Re: Here is my advice for microsoft/windows
From: Doug Knox MS-MVP (dknox_at_mvps.org)
Date: 11/18/04
- Next message: David H. Lipman: "Re: userinit security"
- Previous message: Doug Knox MS-MVP: "Re: userinit security"
- In reply to: Skybuck Flying: "Here is my advice for microsoft/windows"
- Next in thread: Jack Wang [MSFT]: "RE: Here is my advice for microsoft/windows"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 17 Nov 2004 20:56:09 -0500
Much of what you point out is already in the works. The biggest issue now, is compatibility. For example, some Lexmark drivers (and others) like to stick their stuff in the Windows\System32 folder. Very, very bad practice in my opinion, but that's the way they're coded. A limited user would not be able to install these drivers, only an Administrator. The same is true with other programs. They were never "updated" from the 9x world to the NTFS world. They expect to be able to write to parts of the file system and registry that were formerly unprotected. This causes many apps to break when not run as an Administrator. The down side is that many users run as an Administrator, even when they don't need to. This exposes them to virus, trojan and other malware infections that write themselves to locations that you have to have Administrator credentials to write to.
A large part of the focus is for the future in a process called Least Privileged User Access. The full mechanism isn't defined yet, but it will answer a lot of your issues. I for one, hope that they require programs to not write to Windows, System32 or any of the subfolders (with the possible exception of drivers) or protected portions of the Registry, in order to receive "logo" certification.
Hopefully, some of this will come about before Windows Longhorn, but there are no guarantees.
-- Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display Win 95/98/Me/XP Tweaks and Fixes http://www.dougknox.com -------------------------------- Per user Group Policy Restrictions for XP Home and XP Pro http://www.dougknox.com/xp/utils/xp_securityconsole.htm -------------------------------- Please reply only to the newsgroup so all may benefit. Unsolicited e-mail is not answered. "Skybuck Flying" <nospam@hotmail.com> wrote in message news:cngsfq$52j$1@news2.zwoll1.ov.home.nl... > Microsoft should do the following: > > The operating system is a critical component of any PC so: > > 1. Make everything that belongs from microsoft and windows "write > protected". > > Even third party drivers can be installed in seperate folders. > > That means everything in the windows folder will be "clean" from microsoft > only. > > This is in big contrast with the current reality... the windows folder is a > big mess because all kinds of programs install junk into it. > > Note: *** There is absolutely no reason why a program should ever need to do > this expect from microsoft updates... even these could be installed in > seperate folders *** > > Programs can simply create registry entries etc to their folders... and keep > everything together. > > My advice to microsoft... and I would really like to see this happen in a > next version of windows is to be *** very strict *** about how an > application should install itself. > > *** everything *** that belongs to an application should be installed in the > application folder. > > This would make it easy to delete an application which is mis behaving etc > or causing annoyances like spyware. > > All other folders should be write protected. > > Only the folder designated by the user as valid for that application should > have write access for the installation program or something like that. > > If this would be possible to implement securely this could make a hell lot > of a difference in fighting bad programs :) > > One last improvement might be a big change... instead of a file system.. it > would be more like a database... with transactions... everytime a program > installs etc.. or the user adds many files... or something like... > > It is "logged" as an "transaction" > > The idea is that individual "transactions" can be rolled back incase they > wreck havoc. > > Bye, > Skybuck. > >
- Next message: David H. Lipman: "Re: userinit security"
- Previous message: Doug Knox MS-MVP: "Re: userinit security"
- In reply to: Skybuck Flying: "Here is my advice for microsoft/windows"
- Next in thread: Jack Wang [MSFT]: "RE: Here is my advice for microsoft/windows"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
