.

Most administrators don't do this, instead relying on a software vendor to provide them with a turnkey setting that balances accessibility with some measure of safety. I don't blame the administrators - in most companies, it is next to impossible to keep up with user demands and do an adequate job learning and managing an ever-changing software landscape - I blame the vendors for not telling the companies the true costs of administration, and the customers for attempting to cut corners then whining when they feel the effects of their decisions.

** The duck hunt game was something an old programmer taught me back in the '70s on an otherwise useless dumb terminal: You hold the spacebar down and randomly press the X key, placing a series of X's around the screen. You then return the cursor to 1,1 and hold down the right cursor key while attempting to press the "period" key when the cursor crosses one of the Xs. Not high-tech, but something to do while we waited for the system to IPL...

---

Paul Rogers

Certainly the customer's reliance on SCO software is likely to be problematic in the future, so migration to another package is advisable. However, any vendor with such demonstrated ignorance of Windows' security issues or disregard for the customer's wishes for deployment, should be investigated as an unreliable supplier. Of course, the customer should investigate whether this was the vendor's position or just the presenter's, e.g. was the presenter a represetative of a channel partner who hoped to benefit from supplying the PC's?

---

Albert Dijkstra

The vendor's first point is negated by the second: the need to have those little inexpensive firewall boxes implies vendor's admission that up-to-date virus scanners on each M$ box does not offer enough protection. Additionally, does the vendor meet the customer's needs? Replacing each terminal with (an unnecessary "upgrade" to) a Window box and several of those little inexpensive firewall boxes sounds like an unnecesary costly proposition for the customer.

---

Back