Tuesday, 8 December 2009

The Bolt-on Operating System

For years I’ve wondered why on earth so much is crammed into the Windows base image. Sure, they’ve got a decade worth of hardware to support, and since vendors don’t create standardised, reusable code like Linux, this is a significant factor in bloat.

But one of the longest running gripes I have with Microsoft’s OS offerings is that all manners of features are included that I don’t care about – and some that I am super-passionate about are just plain gone! The base installation for almost any major distribution of Linux will include a lot of productivity tools, but leave out some others. It comes down to personal choice, but since all the software is free and available to install from the Internet, this is no inconvenience at all - assuming good Internet connectivity.

That last point is actually quite big, since the distribution may contain an impressive array of software, in the end I’m probably going to want something that didn’t ship on the CD. Can’t have it both ways I guess.

But obviously, the last thing Microsoft would want is to not install something, then have you go back to the installation disc for the features you’re enabling. Of course, they STILL haven’t figured out that Unknown Device from Unknown Manufacturer isn’t a helpful message.

One of my recurring gripes (that is before I started blogging, so I can’t really prove it) is that my Windows Server has a GUI. Seriously, I don’t want a GUI. I want my apps installed on my server, and the management interface installed on a workstation somewhere else. Or the way Linux handles it, X as a process, in my own privilege space that can be launched just for me, and perhaps VNC or X-like somewhere else. The problem of course is that almost every Windows application requires a GUI to install. Sure, MSIs offer silent installs, but so often these line-of-business apps don’t have neat MSI or respect the silent option.

There are two things I’m getting at here;

First, even though the product is named “Windows”, and it’s grown out of a desktop graphical OS that pretty much reinvented the way we deal with computers (though much cred to Apple), I want a server. No people standing in front of it, so no pretty colours required. All the prettiness should be produced by the apps and displayed as IP packets. And on the same note, I see a bunch of sound drivers hanging around.

Well, Windows Server 2008 has the Core option you tell me. It’s a good step in the right direction, but I was genuinely disappointed to see the command prompt surrounded by a window. MMC is still there. I had actually expected to see a text console only, no graphics. Quite simply, it’s a waste of resources. Any app, service or component worth its’ salt is manageable remotely, from simple DHCP up to complex SQL Server clusters. It’s also a danger, as I recall at least one major outage at a previous company thanks to faulty graphics card drivers from <server vendor name censored>. And the GDI component, dating back to Windows 95, handles page and print rendering. Exploits in the 16/32 bit era and in the 32-bit era come to mind. That last one spans products over three release generations, all for a component that doesn’t belong there in the first place.

If I want graphics processing, print rendering etc, then let me add it on later, the way I would Ghostscript on Linux to make a PDF. That brings me on to my second point, and the trust of my argument: components that don’t belong.

The Sasser worm devastated computer estates around the world, by exploiting code hooks in the LSASS.exe process that handles security arbitration between requesting apps/users and security providers. Read closely into the articles, and you’ll notice that it is specifically a problem with code for dcpromo, the process that turns Windows Server into a Domain Controller. The applicable hotfixes patch the code on Windows Server.

On XP, the hotfix removes the code.

Just what was it doing there in the first place? I know the server and desktop products share a codebase, but this irks me. I’ve personally implemented (though not used) a hack to enable RAID on Windows XP that officially doesn’t support it, since the raid driver and all the GUI code is present but disabled. I suspect the same is true of the EFS code in all Home versions of Vista (since you can read EFS-encrypted files from Windows XP upgrades just fine).

Windows Server 2008 requires you to specifically add features to your server before activating them, like AD Directory Service (AD DS), and installations of SQL Server and Exchange (at least) check for updates to the installer before running, getting them closer to the model of Linux distributions – adding a feature from the online repository ALWAYS adds the latest version.

In the end, the development models of these two are very different, so I’m keen to see what further advances can be made on both sides. As always, security and functionality butt heads, somehow I end up with the headache…

No comments:

Post a Comment