Projects:Windows for penguins und fruitarian

From 34C3_Wiki
Description Conceptual differences between Windows and Linux and things you should know about Windows.
Tags education, security, defense, administration, windows


I'm currently writing a webpage that tries to help non-technical people (e.g. company founders and decision makers) as well as administrators get to know current best practices, design considerations and best-effort solutions (their limitations and the reasons for them). My motivation for doing this is that I've seen things that violate the most basic guidelines and rules for good administration, which leads to more crude solutions that drift further away from best practices than one would like. For example, a wrongheaded permissions concept leads to scalability problems and security compromises (over-permissioning). The key point of this page should be to give everyone access to information that experts consider most basic and don't really think about, as it is common sense (at least for them). This should lead to people not skilled in these fields making better decisions and reduce the frustration of administrators joining the field later on. As the company develops, the grandson of the founder can at some point no longer keep up with the time and knowledge needed, and an administrator has to be employed; often this administrator has to deal with a wrongly designed (or even patchworked) infrastructure that does not follow standard designs. Currently I'm focusing on Windows only (with few exceptions), as this is the field I'm most comfortable with (for enterprise infrastructures). After completing it (or what feels close to it) I want to do the whole thing again, but for a (nearly) Linux-only infrastructure.

What do you mean by "with few exceptions"? As mentioned before, there is a difference in the design of Windows and Linux, and sometimes it doesn't make sense to use the one instead of the other. For example, it does not make sense to use IIS for hosting a simple WordPress webpage. But vice versa, it generally does not make sense to use a Samba Active Directory instead of an MS Active Directory in a Windows infrastructure. The focus should not be the actual implementation but the reason why. Why do I consider the one to be destructive for the infrastructure design? Why shouldn't you go down the rabbit hole?

My hope is that this leads to better decision making, so that the administrator who joins later does not have to clean up the mess before he can start doing what he was employed for (maintaining and scaling the infrastructure). A key part of this is also to show programmers how administrators deal with bugs (not following guidelines) in their implementations (software storing its configuration within the executable folder or requesting administrative privileges). Also, Windows feels like the unloved stepchild in the chaos community, so I want to shine a light on it (everyone should know the facts before ranting about it, keeping the discussion clean and solution-focused). Another thing I hope to see in response to this is better implementations of certain things on the Linux/Windows side, like IPSec in Linux.

Currently open points are things many don't know about, often cited without source or which are just wrong:

  • Conceptual difference, Windows (one for all and all for one) <=> Windows (I'm better on my own)
  • Do I need Antivirus and the trust problem (Trusted parties).
  • Linux Subsystem in Windows (launching ELF-Binaries in Windows for devops)
  • Some useful settings for administrators (Windows is for careless users by default) or how to make Windows suitable for the administrator.
  • Security and Considerations for Remote Administration and support
  • Capabilities of the Windows Firewall (Home vs Enterprise with GPO) or Usability vs Security
  • IPSec in Windows
  • How to grant permissions (for services, processes, registry keys, AD objects, filesystem objects, ...) or IGDLA (formerly AGDLP)
  • Security features (AppLocker, CredentialGuard, TPM, BitLocker) and what could happen if you don't implement one or the other (e. g. BitLocker without TPM)
  • Hyper-V and Windows/Linux containers (Docker for Windows Server 1709)
  • Windows Package Manager OneGet (equivalent to dpkg) or the software deployment problem of Windows
  • When to use IIS or MS Exchange (it's a groupware not a pure e-mail server) or IIS and Exchange vs nginx/apache and postfix
  • Why PowerShell is better than Bash (PowerShell 6 is available platform independently, but not yet stable)