WinNT Real time performance

A

Anthony Kerstens

This is all very interesting. However, one thing that sticks in my mind is that there is not a thing made by Man that cannot be broken into or disable by some ingenious character.

I might come off as a fatalist, but the best anyone can truly hope for is to decide from a range of options and pray it is good enough. That's where risk analysis comes in.

Anthony Kerstens P.Eng.
 
D
It takes only a few minutes to use winnt's policy editor to restrict user rights. However, it takes several hours to several days of planning to
decide HOW you are going to restrict these rights. For instance--I set up my operator stations so that when the users log in they see a completely blank desktop and empty start menu, except for the one program they are to run. Further, they can not run any applications I have not added to the "allowed run list." There are LOTS of other restrictions I added to lock down the machine entirely, but these are the main ones.

That said, [email protected] is correct when he says that you can't make a program run with different user priveleges. This is a different issue entirely than simply restricting access using Policy Editor. When a user logs in he is assigned a security ID. Whenever a task is performed (application run, file opened, network action) the security ID is checked against the ACL (access control list) to see if that user has the appropriate permission.

Thus, logging in under my personal account would not allow me to access objects requiring administrator access because any activities performed during my login session are associated with my security ID. Conversely, when logged in as Administrator, I obtain the Administrator security ID and can then access objects restricted to the Administrator--but I can NOT
access objects that are restricted for use by my personal login account.

However, under Windows 2000, presumably I would be able to log in on my personal account and access objects using the security ID of another user. This is an instance of accessing objects/running programs with the priveleges of another user. I haven't seen this firsthand so I don't know how well it is implemented.
 
R
My guess is they are not experts at breaking security though.

Besides, the most common way security is broken is from an inside job. Passwords are not changed. Passwords are written down. Easily guessed passwords are used.

Administrators use the same password on 100 different machines, that is known by 10-15 people in the IS dept. Difficult, near impossible to maintain security in that environment and still be able to use the computer.
 
D
--- roger Irwin <[email protected]> wrote:
lots of pro Linux stuff...

Great stuff, Roger. Sounds like you have a mirror
image of my experience - mine is mostly NT with a fair bit of HP-UX and Solaris thrown in (and a tiny smidgen of QNX).

I agree with a great deal of what you have to say.

A couple of points:

I think there are only two real reasons to use NT over (your favorite OS here). 1)Everyone has Windows at home - NT looks the same as Win9x, so the users are not as intimidated by it. This is also a major disadvantage because, as you pointed out, they are often more willing to go in and monkey with stuff than they would be on a command line nix machine.
2)Everyone is using Microsoft Office. And for getting data from the factory floor to the accounting office in a hurry (or orders in the other direction) it is awfully easy to set up a SQL database that takes data from your Windows application in the factory and feeds it to the Windows application on the cpa's desktop. Getting data to and from the factory is one of our next big jobs in this field. If you are not already
doing it you will be soon.

If you use Embedded NT you can get the exact same
scalability in terms of OS size and complexity that you get with Linux. The big disadvantage is that it is very expensive. The big advantage is that even part time administrators like most of us controls engineers are can use the GUI configuration to build a kernal with an absolute minimum of consulting the book to remember the exact syntax for setting up the driver. And yes, I fully agree that Windows (any version) is the worst collection of code bloat found on the planet.

You can get that bare green screen on startup by using the policy editor found in the Windows NT Resource Kit (poledit.exe).

You can mount partitions (or directories for that
matter) simply by sharing that partition or directory, then mounting the share name from your remote computer. The default share for any partition is the administrative share, which is the partition letter followed by '$', so for c:\ the admin share is \\computer name\c$ - anyone who has admin privileges can grab it at any time.

I do true system administration/configuration tasks at most a couple of times a week. Heavy duty hard core configuration/administration - maybe once a month. When I was working with HP-UX and Solarix in a similar amount whenever I had to do any heavy duty work I spent half my time going through books to remember the correct syntax for that command line stuff (yes, HP-UX has a gui sys admin utility group, but half of the important stuff you can't do through it, and the other
half is faster and cleaner if you do it command line, even counting the book time). NT is a true gui driven OS - so it is a matter of remembering basically where I need to go, recognizing the cues that I am given once I get there, and digging in. Which is a good thing, since 99% of the books out there are aimed at IS types who rarely want to set up systems the way we do.

The ASCII file configuration certainly sounds really good.

MS Image Composer can edit/import/export your photos. No idea where I got it from - probably a WinNT disk.

If I fully understand symbolic links then there is a way to do this with NT. In the Control Panel>System utility, Environment tab, define a variable. For example, say that you are hitting a UNIX server and want to link to a path - define variable name UNIX_PATH, value \usr\bin Then you can call this link elsewhere by the syntax %UNIX_PATH% wherever you need to insert that link.

Davis Gentry
Controls Project Engineer
Carpenter Company
 
I agree with you in that Windows NT does provide security. That level of security maybe all what you need. But I do not think that the level of security that NT can provide is higher than what can be provided by Linux. In both environments you can set up access permissions for files,
directories and executables. But Linux systems let you mark an executable to run with the
priviledges of the owner (and not of the user) and that can help a lot to implement custom security schemes. AFAIK, the only executables in NT that run with priviledges different that those of the user are Services (NT version of Unix daemons). If you know of a way to mark an ordinary executable in NT to run with the owner priviledges (regardless of the actual user) please let me know, because I have not found a way to do it. According to an earlier post, Linux has no security at all, and all I am trying to do is to prove that such a statement is false because
Linux has more security features than NT. I am still waiting for a reference to the publication that states that Linux has no security at all.

Regards,
Guido Urdaneta

P.S. Sorry for my bad english, but my native tongue is spanish.
 
I think that you do not understand what I am trying to say.
I was not asking if in NT you can set user and/or group permisions on executables.
The security scheme that I have been unable to reproduce in NT is the following:
User A has access to file F
User B does not have access of any kind to file F
Program P is set to run with priviledges of user A
User B is allowed to run program P
User B can read or write to file F only by means of program P because the program, not the user, has access to file F.

I do not know how to do this in NT. I think it cannot be done. This is
what I was asking and if somebody knows how to do it, please tell me.

Thanks in advance,
Guido Urdaneta
 
A

Al Pawlowski, PE

When you try to change the herd's direction you often get some growling; sometimes you get stomped.

Even though they are seldom optimal for any particular task, MS products overwhelmingly have the momemtum right now. Given our nature, they may
well have it a while longer.

For now, I plan to go along enough to minimize the stomping and smile back at the growls.
 
P

Pierre Desrochers

Roger - We are using NT because we can pickup the phone and talk to dozens of people for solutions when something does not work ... for Linux it's not the case ... but will be soon and then we will switch our area of expertize and integrate our apps to Linux... but then everybody will be doing the same ... and then someone will build a better mouse trap... Application running on Linux will multiply... diversify... We will get them from everywhere in the world ... and then Linux will start experiencing the same problem as NT.
A typicall PC as suffered the installation of dozens and more software packages with poorly writen drivers. Some of them left behind traces of codes... these are the most likely responsible for 80% of our problems... the next 10% comes from bad configuration and the last 10% does not exist (ask Bill he'll tell you...)

I strongly beleive that since NT is more widely spread, the result is more bad programmers are influencing its development, this will be the same with Linux...

We have just found the origin of a memory leak in an NT loaded with a SCADA app. How would Linux differ from NT in this case... the Software package was just not good ...

Pierre -
 
P

Phil Covington

Roger,

If you like Unix/Linux better than NT then use it! Reading your message has left me wondering who you are trying to convince... us or yourself? Or is this just a troll?

If you are really not "TRYING TO START AN IS HOLY WAR" then I would suggest you try not referring to Windows 2000 as a "monstrosity" and refrain from comments such as being "condemned" to use NT.

No one is forcing you to use NT. Unfortunately, not everyone shares your lovely vision of Linux/Unix as the cure for all human suffering...

I use both Windows and Linux; there are things that I both like and dislike in each operating system. But I don't worship Saint Linus... or /Saint Bill.

Regards,

Phil Covington
 
D
[email protected]
> From: "Gwinup, David" <[email protected]>
>it takes several hours to several days of planning to decide HOW you are going to restrict these rights.<

Good point.

> That said, [email protected] is correct when he says that you can't make a program run with different user priveleges.<
....clip...
> This is an instance of accessing objects/running
programs with the priveleges of another user.<

Ok - seems that I misunderstood the question. Having grown up with Windows -> WinNT I have never had that capability, and never used it under any of the UNIX systems I've used. That being said - why would this be done? It seems to me that this is simply going around all of the security that you have spent such time planning and implementing. If a user needs access to an executable, why not simply assign accessin the policy to his id or group?

Davis Gentry
Controls Project Engineer
Carpenter Company
 
P
Last weekend, a friend of mine was talking about his new job. He was given a small "egg" that
is somehow synched to his PC. The "egg" is on his keychain, and every *30 seconds* it generates a new PW for his PC. That is, his password changes randomly every 30 seconds... every minute... every hour... every day... all year... etc. I have never even heard of this before, but it seems to be pretty major security. Does anyone know more about this or how it works?

Paul T
 
A

Anthony Kerstens

Yet another decision made. I understand this because the end user should always be consulted as to his requirements. That said, that conversation with the end user is a prime opportunity to be nice, smile, and argue your point of view.

You can't make an omelet without breaking a few eggs. The trick is which eggs get broken.

Also, don't forget that the herd mentality gave MS a foothold in the first place, at the expense of other companies who had superior products.

Anthony Kerstens P.Eng.
 
D
What you fail to take into account is the issue of open-source versus non open-source. Linux is open-source, which means that ANYONE can go in and
fix a bug with the system. In fact, by the time you discover a bug, it's likely that someone has already patched it. Compare this to Windows NT
where there are quite a number of known issues/bugs but nobody can fix them except Microsoft. There are plenty of known bugs in Windows NT 4.0 that Microsoft has stated they don't plan to fix. The solution is upgrading to
Windows2000, and of course paying Microsoft the appropriate license fees to do so. If such problems were encountered under an open OS such as Linux, you could fix the bugs yourself.

This is also true for drivers. Have a buggy driver in Linux? Fix it yourself. Have a buggy driver in NT? Live with it.

How many applications do you install/de-install on a PC that is intended for process control anyway? I would hope that only the minimum required software is installed. Anything more and you're asking for trouble--on any OS.
 
D
Over the past year or two I've come up with several situations where I'd like to set up an operator account to run with another user's privileges, though I can't recall what those situations were at the moment. But here's one example of how I would use this feature from day to day.

I am usually logged into my NT machine on my desktop using my regular domain account. However, I often have to do things such as adding a user to the domain using usrmgr.exe or tweaking a policy on a remote machine using poledit.exe. Since my regular user account does not have admin priveleges, I would either have to shut down all my running applications, log out of my machine & back in as Administrator, or else go up to the server room to run the apropriate programs from one of the servers. If, however, I could tell
poledit.exe and usrmgr.exe to run with the priveleges of the domain administrator, I could just run them from my own account without much extra work (though I might want to set it up so it would still ask me for the admin password before running).

And BTW, I do realize that I could add my regular domain account to the Domain Administrators group on the Domain Controller. However, this is a
very dangerous approach since I frequently walk away from my computer at various times during the day and don't always remember to lock it up.
That's not so bad with my regular domain account, but would be very risky leaving an unattended machine logged in as Domain Admin.
 
R
Vegeta wrote:

> In both environments you can set up access permissions for files,
> directories and executables.

But irrespective of what you can set, Linux and all the other POSIX compliant OS's, allow Superuser access as well. The lack of this in NT means that one is often using an Administrator login when a user with occasional su would be
more appropriate, this is not so much a security issue as a failsafe one, it is easier to do damage with administrator rights!

Anyway, AFAIK, the new NT has fixed this limitation, but having never seen such a machine I was wondering how the NT5 'su' compares with 'nix, for example what degree of control do I have?
 
M
Unfortunately, you seem to be the exception. I find it is much easier to find both people and documentation describing how to do things under Linux, which under NT I can't. For instance, I
would like to set up a system that will allow someone make a ppp connection by dialing into the plant to initiate the connection, but then have the plant hang up the phone and dial back to
complete the connection. I did it under Linux, unfortunately, the program that I want to run on the remote system only runs under NT. I've searched Microsofts knowledge base, done newsgroup searches, and web searches, but I haven't found any documents describing how to do it under NT.

Mark Blunier
Any opinions expressed in this message are not necessarily those of the company.
 
R
Davis Gentry wrote:

>If a user needs access to an executable, why not simply assign access
in the policy to his id or group?

A user can develop/install software that is available to him, or just his group, without requiring the intervention of somebody with
Administrator level priviledges. The advantage of this is only really appreciated on large systems however, not your typical NT setup, I certainly think it is a non issue for control apps.
 
R
Pierre Desrochers wrote:

> .. and then Linux will start experiencing the same problem as NT.
> A typicall PC as suffered the installation of dozens and more software
> packages with poorly writen drivers.

No, things are a bit different with open source. Also, the Linux philosophy is to ingtegrate and re-use and simplify, rather than to compete by adding on more. Some wit recently remarked that the Linux user base is growing at about the same
rate as NT source code. I think that sums it up really.

You see allthougth Linux is now distributed and supported by commercial companies, these companies do not get to define how the core stuff evolves, development is led by users and programming purists, not marketing focus groups.
There is a difference.

Have you ever looked at the Linux kernel source code, it is suprisingly readable code. For me it has served as an inspiration to how I write my own software. Not too spartan, not too complex. Clear and straightforward. BTW, in the guides
section of the LDP (www.ldp.org) there are several documents that will help you understand the big picture.

> We have just found the origin of a memory leak in an NT loaded with a SCADA
> app. How would Linux differ from NT in this case... the Software package
> was just not good ...

Linux is simpler than NT, it is easier to get it right. It is also easier to understand what your code should be doing when you can see what your app is calling (and trace into it with a debugger).
 
R
> 2)Everyone is using Microsoft Office. And for getting data from the factory floor to the accounting office in a hurry (or orders in the other direction) it is awfully easy to set up a SQL database that takes data from your Windows application in the factory and feeds it to the Windows application on the cpa's desktop. Getting data to and from the factory is one of our next big jobs in this field. If you are not already
doing it you will be soon.<

This is exactly the sort of thing I am doing, currently I am using Borland C++Builder, but there is nothing here that could not be done on
'nix in the same way. Actually I could do it more easily, but perhaps this is because I know 'nix better. Come to think of it, the Inprise SQL
server you get with C++ builder also runs under Linux, so I could do it the SAME way, with the remote access advantages thrown in for free, but
I am trying to convince myself that windows is somehow better at this.


> If you use Embedded NT you can get the exact same scalability in terms of OS size and complexity that you get with Linux. The big disadvantage is that it is very expensive. The big advantage is that even part time administrators like most of us controls engineers are can use the GUI configuration to build a kernal with an absolute minimum of consulting the book to remember the exact syntax for setting up the driver.<

Can you compile an NT kernel and dynamically configure it with modules? This sounds great, I would love to cut NT down to size, not to mention
eliminate all those reboots. How do you do it.

> You can get that bare green screen on startup by using the policy editor found in the Windows NT Resource Kit (poledit.exe).<

Poledit from the Windows NT resource kit seems to be proposed as a solution to so many problems that I would expect to see it pole position on the Start Menu. Instead, I cannot find it at all. I carfully checked the 'custom'options on the install menu, and no mention of it. Is it in a service pack or something?

> You can mount partitions (or directories for that matter) simply by sharing that partition or directory, then mounting the share name from your remote computer. The default share for any partition is the administrative share, which is the partition letter followed by '$', so for c:\ the admin share is \\computer name\c$ - anyone who has admin privileges can grab it at any time.<

Thats a clever work around, is there any performance hit? Also, what about sec. issues. I assume that any user who will use such links must
have network access to the machine, i.e. an operators login can be used to access a machine remotely.

> The ASCII file configuration certainly sounds really good.
>
> MS Image Composer can edit/import/export your photos. No idea where I got it from - probably a WinNT disk.<

Not mine. Do US distributions of NT have software that the Italian ones do not? Allthougth I have always been using NT workstation, perhaps a lot of commands people keep talking about are only on NT server.

> If I fully understand symbolic links then there is a way to do this with NT. In the Control Panel>System utility, Environment tab, define a variable. For example, say that you are hitting a UNIX server and want to link to a path - define variable name UNIX_PATH, value \usr\bin Then you can call this link elsewhere by the syntax %UNIX_PATH% wherever you need to insert that link.<

Not quite the same thougth is it. For example one use for symlinks is for dealing with programs that have thier own ideas about where files/directories should be. Another is for extending space on a full disk by moving chunks to another linked area. Sometimes you can get away
with NT 'graX-Mozilla-Status: 0009s will not be fooled by this.
 
Top