Robert Downey

The FUDing of Windows Vista - Part 3

by RMD 21. February 2007 12:21

Sorry for the delay in getting part 3 of my series (Part 1, Part 2) on The FUDing of Windows Vista out, but I've been pretty busy.

Today, however, I simply couldn't stop myself. The Register decided to write a "review" of Windows Vista's security features. Needless to say, it's a prime example of the FUD I'm talking about.

So, point by point:

While referring to IE's Protected Mode feature:

However, there is a brokering mechanism that enables users to download files to any location they have access to, or to install browser plugins and extensions, and the like. So users are still invited to make a mess of their systems, and no doubt many will, while Microsoft has a chance to shift blame away from itself.

Uh huh. First, you can't install plugins/extensions (with the exception of signed ActiveX) without admin privs. Period. Second, how, exactly, would you propose the user be able to save files to their Documents folder, or do any other file operation in their profile (or basically anyplace on the system) without this brokering mechanism? Would you prefer that Microsoft not allow users to download *any* files via the browser? Ya, that would work out well.

However, IE7 on Vista does still write to parts of the registry in protected mode.

IE7 in Protected Mode runs as a low-integrity process. That does *not* mean it can't write to any part of the registry. It means that a registry key's mandatory integrity label (the "low" label Vista keeps in the object's SACL) must explicitly permit writes from a low-integrity process, and only a handful of locations carry that label: the InternetRegistry subkey under HKCU\Software\Microsoft\Internet Explorer and, on disk, the user's AppData\LocalLow and Temporary Internet Files\Low folders. The location The Register gives as its example is one of them. In other words, it's not an issue.

However, DEP, when full on, may cause a number of applications to crash, or interfere with their installation. I'm betting that a majority of users will opt for the more conservative setting, and this of course means less defense for everyone.

You're betting that the majority of users, most of whom think "DEP" is an actor's last name, will go and hunt down the DEP setting and turn it off because it will supposedly cause lots of applications to crash? Really? You mean they won't selectively turn it off via the dialog box that comes up after a DEP-related crash that asks if you want to turn it off just for this application? Oh, and what quantitative study are you citing that shows that lots of commonly used applications will crash because of DEP? Give me a break.

User Account Control (UAC) is another good idea, because it finally, finally, finally allows the machine's owner to work from a standard user account, and still perform administrative tasks by supplying admin credentials as needed on a per-action basis. You know, the way Linux has been doing it forever.

Windows has supported running individual processes as admin (or any other account) since NT4. It was integrated into the GUI in Windows 2000. That is not the point of UAC, and it's not how Linux does it at all. If you try to run an application or perform an operation on Linux or Unix that requires admin access, it will fail. It doesn't prompt you. It's a subtle, but big difference. And it's a critical difference in the Windows world, where the vast majority of applications won't work without admin privs.

Of course, it only works if everyone stays out of the admin account as much as possible, and if everyone with an admin password knows better than to install a questionable program with admin privileges. And there's the catch: "Windows needs your permission to install this cleverly-disguised Trojan nifty program. Click Yes to get rooted continue."

Wrong. It works regardless of what user you *think* you're running as. An admin account on Vista (with UAC enabled) is NOT AN ADMIN ACCOUNT. It's a limited user: at logon Vista builds a filtered token in which the Administrators group is marked deny-only, every process you start runs with that token, and the full administrator token is only handed to the specific process you elevate. The *only* difference is that an admin account isn't prompted to type in credentials in the UAC prompt, whereas a limited user is.

So you see that, here again, MS's security strategy involves shifting responsibility to the user.

Ok, smart ass. What's a better solution? Get rid of admin accounts entirely? Don't allow any programs to run at all? Never allow a user to connect to the net? Oh, how about only allowing signed, Microsoft approved applications to be installed on Vista. Ya, that would go over well. What would you say about "The Vole", then?

And the reason why it's never going to work is because MS still encourages the person who installs Vista (the owner presumably) to run their machine with admin privileges by default....Until MS gets it through their thick skulls that a multi-user OS needs a separate admin account and a user account for the owner, and that the owner should be encouraged to work from a regular user account as much as possible, UAC will never work as intended.

Wow. Ok. Imagine this scenario: A person installs/buys Vista and sets up the machine. Vista does what you want so badly and first asks for an admin account password, but then asks the user for the login/password for their limited account. Having an admin account on the machine is unavoidable if you ever want to do anything on the machine past checking your e-mail and reading high-quality publications like The Register.

So now the user has the admin account (that they're not using as their primary account), and they have their limited user account. Now anytime they need to do something that does require admin privs they will be prompted via UAC for the admin password. Since they're the ones who set up the machine, they'll type in the admin password. For all the other users on the machine, they'll have to go get the person who set up the machine to type in the admin password, exactly as they'll have to do right now in Vista.

So, how is this any better? Now, instead of the occasional annoying OK button, you'll have an OK button and be required to type in admin credentials. If you're the guy who set up the machine, you know the password. If you're not, then it works just like it does now.

Or perhaps you would rather have it just like it is in Linux, and have all operations simply fail with access denied errors? See, it works fairly well for Linux because all Linux applications were designed from the ground up with a multi-user system in mind. But Microsoft *must* support as many legacy applications as possible. That legacy application support is one big reason why Linux on the desktop has failed to defeat Windows.

Furthermore, if you want UAC to always prompt for credentials even as the "admin" user, there is a policy setting to make that the case ("User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode", under Security Options in Local Security Policy).

UAC is, in my opinion, a good solution to a problem that exists only on Windows. Saying that Windows should operate its elevation system like Linux simply shows that you don't understand the problems at hand.
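As an added example (not from the original post), the following PowerShell shows both halves of this argument on a live machine: what an "administrator's" token actually looks like when UAC is on, and the registry values behind the policy that makes admins type credentials instead of clicking Continue. It assumes current Windows PowerShell (`whoami`, `Get-ItemProperty`, `ConvertFrom-Csv`) and the documented meanings of ConsentPromptBehaviorAdmin on current Windows; Vista itself only used values 0 to 2, where 1 already meant "prompt for credentials", which is the setting the post refers to.

```powershell
# Added example, not part of the original post. Run in a normal, non-elevated
# PowerShell window as a user who belongs to the local Administrators group.

function Get-TokenSummary {
    # whoami /groups prints every group SID in the process token with its
    # attributes. Under UAC the filtered token still lists BUILTIN\Administrators
    # (S-1-5-32-544) but flags it "Group used for deny only", so it can never
    # grant access; that is what makes an "admin" a limited user until elevated.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $label  = $groups | Where-Object { $_.Type -eq 'Label' }   # integrity level row

    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$id
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    [pscustomobject]@{
        User                 = $id.Name
        IntegrityLevel       = $label.'Group Name'    # "Medium Mandatory Level" when not elevated
        AdminGroupAttributes = $admins.Attributes     # "Group used for deny only" when not elevated
        IsElevated           = $principal.IsInRole($adminRole)  # False until you go through UAC
    }
}

function Get-UacPromptPolicy {
    # These DWORDs back the Local Security Policy entries under
    # Security Options > "User Account Control: ...".
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # Documented meanings on current Windows; values 3-5 post-date Vista.
    $adminMeaning = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }
    # What a standard (non-admin) user sees instead.
    $userMeaning = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }

    function Describe($table, $value) {
        if ($null -eq $value) { return 'not set (OS default)' }
        if ($table.ContainsKey([int]$value)) { return $table[[int]$value] }
        return "unknown value $value"
    }

    [pscustomobject]@{
        UacEnabled                 = [bool]$p.EnableLUA
        AdminPromptValue           = $p.ConsentPromptBehaviorAdmin
        AdminPromptMeaning         = Describe $adminMeaning $p.ConsentPromptBehaviorAdmin
        UserPromptValue            = $p.ConsentPromptBehaviorUser
        UserPromptMeaning          = Describe $userMeaning $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop      = [bool]$p.PromptOnSecureDesktop
        # The setting the post talks about: admins must type a password, not just click.
        AdminsPromptForCredentials = ($p.ConsentPromptBehaviorAdmin -in 1, 3)
    }
}

Get-TokenSummary
Get-UacPromptPolicy
```

Reading the policy key works from a non-elevated window. Changing it does not: `Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value 1` has to run from an elevated shell, which is the point; the filtered token that `Get-TokenSummary` reports has no write access to HKLM policies.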

In fact, UAC is the most complained-about new feature of Vista, and most people are disabling it as soon as possible.

It's the most complained about by people like you, and by a few vocal power users. But guess what, you're all in the minority. Most people will fairly rarely encounter UAC. As a person actually using Vista on a daily basis at both work and at home, I don't find UAC annoying at all. There ya go.

And when you're running in an admin account, UAC is nothing but a bother.

And when you're running as a non-admin account, UAC is nothing but a time consuming bother? Give me a break.

And once UAC is disabled, all of its security enhancements are lost. Yes, the basic idea is good, but the implementation has been completely bungled.

So what's the better solution?

And since it's very likely that you will still be running your Windows box as an admin, if you're going to open a file with Windows Explorer, you'd better look to see whether or not it's an executable, because it will run with your privileges. So, at a minimum, the folder view should default to showing file extensions.

I kind of agree with this, but the chances that you'll run an application without knowing it's an application are fairly small. If you downloaded this application from the net, Windows will flag it as potentially unsafe (IE and Explorer attach a Zone.Identifier stream to downloaded files). When you try to run it, Windows will ask you to confirm that you really want to run this application and that you trust it. (And yes, you can turn this off by unchecking a box in the properties dialog of the file.)

As usual, Windows enables far too many services by default.

Examples? Oh, that's right... we don't need examples. This is The Register.

It's a little craplet with a stereotypical icon that looks like a shield, and it simply informs you of whether or not the firewall is on, whether or not you've got anti-virus software installed, and so on.

One major hurdle for users securing their systems is that they don't know all the things they need to secure. The Security Center provides a single place where they can check their most important security settings. Seems like a good idea to me, and it seems to work pretty well. But I guess because The Register thinks it's a "craplet", I must be wrong.

We have got, instead, a slightly more secure version than XP SP2.

Uh huh. And if I took this "review" at face value, I might have to agree with you. Except luckily, I don't usually take things at face value. The "review" ignores many of Vista's security features, and it gives an extremely biased and unfair assessment of the ones it does touch on.

Only time will tell how secure Vista will be against the onslaught of hackers that will undoubtedly be attacking it, but it's a helluva lot better than The Register gives it credit for.


General Computing

My First Windows Vista (RTM) Bug

by RMD 23. November 2006 13:23

I installed Windows Vista Ultimate on my laptop on the 17th and have been very, very happy. I'm running it on an IBM T42p (1.8GHz Pentium M, 1GB of RAM, 5400rpm disk) and it has been smooth as silk. The UI is extremely pretty and responsive, the various interface improvements are excellent, and I've encountered no bugs whatsoever... until today.

One of my favorite applications is called Notepad2. It's a free replacement for the tired old Notepad application that has come with Windows since the days of Windows 3.x. It has a lot of great features, including syntax highlighting for a wide variety of programming languages.

Notepad2's developers take the minimalist approach to almost everything. The application itself is only 540KB and it doesn't even ship with an installer. Alas, the lack of an installer exposed a bug in Vista.

After extracting Notepad2.exe into a new folder in c:\Program Files\, I attempted to run it. I was presented with the dialog to the right. It's the same dialog you get on XP SP2 when you try to run an EXE that came from another computer. Pretty standard and expected.

Obviously having that dialog popup every time I open a txt file is not exactly what I'm looking for, so I unchecked the "Always ask before opening this file" check box, figuring that would be the end of that.

Just to make sure, I closed Notepad2 and tried opening it again. Damn. The dialog is back. How annoying. Ok, this must have something to do with User Account Control (UAC). I remembered that XP had an "Unblock" button in the File Properties dialog that allowed you to get rid of this warning as well, so I opened up the dialog and clicked the "Unblock" button you see in the screen capture on the left.

I was surprised to not see any UAC confirmation dialog, but I figured that ought to do it. I clicked OK and tried opening the program again.

Guess what. The same security warning is still there. Ok, this is getting silly.

I looked around online for a few minutes to see if anybody had similar issues, but I only found a couple of unanswered forum posts that were of no help. I then tried to run explorer.exe as Administrator, only to realize that the Administrator account was disabled. This makes sense, however, as a dedicated admin account isn't (or shouldn't be) necessary in Vista thanks to UAC.

I then tried to see if I could get the properties dialog of the file to run as admin, but I couldn't figure that out either. I'm sure there is a dll I can run as admin to get this to work, but I couldn't find any documentation.

Then I realized that the reason I am unable to unblock the file is because that button modifies the file itself. When I had extracted the files into c:\Program Files\Notepad2\, Vista had prompted me via UAC to perform the action. This means that the file permissions only allowed administrators to modify the file, and since Vista was not prompting me with UAC when I clicked "Unblock", the permissions changes were silently failing. That, my friends, is a bug.

Vista should be prompting me with a UAC dialog anytime I try to do something that I don't have permission to do. With the exception of certain compatibility redirections, there should be no silent failures due to permissions.

The fix was simple once I realized what was going on. I simply edited the file permissions of Notepad2.exe to give me full control and then unblocked the file. This permissions change caused a UAC dialog to appear, just as it should have.
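As an added example (not code from the original post), the PowerShell below reproduces the check the post ended up doing by hand. The Explorer "Unblock" button deletes the Zone.Identifier alternate data stream that IE and Explorer attach to downloaded files; that is a write to the file, so it fails whenever the non-elevated token can't write the file, which is the default for anything under Program Files. The script assumes PowerShell 3 or later (`-Stream`, `Unblock-File`) and a Notepad2 path that is an assumption; substitute your own.

```powershell
# Added example, not part of the original post. The path is an assumption.
$path = 'C:\Program Files\Notepad2\Notepad2.exe'

function Get-MarkOfTheWeb {
    param([string]$Path)
    # Zone.Identifier is an NTFS alternate data stream. "ZoneId=3" (Internet)
    # is what triggers the "Open File - Security Warning" dialog.
    if (-not (Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue)) {
        return $null
    }
    Get-Content -LiteralPath $Path -Stream Zone.Identifier
}

function Test-CanWrite {
    param([string]$Path)
    # Open for write without truncating. Access denied here is exactly what the
    # Properties dialog swallowed without ever showing a UAC prompt.
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Write,
                                     [System.IO.FileShare]::ReadWrite)
        $fs.Dispose()
        return $true
    } catch {
        if ($_.Exception -is [System.UnauthorizedAccessException] -or
            $_.Exception.InnerException -is [System.UnauthorizedAccessException]) {
            return $false
        }
        throw   # anything else (missing file, sharing violation) is a different problem
    }
}

function Show-WhoCanModify {
    param([string]$Path)
    # Under %ProgramFiles% the defaults give Users read/execute only, so the
    # filtered admin token cannot remove the stream even though "you" are an admin.
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

$motw = Get-MarkOfTheWeb -Path $path
if (-not $motw) {
    "No Zone.Identifier stream on $path; nothing to unblock."
} elseif (Test-CanWrite -Path $path) {
    "Zone.Identifier contents:"; $motw
    Unblock-File -LiteralPath $path    # removes the stream; same effect as the Unblock button
    "Unblocked $path"
} else {
    "Cannot write $path with the current token; the Unblock button would fail silently."
    Show-WhoCanModify -Path $path
    # Fix 1 (what the post did): grant yourself Modify, which does go through UAC:
    #   icacls "$path" /grant "${env:USERNAME}:(M)"
    # Fix 2: do the unblock from an elevated shell instead:
    #   Start-Process powershell -Verb RunAs -ArgumentList "-Command Unblock-File -LiteralPath '$path'"
}
```

`Test-CanWrite` is the check Vista's Properties dialog should have made before reporting success: if the open for write is refused, the only honest outcomes are a UAC prompt or an error, never a silent no-op.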

Admittedly, this bug won't come up a whole lot as the vast majority of programs include an installer. But I have to wonder how this bug was missed. I know for a fact that many people inside Microsoft use Notepad2. I'm fairly sure I heard about it for the first time on Channel9. The only thing I can think of is that many people inside Microsoft don't follow their own advice and end up turning off UAC.

Sigh... oh well. Vista still rocks.


General Computing

Why Windows (pre-Vista) Has Admin Users as Default

by RMD 13. July 2006 20:43

I recently responded to a particularly annoying post on slashdot regarding Windows and the fact that before Vista, the default user created was always an administrator. You can read the comment I was responding to here. Below is my response.

I know it's hard sometimes, but please try and actually read the post you're responding to before ranting:

Once a program is running, it can do anything, up to the limits of what you yourself can do on the computer.

As far as Windows being the only OS where the user is admin by default, you're correct. Of all modern desktop operating systems, Windows XP is the only one to make the first user admin by default. But did you ever ask yourself why?

You claim it's a simple matter of "twenty years of fraudulent marketing bullshit trying to claim it wasn't a problem". Find me a single example of this. You can't, because you just made it up.

The fact of the matter is that Windows has a very long history on the desktop, and for a large percentage of that history they haven't even had memory isolation or a permissions system. (Read: Win X.XX, Win 9x, Win ME.) In Microsoft's defense, the Internet took them a bit by surprise. Until the Internet, desktop security wasn't an issue for anybody except businesses, and that's why they used NT.

Over those years many, many, many applications were written for those flavors of Windows. These applications all assumed they were running as admin, and for good reason... they were! It wasn't until just 5 years ago that Microsoft finally made the push to get consumers on to the NT kernel, with all its nice security features and the new world of multiple users with varying permissions. Uh oh. Therein lies the problem. Microsoft couldn't simply make users non-admin by default because now almost all existing desktop applications, the very thing people buy Windows for in the first place, would break.

So Microsoft had to make a hard choice... break all existing applications and go out of business, or have the users run as admin by default. Tough choice.

Admittedly, Microsoft should have done a MUCH better job over the past 5 years to get people to develop Windows applications the correct way. Aside from their "Logo Certification", they've done almost nothing.

Vista's UAC is a huge step forward for Windows, and it solves a very difficult technical problem that is absolutely unique to Windows: a massive legacy software library dating back 20+ years that *must* run flawlessly on every new version of Windows. Microsoft does not have the luxury of breaking every existing application like Apple does (thanks to their extremely small, yet insanely loyal user base), nor do they have the pleasure of having a software library written with multi-user systems in mind from the get-go, like Unix/Linux.

Clearly this isn't as simple as Microsoft being "fraudulent", nor is it "marketing bullshit", and they certainly have never claimed it wasn't a problem.


General Computing