Linux vs Windows, obscure security features (was: Quarantining an account...)

Benjamin Scott dragonhawk at gmail.com
Tue Aug 17 17:01:50 EDT 2010


On Tue, Aug 17, 2010 at 2:31 PM, Bill Sconce <sconce at in-spec-inc.com> wrote:
> (*)  Sorry, Windows users. The tools you need just aren't
>     available on Windows.

  Windows NT certainly has user accounts.  Always has, since the first
version (Version 3.0).  (NT is today called "Windows 7", and has also
been called "Vista", "XP", and "2000".)  (It's still Microsoft; they
love playing name games.)

  Vista also introduces a number of features along the lines of
privilege isolation.

  One I find particularly interesting is "Integrity Levels" (also
called "Mandatory Integrity Control" (again, still Microsoft)).  For
example, you can assign an ACL to your web browser binary which results
in that process having reduced access to other things, such as your
user files.  So in addition to having user accounts, you can actually
get into fine-grained controls below the user level.  Vaguely similar
to SELinux.

  Vista also uses multiple "desktops" for privilege separation.  Those
poorly-implemented "User Account Control" dialogs actually appear on a
separate desktop and are overlaid with the user desktop (in theory, to
prevent malware from attacking them directly).  Vista also supports
running simultaneous virtual desktops in support of multiple user
sessions ("Fast User Switching", in Microsoft parlance).

  And unlike your stuff, the above is all in wide use today, even by
"grandma".  (How well it works is another matter, of course.  Too many
users act like they *want* to install malware.  Including "grandma",
as you note.)

  Before you go throwing around FUD, you might want to check your
facts.  If you go into a vendor-neutral or pro-Microsoft environment
saying things like that, you're going to get ripped to shreds by the
Microsofties, and rightly so.

-- Ben
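
The integrity-level idea from the message above, as an added example that is not part of the original post: a small Python model that reads the mandatory-label ACE from an SDDL string and applies the "no write up" check. The SDDL strings are constructed samples, the function names are hypothetical, and the process-level rule is a simplified model of Windows behaviour.

```python
import re

# Well-known mandatory-label SIDs: SDDL alias -> RID of S-1-16-<RID>
LEVELS = {"LW": 4096, "ME": 8192, "HI": 12288, "SI": 16384}
# Access kind -> policy flag that blocks it from a lower-integrity process
POLICY = {"write": "NW", "read": "NR", "execute": "NX"}
DEFAULT_LABEL = (LEVELS["ME"], {"NW"})  # unlabeled object: medium, no-write-up
# ACE layout: (type;flags;rights;object_guid;inherit_guid;sid)
ML_ACE = re.compile(r"\(ML;[^;]*;([A-Z]*);[^;]*;[^;]*;([^)]+)\)")

def parse_label(sddl):
    """Return (rid, policy_flags) for the explicit label ACE, or None."""
    m = ML_ACE.search(sddl)
    if m is None:
        return None
    rights, sid = m.groups()
    flags = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    if not flags <= set(POLICY.values()):
        raise ValueError(f"unexpected label rights: {rights!r}")
    if sid in LEVELS:
        return LEVELS[sid], flags
    if sid.startswith("S-1-16-"):
        return int(sid.rsplit("-", 1)[1]), flags
    raise ValueError(f"not an integrity SID: {sid!r}")

def process_level(token_rid, exe_sddl):
    """Simplified model: an explicit label on the image can only lower the level."""
    label = parse_label(exe_sddl)
    return token_rid if label is None else min(token_rid, label[0])

def mic_allows(proc_rid, obj_sddl, access):
    """Integrity check only; the object's DACL is still evaluated separately."""
    rid, flags = parse_label(obj_sddl) or DEFAULT_LABEL
    return proc_rid >= rid or POLICY[access] not in flags

# Constructed SDDL strings, not taken from a real system
BROWSER_EXE = "O:BAG:SYD:(A;;FA;;;BA)S:(ML;;NW;;;LW)"
USER_DOC = "O:BAG:SYD:(A;;FA;;;BA)"             # no label ACE
LOW_CACHE = "D:(A;;FA;;;BA)S:(ML;;NW;;;S-1-16-4096)"

if __name__ == "__main__":
    browser = process_level(LEVELS["ME"], BROWSER_EXE)
    for name, sddl in (("user doc", USER_DOC), ("low cache", LOW_CACHE)):
        for access in POLICY:
            print(browser, name, access, mic_allows(browser, sddl, access))
```

A process started from the low-labeled binary by a medium-integrity user can still read the unlabeled document but cannot write to it, which is the below-the-user-level restriction the message describes.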



More information about the gnhlug-discuss mailing list