Here is my advice for microsoft/windows

Skybuck Flying

Microsoft should do the following:

The operating system is a critical component of any PC so:

1. Make everything that belongs from Microsoft and Windows "write
protected".

Even third party drivers can be installed in separate folders.

That means everything in the Windows folder will be "clean" from Microsoft
only.

This is in big contrast with the current reality... the Windows folder is a
big mess because all kinds of programs install junk into it.

Note: *** There is absolutely no reason why a program should ever need to do
this except from Microsoft updates... even these could be installed in
separate folders ***

Programs can simply create registry entries etc to their folders... and keep
everything together.

My advice to Microsoft... and I would really like to see this happen in a
next version of Windows is to be *** very strict *** about how an
application should install itself.

*** everything *** that belongs to an application should be installed in the
application folder.

This would make it easy to delete an application which is misbehaving etc
or causing annoyances like spyware.

All other folders should be write protected.

Only the folder designated by the user as valid for that application should
have write access for the installation program or something like that.

If this would be possible to implement securely this could make a hell lot
of a difference in fighting bad programs :)

One last improvement might be a big change... instead of a file system.. it
would be more like a database... with transactions... every time a program
installs etc.. or the user adds many files... or something like...

It is "logged" as a "transaction"

The idea is that individual "transactions" can be rolled back in case they
wreak havoc.

Bye,
Skybuck.
 
Doug Knox MS-MVP

Much of what you point out is already in the works. The biggest issue now is compatibility. For example, some Lexmark drivers (and others) like to stick their stuff in the Windows\System32 folder. Very, very bad practice in my opinion, but that's the way they're coded. A limited user would not be able to install these drivers, only an Administrator. The same is true with other programs. They were never "updated" from the 9x world to the NTFS world. They expect to be able to write to parts of the file system and registry that were formerly unprotected. This causes many apps to break when not run as an Administrator. The downside is that many users run as an Administrator, even when they don't need to. This exposes them to virus, trojan and other malware infections that write themselves to locations that you have to have Administrator credentials to write to.

A large part of the focus is for the future in a process called Least Privileged User Access. The full mechanism isn't defined yet, but it will answer a lot of your issues. I, for one, hope that they require programs to not write to Windows, System32 or any of the subfolders (with the possible exception of drivers) or protected portions of the Registry, in order to receive "logo" certification.

Hopefully, some of this will come about before Windows Longhorn, but there are no guarantees.
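
An added example, not part of any post in this thread: a string-level check of an installer's write log against the rule discussed above (writes belong in the application's own folder, never under Windows or System32). The system root `C:\Windows`, the application name `PrintTool` and the sample log are constructed assumptions.

```python
import ntpath

# Assumption for this sketch: the system root is C:\Windows.
PROTECTED_ROOTS = (r"C:\Windows",)

# Constructed sample: targets a hypothetical installer tried to write.
APP_DIR = r"C:\Program Files\PrintTool"
SAMPLE_WRITES = [
    r"C:\Program Files\PrintTool\bin\tool.exe",
    r"C:/Program Files/PrintTool/data/cfg.ini",
    r"C:\WINDOWS\system32\ptdrv.dll",
    r"C:\Program Files\PrintTool\..\..\Windows\System32\drivers\pt.sys",
    r"C:\Program Files\PrintToolHelper\helper.dll",
]


def _norm(path):
    # Collapse "..", unify slashes and lower-case: Windows paths are
    # case-insensitive, so comparisons must be too.
    return ntpath.normcase(ntpath.normpath(path))


def _inside(path, root):
    path, root = _norm(path), _norm(root).rstrip("\\")
    # Require a separator after the root so that "PrintToolHelper"
    # is not mistaken for a child of "PrintTool".
    return path == root or path.startswith(root + "\\")


def classify(target, app_dir):
    # Protected roots are checked first, so an application folder that
    # itself sits under the system root is still reported.
    if any(_inside(target, root) for root in PROTECTED_ROOTS):
        return "protected"
    if _inside(target, app_dir):
        return "ok"
    return "outside"


def audit(writes, app_dir):
    # Return only the writes that break the rule, with the reason.
    verdicts = ((w, classify(w, app_dir)) for w in writes)
    return [(w, v) for w, v in verdicts if v != "ok"]


if __name__ == "__main__":
    for target, verdict in audit(SAMPLE_WRITES, APP_DIR):
        print(f"{verdict:9} {target}")
```

This compares path strings only; it does not resolve junctions, symbolic links or 8.3 short names, which is why real enforcement has to come from ACLs applied by the operating system.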
 
Jack Wang [MSFT]

Hi Skybuck,

Thank you very much for the great suggestions.

This is a great idea for a future product enhancement. I'd recommend that
you forward the recommendation to the Microsoft Wish Program:

Microsoft offers several ways for you to send comments or suggestions about
Microsoft products. If you have suggestions for product enhancements that
you would like to see in future versions of Microsoft products, please
contact us using one of the methods listed later in this article.

Let us know how we can improve our products.

Product Enhancement suggestions can include:

· Improvements on existing products.

· Suggestions for additional features.

· Ways to make products easier to use.

All product enhancement suggestions received become the sole property of
Microsoft. Should a suggestion be implemented, Microsoft is under no
obligation to provide compensation.

World Wide Web - To send a comment or suggestion via the Web, use one of
the following methods:

· In Internet Explorer 6, click Send Feedback on the Help menu and then
click the link in the Product Suggestion section of the page that appears.

· In Windows XP, click Help and Support on the Start menu. Click Send your
feedback to Microsoft, and then fill out the Product Suggestion page that
appears.

· Visit the following Microsoft Web site:
http://www.microsoft.com/ms.htm

· Click Microsoft.com Guide in the upper-right corner of the page and then
click Contact Us. Click the link in the Product Suggestion section of the
page that appears.

· Visit the following Microsoft Product Feedback Web site
http://register.microsoft.com/mswish/suggestion.asp
and then complete and submit the form.


E-mail - To send comments or suggestions via e-mail, use the following
Microsoft Wish Program e-mail address, (e-mail address removed).

FAX - To send comments or suggestions via FAX, use the following Microsoft
FAX number, (425) 936-7329.

NOTE Address the FAX to the attention of the Microsoft Wish Program.

US Mail - To send comments or suggestions via US Mail, use the following
Microsoft mailing address:

Microsoft Corporation
Attn. Microsoft Wish Program
One Microsoft Way
Redmond, WA 98052-6399

MORE INFORMATION

Each product suggestion is read by a member of our product feedback team,
classified for easy access, and routed to the product or service team to
drive Microsoft product and/or service improvements. Because we receive an
abundance of suggestions (over 69,000 suggestions a year!) we can't
guarantee that each request makes it into a final product or service. But
we can tell you that each suggestion has been received and is being
reviewed by the team that is most capable of addressing it.

All product or service suggestions received become the sole property of
Microsoft. Should a suggestion be implemented, Microsoft is under no
obligation to provide compensation.

Sincerely,
Jack Wang, MCSE 2000/2003, MCSA 2000/2003, MCDBA, MCSD
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Skybuck Flying" <[email protected]>
| Newsgroups: microsoft.public.windowsxp.security_admin
| Subject: Here is my advice for microsoft/windows
| Date: Thu, 18 Nov 2004 02:17:36 +0100
