Re: [Full-disclosure] [Fwd: Re: windows future]
- To: Peter Besenbruch <prb@xxxxxxxx>, "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] [Fwd: Re: windows future]
- From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
- Date: Fri, 28 Aug 2009 15:29:48 -0300
> On Friday 28 August 2009 03:39:14 Thor (Hammer of God) wrote:
> > If the entire argument is around the default escalation behavior being
> > "enter a password" (which they already know) vs clicking OK because you
> > assume entering the password is more of a deterrent, then OK, but the
> > premise of "the people I work with are too stupid to know the difference"
> > kind of takes away from that. And one should also note that in a domain
> > environment, the default behavior is indeed username and password. Just
> > thought I'd throw that in as well.
>
> It is entirely what the escalation behavior is. My objection to Vista is
> two-fold: Clicking OK instead of entering a password. As I have argued
> before, there really is a difference between clicking OK and entering a
> password.
Maybe I'm not saying it properly... (and I won't belabor the point anymore).
If you want a password instead of a click, then set it to "prompt for
credentials" rather than "prompt for consent" for *administrators*. But
understand that normal users ARE required to enter an administrator name and password
to execute escalated functions BY DEFAULT. Only if you are *already running as
admin* does the dialog come up by default, but that behavior is changeable too.
Just set everything to require username and password. Argument solved.
> That brings me to my second objection. Vista puts up more
> escalations than Ubuntu, further exacerbating that difference.
"Vista puts up more escalations than Ubuntu" is not a qualifiable statement. It
all depends on what you are doing. For me, I have to su just about everything
I do in Ubuntu, but that has nothing to do with Ubuntu - it has to do with what
I'm typically using Ubuntu for... I rarely have to escalate in Vista/Win7 as I
only escalate when I have to do administrative stuff on my box, which is rare
(loading software, changing fw rules, admin users, manage system, etc). If you
see more escalation requests on Vista, it's probably for the same reason --
you're doing stuff that requires admin all the time.
If so, (really doing all admin all the time) then turn the damned thing off -
that's what I do on servers (and is actually the default for the "real"
administrator account). I log on, do my business unfettered, and log off.
Simple.
> Your point about using a password to log into domains might be valid, but
> only in limited instances, as I would hope that the department that set up
> the domain would have its users not running as administrators.
Of course they aren't running as admin. That's the whole point. There's
nothing one has to do when users are not running as admin, they get the prompt
for admin username and password by default. It's not a "limited instance" it
is a "default instance."
>
> We basically agree on the main point: Separate user and administrator
> accounts are better. I wonder if Microsoft will start enforcing that?
The "wonder if MSFT will start enforcing that" is already answered - they do,
and HAVE been. Even with XP you could "run as administrator." I used to do it
all the time. I actually like the UAC in Vista/Win7 better as it gives seamless
admin capabilities while interactively logged on as a normal user.
Anyway, this dead horse is beaten enough...
T
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
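
An added example, not part of the original message: a PowerShell audit of the UAC elevation-prompt settings the message discusses ("prompt for credentials" vs "prompt for consent", the standard-user default, and the built-in Administrator account). The registry value names and their meanings are the documented Windows UAC policy values and do not appear in the message itself; the function name is hypothetical.

```powershell
# Added example: report how UAC elevation prompts are configured on this host.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin: prompt shown to administrators in Admin Approval Mode.
$AdminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
# ConsentPromptBehaviorUser: prompt shown to standard users.
$UserPrompt = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Resolve-Setting($Value, $Table) {
    # A missing value means no explicit policy is stored; the OS default applies.
    if ($null -eq $Value) { return 'Not set (OS default applies)' }
    $text = $Table[[int]$Value]
    if ($null -eq $text) { return "Unrecognized value $Value" }
    return $text
}

function Get-UacPromptPolicy {
    param([string]$Path = $UacKey)
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    [pscustomobject]@{
        UacEnabled           = ($p.EnableLUA -eq 1)
        # 0 or unset: the built-in Administrator account runs without prompts.
        BuiltInAdminPrompted = ($p.FilterAdministratorToken -eq 1)
        AdminPrompt          = Resolve-Setting $p.ConsentPromptBehaviorAdmin $AdminPrompt
        StandardUserPrompt   = Resolve-Setting $p.ConsentPromptBehaviorUser $UserPrompt
        # True only when administrators must type a password instead of clicking.
        AdminNeedsPassword   = (@(1, 3) -contains $p.ConsentPromptBehaviorAdmin)
    }
}

Get-UacPromptPolicy | Format-List

# To require a password from administrators as well (run elevated):
# Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 1 -Type DWord
```

In a domain, the same two prompt settings are normally managed through Group Policy under Security Options ("User Account Control: Behavior of the elevation prompt ...") rather than by writing the registry directly.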