lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <40343A83.4040006@tux.obix.com>
From: phil at tux.obix.com (Phil Brutsche)
Subject: Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution

Bill Royds wrote:
> Last time I was at my doctor's medical clinic, I noticed all the shiny new
> LCD monitors showing the Windows logon prompt with the account Administrator. I
> asked the receptionist why. She said so that anyone could sign on to any
> machine when they needed it, since individual machines lock out so that only
> the signed user or administrator can sign on. They did have the screensaver
> timeout so people off the street couldn't sign on. But the only way to make
> the multiple workstations usable for anybody was to use the administrator
> account on all of them.
>   This is a bit of a design flaw in the Windows network that means security
> is much less than it ought to be.

You're giving too much credit for Windows security problems to Windows 
itself and not enough to the "administrators" of the machines or the 
programs the machines need to run.

Even in this day and age there are numerous *niche market* (and even 
many non "niche market") programs that simply will *not* work right 
without write access to someplace under C:\Program Files or some other 
location outside of the user's login profile.  It's like Mozilla on 
Linux trying to save your preferences to someplace under /usr/bin.  Most 
end-user-oriented programs fall into this category.

The "administrators" setting up these environments a) aren't paranoid 
enough, b) don't know enough, or c) really don't care as long as it works. 
"It works when I have them use Administrator and that's good enough 
for me!"

-- 

Phil Brutsche
phil@....obix.com
who has spent many hours cursing Office 97 and Winamp trying to make 
them work properly for restricted users under Win2k/XP
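The usual way out of the problem Phil describes, without handing everyone the Administrator account, is to find the one directory the program insists on writing to and grant the restricted users write access to that directory alone. The script below is an added example and is not part of Phil's message or the thread; the path `C:\Program Files\LegacyApp\Data` and the choice of `BUILTIN\Users` as the group are placeholders, and it uses the .NET `FileSystemAccessRule` API via `Get-Acl`/`Set-Acl`, which is available in PowerShell on current Windows rather than the cacls-era tools of Win2k/XP.

```powershell
# Added example (not from the original post). Grants one group Modify rights on a
# single application data directory so members can run the program as
# non-administrators. $AppDir and $Group are assumed placeholder values.
param(
    [string]$AppDir = 'C:\Program Files\LegacyApp\Data',  # assumption: the folder the app writes to
    [string]$Group  = 'BUILTIN\Users'                      # assumption: who needs to run the app
)

# Before granting anything, confirm where the writes actually go: run the program
# under a restricted account with Sysinternals Process Monitor filtered on
# "Result is ACCESS DENIED" and narrow the grant to exactly those paths.

if (-not (Test-Path -Path $AppDir -PathType Container)) {
    throw "Directory '$AppDir' does not exist; refusing to create ACLs on a guessed path."
}

$acl = Get-Acl -Path $AppDir

# Modify (read, write, delete, but not change permissions or take ownership) on the
# directory, inherited by existing and future files and subfolders under it.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'

$acl.SetAccessRule($rule)
Set-Acl -Path $AppDir -AclObject $acl

# Verify the result. Only $AppDir should show Modify for the group; the parent
# directory holding the executables keeps its default read-and-execute ACL, so
# a compromised user account still cannot replace the program binaries.
(Get-Acl -Path $AppDir).Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize

(Get-Acl -Path (Split-Path -Path $AppDir -Parent)).Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Run it from an elevated prompt once per application directory. Keeping the grant on the data subdirectory rather than on the whole of `C:\Program Files\LegacyApp` is the point: the program gets the scratch space it wrongly demands, while the binaries it loads remain unwritable by the users who run them.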

