www.threatcode.com
If an application is written for TODAY's Windows XP logo it will run as
a non administrator.
Everyone right now.. go click on your time and date... go .. okay ..can
you change the date and time?
That is the quick and dirty test to see if you have admin rights...
You have administrator rights to your machine. Now go over to the
absolutely stupid-est user in the office. (If that's you... that's fine
;-) Do they have admin rights just like you? The one that will click
and download anything? That means not only can "you" install anything
you darn well please, so can they.
And if you do and they do.. so do all those lovely drive by browser
'sploits and stuff. Please go back and review the security bulletins
and see all the ones these days that say "will gain access in the rights
of the user context" ...that means if you are LUA (non admin) so are the
nasties... and studies have shown that if you run as non admin (which
...hello people.. Vista is doing this along with 'nix and Macs so get
used to it before Vista's admin isn't admin anymore) you get less
malware.
So why aren't we doing what we can to lower the attack surface of what
we have ... especially when we can't rip out IE as our .. yeah you
guessed it... crappy line of business applications depend on it? Why is
it that according to stats that about 80% of us are running as admin?
Yeah I know it's 'cause it's easy and it's the way we've always done it
about Windows...but why are we still doing it this way?
Does the stupid-est user in the office really need to be able to
download malware-de-jour?
So how do you run as non admin?
Log into that system, add another user as a 'normal' user and log in
with those 'normal user' rights.
Okay how many applications of yours won't work?
Lemme guess.. beancounter ones (accounting software)... along with many
line of business applications.
So how do you deal with applications that won't 'do LUA'?
Aaron's blog has some suggestions..
Aaron Margosis' WebLog : Fixing "LUA bugs", Part I:
http://blogs.msdn.com/aaron_margosis/archive/2006/02/16/533077.aspx
Aaron Margosis' WebLog : Fixing "LUA Bugs", Part II:
http://blogs.msdn.com/aaron_margosis/archive/2006/03/27/562091.aspx
Jesper's Blog : Malware and administrative rights:
http://blogs.technet.com/jesper_johansson/archive/2005/11/30/415328.aspx
Use filemon/sysmon to figure out the ACL issues....
Use RunAs.
http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=102
Want to really fix it though? Yell. Yell at those vendors to fix it.
And make sure your folks that are making the purchasing decisions know
that this needs to be a requirement...because in this day and age of
computer technology there is NO EXCUSE for a vendor to code like we are
running Windows 98 around this place.
As to restricting ActiveX to only those you need..harness the power of
group policy on that one...
Outlook Web Access and Small Business Server Remote Web Workplace do not
function if XP Service Pack 2 Add-on Blocking is enabled via group policy:
http://support.microsoft.com/kb/555235/en-us
How to manage Internet Explorer add-ons in Windows XP Service Pack 2:
http://support.microsoft.com/?id=883256
How's that Milos?
Milos Puchta wrote:
Susan,
give please more info instead of clipped style letter.
It would be nice if you could give it a little more time
to educate those who can accept it. ( For those who
feel lost without being administrator there are at
least two tools that change the rights ....)
TIA
Rgds
Milos
----- Original Message -----
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <[EMAIL PROTECTED]>
To: "bkfsec" <[EMAIL PROTECTED]>
Cc: "Murad Talukdar" <[EMAIL PROTECTED]>; <[email protected]>
Sent: Saturday, April 01, 2006 1:07 AM
Subject: Re: New IE flaw and exploit sites/migration to non-MS browser
How many of you are running as non admin? Used the Group policy to
adjust and allow approved ActiveX?
Now I'm no coder...but from threads I've seen.... Firefox's
Extensions are ripe for fun and excitement.
Is it IE that's insecure? Or how the workstations are set up in the
first place?
bkfsec wrote:
Murad Talukdar wrote:
On a related note--how many people have initiated a move away from IE to
Firefox/Opera etc in a corporate environment, due to the perception (is it
JUST a perception or reality based?) that IE is less secure/more prone to
exploits?
We have in certain areas. It's very much reality-based that IE is
less secure and more prone to exploit than other browsers, for a
number of reasons, not the least of which is IE's architectural
tie-in with the MS Windows operating system.
-bkfsec
---------------------------------------------------------------------------
---------------------------------------------------------------------------
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com