> -----Original Message-----
> From: Michael Kintzios [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 09, 2006 9:12 AM
> To: gentoo-user@lists.gentoo.org
> Subject: RE: [gentoo-user] antivirus
>
> > -----Original Message-----
> > From: Bob Young [mailto:[EMAIL PROTECTED]
> > Sent: 08 March 2006 21:05
> > To: gentoo-user@lists.gentoo.org
> > Subject: RE: [gentoo-user] antivirus
> >
> [snip]
> > As to <insert App Name here> not running without Admin
> > rights, most of those
> > cases can be taken care of with RunAs. It's better to run a
> > single App with
> > Admin privledges rather than have all apps including email
> > and browsers
> > running with Admin rights.
>
> Actually, it would be better to troubleshoot the particular application
> and allow it write/execute or modify rights *only* to the files it needs
> to access for the particular plain user (typically some files or a
> folder under C:\Program Files).

In most cases it's not blocked file writes that cause these apps to fail,
it's blocked access to registry keys. In many cases, I'm convinced it's
simply a matter of the app incorrectly specifying read/write access to a
value or key that it really only needs read access to. It would be
inappropiate and dangerous to grant registry write permissions to regular
users, even just for certain keys or subsections, just to fix one or two
badly designed apps.

If it were just a matter of writing to files under the "Program Files"
directory, then the apps would work under a PowerUser account, and yet there
are indeed badly designed apps that fail to run as a PowerUser, but work
fine when executed with Admin rights.


> It may take some time to set up access rights for all such badly written
> apps, but it'll keep your M$Windoze box as safe as it will ever be.  If
> in addition you shut down all the open by default Windoze ports
> (135-139, 445, 500, 1900, 4000 + remote admin) and disable

I agree that a properly configured firewall is important to system security
on any machine with a public IP address, that's true regardless of what
operating system is running on it.

> unnecessary/dangerous services and also stop using OE and IE (or at
> least stop using them with their default settings) you should be safe
> enough going about your normal business.

I've never used OE under Windows, I consider it a throw away app, I find the
full version of Outlook much more capable. As to the defaults for it and IE,
I'd agree that it's possible to choose more "lockedown" settings. I'm less
concerned about this if they are running under a non Admin account and are
behind a decently configured firewall. Personally I find html email much
more readable and expressive than bland ASCII text, that being said, neither
I nor my wife open unknown/untrusted attachments. WRT IE, I enable/disable
scripting/ActiveX depending on what I'm doing and what I know about my
destination(s).

Regards,
Bob Young





-- 
gentoo-user@gentoo.org mailing list

Reply via email to