Message-ID: <41AA4603.15900.FB4D851@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: MS Windows Screensaver Privilege Escalation

Pavel Kankovsky wrote:

<<snip>>
> Moreover, it is pretty stupid to give users rights to modify critical
> system directories just to let them install new software.

That's because it is (more than) pretty stupid to let users install 
software at all.  The job of system administrators is to "manage" the 
systems they are responsible for.  With Windows systems that requires 
that "ordinary users" (i.e. everyone whose job is not officially 
"system administrator") _MUST NOT_ be allowed to install new software. 
Sadly, extraordinarily few Windows system admins actually have enough 
nouse to realize this, and most of the few who do cannot get enough 
management muscle to back such a "draconian" policy.

This all, directly and indirectly, stems from the "personal computer" 
focus of all preceding Windows-related development _AND_ the crushing 
banality that "backwards compatibility" imposes on any truly 
significant improvement that a Windows developer at MS may suggest for 
the OS.

Of course, the considerations of the first paragraph above don't map at
all well onto the SOHO market (on which MS significantly depends for
its quite undeserved and largely unjustified stranglehold on the
corporate desktop market), as your typical SOHO computer user has, by
now, bought the marketing BS line (largely fuelled by MS) that "anyone"
can set up and manage a SOHO computer system, despite the fact that your
typical SOHO computer user has no idea that there may even be such
things as different privilege levels, let alone why the heck anyone
would ever bother with the hassle of trying to implement and use them.

Of course, it is just this user experience that so many of today's 
larger corporate "managers" have already had outside the corporation 
with Windows that makes so many of them hamper the proper development, 
deployment and support of Windows desktop systems within their 
corporate networks...

And, I'm sure that the marketing and PR folk at MS are not unaware of 
this, so it is little surprise that so much of the "Security 
Initiative" talk, starting with Bill's infamous letter a couple of 
years back, is seen as just so much more marketing and spin.


Regards,

Nick FitzGerald
