Re: Admin rights, UAC, etc. (was: WTF? Fake AV)
Laugh it up, fuzzball.

On Wed, Apr 28, 2010 at 10:51 PM, Ben Scott mailvor...@gmail.com wrote:
> On Wed, Apr 28, 2010 at 4:55 PM, Ziots, Edward ezi...@lifespan.org wrote:
>> Define “Properly Secured” because what is secured from one user's perspective is totally different than what another user thinks ...
>
> Properly secured would mean the accounts used for day-to-day operations do not have permission to modify the system. Principle of least privilege. A well-known and widely-recommended best practice since roughly the 1960s. As I went on to detail in my message.
>
>> ... no ... computer for that matter can be 100% protected.
>
> I never claimed otherwise. I wrote properly secured, not perfectly secured.
>
> Did reading comprehension just drop sharply or something? What is it about this topic that makes people unable to follow a line of reasoning? It's like attack of the strawmen. What next, Macs are more secure because Chewbacca is a Wookie?
>
> -- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
Re: Admin rights, UAC, etc. (was: WTF? Fake AV)
I don't know where you get your delusions, laser brain.

On Thu, Apr 29, 2010 at 11:00 AM, Jonathan Link jonathan.l...@gmail.com wrote:
> Laugh it up, fuzzball.
>
> On Wed, Apr 28, 2010 at 10:51 PM, Ben Scott mailvor...@gmail.com wrote:
>> On Wed, Apr 28, 2010 at 4:55 PM, Ziots, Edward ezi...@lifespan.org wrote:
>>> Define “Properly Secured” because what is secured from one user's perspective is totally different than what another user thinks ...
>>
>> Properly secured would mean the accounts used for day-to-day operations do not have permission to modify the system. Principle of least privilege. A well-known and widely-recommended best practice since roughly the 1960s. As I went on to detail in my message.
>>
>>> ... no ... computer for that matter can be 100% protected.
>>
>> I never claimed otherwise. I wrote properly secured, not perfectly secured.
>>
>> Did reading comprehension just drop sharply or something? What is it about this topic that makes people unable to follow a line of reasoning? It's like attack of the strawmen. What next, Macs are more secure because Chewbacca is a Wookie?
>>
>> -- Ben
RE: Admin rights, UAC, etc. (was: WTF? Fake AV)
Hey, I'm in it for the money.

From: Richard Stovall [mailto:rich...@gmail.com]
Sent: Thursday, April 29, 2010 3:31 PM
To: NT System Admin Issues
Subject: Re: Admin rights, UAC, etc. (was: WTF? Fake AV)

> I don't know where you get your delusions, laser brain.
>
> On Thu, Apr 29, 2010 at 11:00 AM, Jonathan Link jonathan.l...@gmail.com wrote:
>> Laugh it up, fuzzball.
>>
>> On Wed, Apr 28, 2010 at 10:51 PM, Ben Scott mailvor...@gmail.com wrote:
>>> On Wed, Apr 28, 2010 at 4:55 PM, Ziots, Edward ezi...@lifespan.org wrote:
>>>> Define "Properly Secured" because what is secured from one user's perspective is totally different than what another user thinks ...
>>>
>>> Properly secured would mean the accounts used for day-to-day operations do not have permission to modify the system. Principle of least privilege. A well-known and widely-recommended best practice since roughly the 1960s. As I went on to detail in my message.
>>>
>>>> ... no ... computer for that matter can be 100% protected.
>>>
>>> I never claimed otherwise. I wrote properly secured, not perfectly secured.
>>>
>>> Did reading comprehension just drop sharply or something? What is it about this topic that makes people unable to follow a line of reasoning? It's like attack of the strawmen. What next, Macs are more secure because Chewbacca is a Wookie?
>>>
>>> -- Ben
Re: Admin rights, UAC, etc. (was: WTF? Fake AV)
> But the real hard problem here is home lusers who don't understand security. They consider security a problem, something to be removed. And they will install whatever a web page tells them to. I don't have a good solution for that. I suspect nobody does.

I have a good solution for them. Charge them double next time to clean up. Or they can take it to someone else if they don't like it. Whether they be business or home users, when something starts to accumulate a monetary penalty, they usually wise up a bit.

But I agree, there is a general feeling that security is an annoyance - until it bites them in the arse. And then they wonder why we didn't do more to save them from themselves :-)

On 28 April 2010 16:13, Ben Scott mailvor...@gmail.com wrote:
> On Wed, Apr 28, 2010 at 10:18 AM, greg.swe...@actsconsulting.net wrote:
>> Are there any reports out there that show Windows 7 running with UAC that it minimizes the infections of spyware.
>
> I too would be interested in seeing hard data on this. I've seen lots of marketing claims, and the occasional anecdote, but I remain unconvinced that UAC (as typically configured, and for the SOHO user) will do anything more than train lusers to click Allow when they see it. I've certainly got my own anecdotal evidence that lusers do just that.
>
> To me, the chief advantage to UAC is FRV (filesystem and registry virtualization). It lets software which thinks it needs to write to protected locations run anyway. *That's* a big win. Lets people who understand security cope with software vendors who don't.
>
> The ability for UAC to use the GUI to prompt for alternate admin credentials for privilege elevation is very convenient, but it's not compelling to me. You can achieve similar results using RUNAS. Not as convenient, but gets the job done.
>
>> While I am not a huge fan of MACS ...
>
> It took me a minute to figure out you meant Macintoshes and not Mandatory Access Control System. Mac -- the computer from Apple -- is not an acronym. :)
>
> (It wouldn't have been so confusing except that MACS and DACS are the two common models used for describing access control/permissions. Windows mostly uses DACS (hence, DACL, Discretionary Access Control List), but the Integrity Levels features in Win 6.x are heading in the direction of MACS.)
>
>> .. their security model is obviously much better than Windows.
>
> While Windows is often shipped with a default no-security admin account, Windows fully supports creating a user without admin rights. It's what we do for *everybody* here at %WORK%. We've been doing it for *years*, and it works very well. The only hard part is convincing software vendors that admin rights are not required to do things like word processing.
>
> More generally, one problem is the many PC builders who ship their computers configured to run users as admins by default. Even if UAC works as advertised, that's not a good thing.
>
> But the real hard problem here is home lusers who don't understand security. They consider security a problem, something to be removed. And they will install whatever a web page tells them to. I don't have a good solution for that. I suspect nobody does.
>
>> Even with users not in admin group in Windows XP, Vista I have seen malware get right on and hose a machine.
>
> With the exception of exploitation of unpatched vulnerabilities, I've never seen malware lead to a system compromise on a properly-secured Win XP machine. I've seen it screw up a user account pretty well, to the point where it's easier to erase and reset the user profile than it is to repair the registry wreckage. Most of the time, though, all we have to do is login as an admin and delete *.EXE *.DLL *.OCX under their user profile folder.
>
> Are you using a proper set of ACLs on the filesystem? My strategy is that users should only be able to create/modify under their own user profile folder. Nothing else. Well, the default C:\WINDOWS\TEMP permissions are okay.
>
> In particular, by default, users can create files and folders under C:\ and C:\Documents and Settings\All Users\Application Data\. This is a very bad idea on Microsoft's part. Malware gets in, compromises All Users, admin logs in, Explorer or something else trips over something in All Users, malware now compromises system. Way to go Microsoft!
>
> -- Ben

--
On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.
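Ben's point about the default ACLs on C:\ and All Users\Application Data can be checked rather than taken on faith. The script below is an added example, not code from the thread or from anyone in it: it lists every Allow ACE on those two locations that gives a low-privilege principal the right to create files or folders there. The path list and the principal list are assumptions and can be adjusted; it only reads ACLs, so it needs no admin rights to run.

```powershell
# Added example, not code from the thread. Audits the two locations Ben calls
# out (the system drive root and the All Users\Application Data folder) and
# reports every Allow ACE that lets a low-privilege principal create files or
# folders there. The path and principal lists are assumptions; adjust to taste.
# Requires Windows PowerShell 2.0 or later.
function Get-LowPrivCreateRights {
    param(
        [string[]] $Paths = @(
            ($env:SystemDrive + '\'),
            # "All Users\Application Data" on XP, C:\ProgramData on Vista and later
            [Environment]::GetFolderPath('CommonApplicationData')
        ),
        [string[]] $LowPrivPrincipals = @(
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE',
            'Everyone'
        )
    )
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $pf  = [System.Security.AccessControl.PropagationFlags]
    # CreateFiles (same bit as WriteData) and CreateDirectories (same bit as
    # AppendData) are the two bits that let a principal drop new objects into
    # a folder. FullControl and Modify both include them.
    $createMask = [int]$fsr::CreateFiles -bor [int]$fsr::CreateDirectories

    foreach ($path in $Paths) {
        if (-not (Test-Path -Path $path)) { continue }
        $acl = Get-Acl -Path $path
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $createMask) -eq 0) { continue }
            New-Object PSObject -Property @{
                Path        = $path
                Principal   = $ace.IdentityReference.Value
                Rights      = $ace.FileSystemRights
                # InheritOnly means the ACE does not apply to this folder itself,
                # only to objects created beneath it
                AppliesHere = (([int]$ace.PropagationFlags -band [int]$pf::InheritOnly) -eq 0)
                Inherited   = $ace.IsInherited
            }
        }
    }
}

# Typical use: list the findings, then tighten the offending ACEs so that
# users can create only under their own profile folder, as Ben recommends.
Get-LowPrivCreateRights | Format-Table Path, Principal, Rights, AppliesHere, Inherited -AutoSize
```

An empty result means neither location grants the listed principals create rights; any row with AppliesHere set to True is exactly the condition Ben describes.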
Re: Admin rights, UAC, etc. (was: WTF? Fake AV)
> With the exception of exploitation of unpatched vulnerabilities, I've never seen malware lead to a system compromise on a properly-secured Win XP machine

Sorry but how many (l)users know how to do this? How many home owners even know this is possible? I would much rather see a Windows Vista with UAC turned on or Windows 7 in one of their hands than the typical XP box. You can teach people not to click Okay or Yes and then call and ask or just go on without allowing the security holes. Yes it is hard to do and no you sometimes have to make it hurt to get their attention but like James says charge them more each time they bring in a corrupted system and the pain will cause them to start using their heads.

On Wed, Apr 28, 2010 at 11:13 AM, Ben Scott mailvor...@gmail.com wrote:
> On Wed, Apr 28, 2010 at 10:18 AM, greg.swe...@actsconsulting.net wrote:
>> Are there any reports out there that show Windows 7 running with UAC that it minimizes the infections of spyware.
>
> I too would be interested in seeing hard data on this. I've seen lots of marketing claims, and the occasional anecdote, but I remain unconvinced that UAC (as typically configured, and for the SOHO user) will do anything more than train lusers to click Allow when they see it. I've certainly got my own anecdotal evidence that lusers do just that.
>
> To me, the chief advantage to UAC is FRV (filesystem and registry virtualization). It lets software which thinks it needs to write to protected locations run anyway. *That's* a big win. Lets people who understand security cope with software vendors who don't.
>
> The ability for UAC to use the GUI to prompt for alternate admin credentials for privilege elevation is very convenient, but it's not compelling to me. You can achieve similar results using RUNAS. Not as convenient, but gets the job done.
>
>> While I am not a huge fan of MACS ...
>
> It took me a minute to figure out you meant Macintoshes and not Mandatory Access Control System. Mac -- the computer from Apple -- is not an acronym. :)
>
> (It wouldn't have been so confusing except that MACS and DACS are the two common models used for describing access control/permissions. Windows mostly uses DACS (hence, DACL, Discretionary Access Control List), but the Integrity Levels features in Win 6.x are heading in the direction of MACS.)
>
>> .. their security model is obviously much better than Windows.
>
> While Windows is often shipped with a default no-security admin account, Windows fully supports creating a user without admin rights. It's what we do for *everybody* here at %WORK%. We've been doing it for *years*, and it works very well. The only hard part is convincing software vendors that admin rights are not required to do things like word processing.
>
> More generally, one problem is the many PC builders who ship their computers configured to run users as admins by default. Even if UAC works as advertised, that's not a good thing.
>
> But the real hard problem here is home lusers who don't understand security. They consider security a problem, something to be removed. And they will install whatever a web page tells them to. I don't have a good solution for that. I suspect nobody does.
>
>> Even with users not in admin group in Windows XP, Vista I have seen malware get right on and hose a machine.
>
> With the exception of exploitation of unpatched vulnerabilities, I've never seen malware lead to a system compromise on a properly-secured Win XP machine. I've seen it screw up a user account pretty well, to the point where it's easier to erase and reset the user profile than it is to repair the registry wreckage. Most of the time, though, all we have to do is login as an admin and delete *.EXE *.DLL *.OCX under their user profile folder.
>
> Are you using a proper set of ACLs on the filesystem? My strategy is that users should only be able to create/modify under their own user profile folder. Nothing else. Well, the default C:\WINDOWS\TEMP permissions are okay.
>
> In particular, by default, users can create files and folders under C:\ and C:\Documents and Settings\All Users\Application Data\. This is a very bad idea on Microsoft's part. Malware gets in, compromises All Users, admin logs in, Explorer or something else trips over something in All Users, malware now compromises system. Way to go Microsoft!
>
> -- Ben
RE: Admin rights, UAC, etc. (was: WTF? Fake AV)
Define "Properly Secured" because what is secured from one user's perspective is totally different than what another user thinks, and no XP machine or computer for that matter can be 100% protected.

I also second the notion about UAC, that is what it was built for, if you turn it off because you don't like the prompts when you run items, then you have just defeated a major security control in the OS, and it's only going to be time before you get 0wned..

Z

Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
ezi...@lifespan.org

From: Jon Harris [mailto:jk.har...@gmail.com]
Sent: Wednesday, April 28, 2010 4:46 PM
To: NT System Admin Issues
Subject: Re: Admin rights, UAC, etc. (was: WTF? Fake AV)

>> With the exception of exploitation of unpatched vulnerabilities, I've never seen malware lead to a system compromise on a properly-secured Win XP machine
>
> Sorry but how many (l)users know how to do this? How many home owners even know this is possible? I would much rather see a Windows Vista with UAC turned on or Windows 7 in one of their hands than the typical XP box. You can teach people not to click Okay or Yes and then call and ask or just go on without allowing the security holes. Yes it is hard to do and no you sometimes have to make it hurt to get their attention but like James says charge them more each time they bring in a corrupted system and the pain will cause them to start using their heads.
>
> On Wed, Apr 28, 2010 at 11:13 AM, Ben Scott mailvor...@gmail.com wrote:
>> On Wed, Apr 28, 2010 at 10:18 AM, greg.swe...@actsconsulting.net wrote:
>>> Are there any reports out there that show Windows 7 running with UAC that it minimizes the infections of spyware.
>>
>> I too would be interested in seeing hard data on this. I've seen lots of marketing claims, and the occasional anecdote, but I remain unconvinced that UAC (as typically configured, and for the SOHO user) will do anything more than train lusers to click Allow when they see it. I've certainly got my own anecdotal evidence that lusers do just that.
>>
>> To me, the chief advantage to UAC is FRV (filesystem and registry virtualization). It lets software which thinks it needs to write to protected locations run anyway. *That's* a big win. Lets people who understand security cope with software vendors who don't.
>>
>> The ability for UAC to use the GUI to prompt for alternate admin credentials for privilege elevation is very convenient, but it's not compelling to me. You can achieve similar results using RUNAS. Not as convenient, but gets the job done.
>>
>>> While I am not a huge fan of MACS ...
>>
>> It took me a minute to figure out you meant Macintoshes and not Mandatory Access Control System. Mac -- the computer from Apple -- is not an acronym. :)
>>
>> (It wouldn't have been so confusing except that MACS and DACS are the two common models used for describing access control/permissions. Windows mostly uses DACS (hence, DACL, Discretionary Access Control List), but the Integrity Levels features in Win 6.x are heading in the direction of MACS.)
>>
>>> .. their security model is obviously much better than Windows.
>>
>> While Windows is often shipped with a default no-security admin account, Windows fully supports creating a user without admin rights. It's what we do for *everybody* here at %WORK%. We've been doing it for *years*, and it works very well. The only hard part is convincing software vendors that admin rights are not required to do things like word processing.
>>
>> More generally, one problem is the many PC builders who ship their computers configured to run users as admins by default. Even if UAC works as advertised, that's not a good thing.
>>
>> But the real hard problem here is home lusers who don't understand security. They consider security a problem, something to be removed. And they will install whatever a web page tells them to. I don't have a good solution for that. I suspect nobody does.
>>
>>> Even with users not in admin group in Windows XP, Vista I have seen malware get right on and hose a machine.
>>
>> With the exception of exploitation of unpatched vulnerabilities, I've never seen malware lead to a system compromise on a properly-secured Win XP machine. I've seen it screw up a user account pretty well, to the point where it's easier to erase and reset the user profile than it is to repair the registry wreckage. Most of the time, though, all we have to do is login as an admin and delete *.EXE *.DLL *.OCX under their user profile folder.
>>
>> Are you using a proper set of ACLs on the filesystem? My strategy is that users should only be able to create/modify under their own user profile folder. Nothing else. Well, the default C:\WINDOWS\TEMP permissions are okay.
>>
>> In particular, by default, users can create files and folders under C:\ and C:\Documents and Settings\All Users\Application Data\. This is a very bad idea on Microsoft's part. Malware gets in, compromises All Users
Re: Admin rights, UAC, etc. (was: WTF? Fake AV)
On Wed, Apr 28, 2010 at 4:46 PM, Jon Harris jk.har...@gmail.com wrote:
>> With the exception of exploitation of unpatched vulnerabilities, I've never seen malware lead to a system compromise on a properly-secured Win XP machine
>
> Sorry but how many (l)users know how to do this?

None. I never claimed otherwise. The statement I was responding to was, "Even with users not in admin group in Windows XP, Vista I have seen malware get right on and hose a machine."

> You can teach people not to click Okay or Yes ...

Heh. Maybe *you* can. When it comes to lusers, I haven't had much luck with that. Especially for children or teenagers. But then, I've been working mainly in corporate IT for a number of years now. Maybe if it's a home luser who pays by the hour for fixing it's a different story.

http://www.bynkii.com/archives/2009/01/for_new_sysadminsit_types.html

-- Ben
Re: Admin rights, UAC, etc. (was: WTF? Fake AV)
On Wed, Apr 28, 2010 at 4:55 PM, Ziots, Edward ezi...@lifespan.org wrote:
> Define “Properly Secured” because what is secured from one user's perspective is totally different than what another user thinks ...

Properly secured would mean the accounts used for day-to-day operations do not have permission to modify the system. Principle of least privilege. A well-known and widely-recommended best practice since roughly the 1960s. As I went on to detail in my message.

> ... no ... computer for that matter can be 100% protected.

I never claimed otherwise. I wrote properly secured, not perfectly secured.

Did reading comprehension just drop sharply or something? What is it about this topic that makes people unable to follow a line of reasoning? It's like attack of the strawmen. What next, Macs are more secure because Chewbacca is a Wookie?

-- Ben