Daniel Eran’s series that looks at five examples of core Windows architectural problems that relate to process management, applications and security, has reached Flaw #3.
The first two:
Flaw 1 – Windows’ Interactive Services
Flaw 2 – Windows’ opaque and illogical file system presentation
“Eran’s third flaw is, “Least privilege’ is impractical and broken.” Eran writes:
As computers joined networks, they were exposed to real external threats that demanded more attention to security. UNIX, and later Windows NT, took somewhat similar approaches to providing this, by handing authority to a privileged kernel that preemptively scheduled tasks, restricted access to protected memory and other hardware, set ownership and permissions on files, and defined users with restricted privileges.
The capacity for restricted users allows applications and processes to run with the least amount of privilege necessary, so if they are compromised, anything that takes control is restricted in what damage it can cause.
Limited user privileges act like janitors in a high security building; they have enough security clearance to do their work, but are restricted from areas they don’t need to enter. If someone were to steal their keys, they would still only have limited access within the building.
“Least privilege” is an important security principle that is poorly implemented in Windows. Part of the problem is sloppy programming by application developers, which demand excessive privileges when installing applications and consequently require users to have administrative privileges simply to run them. In Windows, the janitors have keys to everything. Pick a janitor’s pocket, and you have free run of the entire building.
Full article here.
Related articles:
Architectural flaws in Microsoft Windows already solved in Apple’s Mac OS X – October 10, 2005
Moral: There’s a difference between a being a custodian and having custody?
Who cares about Windows.
Anyone else experiencing real slooooooooowwwwwwwww loads of MDN this week? Don’t have the problem with any other sites in Safari 1.3.1.
Windows? Do people still use that thing?
yes Off Topic – the MDN site has been very slow – yesterday was painful at times.
MDN word: schools
hey I’m not getting the tag line “MDN = xxx” Could someone help out with this?
Yep, MDN is reeeeely sloooww…
& that is no fun with “one more thing” upon us!
The MDN MW: xxx is the MDN Magic Word that you have to type in to post. It’s a antiSPAM measure, because you have to read an image and type in the correct word.
MW: step, as in “I need to join a twelve-STEP program for my MDN addiction.”