Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today

kenw at kmsi.net kenw at kmsi.net
Thu Jan 29 14:47:00 UTC 2004


On Thu, 29 Jan 2004 07:41:20 -0500 (EST), you wrote:

>...
>When NTFS came out an ordinary user could not write the system directory
>tree. Hence most users are running as Administrator or equivalent so that
>they can write into the system tree. This was a bad design decision by
>MS _and_ application developers. This _is_ fixable by MS by simply not
>allowing apps to write into the system tree. This of course is a "small
>matter of programming" but it would really improve the overall security
>posture of Windows.
>
>Now there are well written applications which do install their DLLs into
>their own tree; these apps can usually be recognized by _not_ requiring a
>reboot after installation.
>...

Actually, it's more of an issue in the registry than the file system; older
apps tend to want to write to the global HKLM, rather than the user-specific
HKCU.

But, regardless, Win2K and WinXP do have restricted-user modes that tie
this stuff down quite well.  They tend to be used in corporate
environments.  But for home users, it gets to be a pain in the butt,
because it prevents a lot of things users want to do, like installing
games, multimedia apps and spyware.

You can't really have it both ways; if you can install apps, you can
install viruses and trojans.  I don't see this being much different
regardless of the OS you run.  And until you have earned some battle scars,
you're not afraid of the pretty toys.

It would be nice, though, if there were a legitimate 'su' analog in Windows
-- sorry, "runas" doesn't cut it.  Makes it hard to normally run
restricted, and explicitly enable temporary privs sometimes...

/kenw
Ken Wallewein
K&M Systems Integration
Phone (403)274-7848
Fax   (403)275-4535
kenw at kmsi.net
www.kmsi.net
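As an added example (not from the original post or the NANOG thread), here is a PowerShell check for the HKLM-versus-HKCU point made above: it walks the DACL of each hive's SOFTWARE key against the current token and reports whether this account could write there, which is exactly what a restricted-user account should fail on for HKLM. Function names are hypothetical, and the DACL walk only approximates the kernel's access check (deny-only groups, owner rights and CREATOR OWNER are not modelled).

```powershell
# Added example, not part of the original post. Requires Windows PowerShell 5.1
# or PowerShell 7 on Windows; run it as the account you want to assess (no
# elevation needed, it only reads ACLs). Function names are hypothetical.

function Test-RegistryWriteAccess {
    # Approximates an access check of the key's DACL against the current token.
    # Not modelled: deny-only groups, owner rights, CREATOR OWNER, privileges.
    param([Parameter(Mandatory)][string]$Path)   # e.g. 'HKLM:\SOFTWARE'

    try { $acl = Get-Acl -Path $Path -ErrorAction Stop }
    catch { return $false }                       # cannot even read the DACL

    # SIDs the current token carries: the user plus its enabled groups.
    $token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids  = @($token.User.Value) + @($token.Groups | ForEach-Object { $_.Value })

    # The rights an installer needs in order to "write into" a hive.
    $writeBits = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                       [System.Security.AccessControl.RegistryRights]::CreateSubKey)

    $allowed = $false
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($sids -notcontains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.RegistryRights -band $writeBits) -eq 0) { continue }
        if ($rule.AccessControlType -eq 'Deny') { return $false }   # Deny wins
        $allowed = $true
    }
    return $allowed
}

# Contrast the machine-wide hive with the per-user hive for this account.
foreach ($hive in 'HKLM:\SOFTWARE', 'HKCU:\SOFTWARE') {
    [pscustomobject]@{
        Hive     = $hive
        Writable = (Test-RegistryWriteAccess -Path $hive)
    }
}
```

On a properly restricted account the report should show HKLM:\SOFTWARE as not writable and HKCU:\SOFTWARE as writable; an installer that insists on the former is the kind of application the thread is complaining about.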
