New Shared Computer Toolkit for Windows

cygnusx writes "Microsoft Monitor and Ars Technica are reporting that Microsoft has released an administrative toolkit (beta) to help secure Windows machines that are shared by a number of people. Features include protecting the Windows partition from non-administrative changes and Group Policy-like access restrictions. This should be good news because Microsoft seems to be recognizing that not everyone can go down the Active Directory path to manage their Windows machines better."

Re:Useless for a lot of people.

[Sexy+Bern]

With the greatest of respect, TFA says:

Shared computers are commonly found in schools, libraries, Internet and gaming cafés, community centers, and other locations.

If you're running a lab with 100 terminals, you should already using group policies.

Group policies address the needs for a particular market sector. This lock-down tool addresses the needs of another market sector. They do appear to be trying to do "the right thing"!

administration isn't the problem!

[yagu]

The problem lies more in the design, architecture, and implementation. One facet recently appeared here (The 12-minute Windows Heist) and here (Windows Users Ignoring LUA Security).

Microsoft "grew up" from a fundamentally different mindset than real (no troll intended, just pragmatic viewpoint) computing technologies. Microsoft takes credit (rightly or wrongly) for inventing the PC. PC, that's Personal Computer... and the directory structure (among other things) especially reflects these roots:

• the directory structure is a cobbled together hodgepodge with little apparent cohesive design. In my opinion it is an incredibly "designed by committee" hack.
• any whiff of multi-user directory structure aside from not really being well designed is a cobbled hack on top of old directory structures and paradigms.
• while there certainly isn't any requirement a computer have mulitple users, the notion of multiple users logged into a Windows machine is completely foreign without third party add-ons (terminal servers, et. al.).
• the multilevel kernel architecture and hardware abstraction (HAL) early on were compromised to give direct access to hardware because HAL didn't allow for good enough performance for gaming.
• many programs because of buggy behavior (this is not necessarily Microsoft's fault, but it's still true) require(d) conditional code in NT/XP to run thus propogating buggy design right back into the "new" product.

The third item above was especially interesting to me when I worked at Microsoft. This was the early days of NT, and when I hired on, I didn't have a machine in my office powerful enough to run NT. Wanting to get an early start on learning as much as possible about NT I had an office peer set up an account for me on another NT machine. I asked how to "login" to that machine. He looked at me as if I were mad. His (their) notion of multi-user meant my account on his box gave me access to file services pretty much, not much more.

Administration tools, while a nice idea, in light of the historical artifacts of Windows are only a bandaid over a compound fracture. It might cover up the bleeding and hide the potentially fatal wound, but it isn't going to solve the problem. Microsoft should have taken the time to desing the "P" out of PC when they completely re-designed the underlying technology. Had they done so, many of these problems today either wouldn't exist or would be much easier to fix.

Re:administration isn't the problem!

[RzUpAnmsCwrds]

Oh, come on. Windows is, and has been for several years, a true multiuser-OS with a strong permission model.

"the directory structure is a cobbled together hodgepodge with little apparent cohesive design. In my opinion it is an incredibly "designed by committee" hack. "

Not true. Essentially, there are three directories, "Documents and Settings" (/home), "Program Files" (/bin), and "Windows" (no direct UNIQ equivilent).

The problem is not the directory structure, it is stupid applications that write to the root directory or the Windows folder.

"any whiff of multi-user directory structure aside from not really being well designed is a cobbled hack on top of old directory structures and paradigms. "

That doesn't even make sense. Like Linux and most other multiuser operating systems, individual users get their own home directories. In Windows, they also get their own registry branch.

"while there certainly isn't any requirement a computer have mulitple users, the notion of multiple users logged into a Windows machine is completely foreign without third party add-ons (terminal servers, et. al.)."

Bullshit. Try fast user switching in Windows sometime. Or, for that matter, log onto a server running Windows Server 2003. Just because *you* don't use the functionaltiy doesn't mean that it's not there. It's built into XP (though locked down) and into Windows Server 2000 and 2003.

"the multilevel kernel architecture and hardware abstraction (HAL) early on were compromised to give direct access to hardware because HAL didn't allow for good enough performance for gaming."

Also wrong. While there have been some compromises, such as moving the GDI into kernel-space, the HAL is still very much used in Windows 2000/XP/2003. DirectX uses the HAL. Indeed, Windows has much *more* hardware isolation than systems with a monolithic kernel, such as Linux.

"many programs because of buggy behavior (this is not necessarily Microsoft's fault, but it's still true) require(d) conditional code in NT/XP to run thus propogating buggy design right back into the "new" product."

This is not limited to Microsoft alone. Even CPUs must maintain bug-compatibility. Trying to run old code on a new platform is not an easy task, and the fact that 10-year-old appplications run at all is impressive.

Your information is out of date. Windows XP is not Windows 98, and it's not Windows NT4. Microsoft has made some poor design choices in the past, and those choices continue to impact their product today. But Windows XP is not the "inherently insecure" OS that you would have us believe. Its architecture is no less secure than Linux - indeed, Linux is a hodgepodge of code.

Do not sell Microsoft short. They didn't take 95% of the desktop OS market by being stupid. They did it by understanding what their customers would buy. In the end, people want their games to run. They want their copy of Acrobat 3.0 to run. To many of Microsoft's customers, that's more important than having a "pure" OS. To most users, loose permissions and open ports are a small price to pay for that functionality.

Re:Useless for a lot of people.

[emmetropia]

This is just the same as the User/Root-Approah Microsoft plans - too lat, as always!

Do any of you believe in better late than never? Honestly, people bitch that Microsoft does nothing about security, if they attempt, they're flamed for a "poor attempt". Even now, they're trying to up security in XP, and 2000 users cry that it's too late. My sweet jesus guys, at least there's an effort somewhere. 2000 is pretty well EOL'd, I don't think it's their major worry right now.

Yeah, i'll get flamed for saying that it's not their major worry, and most likely for even backing them, but i'm sick of reading this horse shit.

Let's turn the tables for a minute. I tried installing Mandrake 10 on my laptop a year (maybe year and a half now?) ago. I couldn't get my WiFi to work regardless of how much tweaking I did, what "hack" I tried to implement. There wasn't a driver to be found. I switched to winXP on my laptop because of this, and i'll run XP on my laptop now, until I get a new one, at which point in time, I can't say that i'll try and get my WiFi working again. Are there efforts to fix it? Sure. But i've waiting a year and a half for them. You can offer wifi, but I think it's too late, i've moved on.

I'd bet five dollars that someone will say that it's either a completely different situation, or that I didn't look hard enough. I'd be told to cut the developers a break, at least they're trying, right? I just hate when people play favourites. I'm going to shut up now.

Registration number

[gdav]

is generated randomly in javascript by the registration page. Eight digits - the first must be nonzero, the last is seven minus (the sum of the others, mod 7). E.g 10000006.