Full Disclosure mailing list archives
Re: Windows user privileges
From: James Tucker <jftucker () gmail com>
Date: Sun, 21 Nov 2004 14:51:22 +0000
1. XP would be more suitable to run as a user if the runas service and windows installers were developed to add more complete and easy to use privilege elevation techniques outside of active directory and the default group policy that gets applied.
2. Due to the above, the power users group is more appropriate (for home / business laptop travelers (local machine only)).
3. Inside of a domain, or using the local users and groups snap in, the default user group for account creation is "users".
4. The windows install creates the first user account as an administrator so that they may install programs and hardware without a lot of hassle. This is in fact good for business over the alternative (which is to hassle most end users beyond their point of no return), no matter what the security implications, remember end users don't care (even if they should).
5. Considering that XP is run with admin privileges all over the world, it does quite well.

Out of interest, I suspect that many of the people involved in this conversation, unless operating within a domain, are running as local administrators anyway. You don't really have any special reason to be doing so that makes you better than the end users you talk about; you do it because it is more convenient (and you're an admin) than keeping runas sessions up of mmc, cmd, and control (the equivalent to what would be more common on *nix systems with su).

This is the more important point in the conversation, what is really required is the ability to use all the functionality without adding too many authentication processes. Most *nix configuration apps now ask for elevated credentials, which, in windows, only occurs inside of an AD Domain when using an Install Shield program along with a few other limited areas which successfully prompt the user for admin rights, but certainly not all things that should.

There may be a group policy object which can make the install authentication rear its head at any install outside of a domain, but I have had no reason to look so far. Hardware operations authentication would also be necessary for an appropriate solution.

For the end user, such a setup is still a pain even if it does prompt correctly. File and folder permissions are bewildering to most users, that is problem #1 when users install applications without setting the folder permissions correctly. The next problem is the running of applications inside of a runas service. A small nause of the process is that windowed applications do not get polled for refresh, so for example using an explorer instance in a runas will not update the file listing until you press "F5". I have witnessed bad things come of this property already.

As for fast user switching, that is not really appropriate either, as for a start it is a high system load process, and windows' caching routines are quite abusive when you start switching users a lot (mass unnecessary paging effects on low memory systems).

I see the problem as not so much a "fault" but more of an area which has not had enough development. Certainly end users should be more aware, but they never will be so some other solution should be sought. Nay, we are the people who are paid to produce such a solution. In this case, you should blame the user, you should fix their issue and produce a bill.

A little more than my 2c.

On Sat, 20 Nov 2004 19:28:13 -0600, Paul Schmehl <pauls () utdallas edu> wrote:
> --On Saturday, November 20, 2004 8:19 AM -0500 Mike Hoye <mhoye () neon polkaroo net> wrote:
>
> > On every XP install that I've seen from every major OEM (Dell, Compaq, Gateway, etc) fast user switching is on by default and every user is an administrator. Not "on most"; on every single one. Furthermore, these machines don't have actual XP OS install CDs, they usually come with "restore" CDs that just return the PC to this same initial state if they're used, which they almost never are. I have never seen a home user, that is to say change that setting or create a user who is actually just a "User". Not once, ever.
>
> And this is a flaw of the *OS*? Or of the *OEM*?
>
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html