Slashdot Mirror
Microsoft Retracts Private Folder Option
An anonymous reader writes "Just recently, an update to Windows added the option to password-encrypt a personal folder. The intent was to allow users who share PCs to have a measure of privacy, but C|Net reports the company is now removing that functionality with a patch. IT managers hit the roof when the option was added, complaining of the possibility of lost passwords and inaccessible data." From the article: "'Oh great, have they even thought about the impact this could have on enterprises. I'm already trying to frantically find information on this product so that A) I can block to all our desktops and B) figure out how we then support it when users inevitably lose files. I can see the benefit in this product for home users, but it's a bit of a sloppy release by Microsoft,' Stuart Graham said in a posting on Windows Server-related site MSBlog."
Here is an idea for those IT managers complaining, DONT allow users to install applications. What kind of a security policy do you have that allows users to just install software. Frankly I like this feature, it is simple to use for home, and is a better option than EFS at home.
Because its not IT people developing the features.
At most companies the closest developers (and PM's if you're MS) at come to IT is when they have a problem with their office workstation. They call/email IT and someone swings by to fix the problem.
Sure, there are companies where the IT people think up & implement features in key products. MS is not one of them.
MS seems to have forgotten who their real customer is.
They didn't make controlling this easy enough for that customer.
Security solutions need to be thought out a bit more carefully.
What about using backdoored crypto with corporate issued keys? Wouldn't this make most everyone happy?
Gee, I can't even download, much less install, *anything*.msi behind our firewall (which makes both the Berlin and Great Walls look like garden decorations). So maybe M$ is responding to inept or poor "IT managers" - in which case there's the real problem.
I know from personal experience that you can use Group Policy to do things as trivial/unimportant as set the desktop background and disallow the user from changing it.
I know this because the last time I received a new machine, that's exactly what the IT department (of another branch of the company - don't ask, it's a long and boring story) did. Of course, they reckoned without two facts:
1) We're not part of the corporate Active Directory
2) We all get local admin
That took about 5 minutes of googling to circumvent. The point is though, if done properly, you can indeed lock a machine down tight using group policy.
It's official. Most of you are morons.
I work at a small company, where my role only requires me to spend part of my time as an IT admin. I take this same approach, and find it's mutually beneficial. Users don't have install rights, but I also will install things on individual workstations that people ask for. (They actually used to have install rights on their personal workstations - not if they logged into others - but I had to take it away because they'd blindly install some web background program that would install 30 spyware applications. They were understanding when I removed that right after they saw the damage it caused). I've helped people setup their personal email accounts in thunderbird.
I've read articles talking about how if you don't allow people time to do personal tasks at work, that instead of taking 5 or 10 or even 30 minutes of work time, they'll take a sick or vacation day to catch up on errands, and I can see this happening. Personally I don't really mind fixing a server issue on the weekend or late at night, because I'm afforded this flexibility at work. At some offices, as soon as it hits 5:00pm, everyone drops what they're doing and goes home.. that's just a sad situation. It's not that people should be expected to work late, or work exactly their 8 hours per day, but if, for example, a task will take 20 minutes to finish before you go home, versus 45 minutes if you have to start in the morning when it's no longer fresh in your mind, it's better to stay the 20 minutes. In a company where workers are prohibited from doing anythink but work on company time, they're obviously not going to be willing to go the other way, and sacrifice their personal time for work.
Speak before you think
I understand the temptation to blame this all on incompetent Windows administrators, but depending on how the company is structured, IT may have little clout in enforcing policies on limited user rights. And sometimes the economic costs of such policies is difficult for the company to swallow. Take the following somewhat fictionalized examples.
Dozens legacy Windows applications developed in-house by a team of lackluster programmers. These applications, targetting some godawful blend of Oracle 7.34, Visual Basic 4, and sundry third-party OCXs, require (naturally) administrative rights to run. Now not only do those users need elevated rights, the developers do too (under the convenient fiction of needing to maintain those applications).
Or take the new payroll package that HR has just dropped a cool half million on (without first consulting IT to verify that it meets standards). Hey, it requires administrative rights to function. I guess all of Human Resources gets full control over their PC after all.
Take the conveyor belt system software, where the vendor has mercifully updated their code and the new version even supports running with limited user rights. Fantastic! Wait, what's that? The business doesn't want to spend $300,000 for an upgrade they don't need? Bummer. So hey, those operators still need administrative rights.
Not to mention that in many corporations there's a select group of people (not infrequently executives and administrative assistants) whose lack of computer skills is matched only by their demands for special perks and privileges completely outside of written policy.
You want to talk about patching? Say you have an ActiveX-based document retrieval system that's absolutely vital to the business. Now Microsoft thoughtfully releases a patch that wreaks havoc on the ActiveX user experience. OK, so corporate adoption is nonexistent. They must've been kidding. What kind of novice admin would deploy something like that to his network?
What's Microsoft's solution? Roll it into the cumulative IE security updates from now until eternity. Now the document system's vendor comes along and says, hey, don't apply this patch until we come out with a fix. No ETA. So now you, our erstwhile Windows Administrator, are faced with a decision: either take a vital component of your business offline, or leave known Internet Explorer vulnerabilities unpatched. At least Microsoft's monthly cycle leaves a faint glimmer of hope that you can resolve the inevitable conflicts in time for next month's set of patch-related problems.
There are environments where IT policy can be consistent, sane and rational. Is this the norm? I don't know. Not on any site where I've ever worked. Usually the company ties itself to the mast of at least one policy-destroying application, and always there's the endless parade of winks and nods and concessions to those with decision-making power.
But feel free to continue to blame "incompetent" Windows administrators. In between putting out fires and dealing with the sneering bluster of developers and the delusional expectations of business managers, they truly deserve your contempt for taking that vacation.
Don't get me wrong; it's a fun game and the pay can be nearly as good as you are. The fact that you can't win makes it so much more satisfying when you do.
We had a policy... We won't stop you but if you screw it up we re-image the disk and you start all over again.
It worked...
As others have said, these things don't apply to CEOs.. that get local admin because.. well.. are you going to refuse someone who can fire your ass?
I don't remember hearing any complaints about the File Vault functionality in Mac OS X. How is this different?
Realistically, it is often better to let users know that they are not being treated like a bunch of slaves, crooks, children or sheep at the workplace, but that management and IT administration have the right and ability to lock things down at any time for any reason. More importantly, it helps to let users know how public some of the activities they naively think are private actually are.
Pointing out to a user that her favorite screensaver or wallpaper image comes from an external (to the organization) source that is not to be trusted, and showing her a relatively easy to read headline article on a major Web site she's heard of that details how such external connections cause real problems serves a couple of major purposes. It shows that you aren't making rules just because you can (or enjoy lording them over hapless users) and also encourages her to learn more about computers, how they work on the 'Net, and computer security.
I prefer education to enforcement as my primary means of preventing internally generated IT hassles. If users have to be treated like dumb and/or malicious animals, why would one want to be working in IT for such an organization? Most organizations, unlike public schools and correctional institutions, do not have to allow just anybody more than guest access to their systems. Don't expect to get much useful work out of users who are treated like school kids or convicts, but do expect to see them strive for excellence as they develop innovative ways to get around your rules/edicts, just as children and felons do in other areas of real life.
Oh, yeah, a good system administrator should study Sun Tzu's The Art of War, everything I posted above notwithstanding...just in case it comes to that.
"You're young, you're drunk, you're in bed, you have knives; shit happens." -- Angelina Jolie
Instead of Microsoft trying to throw the dog [us, the customer] a bone [their garbage bug riddled software] -- why don't they do their job, damn IT. Really! There are complex problems in IT and at this moment a zero day PowerPoint exploit in the wilds. What does Microsoft do? Patch it? No, they introduce a not very well documented way for more virus to possibly sneak into our infrastructure. It is no wonder [with WGA] that we no longer even ALLOW access to *.microsoft.com at the router level anymore. We've been forced to this and they probably wonder why.
... if they are not running as "administrator". I didn't create this problem. Microsoft did. They should be working on fixing this problem in the EXISTING software -- not introducing more garbage and spending so much time and money on developing "Vista" would have been a good start.
... and where Windows is absolutely needed -- going BACK to Windows 2000 and locking it down as much as possible. My solution is Windows just isn't allowed to talk to the Internet. EVER. For that type of work the user can use their Linux box and/or Mac. Windows is being removed full stop.
The funny thing is I do trust most of my users -- it is Microsoft I do not trust. The engineers can't even PROPERLY run AutoCAD 100% the way they want and need to
And Microsoft probably wonders why there are (and there are) companies out there ripping out XP
It is easier to work on solutions where Windows isn't even used. Shout at Microsoft? No -- they won't (and haven't) listened anyway.
He said the *users* couldn't update Firefox, which is true. Standard users don't have write access to the default installation directory of *any* program. Unless an admin does something monumentally stupid, users cannot install or update apps.
Hell, a Windows admin with half a clue will disable ActiveX (or allow only ActiveX controls to function on internal/approved sites) and block the installation of even certified drivers, so the OP's comment about kind-of-sort-of fudging an install wouldn't work either. The only class of vulnerabilities that can't be mitigated easily on Windows are cross-site/cross-zone IE attacks, most of which execute with the permissions of the current user (although there were a few notable ones that allowed system privileges prior to XP SP2... not sure if there are any post-SP2 without researching).
Also, your assertion that Windows does not provide a centralized auto-update feature is patently wrong. Be knowledgeable before criticizing. You make open source advocates look like ignorant, frothing zealots when you blow up into a clueless rant. Google for Software Update Services (or SUS). It is exactly what you claim does not exist, and it works for all of the mainline MS products (Windows, Office, IE, and their server products).
Microsoft actually has tightened up a bit since the Win9x days, although there is still a lot of room for improvement. If you want to be taken seriously in a discussion that affects a feature on the their current OS, however, at least keep your criticisms up to date. The biggest security threats on Windows now are, in my opinion:
Now there are some legitimate criticisms. Use those if you want to rag on MS. But for the love of Bob Almighty, stop ranting about things that half-trained Windows admin already knows how to deal with. It only casts the open source and Linux advocates in a bad light when you don't educate yourself before attempting to educate others.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
You're falling into the oxymoron of "windows security" again.
I find it amusing that Mac OS has had filevault for what, several years now, with no resulting cataclysm. MS introduces it and half the PC IT flip their lids and MS runs scared. What is wrong with these people? Sorry if I sound like a BOFH but if the user puts data into a vault and then loses their password, they will get no pity from me. Do we cry for the neighbor that just locked his keys in his car while it was running? No, we laugh and point fingers. Some actions carry a built-in penalty for blatant stupidity, and this is one of them. If I put a hammer in the toolbox at work and Joe cracks his thumb trying to hang a picture in his cubicle, do we chase after me for leaving a dangerous object within reach of the monkeys? No, again we laugh and point fingers.
If your company is impossibly tilted toward the users, then just add a line to the AUP that states that filevault or whatever is not and cannot be supported by IT and if you have problems with it you should not expect any help.
In some organizations, the head of IT thinks he's god. More often though it seems, the users think they are the chosen ones and that IT can do the work of gods.
I work for the Department of Redundancy Department.
The contract that employees sign does not allow for any penalties against employees if they underperform or otherwise fail in their duties. For example, if an engineer works for a month on something and then, upon review, it is a pile of junk and has to be thrown out and redone, the engineer is not liable for any sort of loss. It's his manager's fault (and a good deal of it is indeed the manager's fault.) But things like locking doors... if a laptop is stolen from someone's office do you think it's possible to subtract the cost from the paycheck of the guy who walked out for lunch without bothering to lock the door? Not in this state. You are more likely to end up being countersued for mental anguish suffered, and besides the employee's job description did not mention being a guard.
Not sure if you were purposely missing my point, or were just adding more info.
A policy blocking the use of the Folder lock application would be 'easy' to implement as easy as creating a local or AD Recovery Agent.
The people yelling about this the most are the 'least' likely to be running with well defined AD policies with EFS Agents set or might not even be running under a AD environment. (Think mom and pop organizations too.)
BTW, you do realize that the EFS Recovery Agent 'does not' require AD? It can be setup on stand alone computers as well as be set enterprise wide with AD...
Another pitfall, is businesses that don't set this up until after a key employee has left and 'already' encrypted their files, finding out the hard way they should have been paying attention to EFS and options for limiting it or adding in the Admin user key to the mix.
This, just like locked Zips or tons of other sample technologies are out there, hence why I don't see how enterprise users would scream about the private folder application unless they maybe don't fully understand that this is one of the tiny forms of problems they could have with users encrypting data in one format or another.