Re: possible regedit bulk key deletion vulnerability (Revised)
From: k levinson (levinson_k_at_YAHOO.COM)
Date: 11/16/04
Date: Tue, 16 Nov 2004 07:03:12 -0800
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I'm sorry, but I must beg to differ.

Only Administrators and System have permission to the root of HKLM. Administrators, and malware run by administrator, can do pretty much anything to the system. Anything you can do to inhibit administrators, another admin can undo.

As the old saying goes, "garbage in, garbage out." Since the OS is basically there to do what the user tells it to do, there is only so much the OS can do to protect you from yourself. Note that global deletion of important system files and objects is a problem for all OSes and is not a Microsoft-only issue.

Microsoft has given you two ways to help protect against this: have your users log in as non-administrator [I know, there are some issues around this], and back up your registry from time to time, especially before making changes to the Registry. The latter is mentioned in every MS KB article involving registry edits. The third way around this is to test any new changes on one system first, but there's little Microsoft can do to force you to do this.

If you're truly worried about what malware run by your users can do, there's little you or Microsoft can do about this until you have your users log in as non-administrators. Your suggestion to lock away regedit [which is not the only safeguard, by the way] won't really work in your situation, unless you deny Administrators the ability to run Regedit, which is probably not a very good idea.

kind regards,
karl levinson
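
Added example, not part of the original message: a PowerShell sketch of the two safeguards discussed above, listing which accounts hold modify rights on a key under HKLM and exporting a key to a .reg file before editing it. The function names, the backup directory and the key chosen for the sample run are assumptions made for illustration.

```powershell
function Get-RegistryWriteAccess {
    # List the Allow ACEs that permit modifying a registry key.
    param([string]$Path = 'HKLM:\SOFTWARE')

    $specific = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    # Some ACEs carry generic bits instead of registry-specific ones:
    # GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000).
    $mask = [int]$specific -bor 0x10000000 -bor 0x40000000

    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.RegistryRights) -band $mask) -ne 0
        } |
        Select-Object IdentityReference, RegistryRights, IsInherited
}

function Backup-RegistryKey {
    # Export a key with reg.exe before editing it; returns the backup file path.
    param(
        [Parameter(Mandatory)][string]$KeyName,   # reg.exe form, e.g. HKLM\SOFTWARE\...
        [string]$Directory = "$env:USERPROFILE\RegBackups"   # assumed location
    )
    New-Item -ItemType Directory -Path $Directory -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $Directory (($KeyName -replace '[\\:]', '_') + "-$stamp.reg")
    & reg.exe export $KeyName $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg export failed for $KeyName (exit code $LASTEXITCODE)"
    }
    $file
}

# Which principals other than Administrators and SYSTEM can modify this key?
# (Name matching assumes an English-language system.)
Get-RegistryWriteAccess -Path 'HKLM:\SOFTWARE' |
    Where-Object { $_.IdentityReference -notmatch 'Administrators|SYSTEM' }

# Back up a key before changing it (sample key chosen for illustration).
$backup = Backup-RegistryKey -KeyName 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
"Backup written to $backup; restore with: reg import `"$backup`""
```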