posted on Tuesday, May 03, 2005 11:11 PM
by
bradley
The buzz on nothing new
I hate to be a “me too,” but two of the guys in Australia who went to the Asian MVP summit came back and said a presentation on rootkits scared them. And while rootkits [software that, like a trojan or backdoor, gets onto your system and runs without your say-so, but which typically hides itself from the very tools you'd use to find it] are something bad, there are comments from folks [including a few MS'ers I know] that this isn't really anything new, and it's something the on-the-ball admin could see happening. Like Harlan says... they still have to get ON your system. And how do they do that? You click [admin rights] or you don't patch [unpatched vulns].
The on-the-ball admin watching his traffic logs and firewall logs should spot this activity: the rootkit hides from the tools on the box it owns, but the connections it makes still show up on the firewall and on whatever else sits between that box and the internet. Now mind you, we probably don't do this in SBSland like we should, but the point is, this isn't 'more bad' than the next 'bad thing', it's just another 'bad thing'. What we need to take away from this is better protection so that the 'bad thing' won't get on there in the first place. And that's where LUA... aka the least-privileged user account... comes into play.
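Here's what "watching the firewall logs" can look like in practice. This is an added example, not code from the original post: it reads lines laid out like the XP SP2 Windows Firewall log (pfirewall.log, with its "#Fields:" header naming the columns), keeps only the connections the workstation itself opened to hosts off the LAN, and flags two things an admin would want to look at: outbound connections to ports a desktop has no business reaching, and one destination being contacted over and over (a box phoning home). The log lines, the LAN range, the list of "normal" ports and the beacon threshold are all constructed assumptions for the example.

```python
"""Spot suspicious outbound connections in a Windows XP SP2 firewall log.

Added example, not code from the original post. The sample log below is
constructed to follow the pfirewall.log layout (a '#Fields:' header naming
the columns, then one space-separated record per event); the hosts, ports
and timestamps are made up. LOCAL_NET, EXPECTED_PORTS and BEACON_MIN_HITS
are assumptions an admin would tune for their own network.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of one workstation's pfirewall.log (XP SP2 layout).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-05-03 22:10:01 OPEN TCP 192.168.16.25 192.168.16.2 1029 445 - - - - - - - - SEND
2005-05-03 22:10:05 OPEN TCP 192.168.16.25 207.46.197.32 1030 80 - - - - - - - - SEND
2005-05-03 22:11:00 OPEN TCP 192.168.16.25 203.0.113.77 1031 6667 - - - - - - - - SEND
2005-05-03 22:11:02 DROP TCP 10.0.0.9 192.168.16.25 3344 135 48 S 1234567 0 65535 - - - RECEIVE
2005-05-03 22:12:00 OPEN TCP 192.168.16.25 203.0.113.77 1032 6667 - - - - - - - - SEND
2005-05-03 22:13:00 OPEN TCP 192.168.16.25 203.0.113.77 1033 6667 - - - - - - - - SEND
2005-05-03 22:13:30 OPEN UDP 192.168.16.25 192.168.16.2 1034 53 - - - - - - - - SEND
2005-05-03 22:14:00 OPEN TCP 192.168.16.25 203.0.113.77 1035 6667 - - - - - - - - SEND
"""

LOCAL_NET = ip_network("192.168.16.0/24")   # assumption: the SBS LAN
EXPECTED_PORTS = {25, 53, 80, 110, 443}     # assumption: what a desktop normally reaches outside
BEACON_MIN_HITS = 3                          # assumption: this many hits on one host:port is worth a look


def parse_log(text):
    """Yield one dict per record, keyed by the column names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # header missing or record malformed: skip rather than guess at columns
        yield dict(zip(fields, parts))


def outbound_connections(records):
    """Keep only connections the workstation itself opened to hosts off the LAN."""
    for r in records:
        if r["action"] != "OPEN" or r["path"] != "SEND":
            continue
        if ip_address(r["dst-ip"]) in LOCAL_NET:
            continue
        yield r


def unexpected_ports(records):
    """Outbound connections to ports outside the expected set for a desktop."""
    return [r for r in outbound_connections(records) if int(r["dst-port"]) not in EXPECTED_PORTS]


def beacons(records, min_hits=BEACON_MIN_HITS):
    """Destinations contacted repeatedly: (dst-ip, dst-port) -> list of timestamps."""
    seen = defaultdict(list)
    for r in outbound_connections(records):
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        seen[(r["dst-ip"], int(r["dst-port"]))].append(ts)
    return {k: v for k, v in seen.items() if len(v) >= min_hits}


def report(text):
    """Summarise both checks over a log: odd ports as (ip, port) pairs, beacons as hit counts."""
    recs = list(parse_log(text))
    return {
        "unexpected": [(r["dst-ip"], int(r["dst-port"])) for r in unexpected_ports(recs)],
        "beacons": {k: len(v) for k, v in beacons(recs).items()},
    }


if __name__ == "__main__":
    for kind, hits in report(SAMPLE_LOG).items():
        print(kind, hits)
```

On the constructed sample the browsing to port 80 and the local SMB and DNS traffic are left alone, while the four connections to 203.0.113.77 on 6667 trip both checks. The same logic applies to a hardware firewall's logs; the point is only that the evidence lives somewhere the rootkit can't reach to hide it.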
I was pinged the other day asking about the impact on software vendors of least user privilege in Longhorn, and here's the annoying.... really annoying... thing I constantly jump up and down about here on the blog. This LUA isn't anything new either. We COULD do it now if our stupid vendors would just code so they get the “Designed for Windows XP” logo [which, among other things, requires the program to run as a limited user].
But here's the kicker.... they don't... they don't have to... because we don't care. When you go to Office Depot to buy software, are you even thinking about its security features when you flip the empty box over? Of course you aren't. You want it to pay your payroll, or recap your sales, or widget your widgets. You couldn't care less about whether it runs with the least amount of privileges and therefore keeps you safe.
Tonight I went to an NT user group meeting in Fresno where a patch/inventory/software deployment vendor presented, and the funny thing is, while their software was very interesting, it was basically a GUI interface over WMI scripting and whatnot. I mean it was cool, but at the same time I was thinking... hey... we can do that with what we have... it's really not that new... it's just that we don't know we can do it.
Anyway, I'll still harp that I think the emphasis we have is still too much on patching and hardening servers and not enough on protecting workstations. I honestly don't think I've met a non-wacko SBSer who has deployed the XP SP2 firewall inside their network... yet here I am down here with it running just fine.