Microsoft Zero Day security holes being exploited

98 Guy

cquirke (MVP Windows shell/user) said:
I would kill off "View As Web Page" on sight, and thus not be
exposed to this exploit (which I see as a barnacle on a whale
of bad design...
I might kill off the .DLL that operates the web view "feature",
as well as Active Desktop of course.

C:\Windows\System\webvw.dll

You should be able to rename it because you shouldn't have "view as
web page" enabled.

There apparently hasn't been any update to it for 98 because I only
see 1 version (4/23/99).

See here:

http://www.msfn.org/board/index.php?showtopic=46066&st=0

regsvr32 /u webcheck.dll

There was an update to webcheck.dll on 08/29/02. I think I'll nuke it
and see what happens. Seems I have to do it from DOS.

Here's a couple of unrelated web links for your reading enjoyment:

http://www.usdoj.gov/atr/cases/f4600/4644.htm

http://www.varbusiness.com/sections/98pages/198sw.jhtml
 
karl levinson, mvp

98 Guy said:
Care to provide some evidence that there are currently MORE unpatched
vulnerabilities for 98 vs XP?

That's difficult, because the number of unpatched vulns for XP is somewhat
unknown. Also, whatever comparison you do now, will be changing in the
future. With patches being released for XP and not for 98, the number of
unpatched 98 vulns is certain to increase.
Only Since July 11. And how many vulnerabilities discovered since
then are really for IE?

For a significant time before that, Microsoft was not providing patches for
updates they did not consider critical. There was some disagreement about
the non-critical rating Microsoft assigned to a few of the vulnerabilities.
And are you aware that the 2K versions of the patched files made
available since July 11 can be used on Win-98?

Is installing those Win2K patches on Win98 easy for home users? I assume
you have to manually extract the files and replace them, assuming they are
not in use by the OS?
Privilege escalation vulnerabilities exist for NT-based OS's like XP.

True, but Microsoft is and needs to be reducing these privilege escalation
vulnerabilities, not giving in to their inevitability. Resistance to local
privilege escalation attacks is one weakness Microsoft security has in
comparison to Linux, a growing competitor to Windows. With spyware, adware
and other malware increasingly infecting Windows platforms, more and more
users are asking why Windows cannot control what is done by local users.
The ability to open listening TCP/IP ports, send spam email outbound, launch
DoS attacks on other systems, etc. are things non-admins should not be able
to do silently and without native Windows logging.

A significant problem for Microsoft is the time it takes them to code both
patches and new software versions. A significant reason for that problem is
the large number of different combinations of product versions they need to
support. Different browser versions with different language versions on
different OS versions with different service pack versions in different
localized language versions, the number of combinations of patches that
Microsoft has to release is hundreds if not thousands. This is one big
compelling reason why Microsoft is trying to reduce the number of browser
and OS variants out there, such as eliminating Win98, in the name of
security. I do not see them reversing this trend, especially not to create
a Windows98-like niche OS that is only useful for some niche users [e.g.
home users that don't need the security features of XP].
Many systems are configured (for ease of use) for single-user systems
to logon as administrator or have admin rights. ACL permissions are
primarily designed for servers on multi-user networks, not really for
single-user desktop / home computer use.

Not true. ACLs are most valuable for system configuration management. Many
parents want to control what their children can and cannot do on their
single-user home computers, and this is difficult on 98 due to the lack of
ACLs.
Many large organizations configure their infrastructure so that no
personal or organizational files or data exist on local desktop
machines, and where a correct login name/PW must be used to gain
access to the network. That strategy can be used all the way down to
a 2-desktop network.

... but going back to home users, the most likely consumer of the proposed
new Windows 98 product, those users would most likely be storing files on
the local hard drive, without any native protection against unauthorized
access from others in the house.
Irrelevant in the context of malware vulnerability. If you have users
of shared systems that seek out private information or intentionally
plant malware on their own system, then you have an HR problem.

Well, the assertion was that Win98 was more secure than XP. I see no reason
to evaluate Windows security by ignoring certain common security features,
just because you don't need them yourself. Windows should not be programmed
just for certain users. It needs to be configurable so that it will work
for all users. Malware is only one threat, and saying that one OS is more
resistant to malware is only so useful in evaluating security.

The ability to prevent one user from modifying the files of the OS or of
other users is relevant to malware on multi-user systems. This prevents one
user from infecting anything other than just her own user profile. Log in
as another user, and the infection is not present for that user. It also
prevents malware from reading and modifying OS files and the data files of
other users. It also helps XP to protect the secret encryption keys of each
user, whether the snooper is malware, a remote attacker, or an insider on
the machine.

XP SP2 included a number of security features against malware that depend on
NTFS, such as AES. Win 98 does not have those features.
A solution that is only viable in institutional/corporate settings and
not for single-user home use.

Logging in home users as non-administrators is absolutely viable, as Vista
is showing today. Linux and Lindows do it very well, and Walmart sells
Linux computers for home users. It's just that Windows XP and third party
software make this more difficult than it should be.
Availability of what?

Of new patches and fixes?

Maybe we should wait and see what new vulnerabilities come down the
pipe that are proven to affect 98. Until then, the "not supported"
argument is a red herring.

No red herring, as you should know, there are already unpatched vulns for
Win98, and the number is going to grow. Unless you think there are zero
more vulns to be found in Win98.

I was meaning to say system availability, meaning that Win98 is not terribly
stable and crashes if it is not rebooted and reinstalled frequently.
Availability is part of the "CIA" security triad, and it's hard to argue
that 98 has better availability and stability than XP. 98 does little to
nothing to ensure system integrity is not compromised, and little to nothing
about confidentiality, so I'm not getting the assertion here that 98 is more
secure than XP.
Too bad that from its introduction in 2002 until SP2 was belatedly
released in late 2004 that XP systems were practically guaranteed to
become infected via direct network exploits and a myriad of other ways
and that many XP systems in residential settings are never updated or
patched by their owners.

That was then, this is now. We have XP SP2 now, and both XP and XP SP2 are
steps forward in security.

And all users had to do to be protected from most of those vulnerabilities
was to enable the Windows Firewall, Automatic Updates and some sort of
antivirus... things they should have been doing anyway. Anyway, the
question was, what good resources are there for hardening Windows XP, and
that's part of the answer.

As far as XP SP2 being "belatedly" released, they designed, tested and
released it in only a year, and with only minimal problems being caused by
it. That's amazing and is something to laud and support, not deride.
 
Dan W.

cquirke said:
Hard to respond to that without examples, but I certainly agree; SP2's
a worthwhile step forward. Anything older is stone dead if connected
as-is, because the firewall's off and both LSASS and RPC are unpatched
(yes, even in SP1a). In this respect, there's no safe-out-the-box
Win2000 at all - I dunno if the last Win2000 SP had fixes for LSASS
and RPC, but there's no firewall built-in.


I'm after safety. I want no "admin shares" whatsoever, I want to see
what I'm dealing with when I work on files, and I don't want the PC
resetting every time there's a system crash or RPC falls over.


I would kill off "View As Web Page" on sight, and thus not be exposed
to this exploit (which I see as a barnacle on a whale of bad design...
why would I want the ability to autorun scripts dropped in any
directory?). WinME does this properly, but Win98xx is slippery and
can fall back to "Web View" so I might kill off the .DLL that operates
the web view "feature", as well as Active Desktop of course.

I'm not sure if XP is using the "Web View" facility or not, as there's
no UI to specifically control it.


Yup. Software complexity meets automated exploit search.



Drugs are usually safe. Inject? (Y/n)

Thanks for the good points, Chris and it certainly seems that Windows ME
was not as terrible as everyone said it was. My dad had it for a while
and said it worked fine for him and did not see why everyone hated it.
I have not had the chance to use it but for very brief periods on user's
machines that I have fixed.
 
Dan W.

98 said:
C:\Windows\System\webvw.dll

You should be able to rename it because you shouldn't have "view as
web page" enabled.

There apparently hasn't been any update to it for 98 because I only
see 1 version (4/23/99).


See here:

http://www.msfn.org/board/index.php?showtopic=46066&st=0

regsvr32 /u webcheck.dll

There was an update to webcheck.dll on 08/29/02. I think I'll nuke it
and see what happens. Seems I have to do it from DOS.

Here's a couple of unrelated web links for your reading enjoyment:

http://www.usdoj.gov/atr/cases/f4600/4644.htm

http://www.varbusiness.com/sections/98pages/198sw.jhtml

Thanks 98 guy. Please keep us informed of our testing on your system as
will I after I get the go ahead from you. You get to be the star and
tester at the same time. <grin>
 
karl levinson, mvp

hackers broke through the Windows Professional XP Service Pack 2
firewall.

How did they do this? Is this a vulnerability that should be reported to
Microsoft? Or did they get through via outbound web browsing or a malicious
email?
 
cquirke (MVP Windows shell/user)

"cquirke (MVP Windows shell/user)" wrote:
C:\Windows\System\webvw.dll

Thanks, I wasn't sure if I remembered the name right :)

In Win95/98 you can just restart in DOS mode (so that Windows doesn't
track the change) and rename the file away to (say) WEBVW.DL!

In WinME, SFP...

http://cquirke.mvps.org/9x/sr-sfp.htm

... would get in the way, and there's no built-in DOS mode...

http://cquirke.mvps.org/9x/me-dos.htm

...but that's OK because WinME holds the setting to suppress "View As
Web Page" properly, unlike Win98 and/or IE4-infested Win95.

Note that any IE upgrade/update could undo the protection by creating
a new .DLL, as would "just" reinstalling Windows.

A key to keeping Active Desktop dead is to avoid using .JPG and .HTM
as your wallpaper - convert to .BMP and use that instead. There's
also a risk of fallback to "Active Desktop" if you leave the default
.HTM wallpaper file(s) in the relevant directory... often Win98 will
spontaneously use Windows98.htm as the wallpaper, enabling Active
Desktop, and then when you try to disable Active Desktop, you are told
that it's "needed" for the wallpaper "you selected".

Stuff like this can make you angry, if you let it...
regsvr32 /u webcheck.dll

Cool. I've not been a fan of Win98Lite, tho what it proved about the
so-called "dependence" on IE is valuable information.

Ah, you do seem to relish nursing those old wounds ;-)

I often wonder if the overall impact of that Netscape DoJ case was
beneficial or not. We still haven't got rid of exploitable
edge-facing subsystems that we may not want to use, so we're still
obliged to patch them - and that removes what would otherwise be a
major benefit to switching browsers, for example.

Also, the thrust of this case may have stampeded MS into really
entrenching IE4 into the OS, so the claim that it could not be removed
would be more accurate. OTOH, IE5 is far easier to remove and lacks
IE4's deep "desktop integration" when it's installed on a Win95 system
that has never had IE4 on it... I think MS was preparing for a court
ruling that IE would have to be dis-integrated, which never came.

The irony is that Netscape's own success involved leveraging the
initial browser monopoly (gained by offering the browser for free) to
drive sales of web development tools. "Use our tools, so that you can
be sure your code will work with the browser everyone uses", etc.

Using free software to gain market share (and thus become a de facto
standard, or "monopoly") remains common practice, e.g. free Acrobat
Reader, very costly full Acrobat, free Real Player, then market share
leveraged to sell in-your-face advertising and privacy impact, etc.

TMTC,TMTSTS - or as FZ would say, the torture never stops.

"Spam is green and buzzing in this mailbox of despair..."

BTW: Newer wounds are now available, from a wider range of vendors.
See your local class-action agency.


------------ ----- --- -- - - - -
Drugs are usually safe. Inject? (Y/n)
 
Dan W.

cquirke said:
Thanks, I wasn't sure if I remembered the name right :)

In Win95/98 you can just restart in DOS mode (so that Windows doesn't
track the change) and rename the file away to (say) WEBVW.DL!

In WinME, SFP...

http://cquirke.mvps.org/9x/sr-sfp.htm

... would get in the way, and there's no built-in DOS mode...

http://cquirke.mvps.org/9x/me-dos.htm

...but that's OK because WinME holds the setting to suppress "View As
Web Page" properly, unlike Win98 and/or IE4-infested Win95.

Note that any IE upgrade/update could undo the protection by creating
a new .DLL, as would "just" reinstalling Windows.


A key to keeping Active Desktop dead is to avoid using .JPG and .HTM
as your wallpaper - convert to .BMP and use that instead. There's
also a risk of fallback to "Active Desktop" if you leave the default
.HTM wallpaper file(s) in the relevant directory... often Win98 will
spontaneously use Windows98.htm as the wallpaper, enabling Active
Desktop, and then when you try to disable Active Desktop, you are told
that it's "needed" for the wallpaper "you selected".

Stuff like this can make you angry, if you let it...



Cool. I've not been a fan of Win98Lite, tho what it proved about the
so-called "dependence" on IE is valuable information.



Ah, you do seem to relish nursing those old wounds ;-)

I often wonder if the overall impact of that Netscape DoJ case was
beneficial or not. We still haven't got rid of exploitable
edge-facing subsystems that we may not want to use, so we're still
obliged to patch them - and that removes what would otherwise be a
major benefit to switching browsers, for example.

Also, the thrust of this case may have stampeded MS into really
entrenching IE4 into the OS, so the claim that it could not be removed
would be more accurate. OTOH, IE5 is far easier to remove and lacks
IE4's deep "desktop integration" when it's installed on a Win95 system
that has never had IE4 on it... I think MS was preparing for a court
ruling that IE would have to be dis-integrated, which never came.

The irony is that Netscape's own success involved leveraging the
initial browser monopoly (gained by offering the browser for free) to
drive sales of web development tools. "Use our tools, so that you can
be sure your code will work with the browser everyone uses", etc.

Using free software to gain market share (and thus become a de facto
standard, or "monopoly") remains common practice, e.g. free Acrobat
Reader, very costly full Acrobat, free Real Player, then market share
leveraged to sell in-your-face advertising and privacy impact, etc.

TMTC,TMTSTS - or as FZ would say, the torture never stops.

"Spam is green and buzzing in this mailbox of despair..."

BTW: Newer wounds are now available, from a wider range of vendors.
See your local class-action agency.



Drugs are usually safe. Inject? (Y/n)

---------------------------------
WEBVW.DL --- Chris -- why not just stick with 98 guy's game plan and
rename the file -- webvw.bak and then you have clear notification that
it is indeed a backup if the newer *.dll should fail. In addition, you
mentioned how reinstalling the operating system would remove the
changes. How about if a repair of Internet Explorer was done now --- I
would imagine that would remove all the customized changes that the
user has made since I think, and correct me if I am wrong please, that
repairing Internet Explorer brings it back to the defaults which would
not have the patches. Is anyone willing to test this if they have the
time? It looks like the repair feature for Internet Explorer will now
be unavailable unless the user wants to put in the customized *.dlls
again and rename the old *.dlls again as well. Amazing to think that
98SE is doing quite well with NT (New Technology) patches and furthers
my idea that this Classic Windows Series could bring the NT source code,
the 9x source code and maybe some open source technology together to
make a super powerful and secure operating system. I just wonder if
Microsoft is up to the challenge of doing this or if it has to fall to
another company because Microsoft is very busy doing everything else
under the sun.

BTW, I saw the status of the Zune Player and that it will be $250
and users will purchase points to buy songs that will cost about .99 +
tax a song, like iTunes does. It will have an FM tuner. I am disappointed
Microsoft did not include an AM tuner in order for users to listen to
talk shows and hopefully they will provide this in a future upgrade or
maybe even add it now if it is not too late.
 
Dan W.

cquirke said:
AFAIK, what happens is that a copy of the domain's settings are kept
locally, and are used whenever the domain is unreachable. I guess
this copy would be updated whenever the domain is there.

There's also a lot of detail and granularity when different
permissions are combined. Whereas *NIX uses the same structure for
both directory location and permissions, the NT security model does
not - while files within a subtree start with permissions of the
parent (AFAIK), you can change this on a file-by-file basis.

There are easy ways to get really painted into a corner with this
stuff, and one of the common mistakes is to assign rights to
particular users, rather than to a group. It's better to create a
group, set the rights for that group, and then add your user(s) as
members of that group (yes, even if there's only one member). That
way, if you fire Fred and employ Brad, you just drop Fred from the
group and add Brad to it.

Often there will be contexts where different sets of permissions are
simultaneously applied. For example, there are machine permissions,
network permissions, user permissions, etc. so what really happens is
a resultant of these, prompting the question; what trumps what?

In many ways, a sysadmin's job is as much about managing users via
Active Directory as it is about managing network resources such as
domain servers. Most businesses large enough to be using AD and
domains will insist on certification (MCSE etc.) before anyone can
touch this stuff. So when this security model is dropped into
consumerland, it's tough... consumers understand physical security
very well, but have zero intuition on business and staff security.

And why should they?


Yup. I use Bart for those... the learning curve (OK, small wall) is
tougher than one would like, but if you do a lot of this stuff, it's
effort well spent. I expect malware to assume control over the system
I'm trying to clean, and start "from orbit" with Bart, concentrating
on the heavies, before tip-toeing in via Safe Cmd etc.

Safe Cmd is to XP what DOS mode is to Win9x, but there's a far higher
risk of malware being active in Safe Cmd than there is in DOS mode.


Could be... I use 7 av scanners and the usual 2 anti-"spyware"
scanners, then HiJackThis, then I de-bulk the usual malware hangouts
(loose code in C:\, all TIF, Temp), then I drop tools in place and run
'em when I enter Safe Cmd. The av scans shoot to kill, but the
initial anti-"spyware" and HiJackThis are usually look-don't-touch.

Once in Safe Cmd, I re-run SysClean (as some tests don't run when in
Bart), AdAware and Spybot, and this time I let the anti-"spyware"
scanners kill what they find. Then I add Ewido 4 and run that, do a
HiJackThis again, and look for mismatches that suggest a rootkit.

Next is normal Windows, which means I can install tools that require
the Windows Installer, e.g. BitDefender 8 and MS Defender. I add
BitDefender 8 if there's been a lot of traffic and/or the resident av
can't be updated. If the resident av is broken, expired or missing, I
add AVG 7. Then I harden settings, set a clean baseline restore point,
and purge all older restore points (Disk Cleanup).

Then I check firewall, and go online to update the scanners and
non-scanning tools that need it (e.g. Spyware Blaster, Ewido,
BitDefender). Before going online, I'd have killed off old Java
versions and replaced the latest JRE, ditto Firefox, etc.


What sort of error?

Malware isn't the only thing that can bonk PCs; I didn't mention it,
but every Bart session starts with HD Tune to check physical HD, and
before that comes a few hours in MemTest86.



Drugs are usually safe. Inject? (Y/n)

Thanks again for the information, Chris and I really appreciate it. It
is time for me to get ready for church so I will see you at the
newsgroups later. Take Care!

Dan W.
Computer User
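The group-based approach cquirke describes above (create a group, grant the rights to the group, then only change membership when Fred leaves and Brad arrives), as an added example that is not part of the original thread. It assumes a current Windows build with PowerShell 5.1's LocalAccounts cmdlets rather than the XP/2000-era tools the thread discusses, and it must run from an elevated prompt. The folder D:\Projects, the group ProjectEditors and the local users Fred and Brad are hypothetical names chosen for the illustration.

```powershell
# Added example, not code from the thread. Assumptions: D:\Projects exists,
# local users Fred and Brad exist, script runs elevated on PowerShell 5.1+.
$folder = 'D:\Projects'
$group  = 'ProjectEditors'

# 1. Create the group once. Rights will be bound to this group, never to a person.
if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $group -Description "Can modify files under $folder" | Out-Null
}

# 2. Grant the GROUP Modify on the folder, inherited by subfolders and files.
#    Inherited ACEs are what cquirke means by "files start with the parent's permissions".
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $group,
    'Modify',                           # FileSystemRights
    'ContainerInherit, ObjectInherit',  # InheritanceFlags: subfolders + files
    'None',                             # PropagationFlags
    'Allow'                             # AccessControlType
)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Day one: Fred is the editor.
Add-LocalGroupMember -Group $group -Member 'Fred'

# 4. Later: Fred leaves, Brad joins. The ACL on the folder is not touched at all.
Remove-LocalGroupMember -Group $group -Member 'Fred'
Add-LocalGroupMember    -Group $group -Member 'Brad'

# 5. Verify that the folder's ACL names the group and no individual account.
#    When several ACEs apply, NTFS evaluates them in this order ("what trumps what"):
#    explicit Deny > explicit Allow > inherited Deny > inherited Allow, and when a
#    share permission and an NTFS permission both apply, the more restrictive wins.
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference.Value -like "*\$group" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

The last step is the one to reach for when a user "should" have access but does not: list every ACE that applies, look for an explicit Deny first, then check whether the expected Allow is actually inherited to the file in question rather than only present on the parent.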
 
karl levinson, mvp

Keylogger to steal my passwords. The joke is on them however because I
was testing XP Professional SP2 and I proved to Microsoft my point about
the weakness of security in XP SP 2.

I don't see that. How would Win98 have fared any better in this scenario?
Anyway, first the hacker(s)
interrupted my Cox cable signal and then I reset my router.
Immediately, the intruder accessed the router with the passwords admin
and admin

That's not good. Had the router passwords been changed, none of this would
have happened. Assuming router security updates had been installed.
own password. Okay, defense number 1 gone and that is why I feel all
LinkSys Wired Routers need to have a special default password for each
one. The router was a good $80 router.

... with an easy-to-guess default password. That isn't the router's fault,
or the manufacturer's fault.
It looks like the hacker took advantage of the inherent weakness of the
NT (New Technology aka Not There according to Microsofts own early
engineers)

Thirteen plus years ago! A lot has changed since then. Have any Microsoft
engineers called XP or XP SP2 Not There?

This does not necessarily sound like an inherent weakness. Once the hacker
takes control of a device on your network, I'm guessing the settings of the
Windows firewall had an exemption allowing any system in your local subnet
to access certain ports. Note that this probably wouldn't have happened had
the OS been directly on the Internet without an intermediary router or
firewall that could be compromised. That's not exactly an OS or kernel
vulnerability. And anyways, Windows 98 would have been just as vulnerable
in this scenario. Security and functionality are evolving processes.
Windows 98, if it existed now, would have XP functionality like RPC/DCOM
added to it, due to customer pressure. Hacker attacks progress and are
developed in days to months, and sometimes it takes a few years or third
party software to make an OS more resilient to new attacks.

I'm wondering how this could have happened to your home system. This is not
at all a typical Internet attack of a home system. Most attackers would not
spend this much time and effort to get into any old home system. Of all the
systems on the Internet, how did this attacker just happen to attack your
router at the very instant it was being rebooted? Without knowing
beforehand what model router it was? And then from there, took the time and
effort necessary to crack into your internal workstations? For what? Or
was this a small / home office belonging to a business entity of interest to
others? You said you think you might have angered a hacker on the Internet?
by exploiting a patch that had not installed properly
according to the Microsoft Baseline Security Analyzer 1.2.

If you're talking about the Blaster RPC/DCOM MS03-026 patch, yes, I recall a
number of systems where the patch did not install properly, but no error was
given. That was three years ago, and I would argue that things have
improved. And Windows 98 would have the same problems with patches
occasionally failing to install correctly.
 
Dan W.

Everyone needs to know that all computers are somewhat vulnerable if they
are connected to the Internet no matter what the defense protocol
procedures that are used to safeguard the system(s) and the network(s).
Agreed.

This new 9x machine that is a successor to 98 Second Edition would have
Admin. accounts and User accounts just like in XP but still has the
overall system security of 9x as I have provided in great detail in an
above post on system vulnerabilities in the two operating systems.

Fewer vulnerabilities are being reported for Windows 98 because Windows 98
is old and less commonly used, and vulns found for it get you less fame and
glory. The number of new vulns found tends to go down as software ages and matures. A new
version of 98 would quickly be attacked and vulns found.
The real deal is that 98 Second Edition has been out since 1999 while 98
came out in 1998 and I think ME which was the last of the series came out
in 2000. Like Chris Quirke, has said ME introduced a lot of new concepts
like System Restore

Didn't XP expand on and improve the system restore feature to a level not
currently in 98 or ME?
about Microsoft and its early days to present time. The early Microsoft
software engineers nicknamed it the Not There code since it did not have
the type of maintenance operating system that Chris Quirke, MVP fondly
talks about in regards to 98 Second Edition.

If the MOS being discussed for Win 98 is the system boot disk floppy, that
was a very basic MOS and it still works on Windows XP just as well as it
ever did on Windows 98. [Sure, you either have to format your disk as FAT,
or use a third party DOS NTFS driver.] I think Chris really wants not that
kind of MOS but a much bigger and better one that has never existed. XP
also comes with a number of restore features such as Recovery Console and
the Install CD Repair features. I never use those or find them very useful
for security, but they're way more functional and closer to an MOS than the
Win98 recovery floppy or anything Win98 ever had. 98 never had a registry
editor or a way to modify services like the XP Recovery Console.
that at the bare bones level the source code of 9x is actually more
secure --- I know that this is a RADICAL and hard to swallow statement but
it is TRUE!!! Windows NT (New Technology) that comes in flavors of
Windows NT, Windows 2000, Windows XP, and soon to be Windows Vista is very
secure because it has strong defenses. If you strip away the defenses and
compare the base lines of code in NT and 9x then you will see that it is
completely conclusive that 9x is more secure at the base foundation of the
kernel.

It depends on what you consider security. Win98 was always crashing and
unstable, because there was no protection of memory space from bad apps or
bad attackers. Many environments like government consider the "strong
defenses" absolutely essential and wouldn't consider evaluating the security
of an OS that didn't have them.

Win98 doesn't have some features that some customers and people require. If
Microsoft was to release a new 98, Microsoft would probably be forced to add
those extra features and extra code that are in XP that you feel make it
less secure.
This is an amazing concept. It would not actually surprise me if
Microsoft does indeed release this Classic Series of 9x operating systems
for the older software and as another choice for consumers, businesses and
governments. This Classic series would be aimed at consumers and schools
who have the need and desire of great legacy compatibility.

Microsoft's security problems have largely been because of backwards
compatibility with Windows 9x, DOS and Windows NT 4.0. They feel, and I
agree, that Microsoft security would be a lot better if they could abandon
that backwards compatibility with very old niche software, as they have been
doing gradually.

So why not forget compatibility with Vista and focus on security. A new
Classic Edition could be completely compatible with the older software
such as Windows 3.1 programs and DOS programs. It would work alongside
Vista and would complement it rather than harm it. Heck, Microsoft
could do this in a heartbeat without too much trouble. They have the
XBOX, XBOX 360, coming soon Zune player, Office, many flavors of Windows
Vista, etc. This would not be so hard to implement. I will do what it
takes to see this come to reality.
 
Dan W.

cquirke said:
Until someone runs something on the system that initiates traffic,
there's no reason why they should be, unless there's an exploitable
surface in whatever first receives raw TCP/IP packets.

The trouble is, NT is designed to treat the Internet as a network, in
the sense that if you wave the correct credentials, you'd be able to
log in or otherwise interact with the system from "outside". That
adds additional exploitable surfaces.

I can think of NO circumstances where I'd want any Internet entity
that I had not initiated interaction with, to log onto to my PC,
access file shares, or make RPC calls - so why expose those services
at all? There's no "right" credentials to get in because I don't want
*anyone* to get in, so why even process such attempts?


I'd rather have zero possible access from the Internet, be it as admin
or as limited user. The per-user model just isn't that useful,
especially where there is only one user. Why should I pretend to be a
staff of different job descriptions just to use my own PC?

The really sad thing - sadder even than all those games and accounting
apps that won't run unless you're admin - is that end users have no
control over how new user accounts are born. For me, that absolutely
kills the usefulness of user accounts.

I don't feel at all safe when half the files on the system are hidden
from me, where I can't easily tell if I'm in C:\TEMP, C:\D&S...\Temp
or \\BossPC\Windows\Temp, and where I'm expected to "open" files
without any visible cue as to what they will do.

Yet that is the state I'm forced to live with on any newly-created
user account - frankly, I feel safer as admin and "open eyes".



Drugs are usually safe. Inject? (Y/n)


You say things so well Chris and I really appreciate your support. May
this plan become a reality.

Dan W.
Computer User
 
karl levinson, mvp

Dan W. said:
<snip>

Actually, I baited hackers to break into the system to prove to
Microsoft that their software firewall needed to be improved.

Well, for ease of use for home users who aren't networking experts, the XP
firewall by default trusts the local subnet for certain networking protocols
like Windows networking that are not intended to be exposed to the Internet.

There are ways to mitigate this, but it is not easy for a home user, and
also cannot easily be enabled by default. To make Windows networking or any
other kind of file sharing more secure, you would need to authenticate the
machine connecting to it. But that requires a domain controller server,
IPsec, a certificate authority and machine certificates, pre-shared keys,
etc. This is true whether you're talking about SSH, SSL, or NetBIOS. These
countermeasures like pre-shared keys are not really things you can enable by
default, the user has to take some action to configure them. And if these
things were enabled, Windows networking would probably become so difficult,
customers would complain.

And all of this security can be wiped out by the user choosing a poor
password.
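The "trusts the local subnet" default Karl describes can be audited and tightened on a current Windows box; the following is an added example, not code from the thread, and assumes Windows 8 / Server 2012 or later with the NetSecurity module, an elevated PowerShell prompt, and a constructed placeholder address (10.0.0.5) for the one LAN host that genuinely needs file sharing.

```powershell
# Added example, not from the thread. Assumes the NetSecurity module
# (Get-NetFirewallRule etc.) on Windows 8+/Server 2012+, run elevated.
# 'File and Printer Sharing' is Windows' own rule group; 10.0.0.5 is a
# constructed placeholder for a single trusted LAN host.

# 1. Audit: which inbound file-sharing rules are enabled, and whom do they trust?
function Get-SharingRuleScope {
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' `
                        -Direction Inbound -Enabled True |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile           # Domain / Private / Public
            RemoteAddress = $addr.RemoteAddress  # 'LocalSubnet', 'Any', or explicit ranges
        }
    }
}

Get-SharingRuleScope | Format-Table -AutoSize

# 2. Mitigate, option A: if the machine never needs to serve shares
#    (cquirke's "why expose those services at all?"), disable the group.
function Disable-Sharing {
    Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
}

# 3. Mitigate, option B: one LAN host really needs it, so narrow the scope
#    from the whole subnet to that host, and only on the Private profile.
function Limit-SharingToHost([string]$HostAddress) {
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
        Where-Object { $_.Profile -match 'Private' } |
        Set-NetFirewallRule -RemoteAddress $HostAddress
}

# Uncomment ONE of these after reviewing the audit output above:
# Disable-Sharing
# Limit-SharingToHost -HostAddress '10.0.0.5'

# Re-run the audit; anything still scoped to 'Any' is reachable from every network.
Get-SharingRuleScope | Where-Object { $_.RemoteAddress -contains 'Any' }
```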
 

Dan W.

Well, for ease of use for home users who aren't networking experts, the XP
firewall by default trusts the local subnet for certain networking protocols
like Windows networking that are not intended to be exposed to the Internet.

There are ways to mitigate this, but it is not easy for a home user, and
also cannot easily be enabled by default. To make Windows networking or any
other kind of file sharing more secure, you would need to authenticate the
machine connecting to it. But that requires a domain controller server,
IPsec, a certificate authority and machine certificates, pre-shared keys,
etc. This is true whether you're talking about SSH, SSL, or NetBIOS. These
countermeasures like pre-shared keys are not really things you can enable by
default, the user has to take some action to configure them. And if these
things were enabled, Windows networking would probably become so difficult,
customers would complain.

And all of this security can be wiped out by the user choosing a poor
password.

Thanks for the post, Karl. I appreciate it.

I will post here my security problem with XP since it seems appropriate.
At our school we had a real control freak -- 2 years ago according to the computer lady that has been there for a while.

She made the XP Professional computers extremely hard to work on. The
issue is this:
Even in Administration mode --- we cannot add new accounts for the
teacher.

There is only one account that cannot be deleted. There are two
different levels --

the server level and the desktop level. On the server level I could not
fix the account and on the desktop level ---

the computer lady said she could not create another account. How do we
 

Dan W.

cquirke said:
AFAIK, what happens is that a copy of the domain's settings are kept
locally, and are used whenever the domain is unreachable. I guess
this copy would be updated whenever the domain is there.

There's also a lot of detail and granularity when different
permissions are combined. Whereas *NIX uses the same structure for
both directory location and permissions, the NT security model does
not - while files within a subtree start with permissions of the
parent (AFAIK), you can change this on a file-by-file basis.

There are easy ways to get really painted into a corner with this
stuff, and one of the common mistakes is to assign rights to
particular users, rather than to a group. It's better to create a
group, set the rights for that group, and then add your user(s) as
members of that group (yes, even if there's only one member). That
way, if you fire Fred and employ Brad, you just drop Fred from the
group and add Brad to it.

Often there will be contexts where different sets of permissions are
simultaneously applied. For example, there are machine permissions,
network permissions, user permissions, etc. so what really happens is
a resultant of these, prompting the question; what trumps what?

In many ways, a sysadmin's job is as much about managing users via
Active Directory as it is about managing network resources such as
domain servers. Most businesses large enough to be using AD and
domains will insist on certification (MCSE etc.) before anyone can
touch this stuff. So when this security model is dropped into
consumerland, it's tough... consumers understand physical security
very well, but have zero intuition on business and staff security.

And why should they?


Yup. I use Bart for those... the learning curve (OK, small wall) is
tougher than one would like, but if you do a lot of this stuff, it's
effort well spent. I expect malware to assume control over the system
I'm trying to clean, and start "from orbit" with Bart, concentrating
on the heavies, before tip-toeing in via Safe Cmd etc.

Safe Cmd is to XP what DOS mode is to Win9x, but there's a far higher
risk of malware being active in Safe Cmd than there is in DOS mode.


Could be... I use 7 av scanners and the usual 2 anti-"spyware"
scanners, then HiJackThis, then I de-bulk the usual malware hangouts
(loose code in C:\, all TIF, Temp), then I drop tools in place and run
'em when I enter Safe Cmd. The av scans shoot to kill, but the
initial anti-"spyware" and HiJackThis are usually look-don't-touch.

Once in Safe Cmd, I re-run SysClean (as some tests don't run when in
Bart), AdAware and Spybot, and this time I let the anti-"spyware"
scanners kill what they find. Then I add Ewido 4 and run that, do a
HiJackThis again, and look for mismatches that suggest a rootkit.

Next is normal Windows, which means I can install tools that require
the Windows Installer, e.g. BitDefender 8 and MS Defender. I add
BitDefender 8 if there's been a lot of traffic and/or the resident av
can't be updated. If the resident av is broken, expired or missing, I
add AVG 7. Then I harden settings, set a clean baseline restore point,
and purge all older restore points (Disk Cleanup).

Then I check firewall, and go online to update the scanners and
non-scanning tools that need it (e.g. Spyware Blaster, Ewido,
BitDefender). Before going online, I'd have killed off old Java
versions and replaced the latest JRE, ditto Firefox, etc.


What sort of error?

Malware isn't the only thing that can bonk PCs; I didn't mention it,
but every Bart session starts with HD Tune to check physical HD, and
before that comes a few hours in MemTest86.



Drugs are usually safe. Inject? (Y/n)

Wow, I will need to check out Bart from your website to read up on it.
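cquirke's advice above (grant rights to a group, then swap Fred for Brad by changing membership only) in working form; this is an added example, not code from the thread, and assumes Windows 10 / PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module, an elevated prompt, and that local accounts named Fred and Brad already exist. The group name LedgerStaff and folder C:\Ledger are placeholders.

```powershell
# Added example, not from the thread. Assumes Windows 10 / PowerShell 5.1
# (Microsoft.PowerShell.LocalAccounts), an elevated prompt, and existing
# local users 'Fred' and 'Brad'. Group and folder names are placeholders.
$Group  = 'LedgerStaff'
$Folder = 'C:\Ledger'

New-Item -ItemType Directory -Path $Folder -Force | Out-Null
if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $Group -Description 'May modify the ledger folder'
}

# The ACL names the GROUP, never an individual user. Modify rights inherit
# to every file and subfolder created beneath the folder.
$acl  = Get-Acl -Path $Folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.SetAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Day one: Fred does the job.
Add-LocalGroupMember -Group $Group -Member 'Fred'

# Staff turnover: Fred leaves, Brad joins. Only membership changes; the ACL
# on the folder (and on everything already under it) is untouched.
Remove-LocalGroupMember -Group $Group -Member 'Fred'
Add-LocalGroupMember    -Group $Group -Member 'Brad'

# Check: the only explicit (non-inherited) entry on the folder should be the
# group's; neither Fred nor Brad should appear as an individual.
(Get-Acl -Path $Folder).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize

Get-LocalGroupMember -Group $Group | Select-Object Name, ObjectClass
```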
 

Dan W.

cquirke said:
Until someone runs something on the system that initiates traffic,
there's no reason why they should be, unless there's an exploitable
surface in whatever first receives raw TCP/IP packets.

The trouble is, NT is designed to treat the Internet as a network, in
the sense that if you wave the correct credentials, you'd be able to
log in or otherwise interact with the system from "outside". That
adds additional exploitable surfaces.

I can think of NO circumstances where I'd want any Internet entity
that I had not initiated interaction with, to log onto my PC,
access file shares, or make RPC calls - so why expose those services
at all? There's no "right" credentials to get in because I don't want
*anyone* to get in, so why even process such attempts?


I'd rather have zero possible access from the Internet, be it as admin
or as limited user. The per-user model just isn't that useful,
especially where there is only one user. Why should I pretend to be a
staff of different job descriptions just to use my own PC?

The really sad thing - sadder even than all those games and accounting
apps that won't run unless you're admin - is that end users have no
control over how new user accounts are born. For me, that absolutely
kills the usefulness of user accounts.

I don't feel at all safe when half the files on the system are hidden
from me, where I can't easily tell if I'm in C:\TEMP, C:\D&S...\Temp
or \\BossPC\Windows\Temp, and where I'm expected to "open" files
without any visible cue as to what they will do.

Yet that is the state I'm forced to live with on any newly-created
user account - frankly, I feel safer as admin and "open eyes".



Drugs are usually safe. Inject? (Y/n)

Exactly. At least if all users have admin rights, then why not just set
up profiles with full user rights for everyone and install tracking
software to see which user did what? The company could then keep track
of the problematic user and not have to worry about computer issues in
regard to the user accounts. Or are the hired employees so untrustworthy
that they will start formatting the drive(s)? You can always just keep
sensitive material off the PC and with the one or two people that need
this data on an encrypted jump drive with at least 128-bit encryption,
upgrading this to 256+ bit encryption if the data is sensitive or
military in nature.
 