Group policy setting to restrict user access to change registry

Discussion in 'Computer Security' started by Also None, Mar 30, 2006.

  1. Also None

    Also None Guest

    Hi all,

    I checked google on this subject and can't seem to find a simple
    article on what to set.

    I want to set policy to stop the registry from being changed while
    users are logged on. (Mainly to restrict installs while my teenagers
    are logged on) Any other suggestions are appreciated.

    The setting for "always install with elevated privileges" is
    confusing. Should it be disabled or enabled to prevent them from
    installing?

    Hope you can help me to regain my sanity.

    Regards,
    George
    --
    NewsGuy.Com 30Gb $9.95 Carry Forward and On Demand Bandwidth
     
    Also None, Mar 30, 2006
    #1
    1. Advertising

  2. Also None wrote:

    > I want to set policy to stop the registry from being changed while
    > users are logged on. (Mainly to restrict installs while my teenagers
    > are logged on)


    Changes to anything but HKCU cannot be made with restricted rights. If
    you want a HKCU that is discarded after usage, you should use the Guest
    account.

    > The setting for "always install with elevated privileges" is
    > confusing. Should it be disabled or enabled to prevent them from
    > installing?


    There is nothing confusing about it. When enable, MSI installer runs
    with evelated privileges (means: more privileges than the user has) to
    install things that need administrative access. You should leave it
    disabled.
     
    Sebastian Gottschalk, Mar 31, 2006
    #2
    1. Advertising

  3. Also None

    Also None Guest

    On Fri, 31 Mar 2006 01:34:34 +0200, Sebastian Gottschalk
    <> wrote:

    >Also None wrote:
    >
    >> I want to set policy to stop the registry from being changed while
    >> users are logged on. (Mainly to restrict installs while my teenagers
    >> are logged on)

    >
    >Changes to anything but HKCU cannot be made with restricted rights. If
    >you want a HKCU that is discarded after usage, you should use the Guest
    >account.
    >
    >> The setting for "always install with elevated privileges" is
    >> confusing. Should it be disabled or enabled to prevent them from
    >> installing?

    >
    >There is nothing confusing about it. When enable, MSI installer runs
    >with evelated privileges (means: more privileges than the user has) to
    >install things that need administrative access. You should leave it
    >disabled.



    Thanks for your reply,
    If I understand the guest account, everything that is entered into
    HKCU will dissappear including trojan entries.

    Is there any way to completely shut off the installer for the user or
    the guest? I tested this from a user account and some things accually
    installed even though there was a warning that it might not work
    correctly.

    I am interested in shutting out things like kaaza, etc.

    Thanks again,
    George

    --
    NewsGuy.Com 30Gb $9.95 Carry Forward and On Demand Bandwidth
     
    Also None, Mar 31, 2006
    #3
  4. Also None

    nemo_outis Guest

    Also None <> wrote in news:limo221okds8dgaa3u95otcufstp1udkoc@
    4ax.com:

    > Hi all,
    >
    > I checked google on this subject and can't seem to find a simple
    > article on what to set.
    >
    > I want to set policy to stop the registry from being changed while
    > users are logged on. (Mainly to restrict installs while my teenagers
    > are logged on) Any other suggestions are appreciated.
    >
    > The setting for "always install with elevated privileges" is
    > confusing. Should it be disabled or enabled to prevent them from
    > installing?
    >
    > Hope you can help me to regain my sanity.
    >
    > Regards,
    > George



    If someone has direct access to the computer (i.e., is an unobserved user)
    it is child's play to elevate privileges and subvert/bypass any
    restrictions whatsoever on the local machine, including restrictive group
    policy settings.

    As one throwaway example a process run as a child of "task scheduler" runs
    with system privileges.

    Regards,

    PS Just run task scheduler for some time in the future (1 minute?) with
    the process you wish to execute at higher privilege.

    There are, of course, more elaborate ways, but this demonstrates how
    trivial the problem is on most Windows boxes.
     
    nemo_outis, Mar 31, 2006
    #4
  5. Also None wrote:

    > If I understand the guest account, everything that is entered into
    > HKCU will dissappear including trojan entries.


    It will disappear after logoff from such an account.

    > Is there any way to completely shut off the installer for the user or
    > the guest?


    Since Windows XP you can use Software Restriction Policies to create a
    whitelist for executables.

    > I am interested in shutting out things like kaaza, etc.


    Did you mean KaZaA? "kaaza" is the japanese word for "mother".

    Well, for network related stuff you might use a proxy for the relevant
    protocols.
     
    Sebastian Gottschalk, Mar 31, 2006
    #5
  6. Also None

    Also None Guest

    On Fri, 31 Mar 2006 03:07:08 +0200, Sebastian Gottschalk
    <> wrote:

    >Also None wrote:
    >
    >> If I understand the guest account, everything that is entered into
    >> HKCU will dissappear including trojan entries.

    >
    >It will disappear after logoff from such an account.
    >
    >> Is there any way to completely shut off the installer for the user or
    >> the guest?

    >
    >Since Windows XP you can use Software Restriction Policies to create a
    >whitelist for executables.
    >
    >> I am interested in shutting out things like kaaza, etc.

    >
    >Did you mean KaZaA? "kaaza" is the japanese word for "mother".
    >
    >Well, for network related stuff you might use a proxy for the relevant
    >protocols.


    Thank you,
    Sebastian for President or PM, whichever is appropriate.

    Thanks again

    George
    --
    NewsGuy.Com 30Gb $9.95 Carry Forward and On Demand Bandwidth
     
    Also None, Mar 31, 2006
    #6
  7. nemo_outis wrote:

    > If someone has direct access to the computer (i.e., is an unobserved user)
    > it is child's play to elevate privileges and subvert/bypass any
    > restrictions whatsoever on the local machine, including restrictive group
    > policy settings.


    Sure? Try it at my PC. Either Windows Server 2003 or FreeBSD, whatever
    you think being easier.

    > As one throwaway example a process run as a child of "task scheduler" runs
    > with system privileges.


    This has been fixed on SP4 for Windows 2000, SP2 for Windows XP and SP1
    for Windows Server 2003. Actually this was only true for "AT" tasks,
    which need admin rights to add anyway. Normal "Task Scheduler" tasks
    were not supsctible to that problem, as they were always started with
    CreateProcessAsUser() with the supplied credentials.

    > PS Just run task scheduler for some time in the future (1 minute?) with
    > the process you wish to execute at higher privilege.


    | # sudo net start schedule
    | Password:
    | The Task Scheduler service is starting.
    | The Task Scheduler service was started successfully.
    |
    | # time /t
    | 03:34
    |
    | # schtasks /create /SC ONCE /TR "%systemroot%\system32\cmd.exe /k /t
    4f" /ST
    | 03:35 /IT /TN foo
    | The task will be created under current logged-on user name
    | ("LAPTOP\work").
    | Please enter the run as password for LAPTOP\work:
    | New task "foo" created.
    |
    | # schtasks /create /ru "SYSTEM" /SC ONCE /TR
    | "%systemroot%\system32\cmd.exe /c copy \x \y" /ST 03:35 /TN bar
    | Error: Access is denied
    | # at 03:35 "cmd /k"
    | Access is denied

    Short time later, in a white-red box (4f):

    | # whoami
    | LAPTOP\work

    > There are, of course, more elaborate ways, but this demonstrates how
    > trivial the problem is on most Windows boxes.


    So far the biggest problems are third-party services running with the
    SE_CHANGE_CONFIG flag, executing programs through WinExec() without
    quotation marks or running with SE_INTERACTIVE and receiving WM_TIMER at
    DefaultWndProc().
    I've also seen some stupid drivers and especially a lot of so-called
    security software leaving registry keys or even files world-writeable.

    However, this is easily detected and fixed.
    That's why I'm pretty sure that even my Windows installation has no
    privilege escalation path through either misconfiguration or generic
    program errors (w.r.t. the NT security model).
     
    Sebastian Gottschalk, Mar 31, 2006
    #7
  8. Also None

    nemo_outis Guest

    Sebastian Gottschalk <> wrote in
    news::

    > nemo_outis wrote:
    >
    >> If someone has direct access to the computer (i.e., is an unobserved
    >> user) it is child's play to elevate privileges and subvert/bypass any
    >> restrictions whatsoever on the local machine, including restrictive
    >> group policy settings.

    >
    > Sure? Try it at my PC. Either Windows Server 2003 or FreeBSD, whatever
    > you think being easier.



    You say your Windows box is hard. Maybe it is. But pride goeth before a
    fall. And pride in a "fully hard" Windows box is folly: "secure Windows"
    is an epitomic oxymoron!

    However, putting your box and your ego aside for the moment and speaking
    more generally, an overwhelming number of user boxes out there are XP or
    under - and it's child's play to root them if one has access.

    Regards,

    PS Every trick has a lifespan. The throwaway one I described is coming
    to the end of its cycle (although it still works on many boxes). But as
    older ones fade, new ones arise.

    As an example of a "mid-life" hack I've had excellent results using dma to
    bypass the cpu and inject direct to memory. Yes, usb can be closed off,
    but very few boxes do so.

    And I have a few "early-life" tricks that I expect to be useful
    sufficiently long that I'm not eager to disclose them yet.

    PPS FreeBSD, I'll concede, is much more difficult, and OpenBSD even more
    so (and they're not my metier). But Windows? Bah!
     
    nemo_outis, Mar 31, 2006
    #8
  9. Re: Group policy setting to restrict user access to change

    Sebastian Gottschalk wrote:

    > nemo_outis wrote:
    >
    >> If someone has direct access to the computer (i.e., is an unobserved
    >> user) it is child's play to elevate privileges and subvert/bypass any
    >> restrictions whatsoever on the local machine, including restrictive
    >> group policy settings.

    >
    > Sure? Try it at my PC. Either Windows Server 2003 or FreeBSD, whatever you
    > think being easier.


    Piece of cake. Boot to an alternate media, null passwords, enjoy. BSD,
    *nix, Win2X/XP..... all irrelevant if you have physical access and a few
    minutes alone.

    >> As one throwaway example a process run as a child of "task scheduler"
    >> runs with system privileges.

    >
    > This has been fixed on SP4 for Windows 2000, SP2 for Windows XP and SP1
    > for Windows Server 2003. Actually this was only true for "AT" tasks, which
    > need admin rights to add anyway. Normal "Task Scheduler" tasks were not
    > supsctible to that problem, as they were always started with
    > CreateProcessAsUser() with the supplied credentials.
    >
    >> PS Just run task scheduler for some time in the future (1 minute?)
    >> with the process you wish to execute at higher privilege.

    >
    > | # sudo net start schedule
    > | Password:
    > | The Task Scheduler service is starting. The Task Scheduler service was
    > | started successfully.
    > |
    > | # time /t
    > | 03:34
    > |
    > | # schtasks /create /SC ONCE /TR "%systemroot%\system32\cmd.exe /k /t
    > 4f" /ST
    > | 03:35 /IT /TN foo
    > | The task will be created under current logged-on user name
    > | ("LAPTOP\work").
    > | Please enter the run as password for LAPTOP\work: New task "foo"
    > | created.
    > |
    > | # schtasks /create /ru "SYSTEM" /SC ONCE /TR
    > | "%systemroot%\system32\cmd.exe /c copy \x \y" /ST 03:35 /TN bar Error:
    > | Access is denied
    > | # at 03:35 "cmd /k"
    > | Access is denied
    >
    > Short time later, in a white-red box (4f):
    >
    > | # whoami
    > | LAPTOP\work
    >
    >> There are, of course, more elaborate ways, but this demonstrates how
    >> trivial the problem is on most Windows boxes.

    >
    > So far the biggest problems are third-party services running with the
    > SE_CHANGE_CONFIG flag, executing programs through WinExec() without
    > quotation marks or running with SE_INTERACTIVE and receiving WM_TIMER at
    > DefaultWndProc().
    > I've also seen some stupid drivers and especially a lot of so-called
    > security software leaving registry keys or even files world-writeable.
    >
    > However, this is easily detected and fixed. That's why I'm pretty sure
    > that even my Windows installation has no privilege escalation path through
    > either misconfiguration or generic program errors (w.r.t. the NT security
    > model).
     
    George Orwell, Mar 31, 2006
    #9
  10. Also None

    Guest

    Re: Group policy setting to restrict user access to change

    George Orwell:
    >Piece of cake. Boot to an alternate media, null passwords, enjoy. BSD,
    >*nix, Win2X/XP..... all irrelevant if you have physical access and a few
    >minutes alone.


    Hi George,

    Can't you in the example of this thread boot and then install the
    software without resetting the password? That would be more stealth.

    Kind regards
    Ludovic Joly
     
    , Mar 31, 2006
    #10
  11. Also None

    Guest

    Re: Group policy setting to restrict user access to change

    nemo_outis:
    >And I have a few "early-life" tricks that I expect to be useful
    >sufficiently long that I'm not eager to disclose them yet.


    Please if one day you are in the mood feel free to email me some of
    them, you are sure to get a thank you message in return.
     
    , Mar 31, 2006
    #11
  12. nemo_outis wrote:
    > "secure Windows" is an epitomic oxymoron!


    Then I wonder why Windows 2000 achieved both NSA C2 and CC EAL4+.
    Windows NT's architecture is very secure, if you can use it correctly.

    > However, putting your box and your ego aside for the moment and speaking
    > more generally, an overwhelming number of user boxes out there are XP or
    > under - and it's child's play to root them if one has access.


    This is because most users are running with admin rights or, if running
    as restricted users, don't know how to effectively handle and audit
    security settings.

    > As an example of a "mid-life" hack I've had excellent results using dma to
    > bypass the cpu and inject direct to memory. Yes, usb can be closed off,
    > but very few boxes do so.


    The only hardware that allows DMA without driver invocation is FireWire,
    and that's where is disabled Busmaster/DMA even before the connector got
    broken.

    > And I have a few "early-life" tricks that I expect to be useful
    > sufficiently long that I'm not eager to disclose them yet.


    So?
     
    Sebastian Gottschalk, Mar 31, 2006
    #12
  13. Re: Group policy setting to restrict user access to change

    George Orwell wrote:

    >> Sure? Try it at my PC. Either Windows Server 2003 or FreeBSD, whatever you
    >> think being easier.

    >
    > Piece of cake. Boot to an alternate media,


    You'll need the BIOS password or scram out the harddisk.

    > null passwords


    That would change the checksums of SAM (and my bootloader sitting on a
    SD card would easily notice).

    > all irrelevant if you have physical access and a few minutes alone.


    Which I'll take care to not give you.
     
    Sebastian Gottschalk, Mar 31, 2006
    #13
  14. Also None

    nemo_outis Guest

    Sebastian Gottschalk <> wrote in
    news::

    > nemo_outis wrote:
    >> "secure Windows" is an epitomic oxymoron!

    >
    > Then I wonder why Windows 2000 achieved both NSA C2 and CC EAL4+.
    > Windows NT's architecture is very secure, if you can use it correctly.



    An OS alone does not achieve C2 certification, a complete platform
    including specific requirements on hardware does. Moreover, Windows
    2000 could only be configured as C2 **if it was not attached to a
    network!** Doesn't sound like Also None's situation to me (or that of
    very many others).

    You say Windows NT's architecture is very secure, if you can use it
    correctly. If your aunt had balls, she'd be your uncle - "if" is a very
    big word. Windows can only be fully secured if its utility is crippled
    to near non-functionality or if it is used for only the narrowest of
    applications (e.g., a server). And even then it takes extraordinary in-
    depth knowledge and inordinate effort. So while there may be a way to
    secure Windows fully, and while you may be the fellow who has found it,
    there are literally thousands of ways of configuring Windows so it isn't
    secure.

    As an "existence proof" of how difficult and uncommon it is to achieve a
    secure but still productive Windows system (especially a general use
    system as opposed to a one-trick-pony server with limited apps) consider
    the thousands (millions?) of boxes and systems which have been hacked.
    Oh yes, you can wail and bemoan that they didn't take advantage of
    Windows' marvellous security features, but I have a counter-proposition
    for you: an OS that no one ever manages to configure securely (except
    you, of course) is an insecure OS!

    Even as we speak there is yet another *unpatched* vulnerability floating
    around in Windows (its IE adjunct) which allows arbitrary code to run
    (i.,e., the box is fully cracked). Yes, there are workarounds and third-
    party patches, but this is hardly an isolated incident. For Windows this
    is the norm, not the exception.

    My original post was a warning to Also None that securing a Windows box
    where others have extended periods of uninterrupted use, control and
    custody of it is a losing proposition. I stand by that assertion. In
    fact I reiterate it with even greater force.

    I have no wish to get in a pissing contest with you, or a spy versus spy
    recounting of attacks and countermeasures. Perhaps you have indeed
    managed to square the circle and achieve a secure Windows box, but that
    doesn't detract one whit from the accuracy of my warning to Also None.

    Regards,
     
    nemo_outis, Mar 31, 2006
    #14
  15. Re: Group policy setting to restrict user access to change

    Sebastian Gottschalk wrote:

    > George Orwell wrote:
    >
    >>> Sure? Try it at my PC. Either Windows Server 2003 or FreeBSD, whatever
    >>> you think being easier.

    >>
    >> Piece of cake. Boot to an alternate media,

    >
    > You'll need the BIOS password or scram out the harddisk.


    Jumpers.... shorted/removed batteries.... trivial to get around.

    >
    >> null passwords

    >
    > That would change the checksums of SAM (and my bootloader sitting on a SD
    > card would easily notice).


    Blow away the boot loader and/or install another. <shrugs>

    >
    >> all irrelevant if you have physical access and a few minutes alone.

    >
    > Which I'll take care to not give you.


    Then you've changed the scenario the poster was asking about, and
    demolished your own argument in the process.
     
    George Orwell, Mar 31, 2006
    #15
  16. nemo_outis wrote:

    > An OS alone does not achieve C2 certification, a complete platform
    > including specific requirements on hardware does.


    Right. However, for C2 certification you need security mechanisms that
    fulfill the demands of C2. Got the point?

    > Moreover, Windows 2000 could only be configured as C2 **if it was not
    > attached to a network!**


    Wrong. It was only certified for such a configuration. I guess it could
    have achieved the same with a network, but that would be way more
    complicated. Networks are generally complicated.

    > You say Windows NT's architecture is very secure, if you can use it
    > correctly. If your aunt had balls, she'd be your uncle - "if" is a very
    > big word. Windows can only be fully secured if its utility is crippled
    > to near non-functionality or if it is used for only the narrowest of
    > applications (e.g., a server).


    Wrong, and C2 is already a pretty high level of security that is usually
    not needed for a pretty high demands. F.e. it's usually not a problem to
    allow users to shutdown the workstation.

    > And even then it takes extraordinary indepth knowledge and inordinate
    > effort.


    Not true either, pretty much can be accomblished by automation.

    > So while there may be a way to
    > secure Windows fully, and while you may be the fellow who has found it,
    > there are literally thousands of ways of configuring Windows so it isn't
    > secure.


    May I state that you can already achieve a lot by using restricted user
    right?

    > As an "existence proof" of how difficult and uncommon it is to achieve a
    > secure but still productive Windows system (especially a general use
    > system as opposed to a one-trick-pony server with limited apps) consider
    > the thousands (millions?) of boxes and systems which have been hacked.
    > Oh yes, you can wail and bemoan that they didn't take advantage of
    > Windows' marvellous security features, but I have a counter-proposition
    > for you: an OS that no one ever manages to configure securely (except
    > you, of course) is an insecure OS!


    Conter-count-proposition: Most people just don't know about these
    security mechanisms.

    > Even as we speak there is yet another *unpatched* vulnerability floating
    > around in Windows (its IE adjunct) which allows arbitrary code to run
    > (i.,e., the box is fully cracked). Yes, there are workarounds and third-
    > party patches, but this is hardly an isolated incident.


    Who cares? One should use IE only as a Windows Update client and not
    misuse it as a webbrowser. Doing so is provably unsafe.

    > For Windows this is the norm, not the exception.


    It's for IE and all its ancestors, which I consider as addons, not as
    parts of Windows.
     
    Sebastian Gottschalk, Mar 31, 2006
    #16
  17. Re: Group policy setting to restrict user access to change

    George Orwell wrote:
    > Sebastian Gottschalk wrote:
    >
    >> George Orwell wrote:
    >>
    >>>> Sure? Try it at my PC. Either Windows Server 2003 or FreeBSD, whatever
    >>>> you think being easier.
    >>> Piece of cake. Boot to an alternate media,

    >> You'll need the BIOS password or scram out the harddisk.

    >
    > Jumpers.... shorted/removed batteries.... trivial to get around.


    Well, try that with me sitting at your side and not noticing it.

    BTW, this is also true for companies - install a lock at the case, have
    other works being able to note if someone is trying to break it, camera
    surveillance...

    But there isn't much more security from software than a running system
    protecting itself

    >>> null passwords

    >> That would change the checksums of SAM (and my bootloader sitting on a SD
    >> card would easily notice).

    >
    > Blow away the boot loader and/or install another. <shrugs>


    That's why it is on a SD-card instead of the harddisk.

    >>> all irrelevant if you have physical access and a few minutes alone.

    >> Which I'll take care to not give you.

    >
    > Then you've changed the scenario the poster was asking about,


    The scenario was only about software configuration measures, not
    physical security. Physical access is much broader than just normal
    account login, either physicalls sitting on the workstation or remote.
     
    Sebastian Gottschalk, Mar 31, 2006
    #17
  18. Re: Group policy setting to restrict user access to change

    nemo_outis wrote:

    > PPS FreeBSD, I'll concede, is much more difficult, and OpenBSD even more
    > so (and they're not my metier). But Windows? Bah!


    And NetBSD even more hard than FreeBSD or OpenBSD as a default install, if
    I'm not mistaken. I believe NetBSD 3.0 is the ONLY consumer operating
    system at this time with no known security issues. Ever.

    Of course a huge number of vulnerabilities are attributable to third party
    packages, which at least in this respect makes almost all *nix variations
    and clones pretty much equal. Which is still light years beyond anything
    even a moderately well maintained Windows installation can offer in the
    way of "hardness". :(
     
    George Orwell, Mar 31, 2006
    #18
  19. Also None

    nemo_outis Guest

    Sebastian Gottschalk <> wrote in
    news::

    > nemo_outis wrote:
    >
    >> An OS alone does not achieve C2 certification, a complete platform
    >> including specific requirements on hardware does.

    >
    > Right. However, for C2 certification you need security mechanisms that
    > fulfill the demands of C2. Got the point?
    >
    >> Moreover, Windows 2000 could only be configured as C2 **if it was
    >> not attached to a network!**

    >
    > Wrong. It was only certified for such a configuration. I guess it
    > could have achieved the same with a network, but that would be way
    > more complicated. Networks are generally complicated.



    Your weaseling and backpedalling is duly noted. C2 is a certification -
    that certification only applied to a standalone platform, not a networked
    one. Any application to a networked box is only "C2-ish" - a gross
    extension and even grosser misinterpretation of the certification Win2000
    actually got. Maybe you want to soften your claim to just saying that
    Windows can be made "secure-ish"?


    >> You say Windows NT's architecture is very secure, if you can use it
    >> correctly. If your aunt had balls, she'd be your uncle - "if" is a
    >> very big word. Windows can only be fully secured if its utility is
    >> crippled to near non-functionality or if it is used for only the
    >> narrowest of applications (e.g., a server).

    >
    > Wrong, and C2 is already a pretty high level of security that is
    > usually not needed for a pretty high demands. F.e. it's usually not a
    > problem to allow users to shutdown the workstation.



    It was you who brought up C2 - now you're eager to back away from it.
    Make up your mind.


    >> And even then it takes extraordinary indepth knowledge and inordinate
    >> effort.

    >
    > Not true either, pretty much can be accomblished by automation.



    See below!


    >> So while there may be a way to
    >> secure Windows fully, and while you may be the fellow who has found
    >> it, there are literally thousands of ways of configuring Windows so
    >> it isn't secure.

    >
    > May I state that you can already achieve a lot by using restricted
    > user right?
    >
    >> As an "existence proof" of how difficult and uncommon it is to
    >> achieve a secure but still productive Windows system (especially a
    >> general use system as opposed to a one-trick-pony server with limited
    >> apps) consider the thousands (millions?) of boxes and systems which
    >> have been hacked. Oh yes, you can wail and bemoan that they didn't
    >> take advantage of Windows' marvellous security features, but I have a
    >> counter-proposition for you: an OS that no one ever manages to
    >> configure securely (except you, of course) is an insecure OS!

    >
    > Conter-count-proposition: Most people just don't know about these
    > security mechanisms.



    Amazing! Here you directly contradict yourself and corroborate the point
    I made above: without in-depth knowledge, extraordinary effort, and
    gutting of the scope of the OS and its uses, Windows can not be made
    secure by and for the ordinary mortals who use it.

    A general-purpose OS for mainstream public consumption which, after a
    decade and more of use, is still widely and regularly misconfigured to
    leave gaping security holes and which has had a steady stream of security
    breaches and patches, is not secure. That one or two gurus may -
    allegedly! - have succeeded where everyone else fails (largely by gutting
    the OS and restricting it as you now blatantly admit) does not weaken
    this point.


    >> Even as we speak there is yet another *unpatched* vulnerability
    >> floating around in Windows (its IE adjunct) which allows arbitrary
    >> code to run (i.,e., the box is fully cracked). Yes, there are
    >> workarounds and third- party patches, but this is hardly an isolated
    >> incident.

    >
    > Who cares? One should use IE only as a Windows Update client and not
    > misuse it as a webbrowser. Doing so is provably unsafe.



    You have invented your own highly-restrictive definition of what the
    Windows OS comprises - a definition no one else shares. IE is a bundled,
    integrated part of the Windows OS - so bundled that that Microsoft has
    been involved in worldwide litigation to unbundle it!


    >> For Windows this is the norm, not the exception.

    >
    > It's for IE and all its ancestors, which I consider as addons, not as
    > parts of Windows.



    It doesn't matter a fig what you consider - you are attempting to define
    the real world problem away. This gutting of the question under
    discussion is apparently equivalent to how you gut the scope and
    application of the OS in actual use to falsely declare it secure. It's at
    best an unrealistically narrow strategy, at worst a dishonest one.

    No, despite your protestations, the question is far more general than
    considering only a gutted OS performing highly limited and constrained
    functions under the constant care and vigilance of an expert who has
    studied the OS in depth and who devotes inordinate effort, care and
    attention to maintaining it.

    Once again, with feeling:

    My original post was a warning to Also None that securing a Windows box
    where others have extended periods of uninterrupted use, control and
    custody of it is a losing proposition. I stand by that assertion. In
    fact, I reiterate it with even greater force.

    Regards,


    PS Let me direct you once again to the original context, to the
    questions that Also None originally posed. Now try to tell me with a
    straight face that, from the tone and tenor of his postings, you think he
    has the knowldege and ability to fully secure a Windows box, even with
    kibbitzing and coaching here.
     
    nemo_outis, Mar 31, 2006
    #19
  20. nemo_outis wrote:
    > Maybe you want to soften your claim to just saying that
    > Windows can be made "secure-ish"?


    The correct term is "C2 security mechanism".

    > It was you who brought up C2 - now you're eager to back away from it.
    > Make up your mind.


    C2 is a claim that the mechanisms are already much beyond what you'll
    need, f.e. extensive logging.

    >> Conter-count-proposition: Most people just don't know about these
    >> security mechanisms.

    >
    > Amazing! Here you directly contradict yourself and corroborate the point
    > I made above: without in-depth knowledge, extraordinary effort, and
    > gutting of the scope of the OS and its uses, Windows can not be made
    > secure by and for the ordinary mortals who use it.


    No. If you know about out, you can handle it pretty well. F.e.
    permission inheritance helps a lot.

    > A general-purpose OS for mainstream public consumption which, after a
    > decade and more of use, is still widely and regularly misconfigured to
    > leave gaping security holes and which has had a steady stream of security
    > breaches and patches, is not secure.


    The OS itself is secure, the default configuration is not. And yes, you
    should blame Microsoft for that. But with Vista they're also showing
    that they really understand the issue.

    > You have invented your own highly-restrictive definition of what the
    > Windows OS comprises - a definition no one else shares. IE is a bundled,
    > integrated part of the Windows OS - so bundled that that Microsoft has
    > been involved in worldwide litigation to unbundle it!


    And still the problem is using IE on the intarweb. This is even
    documented to be wrong.

    >>> For Windows this is the norm, not the exception.

    >> It's for IE and all its ancestors, which I consider as addons, not as
    >> parts of Windows.

    >
    > It doesn't matter a fig what you consider - you are attempting to define
    > the real world problem away.


    No. Windows is the kernel, the API, the GUI and the core services.

    > My original post was a warning to Also None that securing a Windows box
    > where others have extended periods of uninterrupted use, control and
    > custody of it is a losing proposition.


    It's an extensive and hard-to-accomblish, but not impossible task.
     
    Sebastian Gottschalk, Mar 31, 2006
    #20
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Tino

    Setting WPA using a Windows 2003 Group Policy

    Tino, Aug 9, 2004, in forum: Wireless Networking
    Replies:
    1
    Views:
    3,310
    Joshua Teague [MSFT]
    Sep 9, 2004
  2. JoeF

    Trusted publisher lockdown group policy setting

    JoeF, May 12, 2004, in forum: Computer Information
    Replies:
    1
    Views:
    5,687
    ALittleSLow
    Feb 18, 2009
  3. Jani

    Group Policy - Registry

    Jani, Jul 15, 2004, in forum: Computer Information
    Replies:
    0
    Views:
    429
  4. Mauricio Freitas
    Replies:
    0
    Views:
    486
    Mauricio Freitas
    Jul 9, 2005
  5. Exporting registry / group policy etc

    , Nov 10, 2009, in forum: Computer Support
    Replies:
    5
    Views:
    855
Loading...

Share This Page