Re: Disable programmatically the "Fast User Switching"
From: Ivan Brugiolo [MSFT] (ivanbrug_at_online.microsoft.com)
Date: 05/04/04
- Next message: Victor I. Zaslavsky: "How to obtain the user name of network credentials?"
- Previous message: pak: "RE: SignedXML, References and "Malformed reference element" error"
- In reply to: Viviana Vc: "Re: Disable programmatically the "Fast User Switching""
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 4 May 2004 09:03:35 -0700
Maybe they could not work in a Terminal Server environment.
The isolation provided by the TS-Session on top of the traditional
WindowStation\Desktop is something many application developers had never
planned for.
Fortunately Longhorn will remove the ambiguity of having
the services TS-session to be the same as the interactive session.
This way all the broken applications can be eventually fixed to work in a TS
environment without relying on some by-chance detail to work.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Viviana Vc" <vcotirlea@hotmail.com> wrote in message
news:c77mb9$kf0c$1@ID-78102.news.uni-berlin.de...
> As I read from the NGs the Cisco VPN client, PCAnywhere and Client
> Services for Netware are doing the same ... They probably also have a
> reason for this ...
>
> Also if you look at:
> http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAnPQpmkc/vBG8Jfb3ldblgcKAAAAQAAAApHIMXER7Y0e2bLmfbZMqcAEAAAAA%40012.net.il&rnum=1&prev=/groups%3Fq%3Dkill.exe%2B%2522Fast%2BUser%2BSwitching%2522%26ie%3DUTF-8%26oe%3DUTF-8%26hl%3Den
> you'll see that somebody complained to MS about some security issue and he
> posts there the answer from MS:
> "[...]
> Its focus is on
> this separation of settings to provide personalization, it is not
> explicitly designed to provide complete security separation of users. It
> does not make any promises about explicitly keeping sessions secure from
> each other.
> [...]
> However, given the consumer oriented usage scenario for FUS, it is
> likely that there is a very high degree of trust between each user, as
> they will be part of the same household etc.
> [...]"
>
> So, in my application case I have MyProxy that is listening on a port
> and the email clients that connect to MyProxy. Now, MyProxy is started
> for each user with its specific settings. If user A logs in he will have
> MyProxy running with the settings for user A. For FUS scenario I could
> think about 2 scenarios:
> - when user B logs in by FUS-ing from user A, MyProxy for user A could
> be killed and MyProxy for user B could be started on the same port like
> MyProxy of user A that was just killed. But the email clients for user A
> might still be opened and they will connect to MyProxy of user B which
> is a security problem. I could of course in MyProxy to check that the
> connection is coming from the Active Session, and to refuse the other
> connections, but in this case user A can have an exploit to use user's B
> MyProxy by somehow faking the session ID.
> - when user B logs in, MyProxy will start on another port than user's A
> MyProxy. Again B could exploit the MyProxy of user A if he knows the
> port where MyProxy for user A is running
>
> And yes, MyProxy has to be started with the settings of a specific user.
> I won't get into details, but MyProxy can not serve 2 different users in
> the same time.
>
> So, because my product is a security product I can not just assume that
> the people that are using FUS trust each other ...
>
>
> Thanks,
> Viv
>
>
> On Mon, 3 May 2004 18:10:45 +0100, "Tim Robinson"
> <tim.at.gaat.freeserve.co.uk@invalid.com> wrote :
>
> >Viviana Vc wrote:
> >>>> I would like programmatically to disable "Fast User Switching"
> >>>> (FUS).
> >>>
> >>> Why? I, for one, would write numerous flames to the trade press
> >>> about your application if I installed it and discovered that it had
> >>> disabled FUS.
> >>
> >> Because I read on newsgroups that FUS should be used between people
> >> that trust each other as it's not that safe from the security point
> >> of view. As my app is security related I would like to have this
> >> option ....
> >
> >Regardless of how safe FUS might be (got any firm evidence? The separation
> >between FUS sessions is much greater than the separation between programs
> >within a session), your program will also fail on a Terminal Server system.
> >Fast User Switching is a special case of Terminal Services. I would hope
> >that a lot of your potential users would be very upset if you broke their
> >terminal server.
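
The session check discussed in the quoted message, as an added example that is not part of the original thread: a per-user loopback proxy can take the peer's session ID from the operating system's TCP owner table rather than from anything the client sends, and refuse connections from other sessions. The function names and port parameters are hypothetical, and `Get-NetTCPConnection` requires Windows 8 / Server 2012 or later.

```powershell
# Added example; function names and ports are hypothetical.
# Resolve the Terminal Services session of the process that owns the client
# end of a loopback connection to the proxy. Nothing here is supplied by the
# client: the owning PID comes from the TCP owner table, the session ID from
# the process list.
function Get-PeerSessionId {
    param(
        [Parameter(Mandatory)] [uint16] $ProxyPort,   # port the proxy listens on
        [Parameter(Mandatory)] [uint16] $ClientPort   # source port of the accepted connection
    )
    # Seen from the client side, LocalPort is its ephemeral source port and
    # RemotePort is the proxy's listening port.
    $conn = Get-NetTCPConnection -LocalPort $ClientPort -RemotePort $ProxyPort `
                -State Established -ErrorAction SilentlyContinue |
            Where-Object { $_.LocalAddress -in '127.0.0.1', '::1' } |
            Select-Object -First 1
    if (-not $conn) { return $null }

    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    if (-not $proc) { return $null }
    return $proc.SessionId
}

# Accept the connection only when the peer process runs in the same session
# as the proxy itself. Any lookup failure is treated as a refusal.
function Test-PeerInOwnSession {
    param(
        [Parameter(Mandatory)] [uint16] $ProxyPort,
        [Parameter(Mandatory)] [uint16] $ClientPort
    )
    $peer = Get-PeerSessionId -ProxyPort $ProxyPort -ClientPort $ClientPort
    $mine = (Get-Process -Id $PID).SessionId
    return ($null -ne $peer) -and ($peer -eq $mine)
}

# Usage (constructed values): proxy on 11000, accepted peer source port 50123
# if (-not (Test-PeerInOwnSession -ProxyPort 11000 -ClientPort 50123)) { <# close socket #> }
```

The lookup is a point-in-time check, so it belongs immediately after the accept while the connection is still open, and the listener should be bound to the loopback address only.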