Go ahead
This must be some new definition of "Secure boot" that I was previously unaware of - it's time to upgrade to Linux anyway.
Lenovo server admins should disable Windows Update and apply a UEFI fix to avoid Microsoft’s November security patches freezing their systems. The world’s third-largest server-maker advised the step after revealing that 19 configurations of its x M5 and M6 rack, as well as its x6 systems are susceptible. Lenovo’s machines are …
Sure, what's the Windows equivalent to systemd?
Sound stupid? That's because it is.
Horses for courses, and I've not worked in a workplace that uses Lync and I've been doing IT and network management for 20 years.
In fact, even Exchange is rare in some industries, even in Windows-only environments.
Hedging your bets on a product that only works on Windows is a dumb business decision, even if "everyone else does it". We found that out in the '90s but some of us never learn.
And with virtualisation, it really doesn't matter what OS the server runs any more, so long as the individual VMs (which is where the Lync Server would sit) have the right OS.
In this case, what we're questioning is why you'd run a Windows hypervisor, not a Windows server serving a Windows-only application that you've decided to standardise on. Plenty of places survive just fine without ever having had, used, or afforded Lync.
Not that that makes Linux any better or worse, to be honest. But at least it's not Mac.
(P.S. 30+ virtual servers, about 60% Windows, 30% Linux).
With cloud services, virtualisation and modern systems, you're an idiot to put all your eggs in one basket. For instance, here, if you had all Lenovo servers with all Windows Server and had - as recommended - auto-update turned on, you would have taken out EVERYTHING in one fell swoop. That's just stupid.
And how long, honestly, before Lync / Skype is "just another cloud-service"? Not long, it's already here:
https://technet.microsoft.com/en-us/cloud/gg671923.aspx
Without turning this into a contest, 30+ servers aren't really much to write home about.
The game changes when running enterprise IT systems when you are dealing with hundreds of servers and thousands of users. For all its faults, Microsoft has a decent directory system that links very well with a lot of its other products.
Now perhaps if a software house wanted to run purely Linux and had the expertise to deploy full Chef/Puppet orchestration then the argument may hold a bit of weight.
PS. I am not a fan of Hyper-V and much prefer VMWare.
>Now perhaps if a software house wanted to run purely Linux and had the expertise to deploy full Chef/Puppet orchestration then the argument may hold a bit of weight.
You should in any case deploy that, it has many advantages over AD, even for windows-only/windows-mostly shops, and can comfortably be implemented alongside AD.
UNIX supported LDAP natively a decade before Microsoft, what are you mumbling? LDAP is quite a widespread protocol. Kerberos is another example, again, was available on UNIX ~20 years before Windows ... just saying.
AD/GPO suck when it comes to managing non-Windows systems or even non-registry-centric programs on Windows, on the other hand, Samba+OpenLDAP+Chef/puppet kicks ass, for those who cannot leave Windows 100%.
That is all very true but the real issue is always the bottom line.
Let's face it, it's cheaper to hire Windows professionals over Linux AND Windows professionals.
If I wanted to deploy Chef/Puppet within an enterprise environment then I would want to make sure that it was done correctly and supported by competent engineers. Windows does a lot of this stuff already for a lower TCO.
I love a bit of UNIX but sometimes you need to be pragmatic when working with limited budgets.
You mean "hire dozens of Windows professionals over" two or three "Linux AND Windows professionals".
One Linux professional can handle many more systems than one Windows professional. The ratios reported are around 50 Linux servers to 1 Windows server... But it does vary. Facebook is reported to use 1 engineer for some 1,000,000 users... or 1 engineer per 130 servers (I believe that was for the same engineer).
But the number varies a lot depending on the environment. For a while I was the Kerberos maintenance (and support) for about 15,000 users scattered across the world using several dozen different computer centers, so I tended to get the admins calling about any problems. If I added up all the servers supported that would be several thousand (between 30 and 100 per center, depending on the center).
Anywhere security was mandatory ... left windows out. You can't secure that.
My point is, saying "upgrade to Linux" is the usual dumb blinkered answer that some people give out as a stock answer, it's a little sad and pathetic.
As you said horses for courses.
(About 4000 servers about 64% Windows, 34% Linux and a smattering of custom black boxes running all kinds of random stuff)
"My point is, saying "upgrade to Linux" is the usual dumb blinkered answer that some people give out as a stock answer, it's a little sad and pathetic"
...and in response, the usual dumb blinkered answer is "Linux is useless because I can randomly think of one application I use that doesn't have a Linux version, even though numerous alternatives exist". The only thing more pathetic than the "Linux does everything" answer is the "Linux doesn't run every Windows application and I don't want to think or put in any effort to migrate" answer
>Horses for courses, and I've not worked in a workplace that uses Lync and I've been doing IT and network management for 20 years.
While I agree with all of the arguments you make, I have to point out that doing something for a long time != doing it well. For example, the Bush family was in the oval office for how long? I'm sure you can think of other examples--nearly everyone works with at least one.
Can you let everyone know the Linux equivalent of Lync?
That would have been fine if Lync actually worked. Ever since it was renamed Skype for Business its "success rate" is about 30%. That drops to sub-10% if there are people on Mac, VPNs, etc.
You can get the Skype For Business functionality on Linux using Google Talk and Google Apps (if you surrender to the idea of Google knowing each and every step you make). It also works properly on a mobile (something Lync stopped doing once it became Skype for Business). IM works. Video works significantly better than Lync, Presence works, whiteboarding and other conference facilities also work and so does calendaring. It has only one massive downside - it pretty much requires VoIP and you need decent data connectivity. Not usable out in the sticks. The upside is that it is significantly more reliable than Skype For Business.
Alternatively - you get that easily using webex + a decent xmpp server of your choice. It is a bit more hassle and you need to cobble it together for a team. It has the advantage that it works pretty much anywhere and the bandwidth requirements are ~ NIL unless you have an idiot PHB in the team which insists on his mug always being displayed to his subordinates.
In both cases you can also integrate 3rd-party systems and apps into that. Something which you can forget about as far as Lync is concerned.
I have to use all 3 of these on a weekly basis and I would overall rate them: Webex, Hangouts and Skype for Business as a very remote unreliable third.
"No problem. Can you let everyone know the Linux equivalent of Lync. Linux is good, but it can't do everything."
I don't know about Lync, but can you let me know how to stop Windows Servers from needing a reboot every month or from being the biggest target of malware?
It's hardly surprising that a vendor's proprietary software package inter-operates with the vendor's other proprietary software.
Also, if other devices are compromised somehow, intruders will look for vulnerable machines to expand and gather more information and privileges....
Pure "uptime" is really a "my dick is bigger than yours" thing - for teenage sysadmins (and lazy ones). The only thing that is important is you have to match your services' needs - including keeping the systems and their data secure. I really don't care if I reboot every n days (including Linux for kernel updates, and some services could need to be restarted anyway to load fixed code...), I only care to perform them when they don't impact services, or impact is minimal and anyway well planned.
> I don't know about Lync, but can you let me know how to stop Windows Servers from needing a reboot every month or from being the biggest target of malware?
How can we stop Linux from needing a reboot every two weeks due to kernel issues?
USN-3147-1: Linux kernel vulnerabilities - 30th November 2016
USN-3126-1: Linux kernel vulnerabilities - 11th November 2016
USN-3107-1: Linux kernel vulnerability - 19th October 2016
USN-3099-1: Linux kernel vulnerabilities - 11th October 2016
USN-3084-1: Linux kernel vulnerabilities - 19th September 2016
USN-3072-1: Linux kernel vulnerabilities - 29th August 2016
USN-3055-1: Linux kernel vulnerabilities - 10th August 2016
USN-3035-1: Linux kernel vulnerability - 14th July 2016
Every OS needs patches. You can elect not to patch any system, but standing up Linux as not needing patches and Windows does is pretty absurd.
Depends on your distribution... Ksplice allows for replacing the kernel without a reboot...
There are also other methods of patching a kernel without rebooting...
You also are not required to reboot - just apply the patches. When you next do a PM/other reason to reboot, then the kernel will be the patched one.
It is up to the administrator and management to decide when to do a reboot.
Unless you are on Windows when it is at the will of Microsoft.
>Unless you are on Windows when it is at the will of Microsoft.
Only if you're daft enough to configure the server to reboot automatically if required. If you're a bit sensible, it will just sit there saying "Patches installed, please reboot", and if you're really sensible, it will sit there saying "Patches downloaded - ready to install".
The idea that Windows forces reboots is totally incorrect.
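The configuration the comment above describes ("Patches downloaded - ready to install", no forced reboot) corresponds to documented Windows Update policy values. The following is an added example, not code posted by anyone in the thread: it reads the current Automatic Updates policy, reports whether a reboot is pending, and shows how an administrator sets the "download only, notify before install" mode. It assumes an elevated PowerShell session on a standalone server; on a domain-joined machine Group Policy would overwrite these values on the next refresh.

```powershell
# Added example (not from the thread). Registry paths are the documented
# Windows Update policy and state locations.
$auKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$pendingKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

# Translate the AUOptions policy value into the behaviour the admin will see.
function Get-AutoUpdatePolicy {
    if (-not (Test-Path $auKey)) {
        return [pscustomobject]@{ Mode = 'No AU policy set (Windows defaults apply)'; NoAutoReboot = $false }
    }
    $p = Get-ItemProperty -Path $auKey
    $mode = switch ($p.AUOptions) {
        2 { 'Notify before download' }
        3 { 'Auto download, notify before install' }
        4 { 'Auto download and schedule install (may reboot)' }
        default { "Unset or unknown value: $($p.AUOptions)" }
    }
    [pscustomobject]@{
        Mode         = $mode
        NoAutoReboot = [bool]$p.NoAutoRebootWithLoggedOnUsers
    }
}

# A pending reboot means the patched code is on disk but the old code still runs,
# which is the risk-management point raised elsewhere in the thread.
function Test-PendingReboot {
    return (Test-Path $pendingKey)
}

# Set the "download, then wait for the admin" mode and disable automatic reboot
# while anyone is logged on. Requires an elevated session.
function Set-DownloadOnlyPolicy {
    New-Item -Path $auKey -Force | Out-Null
    Set-ItemProperty -Path $auKey -Name NoAutoUpdate -Value 0 -Type DWord
    Set-ItemProperty -Path $auKey -Name AUOptions -Value 3 -Type DWord
    Set-ItemProperty -Path $auKey -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord
}

# Report current state before and after applying the policy.
Get-AutoUpdatePolicy
Set-DownloadOnlyPolicy
Get-AutoUpdatePolicy
"Reboot pending: $(Test-PendingReboot)"
```

Mode 3 leaves the patches staged on disk; the kernel-side equivalent in the Linux comments is installing the new kernel package and choosing the reboot window yourself. Either way, Test-PendingReboot returning true is the signal that the machine is still running unpatched code.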
Is Ksplice the default? No, it isn't. It *can* be used, and you have to test carefully that it won't create more problems than it solves.
Sure, you're not required to reboot - but until you do, the old kernel is active and any vulnerability in it also. It's a matter of managing risks.
Nor does Windows Server reboot on its own unless you configure it to do so.
>How can we stop Linux from needing a reboot every two weeks due to kernel issues?
there is a reason why firewalls and other security related devices run older vetted kernels... if you are going to run bleeding edge stuff on your servers (and even workstations) you will be cut and have some blood loss at some point...
but then again, the v4 of the linux kernel has introduced inline patching (or something like that) where the kernel gets the fixes but the machine doesn't have to be rebooted...
so -1
>Every OS needs patches. You can elect not to patch any system, but standing up Linux as not needing patches and Windows does is pretty absurd.
but i tend to agree with this statement in general so +1
that's a balance so your points remain the same ;)
>Linux equivalent of Lync.
>You know the one that does IM, Video, Presence, whiteboarding, all with office suite and calendaring?
BS, Lync is so bad that they replaced it with Teams, which also suffers some of the same issues ... like, messages not appearing ... you get the notification pop up "New message from x", then you go to the conversation with "x", and of course, the message is not there ... yes, a reboot temporarily fixes it, but that does not count, right?
Anyway, POL is your friend, if you insist on that crap ....
I find pidgin(with sipe) works just fine for me. The whiteboarding crap in lync just plain does not work in a properly secured environment. Desktop sharing in lync works, but it really doesn't suit my requirements.
Other than the fact that having Lync and Outlook365 running on a windows system eventually chews up every last scrap of ram and then some, eventually hanging windows, I don't see an advantage to S4B.
No problem. Can you let everyone know the Linux equivalent of Lync?
You know the one that does IM, Video, Presence, whiteboarding, all with office suite and calendaring?
And that's just one example.
Linux is good, but it can't do everything.
But wouldn't NOT running Lync be a feature rather than a shortcoming???
I only have experience of using a single Lenovo product - the Thinkpad W541. And I think it's a bag of washing. For its spec it's slow, expensive and it refuses to boot Ubuntu. Under both Windows and Mint the screen flickers when watching videos and despite an outstanding support case that I registered with the thing over a year ago, no answer. The support for projectors is dire (one or the other, not the two at the same time).
I guess the same "get it out the door fast" approach to firmware applies to servers as well as their laptops.
> time to upgrade to Linux anyway
Good luck with trying to dual boot Windows 10 and Linux. I tried for a day to get round UEFI problems (on an HP junker, not a Lenovo) and concluded that whatever Win10 had done to the UEFI meant that none of the recipes and tricks for dual boot installation worked: all I could ever boot was bloody Win10, even though Linux Mint had installed perfectly.
Solution: blew away Windows completely on that machine. Worked like a charm.
Wouldn't be surprised.
Another well-known Lenovo "feature" is on their Desktop / Laptop range. If you install a new, standalone, licensed MS Office without wiping the machine and reinstalling the OS[1], it fucks the licensing up. Apparently Lenovo have done something naughty to the OEM version of "Get Office". Uninstalling the "Get Office" app doesn't help as they haven't tweaked the uninstall routine to recognise and remove the registry keys they've cocked up...
So, proven form for playing fast and loose with the MS standards...and not getting away with it(!)
[1] Ok you can manually edit the registry but, given Lenovo's record, it's safer to nuke the site from orbit.
As an end user I don't see this problem. And, kindly, Microsoft automatically install my Win10 updates that will work 100% of the time and will never brick my system, alter its configuration or impact my workflow at all.
Thankfully, Microsoft have explained that they are infallible, always correct and there'll never be an occasion when they get it wrong and cost me time and money so I'm happy for them to continue.
Windows doesn't affect your hardware. Simply blacklist some UEFI policies which are deemed insecure. Of course the system won't boot if it relies on them.
But wouldn't that be the ultimate method for making MSWin secure; prevent it from ever booting up?
MS have previous form with this sort of shite..
Not quite on the same scale.. but some baytrail tablets have been bricked by MS updating the firmware on the device.. Reboot.. dead tablet.
The only way to recover the tablet is to reflash the firmware with an external hardware programmer.
One guy has had MS pay for the repair.
See http://linxtablet.co.uk/viewtopic.php?f=36&t=2253
>Not quite on the same scale.. but some baytrail tablets have been bricked by MS updating the firmware on the device.. Reboot.. dead tablet.
While back I saw the same thing on an HP AIO machine. IIRC Win 10 (may've been 8, should search the comments for my post) was updating the firmware as part of the updates, only screwed things up such that the machine would only boot with a small few RAM modules - in that case a 1 or 2G module. Only found it by fluke. Fix was to install 8, then re-flash to the latest HP firmware, then make sure 10 couldn't install on the machine. Took us a couple of events before we understood what was going on.
This was a user machine, so updates were automatic (no other option) and reboots were forced (no other option, not even to save open files!)
(quick search - original post is http://forums.theregister.co.uk/forum/containing/2681764 )
Microsoft still think people will trust them to deliver Windows as a service when it borks good machines and then pass off the problem to Lenovo to fix?
While I may not be a friend to Microsoft, I wouldn't put it past Lenovo to have cocked this one up. I'm sure they acquired a whole bunch of operational procedures from IBM when they bought out the rack server systems.
Even after all the previous recent software disasters and now this from Microsoft server software, Lenovo remains abnormally committed to Microsoft - to the extreme degree of dissing configuration requests for Redhat or SuSE Enterprise Linux on their servers and being embroiled in dispute over Linux install on their Yoga tablet.
Any person, business, organization or government interested in deploying the far superior Linux or BSD UNIX-like operating systems (OS) for their reliability, performance or security needs should never consider Lenovo, unless they too, like Lenovo, have Redmond's finger up their anus.
Lenovo has almost every flavor of Linux for their servers. https://lenovopress.com/osig#support=all They have alliance agreements with Redhat, and they install more SAP than any other vendor on SuSE.
True, more work needs to be done to include more Linux-friendly hardware on a subset of their tablets/laptops. http://mjg59.dreamwidth.org/44694.html
Or Slurp is installing backdoors that require some UEFI policies to set differently. Wouldn't be surprised either way. My limited experience with UEFI is it an incompetent "solution" to the problem of 'bloat being a buggy mess. Instead of fixing 'bloat, Slurp forces others to find a solution. Mine is not to use 'bloat.
I was called in to help set up a new desktop. Not as a tech consultant, but as a relative. On another table was a kaput 2013-era HP Pavilion, regraded to Windows 10. Its demise had been foretold months earlier by it taking more than an hour to boot up. But by then it was in repair mode loop, tested for hours. I thought I'd take a stab and the only thing I could think of was to change the boot order in BIOS, boot a PE USB and remove the suspected malware. A first attempt didn't change anything. The second, deeper, attempt caused the computer to make me enter a 4-digit code. I believe that was defeating the UEFI-thing, but what do I *know*? Sadly, it didn't boot my USB stick, but happily it did boot to Windows 10. It was obviously a damaged Windows 10, but at least I was able to remove about 1,000 unwanted entries with mwb. Also removed one protection service that the owner had signed up for, leaving two still there. Then I connected the Internet, which may have been a far bridge. 12 hours later, much had changed on the display, including improved screen resolution, but also a different colour scheme with a yellowish-greenish cast. I thought, oh maybe there was a piece of software that filtered out blue during night time, but couldn't find such a thing on the computer. Or maybe a hardware issue had developed. Don't know the conclusion, as my time at the venue was up.
Anyway, this story is too long. No smoking gun, but it does tend to support the thought that a UEFI computer was borked by a Windows 10 upgrade. But who cares? Perhaps more importantly, it instantiates (couldn't resist) a way that might make use of perfectly good computers without tearing them down for parts: change the boot-order so drastically that it makes you input the UEFI-breaking code.
Please correct my mistakes!