Microsoft Says Recovery From Malware Becoming Impossible
An anonymous reader wrote to mention an eWeek Story about Microsoft's assertion that PCs may no longer be able to recover from the most aggressive Malware. From the article: "[Danseglio] cited a recent instance where an unnamed branch of the U.S. government struggled with malware infestations on more than 2,000 client machines. 'In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast,'."
'In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast,'."
:-)
Ummmmm, how about switching?
Seriously though, NeXTstep certainly has a long history in certain TLA government agencies and OS X is beginning to make significant inroads there as well. In addition the timing is right for many businesses as the infrastructure costs to maintaining Windows are simply becoming too high.
And calling these recent instances is a joke. I was having to perform complete system wipes and reconstructions due to malware years ago which is why we have essentially completed a migration to OS X. We do have some windows systems still around, but they are hidden behind OS X machines and are run headless and without connection to the Internet. In fact, it's been interesting that those companies that deliver microscopes (electron, confocal and light) and such that are currently driven by Windows are asking their customers to simply not plug them into networks or the Internet, severely limiting their use. They of course have been suggesting sneakernet to move files and data around, but my solution is to network them all with a dedicated backbone behind a Mac mini that is now shipping with Gigabit Ethernet on board.
Visit Jonesblog and say hello.
Unrecoverable? What's wrong with FDISK?
J'aime mieux les méchants que les imbéciles, parce qu'ils se reposent. -- Alexandre Dumas
Companies like Sony pushing rootkits onto unsuspecting customers is part of the trend toward stealth and aggressive rooting of machines. Once a serious worm that can spread quickly and hide deeply gets around, people will realize how serious an issue rootkits are.
Oh You POS
Ok, so why was there no diasaster recovery plan in the first place? Surely the thought of an uber virus wrecking Windows had to have been brought up at some kind of meeting? Those who fail to plan plan to fail. Plain & Simple
--Taladon
Like Sweepstakes? Try out my service @ http://www.yourpowersweeps.com -- Free 21 day trial, no cc needed.
The govt's "war" on "cyperspace" is sure going well!
I think any of us that work on computer systems long ago figured out that the rebuilding of a system is far easier than trying to remove each piece of malware. Now, in cases where there is critical data on the machine then it would be worth it to try. The fact is, but the time we hear about the issue, it isn't a matter of removing one or two pieces, it is usually closer to 20 or 30.
Finally! A real reason to upgrade to Vista.
"Everyone needs to buy a copy of Windows Vista, which will solve the malware problem."
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
because they often use kernel hooks to avoid detection
Um, how about making it possible to DISABLE ADDING KERNEL HOOKS? There should at least be a reliable way to get a list of all currently-running kernel hooks, if there's not already.
Actually, no. MBR viruses and systems with multiple partitions sometimes cannot be guarenteed virus free without wiping all partition tables via fdisk or a low level format. Back in the day, I remember a virus named NYB that stuck around beyond fdisk on scsi drives. The only way to get rid of it was an actual low level format.
Like Sweepstakes? Try out my service @ http://www.yourpowersweeps.com -- Free 21 day trial, no cc needed.
You could never recover a compromised system reliably anyway. Once someone's got through your security to a certain level, you can't trust anything - including security tools and diagnostic information - that runs at that level or above. For a typical desktop PC or office server, that basically means you can't trust anything left on the system.
Any sort of virus removal or system clean-up after being cracked is just a calculated risk that the attack will have been completely removed, based on the fact that doing a complete rebuild of a system and restoring all the backed up data is expensive, and while not cleaning up 100% after an attack is potentially more expensive, the probability of this is low.
And no, running Linux or MacOS X instead of Windows doesn't change this, despite the number of people flippantly suggesting these alternatives. I'd have told you this earlier and saved a dozen posts, but apparently it's been 4 minutes since I last successfully posted a comment, so I can't post another one yet... ;-)
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
the U.S. government struggled with malware infestations on more than 2,000 client machines. 'In that case, it was so severe that trying to recover was meaningless.
Whereas, if they had been using thin clients with no local storage, the only recovery action would have been on the server. And if they had been running non-Windows on the server, they wouldn't have had these infestations in the first place. A full-blown Windows PC on every desktop in an enterprise is just an expensive welfare program for MCSE types.
I see the first few comments suggesting a switch to Linux or Macintosh. At least where I work, in the educational sector, that's impossible. The time spent retraining faculty and staff alone would outweigh the security benefits, especially when you consider all the specialized software floating around that hasn't been ported (curse you, Department of Education).
That being said, we haven't had much trouble with malware, and we're mainly an XP Pro/2K shop. We don't allow our users to run as administrators--period. That includes techs. Those who need the ability to install stuff have a local account which is prohibited from actually logging into the computer and has no rights to the domain. Ever since we implemented that things have been pretty quiet. In the rare case when somebody's machine does go down we can take a ghost image for backup purposes (if they aren't storing stuff on the network), and then re-ghost with a clean image. Average turnaround time: two hours.
No statement is true, not even this one.
Why is there never any retaliation against the companies that produce this software? If someone overseas comes up with a way to play a DVD on his own computer then he's pursued endlessly. If someone puts out a warning about how Adobe's encryption is not so secure then they're drug over to the US for trial. But if someone writes malware that destroys thousands of computers, including government property, then absolutely nothing is done. It just seems a little odd to me.
The EDS solution (while EDS isn't the best organization, this solution is highly effective in malware prone environments); GigE to the console, unified desktop system. You have three or four builds of different machines (Laptop, High-performance desktop, 'Information worker' desktop, kiosk) with an imaged pushed every night. Users data is stored nonlocally, in mapped network drives. Expensive to implement? Sure. Cost savings in the long run? You betcha! Plus, the helpdesk ends up with LEGITIMATE user issues, not 'Wah, I don't want to read the onscreen directions, you do it!'.
Informatus Technologicus
This is just one more attempt to soften up the consumer marketplace, tenderize it like a NY strip steak, so that joe average will be ready to buy a new PC, capable of running Vista so they don't have to worry about malware anymore, thanks to those really nice folks at Microsoft. The longer that MS has to soften the marketplace with FUD and 'smoke and mirrors' about how they are going to eliminate malware etc. with Vista, the more likely that people will 'wait for' Vista to ship rather than switch to before 2010, when Vista actually does ship SP2 so that it works. MS always makes more money by selling an OS license with new hardware then they ever did selling just the OS. We all know how that works.. so look forward to more of this MMSF in the coming months from the superheros in Redmond....
Support NYCountryLawyer RIAA vs People
I wish that the industry would say this proper. A PC is a personal computer. That includes apple and most linux boxes. OTH, the PCs that are having problems are Windows based PCs. Basically, the press should be saying that it impossible to remove malware from windows.
I prefer the "u" in honour as it seems to be missing these days.
Is this really news? seems to me it is a lot like saying, MS says the sky is blue.
There is so much malware out there that bypasses antivirus and spyware checkers, case in point when I used to use windows (I moved to Gentoo/Solaris 10 about 3 months ago) I was running ClamAV, and Norton AV, additionally I had 2 spyware checkers, all these products updated every night.
One morning I executed a crack program (I know but I was half asleep, oh and before people start complaining that I shouldn't use the crack, I purchased the software but it requires activation everytime you reinstall your machine and they won't supply a key after 10 reinstalls) my machine was infected right away with spyware and adware all through the system, my virus checkers didn't catch it, my spyware checkers didn't catch it, I was running all the anti-malware applications I could trying to clean the system nothing was working I was manually cleaning the registry. In the end I had to reinstall the system. I have a pretty secure network my PC had all the protection I could reasonably use but still I was heavily infected the only cure a complete reinstall.
GeekServ Unix Consulting Services (http://www.geekserv.com)
For some time it has been easier to wipe and reinstall rather than repair an infection, of course this is dependant on knowing where your data is to begin with - hint: this is why we have servers. A reinstall (automated of course) will take less than 2 hours and everything is guaranteed to be working properly afterward. Properly eradicating most spyware takes a lot longer than this and doesn't guarantee that you or the program/s you use have gotten everything. Why even take the risk of repairing a spyware infection?
On Windows boxes I still see many spyware infections on computers where the users don't even have administrative access. This includes the adding and changing of system services that users don't (read as shouldn't) have access to change as well as totally screwing over the Windows system restore which I might add helps malicious software coders than the users actually trying to restore system files. All this from surfing a malicious site in IE.
It really is impossible to trust an infected machine even after every effort has been made to remove the spyware. This is something every Microsoft admin I know has known for some time, this should be a non story except that it's about a government branch that had 2000 spyware infected client machines and no disaster recovery plan - heads should be rolling.
Formating doesn't come close to elimination real malware though. The boot sector isn't overwritten first of all unless you specify /s
Additionally, the malware could have virtualized your PC and whatever changes you make are to the virtual computer you are running on while the virus has real run of your hardware and resources. Even if that doesn't exist yet, one day it will because it is possible using software that is even freely available today, with some tweaks that bad people would only be too eager to implement.
Talk about the mother of all rootkits eh? Your computer would be like The Matrix, a virtual world where you think you are in charge but are really running a pawn cause you're pwn3d.
Oh You POS
"When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference here."
Now those sound like the words of someone who has 'been there and done that' more than a few times. If Microsoft is having those kinds of problems with the hardware, software, and expertise they have at their disposal, imagine the kinds of problem that 'Sam's Plumbing and Heating Co.' is having.
personal computers don't belong in the business workplace. Whatever genius (M$) decided it was better to move away from the terminal-server model to individual PC workstations and its subsequent adoption in corporate America is ultimately responsible for high TCO, virus and malware outbreaks, disruption of business continuity, etc. The capabilities of modern personal computers are not necessary for most work and only serve as a distraction, resulting in even lower productivity.
Oh, and death to all virus/malware writers!
I take care of a couple hundred machines and the FIRST thing I did when I was hired was to set up an automatic install. It's a pretty tiny investment when you think about it. I didn't even do the standard hard drive cloning, I did it the HARD way and scripted a full XP install, which then hooks into automatic application install after XP is done. This is BASIC stuff. I can't believe the outright negligence of an IT department that doesn't have some sort of restore process.
Free The Lapland Six!!!
http://www.whatiwore.com
What I wore, now with 100% more pool project!
Microsoft has screwed up for so long, in such a bad way, that now they can't even recommend using their operating system anymore?
Yes, I know I'm borderline troll, here, but lets look at the progress over the years here with Microsoft OSes:
1) DOS
Not much of an operating system. In fact, it does not meet my definition of an operating system. It started out as a purchased in house rip off of CPM or whatever, and IBM was conned into bundling it with their monopoly PC biz at the time. It took years to add features like memory management, disk caching, multi-tasking was a joke. Reliability was abysmal. Yuck. How did a company start from that?
2) Windows 1.0 - 3.x where x 1
Junk. Nobody used it, except towards the 3.x days, and even then people dropped to DOS much of the time.
3) Windows 3.1 and 3.11. Yes, this was the first viable product from the company, but barely. This came out in 1993. Yes, 1993. And it only then almost had the functionality of a Xerox Star from 1981.
4) NT 3.51. The first time I sat behind one of these, I was amazed. This was the first solid 32bit offering I used and it just felt solid and real. Same ugly interface for 3.1x, but this was a real operating system.
5) Windows 95. Its claim to fame was that Mac people called it MacOS from 1984. Honestly, it was their greatest achievement to date after conning their way with IBM. I was pleased when it came out. It had issues, but was OK for the time.
6) NT 4.0. Late to market, but OK. basically 3.51 with 95 UI and some other enhancements. decent for a small company or workstation I guess at the time.
7) Win 98. Better than 95, especially with OSR2 or whatever it was called. Introduced USB and plug and play, but neither worked well.
8) Win ME. No comment besides this was the alpha quality OS that was the beginning of the merge between DOS/Win to NT. Everybody knows this was junk.
9) Win2k Added stability for the first time to their systems. This is where they took a bad UI and started making it worse. Slow as a dog.
10) XP. Never really used it, but again, more stability, aside from the fact that the legacy support from bullet #1 is now an infectious target for malware, viruses, spyware, worms, trojans, you name it, if you don't want it, it will be on your newly installed computer in seconds without a firewall. Sometime after XP came out, MS took a week or two off of writing cutting edge code to get their security in gear. We all appreciate that, right?
11) Vista. Looks like a revamping of Win2k. Bad UI made worse, and will be slow as a dog. Nothing to see here, please move along.
What I noticed in typing this, is that MS is _always_ about 10 years behind where the progress should be. Its now 2006, and XP is a clowny looking thing from the mid 90s. I will say that they sure know how to sell stuff to people. They get an A++ for that, but innovation and quality have never been their forte.
When a *nix box gets rooted, generally standard practice says that you rebuild the box. I'm unsure if this is the case with Windows rootings. That is just the way it is.
Malware wants to be "sticky". I'm surprised it has taken this long to become truly difficult if not downright impossible to remove.
What I wonder is if people will just tolerate the unremovable malware instead of the frustration and/or time of reinstalling the OS and applications and getting everything just right all over again. It's one thing for system administrators and geeks to reinstall. It another thing entirely for the average user to have full/incremental backups or cloned drives or some set of procedures for reinstallation.
This is definitely an interesting situation.
the guys who with XP-SP1 tried to isolate everybody who had a common serial number?
MS has finally awakened and smells the coffee.
but I have no cup for them any more.
if this is supposed to be a new economy, how come they still want my old fashioned money?
I'm coming to the point where I feel that the core Windows environment needs to be booted from CD, or some other read-only media that can't be altered. Yes, additional drivers and installed programs will need to boot from the hard drive, however, a Safe Boot option to run your virus scan from as part of the read-only boot could then be used to much more easy remove the malware.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Where I used to work, we solved the problem by running with a solution that reinstalls the software on the machine remotely.
We used a Windows domain and DFS to ensure the users did not lose their data when rebuilding a machine. We then sent an OS image to the system remotely and remotely installed all the software on the system. We would regularly update our image to include all security patches. This was also complemented by a Windows Update Server to push security patches to deployed systems. This was complimented by antivirus and safer policies enforced on the systems. The system also scaled well to several thousand computers.
This may seem like a lot of work, but there are several turn key solutions to do this. (e.g. we used altiris). In addition, the work we did upfront saved us an immense amount of time later on. We were able to reinstall the software on hundreds of computers in 30 minutes. Every now and then we would get a straggler but dealing with 2 or 3 stragglers is much easier than trying to fix or reinstall all the computers by hand. It also allowed us to recover from major virus-related disasters. It wouldn't be difficult to fix 2000 computers and have time to enjoy lunch. (If you are wondering where the bandwidth comes from, we multicast.)
Once you've worked with a real X11 window manager, you can never go back to the crude hacks used on other platforms. Are you talking about an icon theme or something? Maybe you're thinking of KDE circa 1998?
You're talking about "de facto standards", not standards. Standards are publicly documented and have been the prime focus of Linux systems since before day 1. Undocumented, un-POSIX-compliant applications may be popular, but they are not "standards".
A nice try, but Unix-like systems have something that we call a "security model". Except in the case of people who refuse to apply updates or do things like purposefully disabling the firewall, this provides a level of protection that most other systems simply can't rival.
Think about it for a second. Apache with Linux or BSD run a huge majority of the servers on the Web. If you wanted to deliver spyware, you'd exploit and infect these systems with a delivery mechanism. The reason malware authors have to target the client OS with email worms and things that start their own mini-webservers is that it's just too freaking difficult to compromise Unix-like systems.
Of course, as long as the majority of client systems *do* run a swiss-cheesed NT variant with the security-hackaround-of-the-week, it's entirely theoretical as to whether a widespread change in client platforms would affect malware viability in that market.
1) Post bad "underpants gnome" style joke on /.
2) Karma!
How does the ordinary user do this?
I didn't have the foresight to make a Ghost image of my system from the factory. It's a DELL and the restore-to-factory-from-secret-hidden-partition doesn't work once I added a new partition to the drive (with Partition Magic).
So now it looks like I have to:
1. Make sure I have up to date backups of my data (always a good idea)
2. Purchase another copy of Windows even though I already paid for one
3. Dig through my records collecting all the keys to all my applications
4. Spend an entire day reinstalling Windows and all my applications. Anyone who says it only takes an hour to reinstall Windows must have a secret version I don't have access to. I have to babysit the install through ten reboots and many hours.
Is this the best way?!
What about after that? I can Ghost the Windows partition, but I'd still have to reinstall any applications installed after the Ghost was made. And it's no use putting the applications in another partition because the applications depend on cruft in the registry.
- For the complete works of Shakespeare: cat
I think a better headline would read World Says Recovery From Microsoft Becoming Impossible
Shirley you mean, 1) Post bad "underpants gnome" style joke on /.
2) ????
3) Karma! ;)
Exactly, MS's solution is to build in an auto self-destruct that's activated the moment malware is detected.
"Hi there, this is Eddy your shipboard^H^H^H^H^H^H^H^H^Hdesktop computer, and I'm delighted to inform you that I'm going to self destruct in 5 seocnds. Sorry, you don't have time to close all applications to save your precious data. We have a real emergency situation here! It would be pointless to save anything anyway, because we're going to format your entire harddisk to make sure every tinsy bit of malware is destroyed. Share and Enjoy!"
making relying on backups far less useful (pointless, perhaps?). I've talked with people before about having Windows viruses that don't sap resources (at first) or kill the machine, but which quietly change data in files. Modify a "3" to a "7" in a few Excel files. Change meeting times in Outlook by 10 minutes here or there. Eventually, get more malicious and start changing other bits of data in files (mainly MS Office files for maximum compatibility/reach).
A good virus won't be found out for awhile, and without knowing when it infected the system, you won't easily be able to tell how far back to go in the backups to pull 'clean' files.
This would have a devastating effect on the trust people have in any part of the system. What good is 'rebuilding' the system if you can't trust the data backups either?
creation science book
The original point is that this causes genuine harm to every computer owner, including large wealthy corporations, as well as the government itself.
Most computers are actually used in a workplace, rather than at home.
Please tell what such an "alternative operating system" is?
Vista, of course. It has Trusted Computing, so I know I'll never have to worry about security again.
Q: Why would Micro$oft say something like that?
A: Because they are about to release a new OS that will "solve" the problem.
Nah, they wouldn't do something like that.
In the land of the blind, the one-eyed man is king.
... especially if you're using XP.
There's a relatively inexpensive product for which you can purchase a license called 'WinINSTALL'. Not a lot of people seem to know about it for some reason, but the currently available version of the product makes it relatively painless to completely rebuild a PC's OS, complete with applications and various profile settings (shortcuts, your favorite background images, and so on).
It doesn't have the pain associated with image solutions; you don't have to worry about re-imaging your machines every time you change the software that you want installed on the boxes (although you do have to deal with setting up the software packages, which can be a little bit of a pain, depending on what you're installing, and how friendly your vendors have been towards corporate environments). You can even reset the employee's PC from you own PC, without having to visit their box. It just needs to be turned on.
It doesn't require you have some incredible mondo-server to make it run; you can use pretty much any Windows 2000 or better machine. Certainly, any of the machines being cranked out today can handle WinINSTALL. Hell, I've seen it work on circa-1999 machines without issue (I think that's about 500Mhz Pentiums with 64 megs of RAM). It's slow on such machines, but it seemed to work.
It's also likely to be around for a while; the product was first introduced to the Windows market back when Windows 3.11 was popular, maybe even before then. It used to win a lot of awards, but I think it just fell off everyone's radar over the years.
You can find more information about it here:
http://www.ondemandsoftware.com/
This is a product designed to deal with problems like this.
And so it goes.
I think I saw this same post and response for the last 137 windows virus related stories. Does this mean there's a glitch in the matrix?
If an officer ever threatens to taze you, say you have a pacemaker.
When people discuss the costs of *retraining* to use linux they're implying they've already trained their staff once before to use Windows. In many cases this isn't true - most users can't use Windows in the sense one can use Linux. Most windows users never add hardware, uninstall software, change the registry, edit a config file, update a package, etc... basic system tasks, but just click blindly in front them towards the light, or else they wouldn't shout "i've deleted the internet" , or get infected with malware by clicking "hot pics!!!!, downloading, install? , yes."
of course, the poor it department burdered with fixing their mess, a power windows users. but why? certainly all their jobs - adding scheduled tasks, performing a system upgrade, fixing the server are much easier in linux.
IT in the government is an absolute fucking joke. Take it from me, because I work in it. The amount of money that is pissed away on useless, broken, or otherwise unecessary shit is astounding.
On top of that, the people who actually make the decisions, have no fucking clue what they are doing.
All your base are belong to Google.
My missus and I both have an XP desktop each (amongst a few Linux boxes of mine). She's pretty regular with virus-scanning and spyware checkers, I'm totally paranoid and do regular checks on everything (Linux and Windows). Suffice it to say, going through this process one or twice a week, I never really find any problems - occasional suspect registry keys, odd dodgy cookie but probably put those down to over-zealous spyware programs.
Cue the visit from my sister one weekend, along with 13-year old niece and 11-year old nephew. Naturally, they navigate themselves to the XP desktops after asking for (and getting) permission from the missus to do so.
They're messing about on the PCs most of the day (cold Winter's day in England) and I occasionally look in on them - chatting with friends on MSN, playing the odd Flash game, looking at music sites (niece) and soccer and WWF wrestling sites (nephew). They seem to spend a lot of time in a chat site called something like "The Doll Palace" where they pick avatar characters and drag them to different rooms of the palace to chat - keeping an eye on them, just a lot of kids going "Cool", "Wow" and nattering about music, nothing suspect.
After they've gone home, I check the machines just to check they've been doing nothing suspect - nope, just kids being kids. Then I virus/spyware check both machines - three viruses (2 on one machine, 1 on the other) and about two dozen suspect spyware bits and pieces - I couldn't believe it, especially as one of the viruses needed a safe reboot of the PC, deleting a registry entry and then a couple of files.
God knows where they came from but I suspect a lot of this stuff is attached to seemingly innocent sites where kids flock to - "The Doll Palace" is definitely one I'd like to know more about...
Gentoo Linux - another day, another USE flag.
"A Mac-user with common sense!"
It's not common sense. It's wrong.
Microsoft is in a unique position. Because it has a virtual monopoly, Microsoft makes more money when its software has a lot of security vulnerabilities. For those who are ruled by money, morality has no force; "Maximizing Shareholder Value" is the way they live their lives.
Microsoft makes more money if it pressures its programmers to work too fast, so that they are sloppy, and then releases buggy software. Many people are fascinated by computers, and easily accept the world that Microsoft has created for them.
Here's a story about a Microsoft VP saying, "Oh, the next Windows operating system will be secure": "Safety and security is the overriding feature that most people will want to have Windows Vista for" .
So, Microsoft is once again telling us "The next version of Windows will be the good one." Before, Microsoft said Windows XP was "Built to be Dependable".
However, Vista will NOT include virus protection. Jim Allchin, co-president of Microsoft's platform products and services division told CRN, an industry magazine this:
CRN: In terms of security, how do you compare security in Vista vs. security in Windows XP SP2?
Allchin: SP2 was a very good system but compared to Vista, it's night and day.
CRN: Is there going to be antivirus in Vista?
Allchin: No, there is not.
CRN: Why?
Allchin: It's a complicated answer as to why not.
CRN: Was the decision based on technical concerns?
Allchin: It wasn't technical.
CRN: Will Vista resolve security problems once and for all?
Allchin: I'm not going to claim perfection or near perfection, but I think we're unrivaled in the work we've done. I believe security will be a huge problem for the industry for years and years and years but this will change the landscape in a fairly dramatic way.
Once again, Microsoft is taking advantage of the fact that most of its customers have little technical knowledge. Mr. Allchin said that "security will be a huge problem for the industry for years and years and years".
Microsoft charges for OneCare Live. That's another way to make money. Make sloppy software, and then sell protection against the sloppiness.
Note the emphasis on "beta testing" in Mr. Allchin's statements in the CRN interview. Someone said that Microsoft's motto is "The whole world is our beta tester."
--
Before, Saddam got Iraq oil profits and paid part to kill Iraqis. Now a few Americans get Iraq oil profits, and American citizens pay to kill Iraqis. Improvement?
At my workplace sometimes folks bring in their home PC's for me to clean off on my lunch break. A quick job pays a 6-pack of Mickey's. A longer job pays a 6-pack of Guinness. From those cleanup jobs I can vouch that the typical home user with an always-on DSL/cable Internet connection is in a world of hurt. I try to show folks how to Ghost their hard drive onto a DVD-R so that they can restore their system to a usable state rather than search through the haystack for all of the malware needles.
For example, the most recent cleanup I did entailed a laptop that had no antivirus software running on it. They did have a bundled AOL spyware app installed, but as far as I could tell it had never been run. I installed Avast! and Ad-aware from CD and ran full scans on the system. The result was over 300 virus and over 3,000 malware captures. Amazing that the computer could even launch an initial Windows Explorer session at all.
If things continue their downward spiral (i.e. - Microsoft dominance, widespread Internet exploits, monetary incentive for malware deployment, and foreign government turning a deaf ear on abuse reports) I would require that anyone with a Windows-based Internet-exposed PC have to earn an operator license. Much like someone would have to do to operate an automobile, motorcycle, ham radio, etc. This would include mandatory security training. And for God's sake, a brief explanation of imaging and recovering their hard drive in case they get hit with something later.
Seriously though, this scenario isn't viable. But perhaps virtualization technology offer a safe haven. Folks could just reboot their virtual image if they get slammed with something and get back to square one. Until the malware authors get one step ahead of that at least there would be some breathing room...
The whole account/priveliges issue on Windows is so convoluted as to be totally incomprehensible to the UNIX mind - I can't understand how the damn thing works!
"Me", "All My Mates", "Everyone Else In The World" and "If you're really good I'll let you run this as 'root'" is all I've ever needed to cover all the account bases...
Gentoo Linux - another day, another USE flag.
This is an admission of failure on Microsoft's part. The complexity and inflexibility of such a system is unacceptable and the efficacy is questionable. What's keeping the bad guys off your image server? If they root that, they have every machine in your organization. The same kind of thing can be said of local image copies, you are moving the target not fixing the root problem which is an unacceptably poor security model. The cost of all of this is a complete loss of user freedom within the organization. If your users can't chose the tools they need, they can't do the work that makes the company run. "Standardized desktop" a euphemism for vendor lock in.
Friends don't help friends install M$ junk.