Spyware has security hole

[Christy]

I manage over 200 computers and have the Internet
Browser's tools set to read only. We have to monitor the
URL's the kids visit and I do not want them to be able to
delete the history. We also have had problems with the
start up page being changed to porn sites.

I installed Microsoft's antispyware on 30 of the XP
professional machines. They are formattedd with NTFS and
have their security locked down well, that is,until the
spyware program gave them the ability to change the
homepages and remove the history. The program is not
looking at the security measures that are in place.
Limited user accounts that have read only rights to
Internet Explorer can change everything they want to
inside of the program.

The program needs to follow basic security measures. If a
user does not have access rights to make changes, then
neither should the antispyware program. This could be
taken care of with the default url's of the administrator
being used if the browser has been hijacked. The pop-up
asking if you want the URL address change should not even
happen if the user is logged on as a limited user. If the
spyware program looks at the read only (and execute)
attribute for Explorer.exe, the assumption should be that
they do not have permission to make those changes, so do
not even ask.

Will this be fixed in the future versions?

Thank you.

 

[JohnF.]

That's why there is a warning that this is a BETA and should not be loaded
onto production machines for the purposes of bonafide protection.

The problems with security and limited user accounts has been noted for
correction in a later beta build.


JohnF.

 

[Bill Sanderson]

These problems are pretty well covered by this KB article which is one of
only two published as known issues at the download site from the inception
of the beta:

http://support.microsoft.com/kb/892375 End users may be prompted to allow or
block administrative actions that originate from a central management tool
after they install Windows AntiSpyware (Beta) on a computer that is managed
by Systems Management Server 2003

Simply put--this beta product isn't suitable for the environment you are
using it in, and no one has claimed that it is--in fact, they've made every
effort to make it clear that it is not.

There will be a centrally managed and lock downable version of the product
produced. It won't be free, and no further information(dates, etc) is
available.

 

[Christy]

I appologize for not giving you enough information in my
first post. The 30 XP machines are Not connected to a
server and they function no differently than a child
connected to the Internet at a home PC. The XP machine
has the "child" set up as a limited user, so the "child"
cannot install software, etc. The "adult" went one step
further to keep the "child" from erasing the history in
the browser. The iexplore.exe file was made read and
execute only. Thus the tools/internet options are grayed
out and the "child" cannot change them. Using the
Microsoft Management Console, the "adult" also changed the
cpl files to deny access to the "child".

All these changes were dones manually to the XP machines.
The security was not handled through a server. They have
XP home edition and function like a home user would. As a
home user, I do not want my young child to be able to
change his/her start up page using MAS.

Will the home version of Microsoft Antispyware have the
ability to, for example, password protect changes to the
browser? For instance, Cyberpatrol is in the systray, but
you cannot actually launch the program to make changes to
the settings unless you have a password. Microsoft could
even make the password use optional. If you don't want
the nag about a password, just don't install one.

I understand that in the future there will be a fee for
this service, however, I do not want to purchase the
product for my kids' machines if I cannot control their
ability to "erase their tracks".

Does this give you a better understanding of my dilema?

Thank you.

 

[JohnF.]

We still have no idea what MS will provide for a finished product so please
keep an eye on what MSAS does in the future. Currently, you have few
options for using MSAS in the environment you are describing. You really
need to get something to lock down those pcs better and use SpywareBlaster
and SpywareGuard to help keep things like popups and such under control
until a network managed version of MSAS becomes available.

I have found that cybersitter is a much better application for locking down
your browsing / chatting options than other "filter" software but that is a
"pay" product.

JohnF.

 

[Bill Sanderson]

That's a good description, I think.

Microsoft does read the messages posted here, and use the feedback in making
choices about the product development.

A request to password protect some settings has been made by others during
this beta--so you aren't alone, although the relative security of such a
setting is something of a quandary. I guess as long as the administrator of
the machine can override it, it can be properly secured--i.e. the answer to
the question "I lost my antispyware password, what do I do?" can be ask your
administrator or reinstall XP.

I can't predict whether this is a feature likely to make the final cut for
this product--but this is the right place to post feedback requesting it.

 

[Christy]

We use a paid for product called Cyberpatrol for filtering
content. I just want MSAS to look at the built in
security features in Microsoft's operating system and
say "hmmm, the kid does not have access to change me,
maybe I shouldn't change it either". lol

Or, just use a simple password. If mom or dad set up the
homepage to be www.netsmartz.org, and do not want it
changed, they should be able to do that. As it is right
now, MSAS overrides all the internal security features
that come with XP. (assuming the disk is formatted
w/NTFS). Everything is manually locked down for the
student, unless he launches MSAS.

Hope this gets resolved, because, I really like the other
features, makes my life easier.

c