With all the visibility on the security holes in Microsoft’s products, one underlying problem seems to always get missed in the discussions. I still believe that it’s possible to have a fully secure system running all Microsoft products. That’s a bold statement coming from me today because I heard the most amazing story.
Chad, one of my best developers, hadn’t turned on his computer at home for a few weeks as he was doing some remodeling. So, he turns on the computer intending to go immediately to Windows Update and apply the latest patches. But… the RPC faeries were lying in wait for him. No problem, stop the RPC service. Hmmm, no stop button. Aha, take it off the network. Hmmm, hard to get updates like that. I think I may finally be able to convince him of the wonders of a hardware based firewall 😉
OK, so the RPC vulnerability was just nasty, and that was the first time. But most of these vulnerabilities are happening on client workstations. The vulnerabilities are in Outlook, IE, Office or the APIs these programs depend on. I am writing this blog on my Linux computer, and I have an update service for that system as well. I get patches almost every week, not a surprise since my distro has both the OS and hundreds of software packages included. But it doesn’t matter very much. Even though I could run as root, I, like most good Linux users, run as a normal user for almost everything. For those things I can’t do as a normal user, I simply run that one thing in the context of the root user. So, if my Mozilla got nailed by a malicious page, it would barely matter. I don’t have rights to anything other than what’s in my personal directories.
Windows can do the same thing. When I mentioned this to an MS security expert at a Windows event, she nodded her head and gave me a list of different ways to accomplish the same thing. RunAs. Shortcuts that prompt for credentials. Services running as low privileged users. Sounds perfect except for one problem. Almost no programs actually run on Windows unless they have local admin rights.
Honestly, I have been able to get some of our more vanilla workstations running as a non-privileged user. These workstations have mostly just MS software installed, and IE and Office XP Pro all work just fine as a “normal user”. But that’s about it. Most of our canned applications will not run correctly unless they are run as local admin. We have worked our way through some of the problems with heavy use of the Winternals tools like filemon, regmon and netmon to try and figure out just what the heck these programs need. The sad truth is that most of them seem to need nearly full rights to the Windows system folders and lots of registry settings. So if I make them runnable, I have pretty much opened up the computer to everything a local admin could do. Then there is the massive amount of time it takes to track down all of the settings that need to be changed, and for that MS could really help by having better tools to report on failed permissions. Just what is the failed object access auditing supposed to do anyway?
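A modern counterpart to the filemon/regmon hunt, as an added example that is not part of the original post: with failure auditing enabled and a SACL on the application folder, this PowerShell script summarises the Security log’s failed object-access events (event 4656) by process, object and access mask, so the permissions a program actually needs can be read off a list instead of hunted for. It assumes Windows Vista/2008 or later tooling (auditpol.exe, Get-WinEvent), an elevated session, and placeholder values for $AppFolder and $Principal.

```powershell
# Added example, not from the original post. Assumes a modern Windows host
# (auditpol.exe and Get-WinEvent need Vista/2008 or later) and an elevated
# PowerShell session; $AppFolder and $Principal are placeholders to adjust.
$AppFolder = 'C:\Program Files\ExampleApp'   # hypothetical application folder
$Principal = 'BUILTIN\Users'                 # the non-admin group under test

# 1. Turn on failure auditing for file and registry object access.
auditpol.exe /set /subcategory:"File System" /failure:enable | Out-Null
auditpol.exe /set /subcategory:"Registry"    /failure:enable | Out-Null

# 2. Attach a SACL so failed Modify attempts by $Principal on the app folder
#    (and everything below it) produce Security log event 4656.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList $Principal, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Failure'
$acl = Get-Acl -Path $AppFolder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $AppFolder -AclObject $acl

# 3. Run the application as the normal user, then summarise what was refused:
#    one row per process/object/access mask, most frequent first.
function Get-FailedObjectAccess {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656; StartTime = $Since } |
        Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' } |
        ForEach-Object {
            # EventData fields (ObjectName, ProcessName, ...) live in the event XML.
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data |
                ForEach-Object { $d[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process    = $d.ProcessName
                Object     = $d.ObjectName
                AccessMask = $d.AccessMask
            }
        } |
        Group-Object Process, Object, AccessMask |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Process';    e = { $_.Group[0].Process } },
            @{ n = 'Object';     e = { $_.Group[0].Object } },
            @{ n = 'AccessMask'; e = { $_.Group[0].AccessMask } }
}

Get-FailedObjectAccess | Format-Table -AutoSize
```

Registry keys need their own SACL (Get-Acl -Audit on an HKLM: path with a RegistryAuditRule) before registry refusals show up in the same list.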
The biggest problem with all this is that the company everybody is pointing at isn’t the one that needs to make the fix. There is a whole generation of software, and the developers that created the software, that pretty much expects users to have full access to their computers. The Windows 95 single user model still rules. Developers barely understand what their installers actually do. Developers rely on components, with their own installers, that they also don’t understand. And then there is the “if it ain’t broke, don’t fix it” attitude, which these days translates to “your computer is broke and is now trying to break mine.”
Everyone has to take a really deep breath and say, “it’s broke, fix it.” With that, hopefully a lot of these security holes could be in the deep dark history they deserve to be in.