Fundamentally Insecure Design?
Wednesday 10th January, 2007 17:29
I was reading an article from The Register, written by Dan Clarke, which blamed software developers for some of the problems we see in Windows, and moaning that new code from software developers continues to be vulnerable. He does point out how you can mitigate problems, and where to look for guidance on writing applications that are more secure. In the article he says:

Insecure applications are such a problem that Microsoft has spent the last five years and many millions of dollars re-engineering its operating system and much of its other software in order to improve the situation [and can one ever really overcome the temptation to bolt-on security to a fundamentally insecure design, in pursuit of "backwards compatibility", in such circumstances - Ed].

Notice that rather cynical addition from the editor of The Register. Vista is based on older versions of Windows, but it's a major rewrite based on the 2003 code (which is based on the 2000 code, which is based on the NT4 code from the '90s, which was a multi-user platform with groups, privileges and file system permissions with NTFS). It's not like the old 9x FAT platform with FAT partitions, which really did have multi-user support bolted on (who remembers Profiles?) and was inherently insecure. The 2003 code has proven to be pretty secure and resilient over the years, and has gained a lot of respect running as a webserver with IIS6, although few people can afford to use it as a desktop OS (although that's exactly what Windows XP Pro x64 is!). I suspect the editor's main complaint is that the new UAC stuff is a way of keeping Administrators running other things at a lower privilege, and is more of a mitigation feature that allows users to log in with full privileges on a daily basis, rather than forcing users to only use the Administrator account when they absolutely have to. But in many ways Microsoft should be praised for their approach, as it's not their fault that people like to log in with an Administrator account. I know this rant is going to sound very pro-Microsoft, but here goes...

On Linux/Unix you are a low level user that needs to "sudo" or log out and back in as "root" in order to perform certain administrative tasks. Once you're running as root, anything you launch also runs as root. Any commands or programs you execute will do exactly what they want. It's bad practice to run as root, but people do it anyway and usually get away with it (I only really do it on Virtual Machines with snapshots, like my install of Slackware 11 or my BackTrack LiveCD).

On Windows you are typically presented with an Administrator account that can do anything and everything. Anything you launch will run with Admin privileges and that process can do anything it wants. But with Vista, applications are launched as low level processes (and certain, well written, applications that run as Administrator will also be able to spawn low level processes). This means they can't do anything dodgy or whatever else they want (this is especially true when you run IE7 in Protected Mode!). If you try to, you'll get a prompt asking you to continue (or it'll fail rather silently, like batch files that try to start services *cough* FileZilla Server *cough*). This means that Administrators will usually be prompted before they do anything particularly stupid - unlike Linux, which will simply get on with it. If you log on as a low level user, you can't do anything dodgy, just like logging in as a low level user on Linux. On Windows, you had to rely on "Runas" (similar to sudo) to launch anything as another user, such as Administrator. With Vista, you now get a pretty prompt asking for an Administrator username and password in order to do certain things, rather than things failing or behaving very oddly as they do in Linux. Microsoft have even tried to be nice, so fewer things require prompts for Admin privileges. I typically use the clock in the corner to quickly bring up a calendar, but this window also lets you change the date and time (which would require Admin privileges). In Vista you can now click on it to bring up the time and calendar as a low level user - no need for an unnecessary UAC prompt! If you click the option to change the date or time, then you'll get a prompt.

So perhaps it isn't quite as straightforward as the Linux design, but it's more user friendly, and if you do choose to run as an Administrator it's better at stopping you from doing anything stupid. Sadly, many people will still run Windows Vista with an Administrator account, but that's a user education problem more than anything else. And at least Microsoft have made an effort to mitigate things. Yes, an Administrator can disable UAC (which is enabled by default) and all the old complaints about Windows will come hurtling back, but it's no different to the default behaviour when you log in as root. Except most Linux users know better. User education.
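As an added example (my own script, not code from the original post or from Microsoft), here is a PowerShell script that checks which side of the UAC split the current session is on, reads the two policy values that control the prompts described above, and relaunches a command through the prompt; it assumes Windows with UAC, PowerShell 5.1 or later, and whoami.exe on the PATH.

```powershell
# Added example, not from the original post. Assumes Windows with UAC,
# PowerShell 5.1 or later, and that whoami.exe is on the PATH.

function Get-AdminTokenState {
    # Classify this session the way the post describes: a plain standard
    # user, an Administrator running on the UAC-filtered token (no prompt
    # answered yet), or an Administrator running fully elevated.
    # whoami lists BUILTIN\Administrators (S-1-5-32-544) for admin users;
    # on the filtered token that group is flagged "used for deny only".
    $row = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -eq 'S-1-5-32-544' }
    if (-not $row)                          { return 'StandardUser'  }
    if ($row.Attributes -match 'deny only') { return 'FilteredAdmin' }
    return 'ElevatedAdmin'
}

function Get-UacPolicy {
    # EnableLUA decides whether UAC prompts exist at all;
    # ConsentPromptBehaviorAdmin decides what an Administrator sees.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        UacEnabled  = ($p.EnableLUA -eq 1)
        # 0 = elevate silently (every launch runs with full rights, as root would),
        # 2 = prompt for consent on the secure desktop,
        # 5 = prompt only for non-Windows binaries (the default).
        AdminPrompt = $p.ConsentPromptBehaviorAdmin
    }
}

function Invoke-Elevated {
    # Re-launch a command through the UAC consent/credential prompt (the
    # "Runas"-style dialog) instead of running it on the filtered token.
    param([Parameter(Mandatory)][string]$FilePath, [string[]]$ArgumentList)
    $params = @{ FilePath = $FilePath; Verb = 'RunAs'; Wait = $true }
    if ($ArgumentList) { $params.ArgumentList = $ArgumentList }
    Start-Process @params
}

$state  = Get-AdminTokenState
$policy = Get-UacPolicy
"Token state: $state"
"UAC enabled: $($policy.UacEnabled); admin prompt mode: $($policy.AdminPrompt)"
if (-not $policy.UacEnabled -and $state -eq 'ElevatedAdmin') {
    Write-Warning 'UAC is off: everything this user launches runs with full Administrator rights.'
}
# A filtered admin cannot change the clock without consent; this raises the prompt.
if ($state -eq 'FilteredAdmin') {
    Invoke-Elevated -FilePath 'powershell.exe' -ArgumentList '-NoProfile', '-Command', 'Get-Date'
}
```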

The security model for (NT based) Windows isn't dissimilar to Linux (both have users, groups, privileges and permissions); the main complaint is that most people prefer to use an Administrator account on a daily basis, but that's not a fault of Windows. By placing certain restrictions on what the Administrator can do without further approval, I might almost go as far as claiming that Windows Vista is now a more secure design than Linux. A bold and controversial claim, I know.
© Robert Nicholls 2002-2024