Permission to Simplify
Complexity in Microsoft's software does little but hinder people from using
their good security features, and the current state of Windows file
permissions is a perfect example.
By Mark Burnett May 17 2005 07:13PM PT
http://www.securityfocus.com/columnists/326?ref=rss

I have a funny story. A while back I was showing my son the cool speech
recognition features in Microsoft Word. I got out my laptop, went through
the configuration and training process by dictating into the microphone.

My son, twelve, could barely hold back the laughter as he listened to me
read to my computer various excerpts from books such as the Wizard of Oz and
Aesop's fables. He was just waiting for the chance to make fun of me. What I
didn't realize was that the cheap microphone in my laptop is hardly
sufficient for speech recognition purposes and the results were disastrous.

This is what happened: I opened up a blank Word document and spoke into the
microphone. Microsoft Word did start entering text into the document, but it
was nothing like what I spoke. For example, I said "Testing speech
recognition" and MS Word typed "Resting white house Santa Ana."

Of course my son, who had already been struggling to hold back, suddenly
burst out laughing at the nonsense it produced. The microphone picked up his
laugh and interpreted it as the phrase "and the redneck score that many job I
can eat the body to be."

Naturally, this made us both laugh, which resulted in the phrase "Barter
dismay as boleslav bigoted and it might be what the public into." We laughed
more and then Word gave us even more to laugh at.

Microsoft is really good at producing software with amazing features that no
one ever uses. Microsoft Word is loaded with powerful editing tools and
robust customization features, yet I still use just the default toolbars,
and I still send faxes with "Elegant Fax" cover sheets. I write as part of
my profession yet I rarely use any features that aren't already available in
WordPad.
Windows permissions are kind of like that. The core security model certainly
is sufficient to comply with even the most demanding security policies. The
permissions are so flexible you are really only limited by your creativity.
The problem is that not enough people take advantage of these features.

Consider for example, some of the things you could potentially do:

    * You could remove certain file extension mappings for specific users by
denying them read access to the registry keys that contain the mappings;
    * With some applications that don't provide per user settings you can
sometimes accomplish the same thing with granular user permissions on the
registry keys themselves;
    * You can set access permissions on programs such as the command prompt
so that they are only available to certain users, and only if they are
logged in interactively at the console;
    * You can set permissions on much more than files and registry keys --
you can also set permissions on named and anonymous pipes, directory
objects, processes and threads, services, printers, network shares, and
kernel objects;
    * You can set one access control list for a folder, another for its
subfolders (even if they don't exist yet), and yet another for the files in
the folder (again even if they don't exist). That means you could have a
directory that allows executables but any new file in the directory is by
default denied execution.

You never really see people doing stuff like this, but the users aren't
entirely to blame.

Back when I was a software developer a friend told me that if my users make
common mistakes with my software then my software is probably broken. He
explained that software design greatly contributes to user mistakes. Some
designs set users up to make the same mistakes over and over. For example,
how many times have you sent an e-mail and forgot to send the attachment?

Windows permissions are powerful, but they set up users to make the same
mistakes over and over. The complexity and terminology alone are enough to
trip up even experienced users. Sure, once you master terms like ACLs, ACEs,
DACLs, SACLs, SIDs, RIDs, and SDDL, it gets a lot easier, but then you have
to think about things like inheritance, protected ACLs, trust, and
impersonation.

So it really should be no surprise how often I see systems with nothing more
than the default permission settings.

I'm not saying the complexity is bad. The complexity is the power. But you
have to ask yourself: if so many users fail to take advantage of these
features, maybe something is broken.

Humans actually deal quite well with complexity. Usually all it takes is a
good metaphor, visualization, or object model. Look at Windows Explorer -- a
file system can be complex, but few users have problems getting used to
Explorer's folder and document model. But once you start using terms like
Discretionary Access Control List, most of us tend to tune out.

You see, for most purposes people simply don't need added complexity. Many
systems have two roles -- users and admins. Therefore, most files will
either be user files or admin files. Most often, you will want users to have
limited access to files and admins to have full access. Windows tries to
simplify things with generic access permissions such as Read and Write, but
this obviously isn't enough.

The file permissions user interface in Explorer does little to hide the
complexity or to make it more understandable for users. Despite all of
Microsoft's research into user interface design, over the years little has
changed with the permissions dialog box. This is what bugs me the most about
that box:

    * It takes too many mouse clicks to do any advanced permissions editing
on a file or directory.
    * It is way too much work to do any significant permissions editing in
Explorer.
    * In the basic permission settings box, they tried to simplify things,
but checking one box sometimes automatically checks others. However,
unchecking it doesn't uncheck the others.
    * I always have to read twice the sentence, "Apply these permissions to
objects and/or containers within this container only."
    * The "This folder, subfolders and files" drop-down list takes way too
much thought.
    * There is a Clear All button, but how about a Select All button? Oh
wait, all you have to do is check the Full Control permission. Of course,
unchecking that box doesn't uncheck the others, hence the need for a Clear
All button.
    * In an attempt to make things consistent, they combined both file and
folder settings on the same box, but it's hard to see the relationship
between Traverse Folder and Execute File.
    * Microsoft added an Effective Permissions tab, but this may not always
be accurate. It does not take into account how the user logs in. It also
does not take into account when you deny Delete permissions on a file but
its parent allows Delete Subfolders and Files.
    * And finally, my favorite of them all: there are check boxes for both
Allow and Deny permissions. You cannot check both boxes, but you can uncheck
them both. That means you neither allow nor deny those permissions, which
really means that you deny them.

Many admins don't even bother with Explorer and go straight to the command
prompt to adjust file permissions. Windows has the built-in Cacls.exe tool
to accomplish this but it has some significant limitations. Microsoft's
Xcacls.exe and Xcacls.vbs tools are much more robust, but hardly intuitive.
With so many command-line options and non-standard abbreviations, it's hard
to use the tools without referring to the help reference at least once.
Third-party tools such as FileACL and SetACL are much better, but still
suffer from complexity. These tools are definitely not for average users.
All of the command-line tools get very difficult to use when trying to set
complex inherited ACLs.

For the ultimate in control, Microsoft provides the Security Descriptor
Definition Language (SDDL). This language is sparsely documented and far
from intuitive, but is actually quite powerful for specifying permissions.
If you aren't intimidated by the permission string
"D:(A;ID;0x1200a9;;;BU)(A;ID;0x1301bf;;;PU)(A;ID;FA;;;BA)(A;ID;FA;;;SY)"
well then, SDDL is just right for you.
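As an added illustration (not part of the column), here is a small Python decoder for the sample string above, followed by a simplified emulation of the DACL walk that also shows why the "neither allowed nor denied" case from the Explorer dialog ends up as a denial. The SID and rights tables are constructed lookup tables covering only what this sample needs; the access check leaves out owner rights, generic-right mapping and MAXIMUM_ALLOWED.

```python
import re
from functools import reduce
# Constructed lookup tables: the subset of SDDL abbreviations the sample needs.
SID_ALIASES = {"BU": "Builtin Users", "PU": "Power Users",
               "BA": "Builtin Administrators", "SY": "Local System"}
RIGHTS_ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
FILE_BITS = {0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData", 0x20: "Execute",
             0x10000: "Delete", 0x40000: "WriteDac", 0x80000: "WriteOwner"}
SAMPLE = "D:(A;ID;0x1200a9;;;BU)(A;ID;0x1301bf;;;PU)(A;ID;FA;;;BA)(A;ID;FA;;;SY)"

def parse_rights(field):
    """Rights are a hex mask or concatenated two-letter aliases such as 'FA'."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    return reduce(lambda m, i: m | RIGHTS_ALIASES[field[i:i + 2]], range(0, len(field), 2), 0)

def parse_dacl(sddl):
    """Return the ACEs of the D: part, in order, as dicts (O:/G:/S: parts ignored)."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, flags, rights, _obj, _inh_obj, sid = body.split(";")
        flagset = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        aces.append({"type": ace_type, "inherited": "ID" in flagset,
                     "mask": parse_rights(rights), "sid": sid})
    return aces

def describe(aces):
    """One readable line per ACE, e.g. 'Allow (inherited) Builtin Users: ReadData|Execute'."""
    out = []
    for ace in aces:
        who, verb = SID_ALIASES.get(ace["sid"], ace["sid"]), {"A": "Allow", "D": "Deny"}[ace["type"]]
        rights = "|".join(name for bit, name in FILE_BITS.items() if ace["mask"] & bit)
        out.append(f"{verb}{' (inherited)' if ace['inherited'] else ''} {who}: {rights}")
    return out

def access_check(aces, token_sids, requested):
    """Simplified DACL walk: a matching deny on any requested bit wins, allows accumulate,
    and bits no ACE granted are denied at the end (no owner rights or generic mapping)."""
    remaining = requested
    for ace in aces:
        if ace["sid"] not in token_sids:
            continue
        if ace["type"] == "D" and ace["mask"] & requested:
            return False
        if ace["type"] == "A":
            remaining &= ~ace["mask"]
            if remaining == 0:
                return True
    return False  # no ACE allowed it, so it is denied
```

Running `describe(parse_dacl(SAMPLE))` turns the string into four lines such as "Allow (inherited) Builtin Users: ReadData|Execute", and an empty `D:` (nothing allowed, nothing denied) makes `access_check` return False for everyone.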

There's no doubt that Windows permissions are complex. Microsoft has at
least improved things by using better default permissions so we don't have
to bother with it as much. But considering how powerful these capabilities
are if customized by users, it might be worth it for them to spend some time
rethinking the metaphors and the user interface.

Back to the complexity of Microsoft Word for a moment, however. I did find a
better microphone headset and retrained MS Word's speech recognition
feature. Just like Windows permissions, it turned out to be pretty good and
quite capable once you know how to use it.



You are a subscribed member of the infowarrior list. Visit 
www.infowarrior.org for list information or to unsubscribe. This message 
may be redistributed freely in its entirety. Any and all copyrights 
appearing in list messages are maintained by their respective owners.