lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 27 Aug 2009 15:24:47 -0500
From: Rohit Patnaik <quanticle@...il.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: [Fwd: Re:  windows future]

While running as a user (as opposed to root) does help, it doesn't 
obviate the need for education and good computer hygiene. After all, all 
of the information and most of the programs your users are running 
manage to go just fine without root access. Unless you've really 
strictly locked down the workstations, its still quite possible for 
malware to gain access to data or computing resources (e.g. CPU time, 
network bandwidth) without completely "owning" the computer.

The one big advantage of non-privileged accounts is that they're easier 
to clean up if they do get infected with malware. After all, its a lot 
easier to backup and wipe a single account than it is to wipe and 
restore an entire system. However, I'm not sure how much of an advantage 
that is to someone whose goal is to *prevent* infection, rather than 
mitigate them after they occur.

--Rohit Patnaik

Peter Besenbruch wrote:
>>> I'm not sure this is a solution. Most of the people I work with will
>>> unquestioningly click every UAC prompt. Knowing what to whitelist requires
>>> a fair degree of technical skill beyond most users' ability.
>>>       
>
> On Thursday 27 August 2009 08:34:54 Thor (Hammer of God) wrote:
>   
>> If they can just "unquestionably click" the UAC prompt, then they are
>> already running as administrators, or your DA has changed the default
>> setting for UAC, which requires "normal users" to enter the admin username
>> and password to run code with escalated permissions.
>>
>> In either case, it's not Vista's fault.
>>     
>
> It is somewhat Vista's (or Windows') fault if the default user is also the 
> administrator by default. Yes, knowledgeable people will know to set up a 
> separate user account, but in a home environment such people are few and far 
> between.
>
> In my own "business" situation, I am the computer goto guy. Our equipment 
> isn't capable of Vista. When I arrived it ran XP Home. It took about a year, 
> but we migrated to something more open source, and to an OS that insists on 
> regular user accounts by default.
>
>   

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ