

rchandra
Stargate Universe fan
Premium
join:2000-11-09
14225-2105

1 edit

reply to k1ll3rdr4g0n

Re: There is something not right

Sorry, I apologize. Grand stupidity on my part, it looked like a screen shot. I don't spend as much time on BBR as I used to, and I hadn't seen that feature before.

Also, so sorry that you're so displeased; but I'm going to ignore your advice not to counsel people on running computers more securely. We'll just have to disagree I guess on outlook; I don't have the defeatist attitude that no matter what, I'll be p0wned, and therefore you at least seem to be implying don't even try because it's hopeless.

Oh, and I was reading along on that page to which you linked. It's basically saying, in part, what I was advocating, albeit for a different environment: don't run as the superuser (which is close to being in the Administrators group in Windows, but not quite...you need the well-known SID for SYSTEM in your security token to be truly superuser on Windows).

As for the complaints about having to log in as admin anyway, yes, that should be done, PITA that it is. A good percentage of installers with which I have personal experience run great under sudowin or runas...the most notable exception for me being that MS updates will mysteriously fail, even if I run runas /user:someadmin iexplore. It's as the author states though: it's the stupidity of the software (in some cases, installer) authors. If at all possible, one should not patronize products whose installers are wonky like that, and moreover those which will not run properly without special privileges.

If you happen to have a thorough enough understanding, go mucking about with things like procmon, regedit, and setacl, and only make the bare minimum of files and registry entries more permissive. For me, it's been well worth the initial effort. I've had my %USERPROFILE% corrupted a couple of times by malware, but because the user under which I was running had very limited rights to anything else, that's all I had to do: recreate a few personal things but the rest of the system was fine.

Same thing goes when I'm running in a Linux environment: I've had some damage done in my home directory, but it was relatively easy to fix because of the limited rights I have around my systems, and for keeping a couple of backups around.

k1ll3rdr4g0n

join:2005-03-19
Homer Glen, IL

said by rchandra:

Sorry, I apologize. Grand stupidity on my part, it looked like a screen shot. I don't spend as much time on BBR as I used to, and I hadn't seen that feature before.

Also, so sorry that you're so displeased; but I'm going to ignore your advice not to counsel people on running computers more securely. We'll just have to disagree I guess on outlook; I don't have the defeatist attitude that no matter what, I'll be p0wned, and therefore you at least seem to be implying don't even try because it's hopeless.

Oh, and I was reading along on that page to which you linked. It's basically saying, in part, what I was advocating, albeit for a different environment: don't run as the superuser (which is close to being in the Administrators group in Windows, but not quite...you need the well-known SID for SYSTEM in your security token to be truly superuser on Windows).

As for the complaints about having to log in as admin anyway, yes, that should be done, PITA that it is. A good percentage of installers with which I have personal experience run great under sudowin or runas...the most notable exception for me being that MS updates will mysteriously fail, even if I run runas /user:someadmin iexplore. It's as the author states though: it's the stupidity of the software (in some cases, installer) authors. If at all possible, one should not patronize products whose installers are wonky like that, and moreover those which will not run properly without special privileges.

If you happen to have a thorough enough understanding, go mucking about with things like procmon, regedit, and setacl, and only make the bare minimum of files and registry entries more permissive. For me, it's been well worth the initial effort. I've had my %USERPROFILE% corrupted a couple of times by malware, but because the user under which I was running had very limited rights to anything else, that's all I had to do: recreate a few personal things but the rest of the system was fine.

Same thing goes when I'm running in a Linux environment: I've had some damage done in my home directory, but it was relatively easy to fix because of the limited rights I have around my systems, and for keeping a couple of backups around.

Sorry if that sounded hostile, but from your first couple of sentences and the general atmosphere of DSLR, it made me feel uneasy.

I don't believe in no security, but there is a saying "There is security, then there is insanity." I have seen many environments where the insanity was apparent. For example, I don't see the merit in making a MySQL user that can only access from a specific IP address...when the network is protected by 2 firewalls. The only thing I can see that you are protecting against is yourself.

If you are working with things that will potentially wreak havoc on your system, then you should set up a sandbox...it's definitely a lot easier than being a perfectionist and tweaking the permission on everything.

I too have noticed that updates fail when using runas. It really is a shame that Microsoft hasn't adopted the mindset of Linux (when you need admin rights, prompt for your username/password). I should say in a sane way. Ubuntu doesn't prompt me when I want to change a simple setting, such as screensavers, but if I want to change usernames/passwords then it will prompt me.

»force.coresecurity.com/ is a program you may be interested in if you don't already know about it.


rchandra
Stargate Universe fan
Premium
join:2000-11-09
14225-2105

1 edit

no, hadn't seen that before, thanks.

still was grand stupidity and arrogance on my part. I ought to know by now things aren't always as they look.

edit: forgot to say...I didn't want to give up on running as a very limited user, but at the same time, my choices for the program I had in mind, Avaya IVR Designer (AID), while writing that stuff about procmon etc. were: bend the system by "unholy" ACL additions, or go find work somewhere else. The latter seemed lots more difficult. I was an IVR programmer who was thus forced to use AID (and its bundled Borland database dependency). All I can think is, Avaya must have written it or contracted to have it written back in the Win98 days when there basically was no security.

For the sandbox, I like QEmu (usually Linux host with XP guest) in nonrecording mode, which I can always commit the changes back to the "real" disk image if things seem OK.

I've always found that IP address restriction facility in MySQL more trouble than what it's worth...much more worth it to work on application level security like TLS and strong passwords.
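
An added example, not code from any poster in this thread: one way to turn the procmon approach mentioned in the posts above (finding the bare minimum of files and registry entries to make more permissive for a legacy program run as a limited user) into a repeatable check. It assumes a Procmon trace saved as CSV with its usual column names; `legacyapp.exe`, every path in the sample, and the depth threshold are invented for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample in the column layout of a Procmon CSV export.
# legacyapp.exe and every path below are invented for illustration.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.10","legacyapp.exe","4120","CreateFile","C:\Program Files\LegacyApp\data\app.lck","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.15","legacyapp.exe","4120","CreateFile","C:\Program Files\LegacyApp\data\app.lck","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.30","legacyapp.exe","4120","RegOpenKey","HKLM\SOFTWARE\LegacyApp","SUCCESS","Desired Access: Read"
"10:01:02.31","legacyapp.exe","4120","RegSetValue","HKLM\SOFTWARE\LegacyApp\Settings\LastRun","ACCESS DENIED",""
"10:01:03.00","explorer.exe","1500","CreateFile","C:\Windows\Temp\x.tmp","ACCESS DENIED","Desired Access: Generic Write"
"10:01:03.20","legacyapp.exe","4120","CreateFile","C:\Program Files","ACCESS DENIED","Desired Access: Generic Write"
'''


def denied_targets(csv_text, process_name):
    """Count ACCESS DENIED hits per object for one process, split by kind."""
    found = {"file": Counter(), "registry": Counter()}
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))  # tolerate a BOM
    for row in reader:
        if row["Process Name"].lower() != process_name.lower() or row["Result"] != "ACCESS DENIED":
            continue
        kind = "registry" if row["Path"].upper().startswith("HK") else "file"
        found[kind][row["Path"]] += 1
    return found


def too_broad(path, min_depth=3):
    """Flag objects so close to a root that loosening them would affect other software."""
    return len([part for part in path.split("\\") if part]) < min_depth


def review(csv_text, process_name):
    """Return (candidates, rejected): objects worth a narrow ACE vs. ones to leave alone."""
    candidates, rejected = [], []
    for counter in denied_targets(csv_text, process_name).values():
        for path in sorted(counter):
            (rejected if too_broad(path) else candidates).append(path)
    return candidates, rejected


if __name__ == "__main__":
    ok, skip = review(SAMPLE_CSV, "legacyapp.exe")
    print("grant narrowly:", *ok, sep="\n  ")
    print("do not loosen:", *skip, sep="\n  ")
```

The candidate list is the input to a tool such as setacl; anything in the rejected list points at a shared parent where a looser ACL would reach well beyond the one program.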

