Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 8): execute everywhere!

2013-08-24 Thread Stefan Kanthak
Jeffrey Walton wrote:
> Hi Stefan,
>
>> ... administrative rights for every user account

This WAS the default for user accounts back then, and still IS the default for user accounts created during setup.

> Hmmm... XP/x64 appears to have a bug such that the second user also
> needs to be admin (

Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 8): execute everywhere!

2013-08-24 Thread Jeffrey Walton
Hi Stefan,

> ... administrative rights for every user account

Hmmm... XP/x64 appears to have a bug such that the second user also needs to be admin (perhaps XP/x86, too). XP does not recognize the first account as admin, so the second account cannot be limited (at least on my test box). Vista and

[Full-disclosure] Defense in depth -- the Microsoft way (part 8): execute everywhere!

2013-08-24 Thread Stefan Kanthak
Hi, since its start about 20 years ago Windows NT supports (fine-grained) ACLs, including the permission "execute file". In their very finite wisdom Microsoft, however, decided back then to have this permission set on EVERY file a user creates (and assumes it is set on local and remote file systems wh