[66907] in North American Network Operators' Group
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it,
daemon@ATHENA.MIT.EDU (kenw@kmsi.net)
Thu Jan 29 09:48:39 2004
Date: Thu, 29 Jan 2004 07:47:00 -0700
From: kenw@kmsi.net
In-reply-to: <Pine.LNX.4.44.0401290715170.27916-100000@login2.fas.harvard.edu>
To: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
On Thu, 29 Jan 2004 07:41:20 -0500 (EST), you wrote:
>...
>When NTFS came out an ordinary user could not write the system directory
>tree. Hence most users are running as Administrator or equivalent so that
>they can write into the system tree. This was a bad design decision by
>MS _and_ application developers. This _is_ fixable by MS by simply not
>allowing apps to write into the system tree. This of course is a "small
>matter of programming" but it would really improve the overall security
>posture of Windows.
>
>Now there are well written applications which do install their DLLs into
>their own tree; these apps can usually be recognized by _not_ requiring a
>reboot after installation.
>...
Actually, it's more of an issue in the registry than the file system; older
apps tend to want to write the global HKLM, rather than the user-specific
HKCU.
But, regardless, Win2K and WinXP do have restricted-user modes that tie
this stuff down quite well. They tend to be used in corporate
environments. But for home users, it gets to be a pain in the butt,
because it prevents a lot of things users want to do, like installing
games, multimedia apps and spyware.
You can't really have it both ways; if you can install apps, you can
install viruses and trojans. I don't see this being much different
regardless of the OS you run. And until you have earned some battle scars,
you're not afraid of the pretty toys.
It would be nice, though, if there were a legitimate 'su' analog in Windows
-- sorry, "runas" doesn't cut it. Makes it hard to normally run
restricted, and explicitly enable temporary privs sometimes...
/kenw
Ken Wallewein
K&M Systems Integration
Phone (403)274-7848
Fax (403)275-4535
kenw@kmsi.net
www.kmsi.net
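The HKLM-versus-HKCU point above has a practical consequence for anyone running users as non-admins: a common workaround for legacy apps is to loosen the ACL on their HKLM keys so ordinary users can write there, which is worth auditing. The script below is an added example, not code from the thread or from any poster; it assumes Windows PowerShell 5.1 or later and a read-only audit of HKLM\SOFTWARE (the path and the set of non-admin SIDs are assumptions you can adjust).

```powershell
# Added example (not from the NANOG thread): list HKLM\SOFTWARE subkeys whose
# ACL grants write access to broad, non-administrative principals. Such keys
# are the usual legacy-app workaround and are where a non-admin user (or
# malware running as that user) can still change machine-wide settings.
$NonAdminSids = @(
    'S-1-5-32-545',   # BUILTIN\Users
    'S-1-1-0',        # Everyone
    'S-1-5-11'        # Authenticated Users
)

# Rights that let a principal modify the key or its values.
$WriteMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::WriteKey

function Get-NonAdminWritableKey {
    param([string]$Path = 'HKLM:\SOFTWARE')   # assumed audit root

    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        $acl = try { Get-Acl -Path $key.PSPath } catch { $null }
        if (-not $acl) { return }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Resolve the identity to a SID so group renames don't hide it.
            $sid = try {
                $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { $null }
            if ($sid -and ($NonAdminSids -contains $sid) -and
                (($ace.RegistryRights -band $WriteMask) -ne 0)) {
                [pscustomobject]@{
                    Key       = $key.Name
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                }
            }
        }
    }
}

Get-NonAdminWritableKey | Format-Table -AutoSize
```

Inherited ACEs are included on purpose: a permissive ACE set high in the tree shows up on every child key it reaches, which is exactly the exposure worth seeing.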