[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: WinXP registry security



Dan Fleischer <dan.fleischer@banktr.com> wrote:
> I have a question re: windows xp registry security best
> practices.
> For background we're running:
> 1. samba-ldap backend
> 2. everyone runs with user or power user rights as needed
> by their job's software requirements

This in itself is an excellent achivement.  Yes, "Power User"
gives all sorts of rights users shouldn't have, but without
it, 90% of Windows software today wouldn't run (not even
looking at the ones that require "Administrator").

> 3. OpenOffice installed on all PC's, MS Office installed
> only where required for 3rd party compatibility
> Here's the scenario:
> At the request of one of our departments I've installed
> some trial software on one of our PC's running WinXP fully
> patched.  It is a stand-alone application which never
accesses
> network resources except for printing and package updates.
> The software required the installation of a Microsoft
> Access 2000 runtime and the .net framework as well.

Danger Will Robinson!

I've had my fill of MS Access-based solutions and they are
almost entirely _crap_.  If a vendor cannot provide a _good_
design with at least MSDE (which has its own issues) or MS
SQL (let alone a _real_ "enterprise" SQL), then you're
getting some _kludge_ software that _will_ be a _nightmare_
to administer.

> The most disturbing aspect of this process was that I had
> to give this individual 'Full Control' permissions on the
> software's keys in the registry which are actually in
> HK_LOCAL_MACHINE\SOFTWARE\...

You're lucky it's not any worse.  Most vertical application
software in the MS Access 8.0 (97) days _required_ you to
give "Administrative" level system-wide.  But yes, most
vertical apps based on MS Access 9.0 (2000) have steep system
access requirements.

I would make it a point to the vendor that they need to
develop a _corporate-ready_ piece of software, and not such a
kludge.  I was at a small company and fought left and right
to spend 60% more on a _real_ ERP software package, and lost
because the alleged Access-based solution was "cheaper."  We
ended up spending a lot of time fixing and dealing with other
solutions, let alone add-ons, that ended up costing 200%
more.

> This is not the way I was raised.  I thought that non-admin
> windows users should never have access to anything outside
> HKLM\CURRENT_USER .

Welcome to the world of kludgy MS Access-based solutions.

> Any comments?  Can anyone cite security papers on the
> topic?

Forget even security, you're going to be fixing the tables
and DBs regularly -- let alone have other support issues.


-- 
Bryan J. Smith     Professional, Technical Annoyance                      b.j.smith@ieee.org      http://thebs413.blogspot.com
----------------------------------------------------
*** Speed doesn't kill, difference in speed does ***

-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.