Re: MS Windows Screensaver Privilege Escalation
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sun, 28 Nov 2004 21:41:23 +1300
Pavel Kankovsky wrote:
> Moreover, it is pretty stupid to give users rights to modify critical
> system directories just to let them install new software.
That's because it is (more than) pretty stupid to let users install
software at all. The job of system administrators is to "manage" the
systems they are responsible for. With Windows systems that requires
that "ordinary users" (i.e. everyone whose job is not officially
"system administrator") _MUST NOT_ be allowed to install new software.
Sadly, extraordinarily few Windows system admins actually have enough
nous to realize this, and most of the few who do cannot get enough
management muscle to back such a "draconian" policy.
This all, directly and indirectly, stems from the "personal computer"
focus of all preceding Windows-related development _AND_ the crushing
banality that "backwards compatibility" imposes on any truly
significant improvement that a Windows developer at MS may suggest for
Of course, the considerations of the first paragraph above don't map at
all well onto the SOHO market (on which MS significantly depends for
its quite undeserved and largely unjustified stranglehold on the
corporate desktop market), as your typical SOHO computer user has, by
now, bought the marketing BS line (largely fuelled by MS) that "anyone"
can set up and manage a SOHO computer system, despite the fact that your
typical SOHO computer user has no idea that there may even be such
things as different privilege levels, let alone why the heck anyone
would ever bother with the hassle of trying to implement and use them.
Of course, it is just this user experience that so many of today's
larger corporate "managers" have already had outside the corporation
with Windows that makes so many of them hamper the proper development,
deployment and support of Windows desktop systems within their
And, I'm sure that the marketing and PR folk at MS are not unaware of
this, so it is little surprise that so much of the "Security
Initiative" talk, starting with Bill's infamous letter a couple of
years back, is seen as just so much more marketing and spin.