Re: Questions Regarding Workable SOHO Windows Installation / Configuration, Diagnostics, & Security Options ver. 2.01 ~ several Kb Please follow up in comp.security.misc or if necessary microsoft.public.windowsme.setup
From: Ron Martell (ron@onlinehelp.bc.ca) Date: 04/12/02
From: Ron Martell <ron@onlinehelp.bc.ca> Date: Fri, 12 Apr 2002 20:11:38 GMT
"wlhaught" <fridaythe13th@ameritech.net> wrote:
>Questions Regarding Workable SOHO Windows Installation / Configuration,
>Diagnostics, & Security Options ver. 2.01 ~ several Kb
>
>Please follow up in comp.security.misc or if necessary
>microsoft.public.win95.filediskmanagement
>
Asked here. Answered here.
>
>WORKABLE I am wondering about workable options concerning installation,
>configuration, diagnostics, and security in a Windows environment that are
>practical for the typical home networking environment. An AS/400 or other
>real hardware and software isn't an option, and then I wonder if there is a
>Windows emulator that can handle the ActiveX controls (and how much would
>even be gained securitywise if that can be done).
What specific level of security are you looking for?
>
>I am wondering if there is a program or combination of programs that works
>in a way I have faith in at a reasonable cost.
That is highly subjective and therefore impossible to answer. What do you
have faith in? What cost do you consider reasonable?
>
>BARELY WORKS It seems to me that Windows just barely works (if you are
>lucky enough to get it up and running) before/even without worrying about
>security.
This is where you and I have some significant differences. Can you
substantiate your "barely works" assertion? I have been in the
computer business full time for the past 10 years. I sell computers with
Windows exclusively (starting with Windows 3.x, gone through 95, 98, 98SE,
Me and now with XP). I provide 2 years of on-site warranty coverage for
these computers and I do not spend a lot of time on warranty work. I also
get lots of repeat customers. This would not be the case if, as you
stated, Windows "barely works".
Not saying that it is perfect, and some versions are considerably less
perfect than others, but the use of "barely works" implies a negative
attitude that is simply not justified based on any objective assessment of
the real world Windows environment.
>
>PACKED EXES Let's see if I understand this: You are supposed to run
>antivirus software to keep from getting a virus, yet you are supposed to
>turn the antivirus software off when you need it most to prevent conflicts
>with self-installing executables that (as far as I know) cannot be checked
>for viruses *packed in the archive.*
Which antivirus does this? All you need to do is to switch to a decent
antivirus. My AVG scans everything, including packed executables, and I
have never turned it off when I am installing new programs or program
updates.
The only possibly relevant concern that I am aware of has to do with the
antivirus protection built into the BIOS of some computers. This
basically protects against modifications to the hard drive boot sector and
that must be turned off for some, repeat some, installs and upgrades,
especially when upgrading the operating system.
But with any of the popular antivirus programs the BIOS antivirus setting
is basically redundant and I never use it with any of my customers.
>
>ENOUGH TROUBLE WITHOUT As far as memory resident, real time installation
>tracking and antivirus scanning goes, it seems to me that I am asking for
>more trouble than I've already got. Sure, my system may become quite
>secure, assuming for example that it gets so jacked up I cannot reach the
>net (or anything other than a blue screen, for example).
As I said before, AVG, eTrust, and a number of other antivirus programs
are fully adequate for this level of protection while Windows is running.
>
>There are inherent limitations such as user, system, and GDI resources in
>Win9X/Me.
Yes. And an awareness of these limitations is pretty much all that is
needed in order to operate successfully within these constraints. Plus,
of course, an understanding of just exactly what is meant by "System
Resources" in the Windows 95/98/Me context.
>
>VIRUS ALREADY LOADED Furthermore, virus scanning (at least solely) from
>Windows is especially an issue to me, since by the time the operating system
>loads (let alone the anti-virus software) a competently written virus would
>be in stealth mode anyway. Perhaps if the antivirus companies use VxDs,
>they can make it difficult, but this carries with it risks of conflicts. I
>guess so far we've been lucky the only people who would be both willing and
>able to write such viruses fall into one or more of three extremes: 1) too
>busy doing real work, 2) can't afford the time or money to pull it off for
>one reason or another, 3) smoked or shot-up too much of something.
Yes. An already existing virus can SOMETIMES evade detection, which is
why there are DOS based antivirus programs available that can be run from
a write-protected bootable diskette. Or from a bootable CD-ROM.
>
>BORROWED TIME I think time is running out the way 1) attacks are on the
>rise, 2) it is difficult to tell if all patches are installed & working
>correctly, 3) the time lag from discovery to recognition to patch, etc. I
>no longer view the following as sufficient:
A regular visit to the Windows Update site will usually suffice for the
updates.
>
> 1) downloading from "trustworthy" sources and CDs
>
> 2) constantly patching Windows and Internet Explorer
>
> 3) running Outlook Express in Restricted Sites zone
>
> 4) avoiding dangerous extensions or using viewers (ex. Word Viewer)
>
> 5) Note: loading a *.jpg or *.txt into a program that cares about format,
>not extension such as Word thinking it is safe is a good way to get bit.
>
>Besides, to err is human.
>
>
>INTEGRITY AND OVERLAP It seems to me that since integrity checking and
>keeping track of changes are needed both from various points of views:
>anti-virus / trojan security and installation / configuration diagnostics,
>the best program would do both. In fact the program should create databases
>from write-protected floppies (preferably using a real OS such as Linux and
>bus mastering 32-bit IDE, SCSI, or USB 2 access if possible for decent
>scanning speed, although DOS programs built with a 32 bit extender will
>probably do if it gives fast IDE access too) and compare results with copies
>made by a companion Windows program. Of course, the databases need to be
>stored on the hard drive(s).
>
>
>DOES GOOD PICTURE TAKING EXIST? I have more faith at taking snapshots at
>system startup (less likelihood of conflicts), yet the only three programs I
>know of don't meet my needs. ZDNet's INCTRL5 and ArkoSoft's System Snapshot
>are too simplistic, while Lanovation's PictureTaker is steeply priced and
>probably doesn't have the relevant features I'm looking for. I'd want to be
>able to get reports between any two of periodic snapshots, get lists of
>frequently changed items to mark ignore or generally ignore, etc.
>
>What do you think? Comments appreciated. Thanks in advance.
You have the specs and seem to be quite knowledgeable. Why don't you
write the program yourself? Or develop a fully detailed specification and
hire a programmer to write it for you.
If your concerns are as substantial as you believe them to be then there
should be a good market for the finished product, allowing you to recover
the costs.
Good luck
Ron Martell Duncan B.C. Canada
--
Microsoft MVP
On-Line Help Computer Service
http://onlinehelp.bc.ca
"The reason computer chips are so small is computers don't eat much."
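
The snapshot tool specified in the quoted question (integrity databases, a report between any two periodic snapshots, a list of frequently changed items to mark as ignored) can be sketched as follows. This is an added example, not part of either poster's message; the function names are hypothetical and SHA-256 is an assumed choice of hash.

```python
import fnmatch
import hashlib
import os
from collections import Counter


def snapshot(root):
    """Integrity database: relative path -> SHA-256 of file contents."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                result[rel] = hashlib.sha256(fh.read()).hexdigest()
    return result


def diff(old, new, ignore=()):
    """Report between any two snapshots; paths matching an ignore glob are skipped."""
    def keep(path):
        return not any(fnmatch.fnmatch(path, pat) for pat in ignore)
    return {
        "added": sorted(p for p in new.keys() - old.keys() if keep(p)),
        "removed": sorted(p for p in old.keys() - new.keys() if keep(p)),
        "changed": sorted(p for p in old.keys() & new.keys()
                          if old[p] != new[p] and keep(p)),
    }


def frequently_changed(snapshots, min_changes=2):
    """Candidates for the ignore list: paths changed in >= min_changes consecutive pairs."""
    counts = Counter()
    for old, new in zip(snapshots, snapshots[1:]):
        counts.update(diff(old, new)["changed"])
    return sorted(p for p, n in counts.items() if n >= min_changes)


if __name__ == "__main__":
    # Constructed snapshots (path -> placeholder digest), not data from a real system.
    s1 = {"WINDOWS/WIN.INI": "h1", "WINDOWS/SYSTEM/USER.EXE": "h2", "TEMP/~DF1.TMP": "h3"}
    s2 = {"WINDOWS/WIN.INI": "h4", "WINDOWS/SYSTEM/USER.EXE": "h2", "TEMP/~DF1.TMP": "h5"}
    s3 = {"WINDOWS/WIN.INI": "h6", "WINDOWS/SYSTEM/USER.EXE": "h7", "TEMP/~DF1.TMP": "h8",
          "WINDOWS/SYSTEM/NEW.DLL": "h9"}
    print(diff(s1, s3, ignore=["TEMP/*"]))
    print(frequently_changed([s1, s2, s3]))
```

A snapshot taken from inside the running system only reflects what that system reports, which is why the question asks for a second database built from write-protected boot media and compared against it.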