Linux vs Windows, obscure security features (was: Quarantining an account...)

Benjamin Scott dragonhawk at gmail.com
Thu Aug 19 00:23:26 EDT 2010


On Tue, Aug 17, 2010 at 9:46 PM, Bill Sconce <sconce at in-spec-inc.com> wrote:
>  "The tools to make user-privilege separation usable day to day,
>  e.g., the ability to run programs with/without the net and to
>  switch among working environments/desktops/user accounts with
>  a single keypress, and so on just aren't available on Windows."
>
> Or perhaps Windows users can do these things ...

  Well, you can definitely run different programs in different user
contexts on the same desktop.  The "RUNAS" command (introduced in Win
2000) is more-or-less equivalent to su(1) from *nix.  I use it just
about every day at $WORK (or should that be %WORK%, since we're mostly
a doze shop?).

  There's no native equivalent to sudo(8), but there's a freeware
third-party tool that does it.

  "Fast User Switching" lets you run multiple simultaneous separate
desktops under different user accounts.  It was introduced with XP,
but didn't work if you were on a Windows domain, which made it rather
useless for most organizations.  Vista fixed that.

> I've never seen ACLs used, including in the largest/most
> professional Windows shop I've worked in, 4000+ desktops.

  I find that sufficiently hard to believe that I suspect we have a
semantic discontinuity.  I mean, even if we dismiss the default ACLs
as "doesn't count", you're telling me a 4000 person company had all
files on all their file servers accessible to everyone?  Payroll,
personnel, the boss's stuff, everything?

> I've never seen a Vista system at all.

  Keep in mind that XP was released in 2001.  Its contemporaries are
OpenOffice 1.0 and Red Hat Linux 7.x.  This was before Firefox or
Fedora or Ubuntu even existed.  We're talking about a nine year old
major release.  While I'm far from a fan of Vista/Win7, even I have to
admit that's a very long time in computer years.

  It's certainly your right to refuse to look at anything new from
Microsoft, but if so, you shouldn't be making sweeping pronouncements
about what Microsoft's stuff can and can't do.

> All Vista shops could be doing security right and I wouldn't know.

  Vista certainly does not equate to automatically "doing security
right".  The biggest problem in computer security is people.  Most
home/SOHO users are their own worst enemy.  Most of them don't really
"get" why they should care about security.  Most don't understand the
concepts even if they do care.  People are far too eager to install
whatever software they stumble across on the net, or to believe what
an email tells them.  Vista can't protect against an admin without a
clue, any more than Linux can.  "Security is a process, not a
product."  Blah blah blah, the usual sermon.

  With that understood: Vista did introduce a large number of
significant improvements.  (And a number of problems, too.  It sure
ain't all roses and sunshine.  But we're talking security features.)

  I mentioned "Mandatory Integrity Control" previously.  That is
heading towards what I think the future of computer security really
has to be.  Whether we call it "capabilities" or "integrity levels" or
"security contexts", we need fine-grained controls.  Maintaining a
different user account for every program is simply not practical.
Instead, we need fine-grained controls which allow and deny specific
things to specific programs.  This is what SELinux can do.  This also
begins to appear in Vista, although it's woefully incomplete.  Vista
allows one to mark certain programs (such as Internet Explorer or
Adobe Reader) as less trusted.  User files are marked as more trusted.
A less trusted program cannot write/modify a more trusted file.  MSIE
does this by default; executables downloaded via MSIE also get marked
as less trusted.  However, less trusted programs can still *read* more
trusted files.  There's no way to implement read restrictions (to
protect confidentiality), even going beyond the defaults.  I see this
as Microsoft missing an obvious opportunity.  As usual, they don't get
it right on the first try.

  The Vista firewall is also much more capable.  By default, it
permits all outbound traffic, but that can be changed.  Go into the
Group Policy Editor and change the default Outbound policy from
"Allow" to "Block", and then select the programs you want to be able
to use the Internet.  You've got what you asked for -- Adobe Reader
can't touch the 'net.  (At least, in theory.  I admit I haven't tried
this.)  You don't even need another user account.

  Finally, it's worth noting explicitly that I'm not a fan of Windows
or Microsoft.  But they see significant use in the real world, so I
make it my business to know their stuff.  I am a professional; I am
paid to do what's best for the customer, not what best tickles my
sense of aesthetics.  I'm not advocating Vista/Win7 as a "better"
solution than $any_other_thing here.

  But I detest FUD, even if it's FUD in support of a cause I favor.
Repeatedly invoking "Sorry, Windows users. The tools you need just
aren't available on Windows." isn't anything but a smear campaign.  I
decry Microsoft when they engage in such tactics.  It's not Microsoft
using them that makes the tactics wrong; it's Microsoft's use of such
tactics that makes Microsoft wrong.  Don't stoop to their level, Bill.

-- Ben
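The outbound default-deny setup described in the message ("change the default Outbound policy from Allow to Block, then select the programs you want to be able to use the Internet"), written out as an added example; this is not code from the original post or from Microsoft. It uses the netsh advfirewall interface that Vista shipped with, so it applies to the release under discussion; the Firefox path and the rule name are assumptions for illustration, and the script must be run from an elevated PowerShell prompt. It also turns on logging of dropped connections, which is how you find out which program the new policy is silently blocking.

```powershell
# Added example, not part of the original message.
# Puts Windows Firewall with Advanced Security into block-by-default outbound
# mode and allows exactly one program through, then checks the result.

$Program  = 'C:\Program Files\Mozilla Firefox\firefox.exe'   # assumed path
$RuleName = 'Allow outbound - Firefox'                         # assumed name

function Set-DefaultOutboundBlock {
    # Inbound stays blocked (already the default); outbound becomes
    # block-by-default on all three profiles (domain, private, public).
    netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound | Out-Null
    # Log dropped connections so a newly broken program can be identified
    # instead of guessed at (default log: %systemroot%\system32\LogFiles\Firewall\pfirewall.log).
    netsh advfirewall set allprofiles logging droppedconnections enable | Out-Null
}

function Add-OutboundAllowRule {
    param([string]$Name, [string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Program not found: $Path"
    }
    # Per-program allow rule. It matches on the executable path, so it applies
    # in every user session; no separate account is needed, as the message says.
    netsh advfirewall firewall add rule name="$Name" dir=out action=allow `
        program="$Path" enable=yes profile=any | Out-Null
}

function Get-OutboundPolicy {
    # Returns the per-profile "Firewall Policy" lines so the change can be verified.
    netsh advfirewall show allprofiles |
        Select-String -Pattern 'Profile Settings|Firewall Policy'
}

function Test-OutboundAllowRule {
    param([string]$Name)
    # True when the named rule exists, is enabled, and is an outbound rule.
    $out = netsh advfirewall firewall show rule name="$Name" 2>&1
    $enabled  = [bool]($out | Select-String -Pattern 'Enabled:\s+Yes')
    $outbound = [bool]($out | Select-String -Pattern 'Direction:\s+Out')
    return ($enabled -and $outbound)
}

function Reset-OutboundDefaults {
    param([string]$Name)
    # Roll back: restore allow-by-default outbound and remove the program rule.
    netsh advfirewall firewall delete rule name="$Name" | Out-Null
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
}

# Apply and verify.
Set-DefaultOutboundBlock
Add-OutboundAllowRule -Name $RuleName -Path $Program
Get-OutboundPolicy
if (Test-OutboundAllowRule -Name $RuleName) {
    "Rule '$RuleName' is active; everything else outbound is now blocked."
}
# To undo:  Reset-OutboundDefaults -Name $RuleName
```

Two things to check after applying this. First, the built-in "Core Networking" outbound rules (DNS, DHCP and friends) must stay enabled, or name resolution stops for every program including the one you allowed; `netsh advfirewall firewall show rule name=all dir=out` lists them. Second, the Group Policy route the message describes sets the same policy objects, with the advantage that the setting is pushed to every domain-joined machine and cannot be flipped back by a local administrator. On Windows 8 / Server 2012 and later the NetSecurity cmdlets (`Set-NetFirewallProfile -DefaultOutboundAction Block` and `New-NetFirewallRule -Direction Outbound -Program ... -Action Allow`) do the same job as the netsh calls above.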
