Domain: joeware.net
Stories and comments across the archive that link to joeware.net.
Comments · 8
-
Active Directory from Banyan?
"Active Directory was originally technology licensed from Banyan Vines."
Do you have anything to support that statement? In other words: Citation needed.
I've got a fair bit of experience with AD. I didn't work with StreetTalk much, but from what I've seen, they were radically different in their internals.
AD is basically LDAP bolted on top of the old NTLM domain system. Overall MSFT actually did a reasonably good job at that, but the old NTLM origins still poke through the covers in a few places (mainly the lower-level security stuff). The actual directory part of AD seems to have been derived from the Exchange Directory Service, which was an X.500 implementation that supported LDAP and integrated with NTLM domains (sound familiar?). When the DS moved from Exchange to Windows and became AD, Exchange lost its built-in DS and switched to using AD. AD uses the same ESE (Extensible Storage Engine, formerly known as the Exchange Storage Engine) backend that Exchange brought to life. In Windows and Exchange 2000, there were actually a number of problems because Exchange was still so tightly coupled to the directory that weird compatibility problems would occasionally crop up on Exchange servers -- especially if the server was also a Domain Controller.
This blog post I just found, purportedly from someone who actually worked at MSFT on AD back then, would appear to agree:
http://blog.joeware.net/2008/08/11/1420/ -
Some tips...
As someone who runs as a non-admin, I'll share a few tips I've learned on how best to make everything work...
1) Download CPAU, which works somewhat like RunAs but will let you create "job" files so you don't need to type a password each time.
2) Make three accounts, a "guest" (don't use the built-in guest account for this) user, a "poweruser", and an "admin" (don't use the built-in admin account for this). For the rest of this post, I'll call your real account "fred", the lower-permissioned account "barney", and the higher-permissioned account "gazoo".
3) Set the root of all drives to explicitly "deny" all permissions to "gazoo". This wouldn't even slow down an interactive attacker, but few hostile programs expect to need to take ownership and change permissions from an account already having admin privs.
4) Give "fred" write permission on "Documents and Settings\barney". Give "barney" read permission on "Documents and Settings\fred". Give "fred" read permission on "Documents and Settings\gazoo". That alone will solve 99% of permission problems you'll have.
5) Use CPAU to set up job files to run all your networking programs (browser, email, IM, etc) as "barney". Do the same for all programs that legitimately need admin access (many CD/DVD rippers, for example) to run as "gazoo".
6) To install most software (even well-behaved software that doesn't require admin to run), log in as admin (the real one, not "gazoo") and create its directory under Program Files, giving "fred" (or "barney" if it will run with reduced permissions) write permission to that dir. Then, install it while logged in as "fred" (or, again, as "barney" if applicable). Also, some pesky software will work best if you install it first as the user it will run as, and then as "fred". Firefox and Thunderbird fall into this category, because of the way they handle user profiles (Using the highly-recommended "Portable" versions of both will completely avoid this problem, btw).
The above will take care of most common problems you might have. Other problems will still pop up, however.
For example, good luck printing from your web browser - you can use Microsoft's TweakUI to edit the relevant ACLs, but that seems like about a 50/50 shot of working. I curently have two machines at home set up more-or-less as described above, and basically identical. One of them can print from "barney" and one can't. Wierd.
Also, get used to using UNC names. Mapped drives, even if mapped under all three accounts, will not show up for programs running as anyone but the currently logged-in user.
And some "experts" wonder why so many Windows users still run as admin. -
Re:Run as a Non-admin User
As another poster said, Windows XP in unusable in non-administrator mode (too much software requires admin rights), however there are plenty of things you can do to reduce your risk:
* Have a hard to guess admin password of over 14 characters, the length is supposed to make a better password hash.
* Use a proper NAT firewall router (this applies to ALL OS) to block port attacks given that a restricted user account is no protection again port attacks (system account).
* Use a proper software firewall (not Microsofts' joke) with excellent egress filtering at application level e.g. Agnitum Firewall Pro, NOT Zone Alarm or Norton!
* Have some good antivirus software, but don't expect it to protect you against zero day attacks.
* Never ever run Internet Explorer and Outlook Express, given that these are inherently insecure, because they support Active-X; use more secure web browser and email software instead. Other programs and services exist for Windows updates e.g. Bigfix (www.bigfix.com)and windiz update (Firefox extension).
* Run any link launched 'server' applications in a separate restricted account with CPUA (http://www.joeware.net/win/free/tools/cpau.htm), RunAs is useless for running most applications!
* Run untrusted in a restricted account with CPUA.
As for speedups, always prefer applications which use the minimum or no Active-X/COM component e.g. avoid most Symantec programs, but use Norton Windoctor from CD to clean up registry crud, use advanced mode and select your own fixes (Windoctor can be wrong). The (Executive Software) 'lite' defragger in XP is a sick joke, buy a copy of PerfectDisk, IMHO it is the best, it is fast, can defrag without file size gaps and can defrag system files, Executive Software, Symantec and O&O are not in the same league.
* Lastly don't allow any untrustworthy person physical access to your machine unless you keep all you critical data in a encrypted profile, given it is trivial to reset an admin password in NT OS's. -
Re:It could be the default option during install
The tool is called CPAU for those looking for it
-
Re:Non-admin Wiki!
This RunAs-like program, mentioned on the site, looks useful http://www.joeware.net/win/free/tools/cpau.htm Thanks!
-
Re:doh
Go ahead, be the first on your block to harden Windows with naive LUA. Spend the next two years chasing down truly arcane breakage.
I'll stand at the head of the line complaining that MS needs to make it a hell of a lot easier to run with reduced privelage, but really, it doesn't take that much effort... Not something Joe Sixpack could do, but something Joe Sixpack can use once properly set up for him.
First, you need exactly one third-party tool, and one nonstandard MS tool... Tweak UI on the MS side (I won't provide a link because they seem to move it weekly), and CPAU as the third-party tool.
Make your normal account a power user (still a little too powerful, but we'll take care of that). Install your AV software as admin, and everything else (except as noted below) as your normal user (using RunAs when necessary, but do not install anything else while actually logged in directly as admin).
Now, rename your true admin account (via a group policy). Create a new admin account (named something other than "administrator" or "owner", obviously). Create a restricted user account as well (you'll probably need to start it as a power user, and downgrade it once you finish all this annoyance).
Install anything network-related as your reduced permission user (browser, email (don't even bother trying to use Outlook as a non admin), instant messaging client, P2P app, and anything else you need). Don't bother configuring them yet, because for anything that stores its configuration in your profile, you'll just need to reconfigure them once you log in normally.
Now, as your normal user, use CPAU to create job files, to run your network apps as the reduced privelage user, and anything that absolutely requires admin rights to run as your new (but not renamed original!) admin account.
This gets you about 95% functional, and a hell of a lot safer than just running as an admin.
Now, you'll notice you can print or see Samba shares from any of your network apps. Use Tweak UI's ACL editor to give your reduced permission user access to your printers and shares (do a google search on this one... Not at all difficult, but more steps than I want to list here).
Now, when you notice a problem with a program, go to its installed directory, and if applicable, its profile directory, and give it fairly promiscuous permissions (ie, give everyone everything but full control). File permission wise, that amounts to almost the same thing as always running as admin, but limits any damage to the particular program too poorly written to behave. This alone makes most programs that demand to run as admin, runnable as a mere power user.
This really only leaves one problem, which you can fix, but probably shouldn't... Depending on what program you run, your "my documents" and desktop will not point to "your" documents and desktop. Just keep that in mind when you download a file to the desktop and then can't find it anywhere.
Meanwhile, I'll be using software on platforms that figured out most of this stuff a decade ago.
Great point... But like it or not (personally, I do not), people can't use Linux for everything. If you like RTS games, for example, you can't escape the simple fact that Microsoft makes the best of them, and they sure as hell won't port to Linux any time soon. The same goes for most popular games, for that matter; they just don't run on Linux. -
Re:It could be the default option during install
Would be better to not have the admin password stored plaintext. There are tools to setup encrypted saved runas. http://joeware.net/ has a freeware encrypted runas tool and I've seen various shareware versions.
-
Re:PowerDVD
CPAU would let you create a shortcut to launch PowerDVD as admin or power user while logged in locally as a guest.