Winstep

Software Technologies


 Winstep Forums


Print view
Board index : Winstep Forums : Articles  [ 1 post ]
Author Message
 Post subject: Windows Vista 32bit: Security Rants (PART 5)
PostPosted: Fri Feb 15, 2008 8:49 pm 
Offline
Site Admin
Site Admin
User avatar

Joined: Thu Feb 26, 2004 8:30 pm
Posts: 11930
Vista Security Rants

Vista is supposed to be a more secure Operating System, and one way it accomplishes this is by enforcing the security rules defined by Microsoft - shoving them down the user's throat whether he likes it or not.

This is why you get the UAC prompt whenever you want to run software that requires Admin privileges to perform some function. Now, annoying as it is, the UAC is still a pretty simple affair: you either allow the application to proceed or not. The REAL problem only becomes evident after you've used Vista for a while.

You see, the user, because he is no longer running as an all powerful administrator, is also no longer comfortably isolated from the security aspects of the OS. And understanding security in Vista is a REAL nightmare, even for technical people! You have users, group policies, permission rights, privileges, security descriptors, ACLs, DACLs, you name it!

Let me give you an example: you install Vista on your brand new PC and connect it to your Home LAN. You then want to share your C: drive with the rest of the network... ooops, except Vista won't let you. You get Access Denied errors left and right, and, even if you manage to figure that one out (you have to add the 'Everyone' permission to that folder), you still cannot share the root of a drive. In truth you can, but have a look HERE at all the steps that must be taken in order to accomplish this! Scary, isn't it?

Let me give you another example of how completely screwed up Vista's relationship with the user is (in relation to security): you download an executable file from the Internet (which you know is perfectly safe) and double click to run it. First you get a 'The Publisher could not be verified. Are you sure you want to run this software?' prompt. You click ok. Then you get the familiar UAC prompt: 'An unidentified Program wants to access you computer'. You click allow and the program runs.

But wait a minute, isn't that one too many prompts? Well, at least the first prompt had a 'Do not ask again for this program' checkbox. So you run the application again and this time you make sure the box is selected. Fine. Think that is the end of the story? No, next time you try to run the application, you still get the two prompts!!! But didn't you check that 'Do not ask again' box? Yes, you did. And you can click on it until you are blue in the face, Vista will pretend to accept your choice and then proceed to ignore it. You can even right click on the executable, select Properties and then click on the 'Unblock' button on the General tab. Same result, your own computer is ignoring you! How annoying is that?!

It doesn't even bother telling you that you can't do that, much less why and what you need to do in order to solve the problem.

The solution is to run something called gpedit.msc from the Run prompt. GpEdit.msc is the Group Policy Editor. So, you

Run gpedit.msc

Go to User Configuration > Administrative Templates > Windows Components > Attachment Manager

and add "*.exe" to the "Inclusion list for moderate risk file types" setting.

Simple, isn't it? Not! Well, maybe if you already knew the answer.

But now get this: Neither Windows Vista Home Basic nor Home Premium (the later probably the most used Vista version) have a Group Policy Editor!!! Yes, Microsoft crippled the OS in order to get you to pay more for the Ultimate and Business versions - and I say crippled because even XP has a Group Policy Editor!

Not to mention that this is Microsoft's way to try and force developers to digitally sign their applications, because signed applications do NOT generate the above prompt. Think it's in the user's best interest? Think again. Digital Signatures cost money (from $200 to $700 a year) and are only valid for a period of time, which means the developer is from then on effectively paying 'rent' to Microsoft.

So, what is the solution if you are running Home Basic or Home Premium? Well, I'm sure there must be a Registry entry you can set somewhere, but I don't know which one it is. The solution I found was to temporarily move the file to a hard disk/partition with a FAT32 file system and then back again. This works because the flag that marks the file as having been downloaded from the Internet is stored in a NTFS extended attribute. When you move the file to a FAT32 partition this attribute is lost.

Now, the above is just a couple of examples... And I'm not even going to refer to what an incredible nightmare security in Windows Vista is from a developer's perspective! I must have spent the most frustrating 12 hours of my life trying to figure out what ACLs, DACLs, etc, are and how they work when I was trying to get the new WsxService to communicate with Winstep Xtreme via a Memory Mapped File. Documentation is simply appalling to non-existent, as usual...! :cry:

(END OF PART 5)

_________________
Jorge Coelho
Winstep Xtreme - Xtreme Power!
http://www.winstep.net - Winstep Software Technologies


Back to top
 Profile WWW 
 
Post new topic Reply to topic Board index : Winstep Forums : Articles  [ 1 post ]
Display posts from previous:  Sort by  

Who is online

Users browsing this forum: No registered users and 14 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron