A recent spate of virus-ridden computers has left me feeling philosophical about the state of desktop management. Fortunately for me, these computers were not part of my corporate network, instead they were personal computers or servers maintained by other systems administrators. The cases come from all over. Family, friends, …
Users are the weak link in the security chain? I would not have guessed.
I'm sure it's a very insightful article, but it's a rehash of the past 20 years of industry experience. Granted I was only 6 years old 20 years ago, but by 12 (first time I'd encountered networked computers) I could tell you that ultimately, users are stupid and will cause you problems.
@The Original Ash
Oh come on now...
...I just got that sarcasm meter replaced.
XP thrives on herpes...
The articles killer point is that now, there is no OS that gets ignored when it comes to anti MW. All are equal. The days of saying buy a Mac or use Linux have actually been redundant for a while.
The final point about XP says it all really. Why anyone bothers even sticking up for the this POS is beyond me. Vista never gave me half the headaches that XP ever did. I Often wonder as to how much XP fanbois have really been thrashed by it to still like it so much...
I think a lot of people might be surprised how easy it is to run with least-privilege on XP. Undeniably there are apps galore available for XP that rely on the user being Admin, but there are very few that are irreplaceable, and still a good chunk of the remainder can be brought into line with a couple of crafty hacks easily found via a quick google.
MSOffice 97 is a case in point. Hardly surprising that Win9x-era software, even from MS, doesn't play well with non-admin, but after loosening a few file and registry perms on first-run, then re-tightening afterwards, problem solved.
Note I'm not denying 7 and Vista are streets ahead, especially on the sheer usability of the way they handle elevation, but XP *can* be made just as secure with only the same level of commitment as most of the suggestions in the article.
Your statement: "there are apps galore available for XP that rely on the user being Admin, but there are very few that are irreplaceable” is false.
This may be true with home systems, or even a business that does little more than MS Office and Quicken. For the rest of the business world, this is flat out false. In my case alone, on 7 different networks there are 12 applications I can not replace that /require/ administrative privs to run. On Windows XP, or Windows 7. Fortunately, on Windows 7, I can run the applications in an elevated privilege mode without running the entire user context as one. This is simply not possible in Windows XP.
I'll be honest with you: the company that provides me with my day job is investing a lot of money right now working with developers to create replacements for 4 of these 12 applications. The others, insofar as I know, simply have no sponsors or developers trying to replace them. I would like to say my experience is unique, that I am simply working with "cheap bastards" or that the company "isn't stumping up for the replacement software," but the reality is that these applications have no replacements.
Talking with fellow systems administrators at enterprises and educational facilities all over the globe I hear the same story repeated over and over. There are seminars held on this fact; books galore have been written and sold.
Your statement is so dismissive and false that to those of us who have to deal with these applications and their associate problems every single day this statement is simply offensive. I would place it next to statements like “well, just use Linux; there’s an open source application for /anything/ you want to do, and they are /all/ better than the closed-source ones.”
How do you even respond to something like that? You would think that after decades of it, I would be immune, but each and every time I read something like this I am absolutely floored. Flaberghasted. Shocked to my very core. Is this trolling? Are these statements made by people trying to get the goat of real folks who have to work with this stuff? Are the statements made from a lack of knowledge, or simply a very narrow worldview?
With the open source folks, I can at least write off their statements as a sort of fanaticism based on their philosophical belief in the rightness and purity of open source. When you want something to be true bad enough, and you believe in your cause...I can understand how it is possible to tune out the bits of reality you don’t want to see or hear. As a systems administrator and a massive nerd I can even understand why they believe what they believe. There is a not insignificant part of me that wants all applications to have open source variants...good open source variants that are stable, usable and truly competitive with what’s out there. Hell, I’d even settle for “can do all the things required to get the job done.” In the real world though, there aren’t open source variants of 90% of bespoke or industry specific software.
So this is where your statement runs me against a wall. We’re talking about Windows here. I can’t see how there can be fanaticism, or a desire to believe something so hard that you are blinded to the truth. There is an absolutely incomprehensible amount of software is so badly written that it absolutely does require being run with elevated privileges. Companies all over the world are utterly dependant on them. So I have to ask you this honestly, and I hope you give an honest answer: Were you trolling sir? Because if you were then I would like to give you an internet award for it; your statement hurt my mind.
If you weren’t, then please, I would very much so love to see some (any) form of proof to back it up. If for no other reason…
…than that I want to believe.
Sorry, missed a bit
I forgot to put "...in my experience" or words to that effect. I voiced my opinion on the Internet about something I'm not a leading authority on - sorry if it inflames you so but, jeez man, people do it all the time.
You certainly have a point as I mercifully have never encountered any bespoke (apart from my own) or industry-specific (unless you count Sage, which is soon to have to be dealt with - any advice?) applications to speak of. However, you know what? Neither do most other people who use computers every day (in my purely experience-based opinion). A hell of a lot of people, who perhaps you don't encounter much in your work by its very nature, get through their working (and personal, let's not forget) life with an eclectic but relatively modest stack of apps.
I'm not saying I'm right and you're wrong - I'd certainly have worded my post more carefully in hindsight - but without knowing exactly what you actually do, I ask you: is it not possible that your perspective on this is a wee bit skewed too?
Well, as to what I “do,” I actually made a post about that to another commenter here:
http://forums.theregister.co.uk/post/776699 . My apologies for not rewriting the information in this comment, but it will be of sufficient length as it is.
As to what trigged my comment…your “opinion” was expressed not as an opinion, but as though it was solid, irrefutable, undeniable FACT. Two statements in particular that, if taken seriously, could lead junior systems administrators to make critical mistakes.
“Fact” number 1: “Undeniably there are apps galore available for XP that rely on the user being Admin, but there are very few that are irreplaceable, and still a good chunk of the remainder can be brought into line with a couple of crafty hacks easily found via a quick google.”
“Fact” number 2: “XP *can* be made just as secure with only the same level of commitment as most of the suggestions in the article.”
These are statements that aren’t merely opinion. They can be verified. You can measure it, test it, there are quantative and qualitative ways to determine the validity of these statements.
I will address “Fact” number 2. It is false. When I say this statement is false, I am not going to claim to be expressing an opinion. I state outright that it is a provable fact that Windows XP can not be made as secure as Windows 7. (The sole exception being if you were to remove both the power supply and network card from the computer.)
If you do not believe I have the relevant experience to make that claim, I would respectfully point you at the many and varied security companies around the world. There are whitepapers galore, as well as scientific papers published in IT security and cryptographic journals. NT6 is simply more secure than NT5. In fact, configured properly, (and if you stay the hell away from IE,) then NT6 compares favourably with both Linux and OSX for security.
If you choose to disbelieve the scientific evidence available to you, then I would strongly recommend you read this article http://arstechnica.com/science/news/2010/05/when-science-clashes-with-belief-make-science-impotent.ars at Ars Technica on the topic of Scientific Impotence. Even if you do believe the evidence, read the article anyway. It is both a completely excellent article, and relevant to the conversation.
Please don’t get me wrong; I am not a Windows 7 evangelist. In fact, I hate the blessed thing. I find the interface unbelievably irritating; like the ribbon bar, I prefer things “the way they were.” I resist the idea of “change for the sake of change (or new for the sake of new.)” I require a strong business case before I alter my ways. That said, there are an increasing number of reasons to upgrade to Windows 7, enough that unfortunately this year even I have to make the jump on my networks.
You have your personal experience with Bespoke and Industry-Specific Software (BISS), I of course cannot speak to that. If you have not had to deal with them much, then in my opinion, you are an exceptionally lucking individual.
As to “Fact” number 1, I must also claim it to be false. Given that I have not the resources to perform proper scientific studies with appropriate employed staticians, I must rely on the information provided me by those systems administrators with whom I maintain contact. While I recognise that my polling methodology is not completely randomised, (like individuals do have a tendency to congregate,) I have taken the time to collect my information such that I am comfortable relying on it, despite the partial lack of scientific rigour.
Here is the information on the BISS poll I conducted informally amongst the groups of systems administrators which whom I maintain contact. (This poll was conducted ten days ago as part of the research I did before writing this article.)
Group of sysadmins polled:
312 unique systems administrators responded to my inquiries.
These administrators are responsible for 542 unique networks.
Network size varies from 2 nodes to an estimated 15,000 nodes.
Respondents represent 12 different countries*
Respondents represent a wide cross section of industries**
Results of poll:
Of 542 networks, 218 ran BISS.
316 unique BISS applications were identified.
292 were identified as requiring administrative privilege.
93 were under active redevelopment or upgrade.
53 were from developers that could no longer be contacted.
All 316 BISS apps were considered critical.
All 316 BISS apps had no known alternative application.
275 were considered a threat to network stability.
*There is a disproportionate weighting towards the following countries: The USA, Canada, Sweden. (These three countries represent 48% of respondents.)
**There is a disproportionate weighting towards the private sector. (83% of respondents.)
This poll was run informally; I maintain contact with individual primarily through IRC, e-mail and instant messaging networks. There is a bias towards small and medium enterprise systems administrators. To get a proper poll and more importantly a truly proper analysis of the information provided, you would need to have it run by someone like freeform dynamics. This poll was conducted merely as an information gathering exercise so that I would not feel like I was talking out of my ass when I was writing my article.
So sir, if my perspective is skewed; there is all the information I can present to you about exactly how skewed, and what factors are skewing it.
I apologise if you felt that I was attacking you personally...I have no reason to attack you personal as I don’t know you. I do however have reason to attempt to correct false statements like that, as the articles I write, (and the comments I leave in my articles sections) are written with the hope that the information, ideas and opinions provided will help other systems administrators build better networks.
Normally an opinion expressed would not matter much; it’s just an opinion. In this case however two factors combined to cause me to respond, (admittedly perhaps too harshly.) The first being that your statements were made as statements of irrefutable fact. The second being that if anyone took your advice, (Windows XP is as secure as Windows 7, you can replace almost any BISS application with newer alternative,) then based on all the information I can obtain on the topic those systems administrators would very likely be sacrificing either a great deal of time looking for a BISS replacement that statistically isn’t likely to exist, or compromising their network security believing that Windows 7 offers no security advantages over XP.
For the record, I don’t work for Microsoft, or a company that makes any money selling Microsoft products to others. I am a freelancer for El Reg, not a full blown regular. To my knowledge have received zero information from my contact there about treating any topic lightly, talking up any product, company or organisation. I haven’t even been yelled at yet for running around the comment section taking the piss out of everyone and everything I encounter. (Somethign which I have been doing for years around here.)
So there you have it; this is every stitch of information I have available on the topic; you, and anyone else reading this article and comments thread can make your own decisions.
And just in case you forgot, you really should read this:
Limited accounts and user chains (as in "metal")
I barely run any firewall or antivirus software, but always - ALWAYS - set up unprivileged accounts. Even in XP, because although XP doesn't have the nice feature of "hey, would you like to run this as root?", it does have "right click -> Run As Administrator", and if that doesn't work, switch user to "Administrator" for the operation and the log out and switch back to your user isn't THAT much of a pain.
So far, my own user got infected (I'm the last person expected to get a virus in my household, yet I was the one to get it :P), but my limited account prevented it from wreaking havoc. My antivirus didn't see it, even though it had the latest updates, and the virus had been on the system for quite a while). One day, the Russian website it was connecting to went down and the virus started hogging my CPU, and that's when I ran MBAM (AM in your article) and found the bitch (which was claiming to be svchost btw, and Windows happily verified its claims to be true).
Ever since I discovered the magic of limited accounts, and the magic of setting a password for the "Administrator" account (which doesn't show in the Welcome screen, and most users tend to leave unpassworded, mainly because they're unaware of its existence), I hadn't had to install Windows. It's been ages since I had to install Windows on my system, and it's happily running to this day. When it breaks, it's because I did something stupid, and I know what I did, rather than "surprise rape".
I also tried this technique on a dumb user's system. She's a school teacher. And she's old. Her machine would always succumb within a month of installation. Then, I created her a limited account, put a password on the admin account, I made her write it down and keep it in a safe place (so safe that she forgot where she put it, so I always kept a copy of the password), and her system has been up 6 years running (that's an estimate btw). I only get the occasional phone call when she gets a new printer or something like that, and the "tech guy" she gets to install it gets blocked by my setup. But that's it.
It's not that users shouldn't be allowed on the Internet. It's that users should be allowed on the Internet only after they've been chained nicely. They get to like their chains when their support bills drop because of said chains. They'll ask for heavier chains too, if they'll be safer as a result. Whip 'em? Sure, as long as their safety is guaranteed.
Admin or not?
"With XP, you are running as administrator or you are not."
You're wrong there. You can run in general as a non-admin and choose to run any installed application with admin rights via the right click menu.
Actually, you are technically correct. Though this doesn't work nearly as well in XP as it does in Windows 7. Under XP, if that application calls sub-apps to do something, then for some reason about half the time the sub apps get called in the restricted user context. It causes all sorts of bizarre behaviour that I just don’t see under 7.
I also find it eternally odd that with some applications I just don’t *get* the option to “run as” in XP. (I notice it more on XP64, but it still does occur on XP32.) I can for example run my games as whomever I choose, even some JAVA apps or Google earth. Evolution on the other hand stubbornly refuses to give such an option, no matter how many ways I try to make the shortcut. (I have more examples on either side, but you get the idea.)
Even if you are lucky enough that your applications will behave in the FrankenAdmin mode under XP, the bigger issue is that as far as I know this can't be built into the "shortcut" or in some other way setup such that Windows remembers this setting. If you think that you are going to get folks to use something as clunky as that, well...I really do wish you luck.
So for all intents and purposes, though can “technically” use “run as” in Windows XP, in practice I have found it to be so buggy and clumsy as to be utterly worthless. Thus you in essence are forced to run your applications under the context of the running user.
Your milage may vary, and I hope you never run into apps that require you to experiment with this on a practical level. :D