Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game to Didlysquat

Re: The FAQ and User Accounts

said by Didlysquat:
While we're on security of Win2K/XP/XP Home, there is NO file system security if the partition is FAT32.

Exactly, and even then many do not know how to take control of it.

Windows XP: Access control via Security
with screen shot

»www.windowsecurity.com/t ··· ity.html

Also, not many are told: "It's best to run antivirus and spyware removal tools in Safe Mode." This is because removal tools sometimes can't remove spyware from your computer while it's running.

The problem is compounded since some of those you will be helping have a full clean install of XP while others did an upgrade from 2000 or ME, and you also must know whether the user is running Home or Pro.

Overview of All Groups in Windows XP
»www.kellys-korner-xp.com ··· oups.htm

Protect your files in XP

»www.maxpc.co.uk/tutorial ··· 0&page=2

Understanding Shared Folders in Windows XP Professional
»www.winxpsolution.com/Un ··· Pro.aspx

Take more control
If you're running Windows XP Professional (or Windows XP Home edition in Safe mode), you have the ability to configure NTFS permissions in a much more granular fashion.

keith2468
Premium Member
join:2001-02-03
Winnipeg, MB

keith2468 to Didlysquat

quote:
While we're on security of Win2K/XP/XP Home, there is NO file system security if the partition is FAT32.
Correct.

That leaves the registry, and things on disk that the scanner locates through the registry (like Ad-aware and the cookies folder).
The Antihero
join:2002-04-09
Enola, PA

The Antihero to jvmorris

I had to clean up a machine for a friend. Her machine had three accounts. One for her and one for each of her two daughters. I ran Adaware, Spybot, and Spysweeper. I ran them under all three accounts, and they were picking up things in the other accounts that hadn't been picked up in the first one. In fact, there were a few registry keys that I couldn't get rid of without being in the right account. Even when I was in the administrator account, I still couldn't get rid of some of them, which I thought was really weird. Like someone else said, I would have expected that account to have complete and total access to everything.

jvmorris
I Am The Man Who Was Not There.
MVM
join:2001-04-03
Reston, VA

Interesting (and unexpected) situation, isn't it?
Didlysquat
join:2004-06-23
Knoxville, TN

Didlysquat to jvmorris

Ok, I cleaned a machine with Ad-aware which found the following:

180Solutions
BlazeFind
Golden Palace Casino
IBIS Toolbar
ImIServer IEPlugin
istbar
WinFavorites
VX2
DyFuCA

Under the admin account it cleaned everything above except DyFuCA, which it did not find.

After scanning/cleaning the admin account, I scanned the other user account and everything was fixed except the following:

Golden Palace Casino
istbar
DyFuCA (which was not found under the admin account).
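
The per-account results reported in the posts above, as an added example that is not part of the thread: each user's HKEY_CURRENT_USER is a separate hive file (NTUSER.DAT) that is mounted under HKEY_USERS only while that user is logged on, so a scan run in one account does not see another account's per-user entries. This read-only PowerShell script, which assumes a current Windows with PowerShell and an elevated prompt, lists the per-user Run autostart values for every local profile; the `Offline_` mount name is made up for the example.

```powershell
# Added example (not from the thread). Run from an elevated prompt; it only reads.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$runSubKey   = 'Software\Microsoft\Windows\CurrentVersion\Run'
$psNoise     = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

$results = foreach ($entry in Get-ChildItem $profileList) {
    $sid = $entry.PSChildName
    if ($sid -notmatch '^S-1-5-21-') { continue }       # skip built-in service profiles
    $profilePath = (Get-ItemProperty $entry.PSPath).ProfileImagePath

    # A logged-on user's hive is already mounted at HKEY_USERS\<SID>.
    $node    = $sid
    $mounted = $false
    if (-not (Test-Path "Registry::HKEY_USERS\$node")) {
        # Logged-off user: the hive exists only as NTUSER.DAT in the profile folder.
        $hive = Join-Path $profilePath 'NTUSER.DAT'
        if (-not (Test-Path -LiteralPath $hive)) { continue }
        $node = "Offline_$sid"                          # temporary mount name (constructed)
        & reg.exe load "HKU\$node" $hive 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Cannot load $hive"; continue }
        $mounted = $true
    }
    try {
        $key = "Registry::HKEY_USERS\$node\$runSubKey"
        if (Test-Path $key) {
            $props = Get-ItemProperty $key              # $null when the key has no values
            if ($props) {
                $props.PSObject.Properties |
                    Where-Object { $_.Name -notin $psNoise } |
                    ForEach-Object {
                        [pscustomobject]@{ Profile = $profilePath; Name = $_.Name; Command = $_.Value }
                    }
            }
        }
    } finally {
        if ($mounted) {
            [GC]::Collect()                             # release handles so the unload succeeds
            & reg.exe unload "HKU\$node" 2>&1 | Out-Null
        }
    }
}
$results | Format-Table -AutoSize -Wrap
```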

TerryMiller
Premium Member
join:2003-10-23

TerryMiller to jvmorris

I'm running AdAware and Spybot under a limited account right now with NTFS and fairly strict file permissions. AdAware hung during the update, which I'd never tried before on this account, but after ending the app and restarting, it's scanning fine; as a matter of fact, both just completed.

Edit:

I guess AdAware didn't hang on updating. I must not have had permission to close the updater, because I couldn't close AdAware either without using task manager to kill it for me.
60632649 (banned)
join:2003-09-29
New York, NY

60632649 (banned) to dave

Hate to say it but you're wrong.

»www.microsoft.com/downlo ··· ylang=en

SubInACL.exe

You can set arbitrary ownership.

Even if no other access is granted or in fact is explicitly denied, all it takes is resetting it then all access is granted to the arbitrary account. That doesn't include decryption, that's separate access and depends on what certificates are granted permission to decrypt.
dave
Premium Member
join:2000-05-04
not in ohio

Requires use of backup/restore privilege. As I said:
quote:
If you happen to know how to invoke the (documented) arcane operations needed by backup/restore programs, you can do it.
Fairly obviously, the authors of subinacl.exe know how.

But here we're talking about (a) whether random scanning programs know how, and (b) whether you'd want to run one anyway.
60632649 (banned)
join:2003-09-29
New York, NY

I think ripping an API trace of what a known MS provided program is doing to change ownership is pretty trivial for any decent author. So... (a): duh... (b): depends.
dave
Premium Member
join:2000-05-04
not in ohio

said by 60632649:
I think ripping an API trace of what a known MS provided program is doing to change ownership is pretty trivial for any decent author. So... (a): duh... (b): depends.

Why bother with all that when you can just read the documentation?

My experience, however, is that most programmers can't read the documentation. I agree it's trivial for any decent programmer. However, there aren't so many of them around.

Just look at how many programmers haven't yet grasped that Windows NT/2000/XP is a multiuser system. Just look at how many have not yet grasped the admin/user distinction.

And no matter how good the programmer, I still don't want a scan program screwing around with object ownership on-the-fly.
60632649 (banned)
join:2003-09-29
New York, NY

Because even after reading the docs, there are still hundreds of API calls, and sometimes, a quick trace tells you specifically what to read up on. Nothing more really, sometimes it's quicker.

And my experience is that most so-called programmers suck and program from drop-down menus, if they can even get that far. But not all of us.
B04
Premium Member
join:2000-10-28

B04 to dave

said by dave:

Just look at how many programmers haven't yet grasped that Windows NT/2000/XP is a multiuser system. Just look at how many have not yet grasped the admin/user distinction.

You mean our friends at Google who are now putting their name behind Picasa, breaking both those rules (and others)?



-- B