psloss
Premium
join:2002-02-24
Alpharetta, GA
| reply to Tuulilapsi
Re: MVP Summit: Friday notes
said by Tuulilapsi  :I believe MS should market limited user much more aggressively. That would be good for both their users' security and the reputation of NT as a secure operating system. It's bloody amazing how many "professionals" don't know about limited user on Windows. (Sorry for extending this tangent again, but...)
We've already gone back and forth on non-admin accounts in the past week, but I think it's worth noting again: limited/non-admin accounts are incompatible with too many apps. Microsoft may have had an opportunity way back when (perhaps with the NT 4 move to the Windows 95 Shell) to try to influence developers to make NT-compatible software, but it's actually going to be more effective for them change Windows than to try to coerce third party developers to "correct" incompatibilities in third party code.
(I would presume that the "Win9x emulation" being built into NT 6.0/Vista to provide Win9x compatibility will allow limited/non-admin user accounts to be marketed more heavily.)
I'm not sure what to make of the answers to Steve's "dogfooding" question. In the absence of information about other factors, it seems disappointing; however, I'd be more specifically interested in whether their application development and support "groups" (and others) walk that talk. I'd be curious about that breakdown of the presenters/speakers.
Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org |
|
dave
Premium,MVM
join:2000-05-04
not in ohio
 ·Verizon Online DSL
 ·Verizon FIOS
| take no prisoners
said by psloss :but it's actually going to be more effective for them change Windows than to try to coerce third party developers to "correct" incompatibilities in third party code. Coerce, hell. They should set out to deliberately break non-conforming software, and pre-emptively tell customers why they're going to do it.
"QuickBooks is a security hazard. Microsoft will protect you from dangerous software like that." |
|
Tuulilapsi
Kenosis
join:2002-07-29
Finland
1 edit | reply to Steve
Re: MVP Summit: Friday notes
Yes, I understand there are in fact many programs that due to bad coding flat out refuse to work on nonadmin accounts. I suppose I've been lucky with my software. You, of course, are a programmer, so I can see how you'd run a much wider variety of different software than I do, and so you'd be more likely to face misbehaving apps.
That's a very good point you make about creator/owner, and one which people often seem to forget when recommending the use of MakeMeAdmin and the kind. I myself keep my admin and nonadmin accounts strictly seperate. The only thing I need to elevate my account to admin status for is changing the power saving options, but I only have to do that once, with the new installation, and that doesn't create the creator/owner issue.
I've been increasingly trying to spread the word, contacting the developers and urging others to do so as well, upon discovering programs that misbehave as non-admin. The day we see Windows nonadmin accounts become as common as Unix user accounts is the day many of the Windows security sucks myths come crashing down. Loudly.
Edited: I would actually readily support Dave's suggestion. 
--
And lead me not into temptation - for I can find my way there myself easily enough. |
|
psloss
Premium
join:2002-02-24
Alpharetta, GA
| reply to dave
Re: take no prisoners
said by dave :Coerce, hell. They should set out to deliberately break non-conforming software, and pre-emptively tell customers why they're going to do it. "QuickBooks is a security hazard. Microsoft will protect you from dangerous software like that." If they just changed the default account type in XP to limited user, I think they'd be there today, except for the "Hall of Shame" prompting. Maybe if they were to channel someone/something like Marvin from "Hitchhiker's Guide to the Galaxy" for insulting prompts it could be mildly entertaining...although I guess it depends on whether one insults the user or the ISV.
--
Feedback? e-mail: stuff@lupwa.org |
|
Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
 ·Shaw
| reply to Steve
Re: MVP Summit: Friday notes
One of the big cheeses had the correct response in my mind anyways and you know if he is going to do it, then everyone else in the company (except maybe one guy) is going to do it also (that would be a hint for just about anyone). He is currently running as Admin for another couple of months when he switches over to Vista at which time he will be running as a non-Admin. The problem is while the current OS had multi-lever users, it was never used in such a fashion by anyone, hence a lot of software breaks at non-Admin level including the OS. So a new OS is needed to correct these problems, and once that is done the idea of running as a non-Admin works, hence why the short wait at MS, and the slightly longer wait for the rest of us. Now I run my kids with non-Admin on their computers which works fine as they don't have too many issues, but certainly issues exist for people using more advanced software. Microsoft knows this and I think they 'got it' with Vista and so its workable as a non-Admin, now the question is will the third party vendors get it. Link Logger works with non-Admin as it was a goal for me four years ago, but somethings are only available to Admin users as that was part of the 'security' setup (ie only Admins could change the IP address of the firewall). Users will also have to learn that some software features or functionality of some products will be reserved for Admin level users and that is in itself is an issue. In short based on what I saw and heard from Microsoft during the meetings and some of my discussions with other folks (both Softies and otherwise), I know I can safely say that Microsoft 'got it', and their future products will demonstrate that.
Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
|
bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
clubs:  | reply to Steve
And the sad thing is that Jim Allchin goes to retirement or elsewhere when VISTA is Gold.
That is the saddest news from the Summit.
The replacement plans for senior exec's is unclear. Jim will be missed big time. |
|
jig
join:2001-01-05
Hacienda Heights, CA
| reply to Steve
Some quick questions:
Does the windows rights management services suite include a widget to scrub documents before distribution? My guess is no, since the services seem to be meant as a general tool, rather than office specific, say. But, at the same time you mentioned that you could allow/deny copy paste so maybe revision history is also locked down by default or something.
"Clear my tracks" does/doesn't scrub the physical disk location where the browser history etc were before deletion? You mentioned FBI...
IPsec without encryption is sniffable, correct? IPsec domain isolation sounds fun.
What is Antigen? Or maybe a better question, why do they call it antigen?
Is it particularly hard to falsify IPsec credentials? |
|
Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA
| said by jig :Does the windows rights management services suite include a widget to scrub documents before distribution? My guess is no, since the services seem to be meant as a general tool, rather than office specific, say. It does not. RMS doesn't know anything about applications - it appears to just manage data streams - but an application can choose to do what it likes. Office is what defines and enforces the list of things ("no printing", "disallow paste", etc.) to restrict.
I don't know of any "scrub document" features, but I seem to remember hearing that Office might have this somewhere. But I doubt RMS has anything to do with it."Clear my tracks" does/doesn't scrub the physical disk location where the browser history etc were before deletion? You mentioned FBI... It doesn't do a secure erase, I was joking about the FBI, and this is a fine time to remind everybody that I speak for myself only and never ever speak for Microsoft.IPsec without encryption is sniffable, correct? Yep, sure is: ESP+NUL is essentially in cleartext. In a switched environment, sniffing is not quite the same risk that unauthorized access of resources is.What is Antigen? It's an antivirus technology that they seem to have purchased from Sybari, with unknown plans for some kind of integration into Windows. I saw a drive-by of the technology on the first day, but I skipped the Antigen deep-dive session on Saturday so I could learn more about IPsec.Is it particularly hard to falsify IPsec credentials? I think it's pretty hard, but it depends on how the key exchange is done up front. One can use something really simple, like a manual shared secret, or more advanced stuff with certs and/or kerberos, but in any case it's not something so simple as sniffing a password or replaying a session. IPsec seems to be based on solid crypto.
Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site |
|
Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw
| reply to jig
said by jig :"Clear my tracks" does/doesn't scrub the physical disk location where the browser history etc were before deletion? You mentioned FBI... I was very surprised to hear about this and I did ask them about it as I have built tools for forensics in this area in the past and what most people don't realize is the information is in a couple of different hives so doing a 'delete files/cookies' from IE didn't get rid of your history as far as anyone doing forensics on your system was concerned. The response was that the hives would be cleared but the drive space wouldn't be reset and by this they mean that yes the information within the hives would be removed, but that space on the drives wouldn't be cleared so technically you could reconstruct the hive as far as 'deleted' data wasn't written over on the drive (or you have access to an electron microscope sort of thing).
I'm sure there are a number of security groups who are not overly pleased about this, but in reality the bad guys are going to be the first in line to get IE7/Vista anyways as it really is way more secure and no one needs security like people with something to hide.
Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
|
elvey
Spamassassin
join:2001-02-17
San Francisco, CA
·Pacific Bell - SBC
·Comcast
·SONIC.NET
| reply to Steve
Thanks, Steve. A lot of interesting stuff there.
said by Steve :Your BBR login information is referenced by a cookie, and most of us would prefer not to login every time. I have to login (almost) every time, I guess cuz I'm (almost) always coming from a different IP.
I wonder how hard it would be to use a macro player to automate MSAS enterprise-wide. (I miss the 'Recorder' Acessory that was in Windows (thru WfW 3.11, IIRC).)
said by Steve :the folks at Intuit don't ever hear about this except from a a couple of whiney Microsoft MVPs. We're not customers, so they could hardly care less. Have you obtained a refund for said clients from Intuit? As I've mentioned on BBR, I did this with AV vendors and it had the desired effect. (Well, at least there was a correlation, and the support folks did state that they would fix the problem...)
"All QuickBooks products have an unconditional 60-day money back satisfaction guarantee." - »www.quickbooks.com/support/servi···ectronic
--
SBC is the world's second-largest SpamHaus and leads an Organized Crime Syndicate. |
|
