Re: WinXP registry security
Dan Fleischer <dan.fleischer@banktr.com> wrote:
> I have a question re: windows xp registry security best
> practices.
> For background we're running:
> 1. samba-ldap backend
> 2. everyone runs with user or power user rights as needed
> by their job's software requirements
This in itself is an excellent achievement. Yes, "Power User"
gives all sorts of rights users shouldn't have, but without
it, 90% of Windows software today wouldn't run (not even
looking at the ones that require "Administrator").
> 3. OpenOffice installed on all PC's, MS Office installed
> only where required for 3rd party compatibility
> Here's the scenario:
> At the request of one of our departments I've installed
> some trial software on one of our PC's running WinXP fully
> patched. It is a stand-alone application which never
> accesses network resources except for printing and package
> updates.
> The software required the installation of a Microsoft
> Access 2000 runtime and the .net framework as well.
Danger Will Robinson!
I've had my fill of MS Access-based solutions and they are
almost entirely _crap_. If a vendor cannot provide a _good_
design with at least MSDE (which has its own issues) or MS
SQL (let alone a _real_ "enterprise" SQL), then you're
getting some _kludge_ software that _will_ be a _nightmare_
to administer.
> The most disturbing aspect of this process was that I had
> to give this individual 'Full Control' permissions on the
> software's keys in the registry which are actually in
> HK_LOCAL_MACHINE\SOFTWARE\...
You're lucky it's not any worse. Most vertical application
software in the MS Access 8.0 (97) days _required_ you to
give "Administrative" level system-wide. But yes, most
vertical apps based on MS Access 9.0 (2000) have steep system
access requirements.
I would make it a point to the vendor that they need to
develop a _corporate-ready_ piece of software, and not such a
kludge. I was at a small company and fought left and right
to spend 60% more on a _real_ ERP software package, and lost
because the alleged Access-based solution was "cheaper." We
ended up spending a lot of time fixing and dealing with other
solutions, let alone add-ons, that ended up costing 200%
more.
> This is not the way I was raised. I thought that non-admin
> windows users should never have access to anything outside
> HKLM\CURRENT_USER .
Welcome to the world of kludgy MS Access-based solutions.
> Any comments? Can anyone cite security papers on the
> topic?
Forget even security, you're going to be fixing the tables
and DBs regularly -- let alone have other support issues.
--
Bryan J. Smith Professional, Technical Annoyance b.j.smith@ieee.org http://thebs413.blogspot.com
----------------------------------------------------
*** Speed doesn't kill, difference in speed does ***