DevilsPGD
In message <[email protected]> "S
Wayne said:

When you want to perform any maintenance operations that require administrative control in Linux or OS X the system DOES indeed pop up a window and ask for your password. It then gives you several minutes in which it assumes that since you typed your password, you are who you say you are, and you can it won't bother you again. After those few minutes are up, and if you do something else requiring administrative elevation, it asks for the password again.

Do you see how this is better? Rather than popping up a box EVERY SINGLE TIME you do an admin task, it does it once, and then doesn't do it again for a few minutes. It doesn't just ask for a monkey to press a button in a dialog box, it actually requires your password. So it knows that the person requesting elevation is at least someone with the admin password. If you have several things you need to do in a short amount of time (which is typically the case for admin tasks) then you only get one popup.

There are a couple problems with what you just said.

First off, no password is needed in Windows if you are an administrator (you already provided your password) -- If you're running as a limited user (or set it via an appropriate group policy) then administrative credentials are required.

Windows uses a single-sign-on model, which makes locking the workstation when unattended the user's responsibility. There are also appropriate tools for environments designed for security to help users avoid leaving their PC unlocked while unattended (One store I visited had a system where if you stepped off of a pad on the floor, the machine logged out).

UAC is for a different threat -- UAC is not designed to ensure that there is an administrator sitting at the keyboard. Windows already figured that out, you don't have to tell it over, and over, and over, again.

Rather, UAC is designed to assume that the app which wants administrative privileges was intentionally started by the user at the keyboard, not a user-level program.

These are *very* different threats.

If I'm a piece of malware that wants to compromise your system, all I have to do is run silently in the background and wait for you to enter your password, after that I have 10 minutes to do whatever I want to your system. If I were a malware author, I'd call that a wet dream.