funsec mailing list archives

Re: Administrator Accounts


From: Matthew Murphy <mattmurphy () kc rr com>
Date: Wed, 22 Feb 2006 16:02:57 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Larry Seltzer wrote:
> No question the auto-prompting for admin credentials is important and
> Windows is years behind on this, but as long as the user really does have
> these credentials they are open to social engineering attack for it. A home
> user has to have their own admin credentials available, but in a
> properly-administered system I don't see why an enterprise user needs them,
> even on a notebook.

It's not just a properly-administered system that comes into play here,
but a system running properly-developed software.  Such software is in
far shorter supply than it should be.

Many enterprises run apps that were written for Windows 95, 98 or Me.
These applications were written in a single-user world where there was
no concept of multi-user systems or rights limitation.  Users in this
environment could do things like write to the software's install
directory instead of their own profile hives, etc.

Some of these apps needlessly require admin rights (or more limited
privileges that pose an equivalent danger).  One of the things
Vista will alleviate with Application Impact Management (AIM) is the
scenario whereby a non-admin user whose software attempts to write to
protected directories/registry hives will have their own copy of that
data (instead of being denied access/altering the global copy) from that
point forward.

- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB5444D38

iD8DBQFD/N+Rfp4vUrVETTgRA96MAKCh8Ja86+qyMmDrvEaxfECzi28+zQCfRe/X
5UjAId/anb/70u6a44PEs1c=
=NbT5
-----END PGP SIGNATURE-----


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
