Define "Properly Secured" because what is secured from one users prospective is totally different than what another user thinks, and no XP machine or computer for that matter can be 100% protected.
I also second the notion about UAC, that is what it was built for, if you turn it off because you don't like the prompts when you run items, then you have just defeated a major security control in the OS, and its only going to be time before you get 0wned.. Z Edward Ziots CISSP,MCSA,MCP+I,Security +,Network +,CCA Network Engineer Lifespan Organization 401-639-3505 ezi...@lifespan.org From: Jon Harris [mailto:jk.har...@gmail.com] Sent: Wednesday, April 28, 2010 4:46 PM To: NT System Admin Issues Subject: Re: Admin rights, UAC, etc. (was: WTF? Fake AV) " With the exception of exploitation of unpatched vulnerabilities, I've never seen malware lead to a system compromise on a properly-secured Win XP machine" Sorry but how many (l)users know how to this? How many home owners even know this is possible. I would much rather see a Windows Vista with UAC turned on or Windows 7 in one of their hands than the typical XP box. You can teach people not to click Okay or Yes and then call and ask or just go on with out allowing the security holes. Yes it is hard to do and no you sometimes have to make it hurt to get their attention but like James says charge them more each time they bring in a corrupted system and they pain will cause them to start using their heads. On Wed, Apr 28, 2010 at 11:13 AM, Ben Scott <mailvor...@gmail.com> wrote: On Wed, Apr 28, 2010 at 10:18 AM, <greg.swe...@actsconsulting.net> wrote: > Are there any reports out there that show Windows 7 running with UAC that > its minimizes the infections of spyware. I too would be interested in seeing hard data on this. I've seen lots of marketing claims, and the occasional anecdote, but I remain unconvinced that UAC (as typically configured, and for the SOHO user) will do anything more than train lusers to click "Allow" when they see it. I've certainly got my own anecdotal evidence that lusers do just that. To me, the chief advantage to UAC is FRV (filesystem and registry virtualization). It lets software which thinks it needs to write to protected locations run anyway. *That's* a big win. Lets people who understand security cope with software vendors who don't. The ability for UAC to use the GUI to prompt for alternate admin credentials for privilege elevation is very convenient, but it's not compelling to me. You can achieve similar results using RUNAS. Not as convenient, but gets the job done. > While I am not a huge fan of MACS ... It took me a minute to figure out you meant "Macintoshes" and not "Mandatory Access Control System". "Mac" -- the computer from Apple -- is not an acronym. :) (It wouldn't have been so confusing except that MACS and DACS are the two common models used for describing access control/permissions. Windows mostly uses DACS (hence, DACL, Discretionary Access Control List), but the "Integrity Levels" features in Win 6.x are heading in the direction of MACS.) > .. their security model is obviously much better than Windows. While Windows is often shipped with a default no-security admin account, Windows fully supports creating a user without admin rights. It's what we do for *everybody* here at %WORK%. We've been doing it for *years*, and it works very well. The only hard part is convincing software vendors that admin rights are not required to do things like word processing. More generally, one problem is the many PC builders who ship their computers configured to run users as admins by default. Even if UAC works as advertised, that's not a good thing. But the real hard problem here is home lusers who don't understand security. They consider security a problem, something to be removed. And they will install whatever a web page tells them to. I don't have a good solution for that. I suspect nobody does. > Even with users not in admin group in Windows XP, Vista I have > seen malware get right on and hose a machine. With the exception of exploitation of unpatched vulnerabilities, I've never seen malware lead to a system compromise on a properly-secured Win XP machine. I've seen it screw up a user account pretty well, to the point where it's easier to erase and reset the user profile than it is to repair the registry wreckage. Most of the time, though, all we have to do is login as an admin and delete *.EXE *.DLL *.OCX under their user profile folder. Are you using a proper set of ACLs on the filesystem? My strategy is that users should only be able to create/modify under their own user profile folder. Nothing else. Well, the default C:\WINDOWS\TEMP permissions are okay. In particular, by default, users can create files and folders under <C:\> and <C:\Documents and Settings\All Users\Application Data\>. This is a very bad idea on Microsoft's part. Malware gets in, compromises "All Users", admin logs in, Explorer or something else trips over something in "All Users", malware now compromises system. Way to go Microsoft! -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
