Hi, Kurt! Good to see you're alive and well!

At Tuesday, April 04, 2006 10:44 AM, Kurt Dillard wrote:

> I agree with Susan that logging into Windows without administrator
> privileges is doable today, especially for well-managed networks.

Note that I haven't ever disagreed; I have acknowledged that it is
doable.

> but it's not
> overwhelmingly difficult for most organizations today if you plan
> ahead and properly test your applications.

The way you phrased this ties back to one of the points I was making,
which is that it's not hard *today*. A few years ago, when XP was
released, was a different story.

> It only becomes impossible
> on networks with thousands of applications, but organizations with
> that many unique apps deployed tend to not have any kind of
> centralized management going.        

It's also much more difficult in small shops where the person doing the
management of the network doesn't know much more than their users, or
only gets to do network management part-time, or whose owners don't
understand the value of LUA and thus don't allow their admins to take
the time to set it up (or who cave in after the bookkeeper complains the
first time QuickBooks won't start up). The time required to research
applications, test them out, and make sure they work under LUA doesn't
scale well for smaller companies. So for them, it *is* "too hard" -- not
because of the technical difficulty involved, but because the process is
involved and appears to take away too much productive time.

> Devin, you compare the level of awareness about LUA in the Windows
> community with that in the Linux and Unix communities. It's not a
> reasonable comparison to make because the percentage of users who are
> not computer professionals in the Linux and Unix communities is
> minuscule

<thinks back to own experiences as a UNIX admin>

Oh, if only that were true!

Okay, okay, you have a point there that the ratio of professionals is
higher in the *nix community. However, I wasn't directly comparing the
communities so much as I was comparing *installation processes*. There
are some flavors of *nix (Solaris, I'm looking at you) that assume the
box is part of a larger directory service such as NIS, NIS+, or LDAP and
thus don't prompt you to create additional user accounts during the
first installation -- but many of the free *nix distributions I've used
do precisely that.

Let's compare that with Windows XP. If you're using Home, or Pro without
joining a domain, you get asked to input your name. The account that XP
creates is given local admin privileges by default even though there is
still a separate Administrator account. (If you're using Pro and join a
domain, then it does what Solaris does -- ask for the password to give
the local Administrator account and not worry about users. I stipulate
that this is the most useful route to take in the presence of some sort
of directory service.)

> Last time I checked
> Linux that was being marketed to home users was configured to log on
> as root by default too.

Depends on the distro. The ones that do tend to get a lot of abuse,
precisely because they're teaching bad habits to the people who use
them.

> Devin, you switched the discussion to home users.

Not exactly. First, I wasn't aware that the original discussion was
limited to just business users, so home users are valid cases of Windows
users. With so many home machines compromised by malware (which in many
cases was installed because the user was running with admin privs even when
they have anti-spam, anti-virus, and anti-spyware applications
installed) they constitute a significant source of threat. I spend a lot
of personal time helping people with their home machines, and in the
last couple of years, I don't think I've even seen an XP machine where
people didn't have anti-malware utilities installed. Most of them, to my
surprise, were actively updating through Windows Update instead of
relying passively on default Windows Update behavior. 

However, you could make the same statement of many business users on
laptops. A lot of companies buy laptops pre-configured with Windows and
don't ever bother to join them to a domain. Many of them allow the end
user to run through the initial installation process. Boom -- the user
now has local admin privs. And we're back to where we started.

Sue asked a question that kicked this part of the discussion off:

"Is it IE that's insecure?  Or how the workstations are setup in the
first place?"

My point all along -- which is one that apparently Sue isn't happy with
-- is that while LUA does dramatically reduce the number of vulnerabilities
(in most user-space applications) that can actually hurt your machine
when they get through, IE is a special case. It has a history of having
far more vulnerabilities than other browsers, and because a lot of the
code in IE is so tied in with the rest of Windows, you cannot guarantee
(like I can with Firefox, etc.) that only non-admin code will ever be
affected by those vulnerabilities.

The rest of this was just rat holing.

> Technology can only do so much, users who make bad decisions will be
> exploited regardless of what browser (or email client, or P2P app,
> etc) they are using.     

Absolutely.

-- 
Devin L. Ganger                    Email: [EMAIL PROTECTED]
3Sharp LLC                         Phone: 425.882.1032 x 109
15311 NE 90th Street                Cell: 425.239.2575
Redmond, WA  98052                   Fax: 425.702.8455
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/
