Category Archives: security

Disabling Vista’s UAC feature

As Vista nears launch there are some things you will want to know.  Will it support your hardware?  Where are the secret buttons that make it usable?

Today’s post helps answer that second one.

By all reports UAC (User Account Control) can drive even the most security-minded user insane with the death of a thousand dialogs.

While I don’t recommend simply shutting off any feature that is designed to increase the security of the OS (as UAC is), we still have to get work done, and this may help you get your system set up so that you can re-enable it once everything is as you like it.

Having said that, Steven Smith of ASPAlliance.com pointed me at this article, which shows several ways to shut UAC off.
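Since the point of the post is to turn UAC off only while you set the machine up and then turn it back on, here is an added example (mine, not from the original post or the linked article) that reports the registry values behind UAC and re-enables it from an elevated prompt. The key and value names are the documented ones (EnableLUA is what the "Run all administrators in Admin Approval Mode" policy sets); the reboot requirement is real and is the caveat people forget when they wonder why the change "did nothing".

```powershell
# Added example: inspect the UAC settings and re-enable UAC when you are done.
# Requires an elevated PowerShell for Set-UacEnabled; Get-UacState works as any user.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    $p = Get-ItemProperty -Path $uacKey
    New-Object PSObject -Property @{
        # 1 = UAC on, 0 = off. Changing this only takes effect after a reboot.
        EnableLUA                  = $p.EnableLUA
        # 0 = elevate silently (no prompts for admins, the "quiet" middle ground),
        # 1 = prompt for credentials, 2 = prompt for consent.
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        # 1 = prompts appear on the dimmed secure desktop, where other apps cannot fake them.
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Set-UacEnabled {
    param([bool]$Enabled = $true)
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated prompt; the HKLM policy key is admin-only.'
    }
    $value = 0
    if ($Enabled) { $value = 1 }
    Set-ItemProperty -Path $uacKey -Name EnableLUA -Value $value -Type DWord
    Write-Host "EnableLUA set to $value; the change takes effect after the next reboot."
}

Get-UacState | Format-List
# Set-UacEnabled -Enabled $true   # run this once the system is configured the way you want
```

If you only want fewer prompts rather than no UAC, set ConsentPromptBehaviorAdmin to 0 and leave EnableLUA at 1: Protected Mode IE and the integrity levels that depend on UAC keep working, which they do not when EnableLUA is 0.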

Mandatory Integrity Control in Vista

Steve Riley had a good long post on his blog about Mandatory Integrity Control as it is implemented in Vista that drew even longer comments.

Great concept. As you will see from several of the comments, this isn’t the first implementation, but I expect it will be the first to get nearly universal distribution ;)

The big concern is whether the bugs will be worked out before release.  I am betting yes, though I expect a Service Pack will come someday to bring the real value of this home.

Do you believe everything you read?

My prolific friend Phil forwarded me a story about Chinese hackers trying to do in the US Commerce Department.

There are a couple of interesting points in this story:
1. Why would you need to take Internet access away from users?  Aren’t they behind firewalls?  Were the hackers luring them to specific sites to hack them?
2. With over 1,100 laptops missing, I just don’t buy that no data was compromised.  Even if it was an ex-employee, the data is compromised.  And if the theft occurred in 2001 then I find it even harder to believe.

I hope the CIO at the Commerce Department isn’t gullible enough to believe this obvious spin.

Command Prompts and other security nightmares

The topic of the AT command and the command prompt came up on an internal list I am on with Microsoft, the gist of which was, “How do I securely turn this junk off?”

The answer is that the command prompt, especially when coupled with the Task Scheduler, is to some degree a security hole that can be closed, but not trivially.  You can patch it using things like this registry entry: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93465.mspx?mfr=true
and if you really want to wipe out the user’s option you should reset the Task Scheduler service to use a low- or no-privilege account and disable it (I am paranoid, but I have my reasons).  The problem is that most people who come up against this take the perspective that you shouldn’t have to do this, but the reality is that you do.

For a scary look at why simply taking the Run command off the Start menu is not enough, try the following:
Open up “Help and Support” from the Start menu and search for “command”.
Select the entry that describes how to “Test a TCP/IP configuration using the ping command”.
You will see that there is a link that will open up a command prompt (it doesn’t run as System, but it runs).
That is the XP version.

The Windows 2003 Server one takes more searching, but it is there.
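The Help and Support trick above is exactly why removing a Start menu entry is cosmetic. As an added example (mine, not from the original post), the script below audits the controls the post actually recommends: the “Prevent access to the command prompt” policy (the DisableCMD value, which is what makes cmd.exe itself refuse to run rather than just hiding it), the “Remove Run menu from Start Menu” policy (NoRun), and how the Task Scheduler service is configured. The registry locations are the standard policy locations; the script only reads, and the service changes the post calls for are shown as commented commands so you can decide for yourself.

```powershell
# Added example: audit the command-prompt and Task Scheduler lockdown on a workstation.
# Read-only. Run as the user whose lockdown you want to check (the policies are per-user).

function Get-PolicyValue($path, $name) {
    # Returns $null when the policy key or value is absent, which is the default state
    # and means the control is NOT applied.
    if (Test-Path $path) {
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($item -and $item.PSObject.Properties[$name]) { return $item.$name }
    }
    return $null
}

function Get-CmdLockdownState {
    # DisableCMD: absent/0 = cmd allowed; 1 = cmd and batch files blocked; 2 = cmd blocked, batch allowed.
    $disableCmd = Get-PolicyValue 'HKCU:\Software\Policies\Microsoft\Windows\System' 'DisableCMD'
    # NoRun: 1 removes the Run item from the Start menu (cosmetic, as the post shows).
    $noRun = Get-PolicyValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoRun'
    # The Task Scheduler service (short name "Schedule") runs as LocalSystem by default,
    # so anything a user can get it to run inherits full privilege.
    $svc = Get-WmiObject Win32_Service -Filter "Name='Schedule'"

    New-Object PSObject -Property @{
        CommandPromptBlocked   = ($disableCmd -eq 1 -or $disableCmd -eq 2)
        BatchFilesBlocked      = ($disableCmd -eq 1)
        RunMenuRemoved         = ($noRun -eq 1)
        TaskSchedulerAccount   = $svc.StartName
        TaskSchedulerStartMode = $svc.StartMode
        TaskSchedulerState     = $svc.State
    }
}

Get-CmdLockdownState | Format-List

# What the post recommends for the scheduler, as admin (XP/2003; Vista and later depend on this
# service for OS housekeeping, so test the consequences before doing it there):
#   sc.exe config Schedule start= disabled
#   sc.exe stop Schedule
```

The thing to look for in the output is RunMenuRemoved = True with CommandPromptBlocked = False: that is the state the post is warning about, where the menu entry is gone but cmd.exe still launches from Help and Support, Explorer, or a scheduled task.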

The issue is not that the functionality exists; we all want functionality.  The problem is that when it is hard (or impossible) to shut something off effectively, it is maddening and often leaves people dismayed.

Time for an analogy:
I have doors on my house that I leave unlocked all the time.  The dogs and other things in the house keep it secure (if you know me then you know what I mean), but if I wanted to secure those doors and found that I could lock them, yet the manufacturer had put the hinges on the outside where an intruder could get at them, I would be unhappy.  Most security outrage and dismay comes from features that just didn’t take security into consideration for the times when I don’t want the user to do anything except what the user is told they can do.
 
This will always be an arms race.  If one of our professional security gurus such as Duane Laflotte wants to get in and has physical access to a workstation or server, then he can get in, but there is a point where I will say, yes, I accept that there are some things I can’t defend against.  If you use a tank to blow in my front door, I won’t moan to the manufacturer about the door not being tank-proof; that is what the mines are for ;)
 
Is Vista the solution to all security problems?  I doubt it.  I expect that there will be improvement based on features I already know are in the most recent builds, but I won’t judge the security of Vista until after it ships (and won’t pay all that much attention to it until then either), since the devil is in the details and the truth is in the final bits.  Submarines either leak or they don’t.  The OS will be judged in much the same way with regard to security.

Ultimately information is power.  Nowhere is that more true than in the realm of security.  I suggest that you learn all you can and I will do what I can to help.

Phishing getting worse

If you want to keep track of how prevalent phishing attacks are from month to month (and I do), then you should check AntiPhishing.org.  The site is pretty meager in most regards, but the front page has a bar chart that is pretty staggering once you realize that they are only counting people who actually figured out that a phishing attack was in progress (a fraction of the population, I am sure), and further only those astute people who knew about AntiPhishing.org and were willing to take the time to report it.

I find these statistics interesting to have as spin seems to creep into everything nowadays.  I like to lay my hands on hard numbers and make up my own mind.

Considering Compliance implications…

There are many varying opinions on almost everything, but compliance is one of those topics like economics: everyone has a different opinion, it seems.

I was reading an article by one of the Systems Engineers at Network Appliance entitled “Six Tips for Archive and Compliance Planning”, and while I agree with most of the points Mike Riley makes, I had to think a bit about his words on encryption.

He isn’t saying not to use encryption; on the contrary, he is saying that encryption is a must, but the advice is sound: be careful what you do and think through the ramifications.  With compliance systems, search and rapid retrieval are often key, and those are some of the most plausible arguments against specific applications of encryption.

As always, look before you leap.  I guarantee that if you think about where you should be using encryption, you are already ahead of most.

Patch or die

It seems that even though we all know we need to patch our systems, we are now having to do it faster and faster to shrink the vulnerable window between patch availability and exploit.  An article on ZDNet details how the latest exploit is being used, and soon you should see a post by Duane Laflotte on his security blog about how it isn’t just being used on the sites you might expect.  Even the super computer-savvy gamers are getting hit, and I have to think that in many cases we only know about it because they noticed.  How many never figure out that they are maintaining a drone in the hacker army of some malcontent 15-year-old with a grudge…

Hardware Hacking

I am sure it is reported elsewhere, but I found an article on a magazine site in Australia about a proof-of-concept virus that targets AMD processors.  The article dismisses the threat of such a thing and pretty much holds it up as just a curiosity in the fight against hackers, but I see it differently.

In order to win, eventually security has to be hardware-based.  The whole Palladium (now known by the horrible NGSCB acronym) effort is just the most public manifestation of this realization, and even it has gone dark.  Hacking the hardware is hard; hacking the software is easy.  Software provides the security of a screen door, while hardware security done well can be like a steel cage.  Watch as this develops.  Like gas prices driving the frantic (and belated) search for alternative fuels, it will be a mind-blowing security threat that finally forces us to invest in security via hardware in real terms.

If the barrier to enter the hardware market in a significant way weren’t so large, I expect this problem might already be solved…

Mining for Malware

When I see an article like this one in eweek, I always wonder about how the people doing this cool thing will make enough money (or any money) so they can continue to do these cool things.

Basically they are using the Google Search APIs to ferret out sites on the Internet that are hosting malware.  I think this is great, but the article didn’t say how this cool thing would actually be used to benefit the world.  If they notified site owners that they had malware and pointed out exactly what was where, there is no profit in it (do I sound like a Ferengi here?), which means it isn’t likely to be sustainable.  But what if they notified sites the first time (civic-minded) and offered to keep them updated in the future for a nominal annual fee?

I find that many great ideas languish and die because people want to hold onto the open source kind of dream and, for some reason, either don’t see how to help the community in a self-sustaining way or are just worried about being accused of being out to make a buck.