Slashdot Mirror


User: toadlife

toadlife's activity in the archive.

Stories: 0
Comments: 2,343

Comments · 2,343

  1. IPSEC is free...and it works on A DVR Security System That Isn't Based on Windows? · · Score: 1

    Can I assume these machines are running either Win2k or WinXP?

    If they are, read up on IPSEC. If not, bless your heart.

    You can set an IPSEC policy on all of these machines that will make them require authentication in order to communicate with each other and/or the servers they talk to. You can use Kerberos (domain required for Kerberos. It's probably not for you), Certificate, or a shared key as the authentication mechanism. This will keep any foreign machines from connecting to and infecting your obviously un-patched/unsecured boxes. Shared key would be the most flexible, as any Windows 2k/XP/2k3 box could be set up to connect to the machines with very little hassle. Shared key is not the most secure method, but it would be good enough to stop nasties and script kids in their tracks.

    This is all built into Windows, it's fairly easy to configure, and as long as you're doing authentication only the overhead should be minimal.

    I'm sorry I can't recommend a Linux solution to you, but it sounds like you've got much bigger problems than Windows, and that if you did move to a Linux solution, those machines would probably be owned in time anyway.

  2. Re:Xen vs. jails on Xen Hacker Interviewed · · Score: 1

    True, the jail might be locked down, but as with Joan Rivers' face, a compromise to one little area can still leave you with quite the ugly mess.

  3. Re:Remote Desktop on Switching a College from Desktops to Laptops? · · Score: 3, Funny

    "Better yet, quit now before the whole thing goes to hell..."

    "Thirded". I work at a College. You're in for a HUGE F*****G NIGHTMARE.

  4. Re:FUD of the day on First Mac OS X Virus? · · Score: 1

    In the two OS's I run (FreeBSD and Windows), programs can easily stay inside of the user's space and still propagate - for example, by connecting out via email, or IRC, and they can easily set themselves to start at boot-time, before logon (FreeBSD : crontab/Windows: Task Scheduler).

    What in OSX prevents this?

    Can regular users in OSX start their own crontab? Can an IRC client executable run from a user's folder? How about a little self-contained SMTP engine?

    As for other browsers not giving out warnings like Safari, for any file you download, Internet Explorer warns that 'Files from the internet might be dangerous, and not to open the file if you don't trust the source'. Firefox just asks what you want to do - open or save.

  5. Re:FUD of the day on First Mac OS X Virus? · · Score: 1

    "2.) When you download this .tgz file in Safari, Safari warns you that it's an application, and you have to click to continue."

    So does every other browser on the planet. This safety feature doesn't seem to protect Windows users. Why would it protect Mac users if there were enough of them to be relevant?

    "3.) When you run it, an admin password prompt is displayed by OS X, and you have to enter it to continue."

    Does every single program you run in OSX require an admin password, or just programs that try to write outside of the user's space? Could not a program be written to stay inside of the user's space and thus, not require a password?

  6. Re:Hard surface, of course on Mobile Processor Showdown · · Score: 1

    "There's already a good precedent for this kind of thing you know."

    I take it you're talking about this?

  7. Re:What about heat saving? on Mobile Processor Showdown · · Score: 1

    Those numbers are a tad high, but close to normal for that generation of Athlons. You could probably lower it to stable levels by replacing the heatsink and/or the thermal pad, but unless you do some kind of extreme cooling, you're not going to get it much below 65-70 degrees Celsius when it's under extreme load. I have an AthlonXP 2800 and it would go up to 80 degrees and lock up when under load, and it turned out to be because I used thermal grease instead of a thermal pad. With those gen processors you are supposed to use a thermal pad (for what reason, I don't know) instead of grease. I bought a new thermal pad and reseated my heatsink with it, and my machine has never had heat issues, or locked up since.

  8. Off topic... on A Good Filesystem for Storing Large Binaries? · · Score: 2, Interesting

    [completely offtopic]
    I always caught shit from other mp3'ers back in the late 90's because of my 'huge' 256kb songs. People that would download from me would frequently complain that my files were too big and that there was no use encoding them at bitrates that high because "128kbps was already CD Quality".

    It was also really easy to start flamewars by bringing up the topic. You could just go into an mp3 IRC channel, make an offhand comment like "128kbps mp3 files sound like crap; 192-156 is really needed to approach true CD Quality", and people would immediately start arguing with you - probably in a subconscious effort to justify the fact that they had spent the last three months encoding their entire CD collection at 128kbps.

  9. Re:Security Question on Ask OSDL CEO Stu Cohen About Linux TCO Studies · · Score: 1

    "Even kernel vulnerabilities fall into this category...with Windows you have all the vulnerabilities, in Linux you can completely bypass vulnerabilities in parts of the kernel by not compiling the code that you don't need."

    But did you ever think that compiling/maintaining/deploying multiple versions of custom kernels to different systems might actually lead to an increase in TCO for some organizations?

    That's the fun thing about these stupid TCO debates. Everyone looks at it from their specific POV and can dish out an endless amount of 'but I can just do this.' type answers to any criticism of 'their' system.

    Regardless of how much more patching it would require, I would think that maintaining as uniform a software base as possible across different classes of machines would be better for TCO.

    Oops! I just did it myself. I'm looking at your point from my POV.

    You might have a tightly controlled set of systems that all conform to a strict set of specifications, and a well documented system of compiling, testing and deploying customized, streamlined, de-bloated configs to these systems.

    In that case, that's a good point you have there. ;)

  10. Re:What problem? on Microsoft Anti-Spyware Removes Norton Anti-Virus · · Score: 1

    "You're living in a dream world."

    My 'dreamworld' doesn't involve least privilege magically stopping ignorant users from introducing hostile code into their systems.

  11. Re:What problem? on Microsoft Anti-Spyware Removes Norton Anti-Virus · · Score: 1

    "The reason that other OS'es -- which don't provide admin access by default -- are more secure is not coincidence."

    Of course not. They are secure because nobody uses them.

    "If Microsoft took steps to minimize routine use of admin access, it would take away a hugely useful tool for malware authors."

    Vista will do this....and it won't stop malware. In fact, I doubt if it will even slow it down.

  12. Re:What problem? on Microsoft Anti-Spyware Removes Norton Anti-Virus · · Score: 2, Insightful

    "If you could run most apps in non admin and set up the file permissions properly, you'd eliminate a lot of viruses as a side effect."

    This assumes that if an OS like OSX was relevant, virus writers would write viruses for it that assumed admin/root permissions. Malware doesn't *need* root/admin permissions to carry out their primary tasks.

  13. It worked for me on A Good Filesystem for Storing Large Binaries? · · Score: 5, Interesting

    Around 1997, I discovered the magic of mpeg-layer3. I hung out in #mpeg3 on EFnet and was part of what was probably the first ever mp3 trading circle. An acquaintance of mine had a CD of the rare Nirvana/Jesus Lizard single, which had Nirvana's "Oh The Guilt" on it. I borrowed it from him and ripped it to wave and encoded it as a 256KB mp3 and returned the CD. Over the next year or so, quite a few people nabbed the song from me during normal trading sessions in #mpeg3. Sometime later I made a boo-boo and lost a folder permanently, and one of the files in it was that song. I was bummed, as the person I borrowed the CD from was gone and the CD was long out of print and cost a lot of money if you happened to find a copy. I forgot about it.

    Quite a few years later - I think ~2002, I was on some p2p app, typed in "Oh the Guilt" and got a hit. I downloaded it, and it was a 256KB mp3 of the song. The file modification date was in 1997, and the tags were typed in exactly the way I would have put them if I had encoded the song. I can't prove it, but I'm pretty sure I got my file back.

  14. Re:Because it makes things work. on UNIX Security: Don't Believe the Truth? · · Score: 1

    I don't know. We've been deploying Office to our users via AD for five years now, starting with Office 2000 and now with Office 2003. User rights have never been an issue.

    Is this a CD based install? One thing I would suggest is to run regmon and filemon while the problem happens and try to see WTF the installer is trying to access that the user doesn't have access to.

    You could also visit the MS Newsgroups and ask. There are people in those newsgroups that have probably forgotten more about Windows than I know and would know off-hand the cause of your problem.

  15. Backup software for UNIX on UNIX Security: Don't Believe the Truth? · · Score: 1

    You bring up an interesting point. I had never thought of the fact that there are virtually no GUI backup utils for unix/linux. I did a search at Freshports.org and all I found was 'kdar'. That's great if you use KDE, but what if you use gnome, or worse, a lightweight wm like fluxbox. Having to install a bunch of KDE libs just to use one program would suck.

    It doesn't seem like writing a GUI front-end to tar/gzip would be rocket science.

    That's definitely something that desktop UNIX's need.

  16. Re:Because it makes things work. on UNIX Security: Don't Believe the Truth? · · Score: 1

    "also, the "load device driver" permission can be given to specific users or groups without granting admin permissions as well."

    Load device driver != Install device driver. I think DVD Movie factory actually installs the device driver every time you start it. I tried giving my account that right under security settings and it still didn't work. I'll have to double check though.

    "You're somewhat right about XP Home, but you can always use cacls or just set folders as "local shared". Not ideal, of course, but you don't have to grant full rights."

    Yeah, but for 99.8% of Windows users, this is beyond the scope of their abilities. :\

    "The real kicker is games, some of which have semi-valid reasons (anti-cheating methods, for example), and programs that think they know better than you, and deliberately die if you aren't an admin (even if you have addressed all the issues they think they're solving)."

    This pisses me off more than anything. I'm not a huge gamer, but do enjoy them on the PC from time to time. A friend of mine gave me the OEM version of Far Cry a month or so ago. I played the singleplayer version fine after editing file permissions to make it work, but when playing online punkbuster would not work, regardless of what rights I assigned to my user account. Punkbuster used to work as long as you gave your account several rights under the local security policy, but recently they've changed it so basically, it checks to see if you are a member of the local admin group and dies if you aren't *regardless* of what rights you have. I also play America's Army on FreeBSD, and Punkbuster works just fine under a normal user account there. Why the double standard?

  17. Re:Doesn't Matter So Long As It Works on UNIX Security: Don't Believe the Truth? · · Score: 1

    I understand. I was just being pedantic.

    But if you think about it, your average user isn't going to be using any type of unix anyway. Even the noobish linux distros still have issues that are too complicated for average users.

    So this whole comparison is kind of pointless.

  18. Re:Freecell stats on Tech Support to the Stars · · Score: 1

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\FreeCell

  19. Re: Password changing on UNIX Security: Don't Believe the Truth? · · Score: 1

    Yeah, I agree it's stupid that you can't have both.

  20. Re:Doesn't Matter So Long As It Works on UNIX Security: Don't Believe the Truth? · · Score: 1

    "Under Windows, a virus could wipe everyone personnal files plus the operating system"

    Not if the user isn't running as an admin*. A limited user in Windows has no more rights to the OS and others' files than a regular user in UNIX.

    In fact, a limited user in Windows is somewhat more restricted as by default, they can't even browse other users' directories/files let alone modify them. In unix (at least in FreeBSD and OpenBSD which I use) one user can read other users' files by default.

    *Yes I know it's difficult to do, but I am still right.

  21. Re: Password changing on UNIX Security: Don't Believe the Truth? · · Score: 1

    Turn off "use the welcome screen" setting in XP and when you press ctrl+alt+delete you will get the "change password" button.

  22. Re:Because it makes things work. on UNIX Security: Don't Believe the Truth? · · Score: 2, Informative

    I can list tons. The reason people don't give out lists of programs is because there are so many that it just seems obvious. Kind of like saying "Fire can burn you" and then listing a bunch of newspaper articles about people getting injured from burns. I've run my Windows box as a limited user for a long time now, and if administering Windows wasn't what I do for a living, then I probably would be completely lost trying to get things to work.

    * Crimson Editor (a code editor - saves config to program directory)
    * WinTV2000 (for my Hauppauge TV Card - saves config to program directory)
    * WinTV Scheduler (for my Hauppauge TV Card - saves config to program directory)
    * DVD Movie Factory 3 (Came with Hauppauge TV Card - loads a device driver when run)
    * Plextools Professional (App for my Plextor DVD Burner - needs direct access to hardware + saves config files in program directory and/or HKEY_LOCAL_MACHINE\Software)
    * Trillian - writes config files to program directory
    * Winamp - writes config files to program directory

    Now these are just apps I either use right now, or have used recently that either break completely or don't fully work without admin rights. Almost all of the programs can be fixed with simple file permission changes (simple if you use XP Pro. With XP Home it's not so simple), but a couple are not so simple. Nero BurnRights has to be installed to make plextools work, and the WinTV apps were fixed by giving users rights to a reg key in HKLM\SOFTWARE. What's perplexing about the WinTV apps is when monitoring it, they never actually wrote anything to the key I had to give access to. It just checked to see if they could write to it and died if it couldn't. As for DVD Movie factory, I haven't been able to get it to work as a non-admin. It loads some sort of driver on startup and even when you give users the right to load and unload device drivers it doesn't work. For it, I use the hack linked to in my sig.

    If you only use MS products, then running as a non-admin isn't that hard, because MS is pretty good at writing their apps to work as non-admin, but when you delve into the world of third party software in Windows, apps that break are very common.

    The most frustrating part is that it's not that complicated to write a Windows app that works properly as non-admin. In 99% of cases, you can get by following two rules - 1) Don't write to the program directory after install and 2) Don't write to HKLM\Software\ after install. That's it.

    Here are some more links to software that break as admin....

    http://www.threatcode.com/admin_rights.htm
    http://www.pluralsight.com/wiki/default.aspx/Keith.HallOfShame

    It seems to be getting better now. Five years ago, programs that work as a limited user in Windows were almost nonexistent. Now it seems the majority of new products that come out work just fine - but there are still offenders out there that ruin it for everyone.
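
The two rules in the comment above (no writes to the program directory or to HKLM\Software after install) can be checked mechanically against a trace of an application's write activity. The following is an added example, not part of the original comment; the pipe-delimited log format, the process names and the install roots are constructed assumptions, not real regmon/filemon output.

```python
import ntpath  # Windows path semantics on any host OS

# Assumed default install roots; a real machine may use other locations.
PROGRAM_DIRS = (r"C:\Program Files", r"C:\Program Files (x86)")
HKLM_ALIASES = ("HKLM", "HKEY_LOCAL_MACHINE")

def _norm(path):
    # normpath collapses ".." and "/" so a path cannot dodge the prefix check;
    # normcase lowercases because Windows paths are case-insensitive.
    return ntpath.normcase(ntpath.normpath(path))

def violates_rule(kind, target):
    """Return 1 (program directory), 2 (HKLM\\Software) or None."""
    if kind == "FILE":
        t = _norm(target)
        for root in PROGRAM_DIRS:
            r = _norm(root)
            if t == r or t.startswith(r + "\\"):
                return 1
        return None
    if kind == "REG":
        parts = target.upper().strip("\\").split("\\")
        if len(parts) >= 2 and parts[0] in HKLM_ALIASES and parts[1] == "SOFTWARE":
            return 2
        return None
    raise ValueError("unknown target kind: " + kind)

# Constructed sample trace: process|kind|operation|target
SAMPLE_LOG = r"""
editor.exe|FILE|WRITE|C:\Program Files\Editor\settings.ini
editor.exe|FILE|READ|C:\Program Files\Editor\editor.exe
tvapp.exe|REG|WRITE|HKLM\SOFTWARE\ExampleVendor\TV
tvapp.exe|REG|WRITE|HKEY_CURRENT_USER\Software\ExampleVendor\TV
chat.exe|FILE|WRITE|C:\Documents and Settings\bob\Application Data\Chat\prefs.xml
chat.exe|FILE|WRITE|c:/program files/Chat/../Chat/log.txt
"""

def audit(log_text):
    """Return (process, rule, target) for every write that breaks a rule."""
    findings = []
    for line in log_text.strip().splitlines():
        proc, kind, op, target = line.split("|", 3)
        if op != "WRITE":
            continue  # reads of the program directory are expected
        rule = violates_rule(kind, target)
        if rule is not None:
            findings.append((proc, rule, target))
    return findings

if __name__ == "__main__":
    for proc, rule, target in audit(SAMPLE_LOG):
        print(f"{proc}: breaks rule {rule} by writing to {target}")
```

Writes to the per-user profile and to HKEY_CURRENT_USER pass the check, which is where a limited user already has write access.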

  23. Re:Prince, eh? That Sounds Fun. on Tech Support to the Stars · · Score: 1

    So I take it that Chappelle's Show skit about Prince isn't far off?

  24. Freecell stats on Tech Support to the Stars · · Score: 1

    I did side work a long time ago for the head of our HR Department. I set up a new PC he had bought for his home. I transferred all of his apps/settings/docs over from his old win95 box to his new box (which ran WinME). This included all of his QuickBooks records, and a plethora of other very important business applications related to a business he owned on the side. That was great, but the thing that made his day was when I transferred his Freecell stats over. He had 13,000+ games on record.

    IIRC, it was just a single registry key.

  25. I'm a little behind the curve on The Future of Digital Camera Technology · · Score: 1

    I still use the one megapixel HP PhotoSmart C200 I bought back in 1999.