Unfortunately, no one has figured out how to explain complex questions to regular users, and it seems doubtful that anyone will without users being somewhat more educated about how computers work.
For example, on the latest Vista Beta my friend was playing with on his laptop, it said...
"Do you want to allow Explorer.exe to do [some action]?"
Most users would be lost at the "explore.exe" part. :(
I disagree. There is nothing in the design of OSX that will prevent ill-informed users from screwing it up. The asking of the admin password is nice, but that doesn't even come close to bringing it into the realm of foolproof.
Running as a limited user protects the OS, not the user and his/her files. Right now, running as a LU in Windows provides more protection than it does under other OSs because it is assumed by malware writers that the user will have admin privileges. It's perfectly possible to write a worm or virus that lives inside the user's space - but malware writers write their worms so that they try to copy themselves into places like "C:\windows". As a result, most malware, when run under a limited account, simply dies. A worm writer could just as easily start by assuming the user doesn't have admin rights, and either write the worm to live inside the user's space, or try to escalate privileges via exploits, or by simply asking the user for the admin password. With Windows Vista, I think we will see a lot of this. Worms will simply ask the user to type in the admin password, and the user will do it because they won't know any better. :\
"Well, there are various mail clients that don't have this problem. Personally I use KMail with the HTML disabled (as is recommended)."
That's great. I use thunderbird on both Windows and FreeBSD.
But my point stands.
Recently there was a very, very nasty bug patched for KDE 3.4+, which would allow automatic code execution through many different avenues. In the past there have been multiple image rendering flaws, zlib flaws, gaim flaws, firefox/mozilla flaws, mplayer flaws, real player flaws, adobe acrobat flaws...that could all be used to automatically run code on non-Windows systems.
The flaws are there. The only ingredient missing is the userbase to target.
I guess I should take back my assertion that there is no viable alternative. Linux or OSX *are* viable alternatives for the simple fact that they are under the radar at the moment. I actually recommend Macs to the Windows users I talk to that get themselves infected all the time. They never take my advice though.
It's not a troll at all. Whoever modded it that way obviously needs their mod privs taken away, but you are ignoring the fact that the exact same vulnerabilities (the ones that allow automatic code execution) that are found in Windows are frequently found in all other OS's. So, no, it's not always the user's fault, but until someone (ANYONE...PLEASE!) can write a desktop platform sans these types of flaws, there is no use hammering on Microsoft, because there is no viable alternative.
Reducing the monoculture and splitting marketshare between several OS's would probably help - at least with regards to these email worms, but I doubt if it would come close to solving the problem of users doing stupid things. The other option is to strip all of the functionality out that can lead to these compromises, but would users buy it? Somehow I don't think they would.
I don't care how secure Microsoft makes Vista, users will continue to infect their systems, because all that is needed to be compromised is the ability to introduce new code into the system. If users can still do that with Vista, then they will be infected. They will learn to simply click yes through all of the security warnings when new code is run. I'm willing to bet they will even type in the admin password when viruses ask for them - because that's the way users are.
Re:We're still using NT4 domain controllers (on "Buy Vista or Else") · Score: 1
"It doesn't help with services that use Windows Networking, because they all run over the same port, using different named pipes. If you could bind the service to a specific interface that wouldn't be an issue."
Ok I get your gripe. Backup Exec comes to mind.
"After we got merged into the company domain, most of the virus problems we've had have come from infected computers in the same domain"
Ahh yes. Laptops and foreign networks - the bane of every IT dude's existence.
We were hit with Blaster a couple of years back when it came out and laptops were what brought it in on Monday. I had procrastinated on deploying WUS so all of our machines were bent over with the lube in hand.
What we did (besides deploying WUS immediately) was set an AD firewall policy that turns the firewall on with no exceptions allowed if the computer is not connected to our network. With that, even local admins can't change the firewall settings without removing the computer from the domain. No one has ever complained about it. I was ticked that Microsoft didn't backport the firewall capabilities in XP clients to Win2k, but we don't have too many 2k laptops so it wasn't too huge an issue.
Re:We're still using NT4 domain controllers (on "Buy Vista or Else") · Score: 1
First of all, sorry for making two replies to your original comment. My trigger finger went off a little too quickly.
Yes, I know that IPSEC isn't a Windows-only thing. I like UNIX-type OSs (particularly FreeBSD) and the flexibility they give you over Windows, but my point was, while Windows does give you less flexibility, it does give you the tools that are needed to get the job done.
You talk about limiting access to services on a local network - well that's exactly what I use it for. For example, I've got a MS SQL server with very sensitive info on it. I have an IPSEC policy on it that denies access to the sql server port for everyone except one machine, and with that one machine all communication must be authenticated with a shared key. When SQL Slammer came out a few years back, we had a SQL server onsite that was being maintained by a third party contractor and of course, they left the damn thing unpatched and wide open and it got infected. It blasted our internal network (to the point of creating a DoS situation), but my SQL server, which wasn't patched (/me slaps myself on the hand for that) wasn't touched.
Other useful things you can do on a domain include requiring Kerberos authentication for sensitive Windows ports like (139,225,1025), so only clients that are domain members can talk to each other on these ports. You would set up your servers to allow unauthenticated communications (so the clients can get their policies from the DC) and make it mandatory for clients. This would keep rogue infected machines that are infected with the latest Windows network worm from infecting your clients' machines.
Re:We're still using NT4 domain controllers (on "Buy Vista or Else") · Score: 1
"And just to make it more fun, Microsoft screwed up the design of their port of Berkeley sockets to NT, and didn't fix the problem when they re-implemented it, so they can't run services from an inetd-style superserver. If they did that, you could control access to services without a firewall, and do it in a fine-grained manner..."
Have you tried using IPSEC? Or is it not acceptable to control access to services using it since it's 'the Microsoft way'?
Re:We're still using NT4 domain controllers (on "Buy Vista or Else") · Score: 1
So basically, you are complaining that Windows isn't UNIX.
Clients need not have the firewall turned off to update themselves via a WSUS server, as the client initiates the connection. Slipstream an XPSP2 in your WindowsXP CD and the firewall will be on by default. In your default domain policy (or if you want to keep that clean, a separate policy at the root of your domain), set the appropriate WSUS settings that will point the client to the WSUS server. When you join the PC to the domain it will get its policy, and automagically update itself via WSUS - reboots and all. You might also need to set deadlines for all of the approved updates in WSUS so the computer updates itself right away.
If the computer is fairly new it should be able to update itself with all of the post-XPSP2 updates via WSUS in around 15-30 minutes with no interaction required.
Re:We're still using NT4 domain controllers (on "Buy Vista or Else") · Score: 1
XP added a lot more in terms of remote management capabilities, like more WMI objects to interface with, and with SP2, firewall policies that can be set via AD. For laptops that are taken off site and onto foreign networks, XP *is* significantly better than 2k.
Re:NOT A Selling Point-But a "must have" for secur (on "Buy Vista or Else") · Score: 1
I've heard that Vista will silently redirect attempted writes to sensitive areas to the user's space on the fly. So if the user clicks on an installer that doesn't ask for the admin password, and the installer tries to write files to the Program Files dir and registry entries to HKEY_LOCAL_MACHINE\Software hive, Vista will redirect the files to the user's profile directory and the registry keys to HKEY_LOCAL_USER\Software.
...I really don't care what Microsoft's marketing line regarding Vista is. I already know what improvements Vista brings to the table, as do most other IT people who manage large numbers of Windows machines. As for home users, is marketing to them really all that necessary? The vast majority will get Vista by default when they get a new PC - and the vast majority of them won't even realize it, much less care about it.
As it is right now, Win2k and WinXP are fairly easy to manage on a large scale as long as you don't let everyone have admin rights to their local machines. Upgrading is out of the question in most corporate environments, because it costs too much money for what it's worth. Like the Joe Users of the world, Vista will appear when it starts coming on our new computers. Like 2000>XP, the XP>Vista transition will take at least three years, during which time we will have a mixture of OS's out there.
The one time where we actually did upgrade existing computers was when we moved from Win9x to Win2000. The benefits of running 2000 on the desktop were so great in terms of time saved on support that it was worth it to us.
As for XP>Vista, I've seen the betas and the new security features are nice, but as I said before managing 2000/XP is not a big problem and I don't see any reason to upgrade existing machines. IMO, the improvements in Vista are going to be the greatest for home users and IT shops that don't know what the hell they are doing. Those improvements still won't save users from themselves - but no OS can do that.
We're moving to a Blade Center/SAN/VMware ESX solution in a couple of months.
Guess we didn't get the memo?
It's "batch", not "bash".
1) few windows users run in LUA
True.
"2) windows accounts aren't true LUA, and can pretty frequently write to the registry, if not the windows directory."
False.
Limited users cannot write to the windows directory. They cannot write to the program files directory and the only part of the registry that they can write to is their own section of the hive which only affects them. By default the only place in the filesystem that they can write to, other than their own profile directory, is the root of the system drive. In the root of the system drive, they can create new folders (but not files) and they can write files into those folders that they have created. While that may seem like a vulnerability, they cannot write to any portion of the registry or filesystem that would cause files to execute automatically for other users of the system...so if a limited user downloaded a file and placed it in a folder in the root drive, an admin user would have to execute it for the malware to compromise the system.
Oh I didn't know that they were only for the current month. I guess that makes sense, since ALL of the updates would certainly take more than one CD.
You could always just install WSUS on a machine and have it download all of the updates for whatever OS you want.
Well the bktr driver doesn't work with my Hauppauge WinTV PVR150 card, so I assumed it didn't use the Brooktree chipset.
My old ATI TV Wonder was based on the BT848 chipset and worked okay with it.
"Even if you do have a license for each computer, as far as I know, there's no way to change the registration number of a Windows install once it's been installed and a ghost image has been made."
Got sysprep?
They just started doing the ISO thing. Long overdue I say.
Most of the pages you will get when you google "slipstreaming" will talk about slipstreaming service packs, but you can also slipstream individual hotfixes into Windows installations. Also note that Microsoft makes available for download ISO images containing every Windows critical and security update. If you really want to make a slipstreamed install of Windows with every single hotfix possible, this will save you time searching and downloading the individual updates.
I meant newer Hauppauge cards.
"...kldload bktr wasn't too terribly hard back in the day."
Hauppauge cards aren't based on the Brooktree chipset.
Oh come on dude. No need to call me names. It was only a (failed?) attempt at dry humor.
:)
I just figured out how you can get your BSD section up. Disable javascript, reload the page and then click on "Sections". With javascript disabled you will get a page instead of that pop-over menu (doesn't work for me either) thingy. Scroll down to the "Customize Slashboxes" section. Check "use slashboxes" and then check the BSD box.
The BSD section should appear.
Cheers!
Try logging in.