
WSL vs cygwin

Hi Everyone,

I didn’t see any posts around this lately.

TLDR: My work told me WSL is insecure and that I can use Cygwin instead…

So I’m a network engineer at a large security-minded organization. We have a very locked down Windows environment. I can’t install any software on my laptop myself, desktop has to make pushes to my laptop for me. I come from a Linux background and not being able to use tools like mtr, nmap, whois, and awk is killing me. So I reached out to security asking if they were willing to evaluate WSL for production use. Was just given a vague response that they looked into it and found that it was not secure. We have a local install of Cygwin that I was pointed to. Turns out it’s hot garbage, or at least the package we have local is.

“ls /usr/bin | grep ssh” takes over 35 seconds to return…

Does anyone have any thoughts on security issues with WSL? And does anyone know how I can make Cygwin less awful? Anyway thanks for any thoughts or solutions.

Their response reeks of your typical “I don’t care and I’m too busy to do anything more than pretend to entertain your request” response. I’d like to see them try to explain how WSL is insecure, but Windows is secure.

I remember running Cygwin on my Windows XP laptop back in school and using it to crack into a WEP network. The WLAN card I had didn’t have drivers for Linux so this was the only way I could get the job done.

I used to work somewhere with a similar policy. The Linux admins fought for and got permission for WSL; the main crux of the opposition was that security et al. could not prevent people from installing Linux tools onto a secured Windows laptop once they had WSL. Personally I found it amusing, I had long been using the standalone versions of Putty and MobaXterm to either create SSH tunnels to circumvent security rules that blocked my work, or to run Linux commands and tools that I needed :wink:

I now work somewhere more sensible where local admin is permitted for engineers and sys admins :+1:

EDIT: SPAG

I agree, and I’m going to do more research into this before approaching them again. Kind of was hoping someone had already won this battle lol.

That is an awesome story. I did not have the balls to do something like this when I was younger. It’s also sad that if you did this today and got caught they would expel you without a second’s thought…

My last job was the same. Sure it was a Mac… but I had root and installed homebrew which made it fine. Only been at this job 4 months now, so I’ll see if I can’t break them down lol.

Keep at it, ask “why?” like you are six years old and they’ll crack, they might hate you, but they will crack :rofl:

Believe it or not…it was for school.

I actually think the security guys have something there. When you start getting into things that create sessions, Windows itself is just really shit at separating permissions properly from a controllable standpoint with things like GPO and AD that aren’t the standard kind of user permissions.

Getting access to something like DCOM with sensible permissions in a large environment where you need to be able to control user permissions to what you can touch through it is pretty much a switch flipping from off to on with no steps in between from no access to full.

Not that it can’t be done, but you have to do things like grab ids for things from registry for specific items using VBS (fuckin, ew) and then spread a GPO out to appropriate OUs (or in my instance, to everything that needs to be monitored in my expertise.) Generally as well, Microsoft doesn’t seem to be too hurried on making that kind of stuff easier to manage.

So add in whatever container black magic is involved for WSL, and since we all know that no business on this planet actually keeps their OUs and AD environment sensible it’s just another layer of shit for the people that manage it.

@Hitemlow32 Ever thought of asking for a Linux machine? If that’s not possible the thing I would do is start probing them for “What were the problems you found so far?” and then figure out what would need to be done to make it approved.
