On 28/12/2008 00:28, James Knott wrote:
Harold Fuchs wrote:
On 27/12/2008 20:38, James Knott wrote:
Harold Fuchs wrote:
2008/12/27 Web Kracked <[email protected]>
James Knott wrote:
Web Kracked wrote:
I have a question about the "portableapps"?
Do you install them on a PC and then run from the PC's drive or from
the portable drive? Do they "parts" on the computer you plug your
portable drive into?
As you see, I never used any portable apps.
The portable apps are generally installed on a USB flash drive and then
can be used on any Windows computer even those that don't have the app
installed.
Thanks James;
I never used these portable applications and most of the people that I
deal with have policies stating they cannot use USB or flash drives.
There are privacy and security issues. They think if you plug in the
portable drives (USB or flash), you can/will give them viruses or take
private information from their computers.
The portableapps stuff doesn't have to run from a USB drive. It's just as
happy running from a CD or from a hard disk (see below). I doubt there are
many security policies that ban those :-(
You can "install" the portable apps stuff. Instructions are on their web
site but basically you just run the "installer" and tell it to put the
application(s) on the system's hard disk. It still doesn't touch the
registry and the user doesn't have to be an administrator to do it. So, if
you want several portable apps you could make a directory, for example
"c:\PortableApps" and put everything there. This directory then becomes the
analogue of "c:\Program Files" but without any of the associated security
restrictions.
On a properly "locked down" system, a user shouldn't be able to write
anywhere, other than his home directory or where specifically
authorized. I know that's hard to do in Windows, but it's common in
Linux & Unix. Also, many computers have the USB port disabled for
storage devices. A CD version might be useful there. IIRC the portable
app version of OOo can be run from a CD.
If you want you can install the portable apps stuff in "the user's
home directory". As I said, you can install the portable apps
*anywhere* and you don't need administrative privileges to do it.
"Anywhere" means what it says; it's a useful word. In this context it
specifically *includes* the "My Documents" folder on a Windows system.
Thus any user can install any application offered by
www.portableapps.com on *any* device/folder/directory to which s/he
has write access and can run it from that device/folder if s/he has
execute access to that device/folder/directory.
I don't believe there is any "defence" against the portable apps
software; the only way to lock down a Windows system against portable
apps is to
a) Bar execution of software from any and all removable media
explicitly including CDs. I don't think this is possible if the
machine has a CD drive to which the user has physical access
b) Make any directory other than the user's "My Documents" folder
non-writeable and
c) Convince Windows that anything in "My Documents" or its sub-folders
is not executable. Perhaps you can do this in Windows; I don't know
but I don't think so.
I'd be interested to see a *working* procedure for locking down a
Windows system against these programs. I can't decide whether or not I
hope such a procedure doesn't (can't) exist. On balance I think I do
hope that.
Check the permissions:
You have the basics, such as:
Read
Write
Read and execute
Modify
If you set the permissions to allow Read and deny the rest, you can't
write anything or execute anything. Allow write and you'll be able to
read & write, but not execute anything. Limiting where a user can read,
write, execute etc., can go a long way to reducing the problems caused
by malware.
You can find some info on permissions here:
http://www.windowsecurity.com/articles/Understanding-Windows-NTFS-Permissions.html
You can find properly locked down computers in many large companies and
some small ones.
If the user has physical access to a CD drive I don't believe you can
prevent execution of software from that CD. If you can, please explain how.
Also, the user "owns" the My Documents folder. Is it therefore possible
to restrict what the user can do with this folder *without* the user
being able to change those restrictions?
If the user can create a directory then s/he can run software from that
newly created folder. Or ???
--
Harold Fuchs
London, England
Please reply *only* to [email protected]
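
The permission-based lockdown discussed in this thread, and the ownership question raised at the end of it, can be tried on a scratch folder with `icacls`. This is an added example, not part of any poster's message; the folder name and the use of a copy of `whoami.exe` as a harmless test program are assumptions.

```powershell
# Added example, not from the thread. Run as an ordinary (non-admin) user.
# Assumptions: the scratch folder name, and whoami.exe as a harmless test program.
$me  = "$env:USERDOMAIN\$env:USERNAME"
$dir = Join-Path $env:TEMP 'PortableAppsTest'
$exe = Join-Path $dir 'whoami.exe'

New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Deny "execute file" on files in the folder, leaving read and write alone.
#   (OI) = files created in the folder inherit this entry
#   (IO) = inherit-only: the entry does not apply to the folder itself
#   (X)  = the execute/traverse right
icacls $dir /deny "${me}:(OI)(IO)(X)"

# A file copied in afterwards is a new file, so it picks up the deny entry.
Copy-Item "$env:SystemRoot\System32\whoami.exe" $exe
icacls $exe          # list the file's ACL, including the inherited deny entry

# Try to start the program from the folder. With the deny entry in place
# Windows should refuse to launch it, while reading the file still works.
& $exe
Get-Item $exe | Select-Object Name, Length

# The ownership question: this user created the folder and therefore owns it,
# and an owner is always allowed to rewrite the ACL of what he owns.
# Removing the deny entry takes one command and needs no admin rights.
icacls $dir /remove:d $me
& $exe               # the same program from the same folder, restriction gone

# Clean up the scratch folder.
Remove-Item -Recurse -Force $dir
```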