'Nix Is A Different Paradigm

Yeah, I hate that word “paradigm” as much as you do. But it fits here. :slight_smile:

This thread on Slashdot caused me to think (which, in and of itself, is a bit of a prodigy, but don’t go there): Slashdot | Locking Down Linux Desktops In an Enterprise?

This fellow wants to move his entire enterprise from Windows to some form of Linux. The problem is the way that they’re presently implementing security and access control with Windows ADS Group Policies. Apparently, they already have their 300+ users fine-tuned in the AD as to what they can and cannot do. He wanted to know a quick and easy way to move all of that over to a Linux environment.

To me, the most important and interesting responses in the thread were from those who said, “stop thinking ‘Windows.’ Linux is different.” In other words, instead of worrying about protecting the network the way you would under Windows, learn how 'Nix works and protect your network that way.

(It’s not like large systems – including college networks with tens of thousands of workstations – haven’t been using Unix for years to do just that.)

(And while I’m being parenthetical, I’ll also agree with those posters who asked for more details: what does the guy mean by “locking down?” WHAT policies is he trying to enforce? It’s hard to answer his question unless you know more about what he wants to do.)

Everyone already knows that, when you’re moving a Windows user to Linux, they’re going to ask: “where’s [insert name of program] and how do I do [insert name of common Windows task].” Maybe we need to focus on stressing the differences, emphasizing those differences for what they are: STRENGTHS.

I personally think Linux is better because of the way that security is implemented, from the individual workstation all the way up to the WAN level.

What do you think? What would you tell this guy?

Yes, it’s a different paradigm but it’s also a different mindset and those who expect to transfer from one to another instantly are bound to fail. 25 years ago we gave the secretaries where I worked a word-processor to play with; we didn’t tell them to stop using their typewriters. 18 months later the head of the office had organised her work area to use the computer for most wordprocessing and the typewriter for envelopes and she was loving it.

By the end of the 1990s our department was one of the most computer literate in the organisation.

Not long after that I was talking to someone who had given his secretary a computer and could not understand why there hadn’t been an immediate improvement.

You have to think about a three to five year timescale if you are seriously interested in a change in mindset and a change in people’s ways of working.

  • smpoole7 wrote, On 03/11/2009 06:06 AM:

> Everyone already knows that, when you’re moving a Windows user to
> Linux, they’re going to ask: “where’s [insert name of program] and how
> do I do [insert name of common Windows task].” Maybe we need to focus on
> stressing the differences, emphasizing those differences for what they
> are: STRENGTHS.

No, first you must tell users how to do their job with the new application/OS. After that you can focus on strengths, but actually I wonder where you see them comparing Windows to Linux?

Uwe

Interesting … you brought back memories that I had shelved away and forgotten.

I remember in 1991 when we moved our organization off a handful of expensive Macintosh PCs (which were shared by all for general office computing/word processing) to Desktop Intel based PCs (running Windows-3.0) with a PC on every secretary, engineer and manager’s desk. At the time, almost all of the secretaries (not quite - some had to share) had a desktop Macintosh, … and they had to migrate to Windows-3.0.

It was incredibly painful for some, but the fact was (at the time) we could not afford the overhead of a Macintosh on every user’s desktop. Those who had no computer before (and had to share a Mac) were happy now that they had a Windows-3.0 PC on their desk. Those who had to convert from Mac to Windows were incredibly unhappy. Within a year after the conversion start, we had disposed of all of the old Macintoshes, except for one, which we kept for legacy/archived documents.

There was a real mix of pain and interest at the time … It turned out to be a smart move, as our office production (with more computers, and engineers with their own computers so they could type their own documents, without forcing a secretary to retype the document) increased.

On Wed, 2009-03-11 at 05:06 +0000, smpoole7 wrote:
> Yeah, I hate that word “paradigm” as much as you do. But it fits here.
> :slight_smile:
>
> This thread on Slashdot caused me to think (which, in and of itself, is
> a bit of a prodigy, but don’t go there): ‘Slashdot | Locking Down Linux
> Desktops In an Enterprise?’
> (http://linux.slashdot.org/article.pl?sid=09/03/09/236230)
>
> This fellow wants to move his entire enterprise from Windows to some
> form of Linux. The problem is the way that they’re presently
> implementing security and access control with Windows ADS Group
> Policies. Apparently, they already have their 300+ users fine-tuned in
> the AD as to what they can and cannot do. He wanted to know a quick and
> easy way to move all of that over to a Linux environment
…snip…
> What do you think? What would you tell this guy?
>
>

I was tempted to respond… but with what? As you said, the person
is basically looking for WINDOWS. Thus the message is really just
an unintentional (probably) troll.

Or, you can believe that he’s actually looking for a solution and recommend
replacing his winders server(s) with SLES/OES, replace AD with eDirectory,
Exchange with Groupwise, and replace the desktops with SLED or openSuse (or
a combination)…
Might just get a convert…

“cjcox” <cjcox@no-mx.forums.opensuse.org> wrote in message
news:1236785559.25093.1.camel@geeko…
> On Wed, 2009-03-11 at 05:06 +0000, smpoole7 wrote:
>> Yeah, I hate that word “paradigm” as much as you do. But it fits here.
>> :slight_smile:
>>
>> This thread on Slashdot caused me to think (which, in and of itself, is
>> a bit of a prodigy, but don’t go there): ‘Slashdot | Locking Down Linux
>> Desktops In an Enterprise?’
>> (http://linux.slashdot.org/article.pl?sid=09/03/09/236230)
>>
>> This fellow wants to move his entire enterprise from Windows to some
>> form of Linux. The problem is the way that they’re presently
>> implementing security and access control with Windows ADS Group
>> Policies. Apparently, they already have their 300+ users fine-tuned in
>> the AD as to what they can and cannot do. He wanted to know a quick and
>> easy way to move all of that over to a Linux environment
> …snip…
>> What do you think? What would you tell this guy?
>>
>>
>
> I was tempted to respond… but with what? As you said, the person
> is basically looking for WINDOWS. Thus the message is really just
> an unintentional (probably) troll.
>
>

On Wed, 2009-03-11 at 16:26 +0000, Brent Wolfe wrote:
> Or, you can believe that he’s actually looking for a solution and recommend
> replacing his winders server(s) with SLES/OES, replace AD with eDirectory,
> Exchange with Groupwise, and replace the desktops with SLED or openSuse (or
> a combination)…
> Might just get a convert…

Sigh… he’s looking for an EXACT one for one replacement for AD.

Looking to convert… no… NEEDING a consultant/contractor that knows
Linux… yes. Person could convert, but I fear their lack of knowledge
is the one thing that would prevent it from happening.

I’m not sure I understand the question. When you convert someone from ANY OS to another – oldcpu’s comments about switching his shop from Mac to Windows is a good example – people are going to say, “how do I?” and “Where is?”

It can be something as simple as Outlook Express or Internet Exploder; they’ve gotten used to them (and their many quirks). When they first get into Linux, they’ll complain that it’s different.

But the original thread on Slashdot, pointed to above, was from a guy who wanted to migrate a big 300+ user shop from Windows, but had decided it would cost too much. The more I think about it, I believe it was a troll post – someone who was covertly trying to repeat the Microsoft party line about “total cost of ownership” vis-a-vis Windows vs. Linux.

Even taking him at face value, though, the key was to understand that Windows and 'Nix are two different systems. They view security differently. People who’ve come up in a Windows business environment, and who then switch to Linux, are going to ask, “why doesn’t the firewall come up and warn me when a program accesses the Web?” (I get that a LOT.) “Where’s the anti-virus?” (Ditto.)

Then you get into more advanced stuff, like, “I want everyone in the sales department to be able to browse these Web sites, but no one else; they should only be able to print to this particular printer, too.” I can’t speak for everyone, and I’m anything BUT a gunslingin’ Unix SysAdmin, but I’d approach that problem with compartmentalization. It would never even occur to me to put everyone in the building on the same network (speed issues, if nothing else, would prevent me), with One Big Giant Omnibus Big Brother Access System™ to set individual policies like that.

In this particular example, I’d put sales on a separate subnet, with a separate firewall (if need be, with a separate IpCop or pfSense machine to do the Web filtering) JUST for that department. And so on.

  • smpoole7 wrote, On 03/12/2009 03:46 AM:

> I’m not sure I understand the question. When you convert someone from
> ANY OS to another – oldcpu’s comments about switching his shop from Mac
> to Windows is a good example – people are going to say, “how do I?” and
> “Where is?”
>
> It can be something as simple as Outlook Express or Internet Exploder;
> they’ve gotten used to them (and their many quirks). When they first get
> into Linux, they’ll complain that it’s different.

Sure, there’ll be some bitching and moaning, but in a corporate environment, people have jobs to do and tasks to do. Ideally they don’t need the OS at all, only some apps and maybe printing. Switching them over to a different OS and new applications requires a lot of training. Users need to learn new things only to do the same job, so there’s absolutely no benefit for them. Their question “How do I…” is a valid question.

I wonder where you see the strength of Linux in comparison to Windows for the end user.

Uwe

It depends on what you want to do. I fully agree that apps are the key. The audio system that we use at our radio stations is NexGen, and the workstations are Windows-based. There’s no question of us changing for now, either. The only viable Open Source alternative is Rivendell, and we’re not ready to switch to that yet.

The file servers for this same system (we have two in a real-time mirror) run Novell 5.1. We were told that we were the last installation in the country to use that configuration. I don’t know what NexGen is using now for file servers.

But did you read the original post on Slashdot? I think you’re missing my (and the OP’s, over there) question. He wants to convert his shop to Open Source. From his comments, they could do the apps that they need under Linux (with SLED or some other equivalent). The main thing stopping them is the administration stuff that they’re currently doing with Windows’ AD/GPO. They don’t know how to migrate all of that over to Linux.

That’s why I said that the real problem in that case was a lack of flexibility in thinking, and pointed out that I’d approach his problem from a different perspective: if you said that everyone in Sales should only browse certain Websites and access certain hardware, I’d do it with a separate subnet/firewall/Web filter. It would never even occur to me to do it with One Giant Admin Database, à la the way they’re doing it now with Microsoft.

  • smpoole7 wrote, On 03/13/2009 02:46 AM:

> But did you read the original post on Slashdot? I think you’re missing
> my (and the OP’s, over there) question. He wants to convert his shop
> to Open Source. From his comments, they could do the apps that they
> need under Linux (with SLED or some other equivalent). The main thing
> stopping them is the administration stuff that they’re currently doing
> with Windows’ AD/GPO. They don’t know how to migrate all of that over to
> Linux.

Yes, I read it, but I thought your emphasis on strengths referred to the end user experience. I agree there may be things he locked down on Windows which he doesn’t need to lock down on Linux, but assuming he doesn’t need to lock down anything on Linux is just as wrong. Locking down user environments isn’t a security related problem; it helps minimize help desk requirements. Same would be true for Linux. And he’s right, things get expensive then and you can as well leave Windows on the machines.

Who posted that French Police using Ubuntu message? That’s a good example. Some 10.000s machines, all look the same, all users do pretty much the same thing. No need to flexibly adjust rights and settings, one image and you’re done. Pretty close to a terminal. That’s a situation for Linux.
Using Linux on the Desktop in heterogeneous, yet restricted environments is a waste of time and money, IMHO.

Uwe