posted on Tuesday, May 03, 2005 11:11 PM by bradley

The buzz on nothing new

I hate to be a “me too”, but two of the guys in Australia who went to the Asian MVP summit came back and said a presentation on rootkits scared them.  And while rootkits [software that is no different from trojans or backdoors, but which typically hides silently on your system] are something bad, there are comments from folks [including a few MS'ers I know] that this isn't really anything new, and it's something the on-the-ball admin could see happening.  Like Harlan says, they still have to get ON your system. And how do they do that?  You click [admin rights] or you don't patch [unpatched vulns].

The on-the-ball admin watching his traffic logs and firewall logs should spot this activity.  Now mind you, we probably don't do this in SBSland like we should, but the point is, this isn't 'more bad' than the next 'bad thing', it's just another 'bad thing'.  What we need to take away from this is better protection so that the 'bad thing' won't get on there in the first place.  And that's where LUA... aka least privilege user account... comes into play.
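As an added example (not code from the original post), here is a small Python script that does the firewall-log watching described above over a constructed excerpt of the XP SP2 firewall log (pfirewall.log); the internal subnet, the list of normal workstation-to-server ports and the log lines themselves are all assumptions:

```python
"""Parse Windows XP SP2 firewall log lines and flag outbound connections an
SBS-network workstation would not normally make. Added example, not from the
original post: the W3C-style #Fields header, the LAN subnet and the port
allowlist are assumptions, and the log lines below are constructed."""
from ipaddress import ip_address, ip_network

# Constructed pfirewall.log excerpt in the format XP SP2's firewall writes.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-05-03 22:10:01 OPEN TCP 192.168.16.5 192.168.16.2 1042 445 - - - - - - - - -
2005-05-03 22:10:05 OPEN UDP 192.168.16.5 192.168.16.2 1043 53 - - - - - - - - -
2005-05-03 22:11:30 OPEN TCP 192.168.16.5 203.0.113.9 1044 6667 - - - - - - - - -
2005-05-03 22:12:00 DROP TCP 203.0.113.9 192.168.16.5 3344 135 48 S 1 0 65535 - - - RECEIVE
2005-05-03 22:15:00 OPEN TCP 192.168.16.5 192.168.16.2 1045 31337 - - - - - - - - -
"""

LAN = ip_network("192.168.16.0/24")  # assumed internal subnet
# Assumed ports a workstation normally talks to the SBS server on.
EXPECTED_PORTS = {53, 80, 88, 135, 139, 389, 443, 445, 3268}


def parse_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def suspicious_outbound(text):
    """Return (time, dst-ip, dst-port, reason) for OPEN connections from the
    LAN that leave it or hit a port no workstation should need. A backdoor
    phoning home shows up here even when the host itself looks clean."""
    findings = []
    for rec in parse_log(text):
        if rec["action"] != "OPEN" or ip_address(rec["src-ip"]) not in LAN:
            continue
        dst, port = ip_address(rec["dst-ip"]), int(rec["dst-port"])
        if dst not in LAN:
            findings.append((rec["time"], str(dst), port, "outbound to non-LAN address"))
        elif port not in EXPECTED_PORTS:
            findings.append((rec["time"], str(dst), port, "unexpected port inside LAN"))
    return findings


if __name__ == "__main__":
    for finding in suspicious_outbound(SAMPLE_LOG):
        print(*finding)
```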

I was pinged the other day asking about the impact of least user privilege in Longhorn on software vendors, and here's the annoying.... really annoying... thing I constantly jump up and down about here on the blog.  This LUA isn't anything new either.  We COULD do it now if our stupid vendors would just code so they get the “Made for XP logo”.

But here's the kicker.... they don't... they don't have to... because we don't care.  When you go to Office Depot to buy software, are you even thinking about its security features when you flip the empty box over?  Of course you aren't.  You want it to pay your payroll, or recap your sales, or widget your widgets.  You couldn't care less about whether it runs with the least amount of privilege and therefore keeps you safe.

Tonight I went to an NT user group meeting in Fresno where a patch/inventory/software deployment vendor presented, and the funny thing is that while their software was very interesting, it was basically a GUI over WMI scripting and whatnot.  I mean it was cool, but at the same time I was thinking... hey... we can do that with what we have... it's really not that new... it's just we don't know we can do it.

Anyway, I'll still harp that I think the emphasis we have is still too much on patching and hardening servers and not enough on protecting workstations.  I honestly don't think I've met a non-wacko SBSer who has deployed the XP SP2 firewall inside their network... yet here I am down here with it running just fine.

Comments

# Re: The buzz on nothing new

Wednesday, May 04, 2005 3:58 PM by alunj@microsoft.com
On the topic of LUA, I'll note that LUA is a significantly old concept, and that the "Designed for Windows XP" logo, while a great guide, doesn't cover all programs that work under LUA. If the logo isn't present, be sure to ask the developers whether the program will run under a restricted user account.

On the topic of "how old" the LUA idea is, the earliest reference I can remember that urges developers to progress from "my user is the administrator" to "my user is just a user" is in http://www.microsoft.com/technet/archive/ntwrkstn/support/trblshoot/apint95.mspx, as part of an article describing differences between Windows 95 and Windows NT that might make it difficult to take a Windows 95 application and develop it to work well on Windows NT 4.0.

Windows 95 ... Windows NT 4.0... How old _is_ this article, and the message is still new to developers?