Re: Why are the good old security advices gone
- From: "FromTheRafters" <erratic@xxxxxxxxxxxxxxxxx>
- Date: Sun, 22 Mar 2009 15:41:56 -0400
"Jesper Ravn" <jesper_ravn@xxxxxxxxxxx> wrote in message
news:3780BC19-7E32-4B42-B852-892797A4AF8A@xxxxxxxxxxxxxxxx
> Hello
> What happened to basic security advices? You nearly don't hear about
> them anymore.

I try to inject basic and/or general security measures into
conversations from time to time. This, of course, runs the risk of
annoying the people coming here for specific help. It is especially so
for those that proclaim proudly that they have UAC disabled and can't
figure out why something doesn't work as expected.

> I'm talking about Limited User Account (LUA) and Software Restriction
> Policy (SRP).
> Today it's all about IE features + big security suites, Comodo
> firewall and fancy removal tools.
> With LUA and SRP all your family desktop/laptops will never get
> infected.

Wrong, these measures are effective against trojans and other malware
that presents itself as a trojan. You can be "infected" by a "virus"
even with those measures in place. Worms also can circumvent any
barriers these measures provide. When it comes to a person making a
decision to run a trojan, LUA limits its scope and SRP has already
failed.

> Why has Microsoft and most of the Security MVPs given up on these
> security principles?

I can't speak for them, but it seems to me that they haven't.

> They are not even listed here:
> http://www.microsoft.com/protect/computer/default.mspx

Probably there implicitly, haven't read it yet myself.
They are mentioned elsewhere - Google results are numerous.

> Please also remember that UAC in Vista was not meant to be a security
> boundary, from what I have read.

This is why the user should not run day to day as 'protected admin' but
as a limited user instead.

> Any comments?

Sure. The fact that the default (protected) admin account actually has
the user running limited, makes people think it is okay to run in this
account for their day to day activities. It should be pointed out that
even in Vista you should create a standard user account for yourself and
everyone else that uses the computer. For the occasional administrative
task you can supply credentials at the consent prompt. If you are going
to do a lot of admin stuff - use whatever admin account suits you.