IE version 1 .. and what was the threat model at that time? Folks on
9600 baud modems and the Melissa virus?
Any current Microsoft product with the XP logo has to run as LUA these days.
If there is software from MS in violation (especially anything new)
please nominate it to www.threatcode.com. Give specific examples.
You should see the logo requirements for Vista... I strongly predict that
admins/users will take time to get used to Vista's "non admin" dialog
boxes. It will annoy the heck out of them first.
2003 I only log into that box when I need to administer it as an
admin... say installing patches... it's got that Enhanced IE security
... I don't use that server OS ever in the same context as a "local
administrator". I log in with domain admin equivalent rights, do my
maintenance and log off. Otherwise users have appropriate rights on
that server (certainly not admin rights).
No...the vendor needs to code appropriately. This isn't 1998 and we're
running modern software.
The "it's too hard" excuse won't cut it anymore. Yell at the vendor... and I'm
not talking Microsoft here... google on LUA instructions (there's many
community resources starting out there) and most of the time... if I
don't tell the user in my office they don't have admin rights... they
don't know they don't have them anymore.
http://blogs.msdn.com/aaron_margosis/
Devin Ganger wrote:
At Friday, March 31, 2006 3:08 PM, Susan Bradley, CPA aka Ebitz - SBS
Rocks [MVP] wrote:
Is it IE that's insecure? Or how the workstations are setup in the
first place?
Both. I remember back to using IE version 1 and having to maintain web
developer desktops with multiple versions of IE and Netscape. IE/Windows
has always had more insecure defaults, more bugs and vulnerabilities,
and caused more problems than any of the other browsers.
In hindsight, Windows 2000/XP/2003 should never have been released while
effectively requiring users to be local admins on the box (and despite
what the official guidelines say, there are too many cases of even
Microsoft software assuming that you're local admin to hide the fact
that these platforms have NOT been designed with LUA in mind).
This problem bites the users of any browser, and adjusting current
versions of Windows to run LUA is difficult, frustrating, and expensive
in time. A lot of smaller companies just don't have the time or
knowledgeable resources to do it properly -- and the OS should be doing
it for them.
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com