I just love this bit from the MS release: <quote> Because of these changes to the core operating system of Windows XP and of Windows Server 2003, extensive changes to file permissions on the root of the operating system are no longer required.
Additional ACL changes may invalidate all or most of the application compatibility testing that is performed by Microsoft. Frequently, changes such as these have not undergone the in-depth testing that Microsoft has performed on other settings. Support cases and field experience has shown that ACL edits change the fundamental behavior of the operating system, frequently in unintended ways. These changes affect application compatibility and stability and reduce functionality, both in terms of performance and capability. </quote> This is called FUD. Microsoft has not once BOTHERED to investigate and publish least privilege on their OS. Here in DoD land the NSA/DISA/ArmedService' "hardening" guidelines are nearly silent on the matter of fixing the sad excuse that is windows filesystem security. Mostly because M$ itself has never published anything. To be fair, it's improved a little bit since NT4 but LocalSystem in particular has WAY too much access. Of course the vendor doesn't want you to change anything. They can't be bothered to configure their OS correctly to begin with. If M$ wanted to they could ship Vista with proper filesystem permissions out of the box and nobody would notice. They just can't be bothered. Afterall, when you have such a disorganized OS going 16 different ways, and an ISV community that has for decades been getting away with murder, would you want to spend the time to figure out which in-house programmer was being an idiot and assuming he could just step all over the filesystem? Programmers are just plain sloppy. They have no incentive to make security a priority. For all the PR about M$'s new "we care about security" schtick, not a whole heck of a lot is going to change. --------------------------------------------------------------------------- ---------------------------------------------------------------------------
