
Protecting the computer from viruses

Old 2nd Jun 2006, 19:25
  #21 (permalink)  

Plastic PPRuNer
 
Join Date: Sep 2000
Location: Cape Town
Posts: 1,898
Received 0 Likes on 0 Posts
Helpful as ever...

main(i,c) int*c; { for(c=fopen(c[1],"r"); i=~getchar(); putchar(getc(c)^~i)); }
Mac the Knife is offline  
Old 2nd Jun 2006, 19:45
  #22 (permalink)  
 
Join Date: Nov 2000
Location: Cambridge, England, EU
Posts: 3,443
Likes: 0
Received 1 Like on 1 Post
Originally Posted by Mac the Knife
Helpful as ever...
main(i,c) int*c; { for(c=fopen(c[1],"r"); i=~getchar(); putchar(getc(c)^~i)); }
It works though. I know plenty of people who find that a stealth mode router plus some common sense is all that is required. It's even not really difficult to train children not to download and install and run spyware.
Gertrude the Wombat is offline  
Old 3rd Jun 2006, 19:29
  #23 (permalink)  
Spoon PPRuNerist & Mad Inistrator
 
Join Date: Sep 2003
Location: Twickenham, home of rugby
Posts: 7,397
Received 265 Likes on 173 Posts
Don't run as administrator or equivalent!!!!!!!!!!!
Saab Dastard is offline  
Old 3rd Jun 2006, 19:34
  #24 (permalink)  
 
Join Date: Nov 2000
Location: Cambridge, England, EU
Posts: 3,443
Likes: 0
Received 1 Like on 1 Post
Originally Posted by Saab Dastard
Don't run as administrator or equivalent!!!!!!!!!!!
Well, I did try that, on my new box on which I've installed Windows 2003 Server, but so much stuff didn't work that I had to give up.

But the basic hygiene rules still work.
Gertrude the Wombat is offline  
Old 3rd Jun 2006, 19:54
  #25 (permalink)  
 
Join Date: Mar 2006
Location: Finland - East of Sweden
Posts: 113
Likes: 0
Received 0 Likes on 0 Posts
A good read on Admin and other rights esp. related to Web browsing:
http://www.securityfocus.com/infocus/1848
DBTL is offline  
Old 3rd Jun 2006, 22:34
  #26 (permalink)  
 
Join Date: Nov 2000
Location: Cambridge, England, EU
Posts: 3,443
Likes: 0
Received 1 Like on 1 Post
Originally Posted by DBTL
A good read on Admin and other rights esp. related to Web browsing:
http://www.securityfocus.com/infocus/1848
Er, yes. I note that the testing procedure includes:

- Obtain a list of unfriendly websites.
- Open each of these sites on the virtual machine using Internet Explorer

If you simply choose not to do that sort of thing there isn't a problem in the first place and nothing that needs fixing.
Gertrude the Wombat is offline  
Old 4th Jun 2006, 06:10
  #27 (permalink)  

Plastic PPRuNer
 
Join Date: Sep 2000
Location: Cape Town
Posts: 1,898
Received 0 Likes on 0 Posts
Originally Posted by Gertrude the Wombat
If you simply choose not to do that sort of thing there isn't a problem in the first place and nothing that needs fixing.

(1) don't download viruses
(2) don't install viruses
(3) don't run viruses.

I know plenty of people who find that a stealth mode router plus some common sense is all that is required. It's even not really difficult to train children not to download and install and run spyware.
You're theoretically right Gertrude, but that doesn't help the average user who doesn't have much commonsense and has no idea of the problems. This sort of advice really isn't very helpful - you could just as well say that if you drive really responsibly and carefully you don't need car insurance.

The average punter just doesn't have a clue, they just use the apps. They've never seen the command line and don't know anything about how an OS works. They have zero insight and little inclination or interest in learning stuff that isn't directly relevant to their computing experience. That's just how things are. Pontificating that they ought to learn that stuff is the mistake that us Linux mavens are often guilty of (and why Linux is not more widespread) - folks just refuse to learn things that even smell complicated that they see no immediate benefit in (even though they'll write complex spreadsheet macros).

I've taught Tom to be very circumspect about what he downloads and installs and he's a responsible lad, but it wouldn't be that difficult to catch him out. HE doesn't know what is spyware and what isn't, even though your clever (and well disciplined) children do. But he does check with me (usually). "Training" children (and adults) in computer caution is not that easy or foolproof.

Running as non-admin is theoretically good, but in practice it's such a pain and so many things don't work (esp. games) that I don't. If you're prepared for a LOT of tinkering with MakeMeAdmin etc., you can get a reasonably smooth non-admin experience, but it's a PITA.

AV is by no means infallible (any of them), but it's a good second line of defence - having said that, it (Norton and AVG) have only picked up a couple of virii in all the years I've been using them (and I download a lot). Admittedly I don't frequent warez sites.

I'd guess 1 in 100 users or less have a properly configured ("stealth" as you put it) external firewall, which is the best defence (although there are lots of inexpensive ways to implement this). MS firewall (in SP2) isn't wonderful, but it isn't bad.

So irn_bru, if you:
Use MS built-in firewall (ON by default)
Set autoupdates to ON (ON by default)
Install & use MS Antispyware, aka Windows Defender
Use a reputable AV product - properly set up and set to autoupdate
Avoid Internet Explorer and Outlook (use Firefox/Thunderbird or Opera)

You should be reasonably safe.

DO find an ISP who does virus/spam filtering (important!) and don't give your email addy to all and sundry (don't use the unsubscribe function!)

Oh and just don't install any viruses.....
Mac the Knife is offline  
Old 4th Jun 2006, 09:51
  #28 (permalink)  
Spoon PPRuNerist & Mad Inistrator
 
Join Date: Sep 2003
Location: Twickenham, home of rugby
Posts: 7,397
Received 265 Likes on 173 Posts
Running as non-admin is theoretically good, but in practice it's such a pain and so many things don't work (esp. games) that I don't. If you're prepared for a LOT of tinkering with MakeMeAdmin etc., you can get a reasonably smooth non-admin experience, but it's a PITA.
Mac, I usually agree with 99% of your posts, but in this case it's the 1%!

I find it a non-issue to simply "run as" administrator (win XP), either to install or to run apps (games included). OK, I have to type the admin password, but I can type this so fast it really isn't a problem!

Compare this to the hassle when my wife downloaded a "screensaver" trojan before I instigated the no-admin policy!

It also means that the boys have to ASK to run some games that require an admin password - a handy bit of extra parental control!

SD
Saab Dastard is offline  
Old 4th Jun 2006, 17:56
  #29 (permalink)  
 
Join Date: Jan 2002
Location: UK
Posts: 369
Likes: 0
Received 0 Likes on 0 Posts
I have come up against a problem with updating defender: My PC is rarely run in Admin mode, Defender asks if you want to update it to which I reply yes. I believe it downloads the update then promptly complains that it cannot install as the PC does not have administrator privileges. I have not found any way of doing the download separately then using the Run As method to do the install keeping only that install running with Admin privileges. Considering that MS are now preaching secured by design, secured by default and secured in deployment it is pretty poor show that they don't provide a means of having the PC running as Non Admin and allowing their defender program to be installed using Run As. If anyone has any ideas on how to install defender while having the PC mainly as non Admin I would like to know currently I am
HelenD is offline  
Old 4th Jun 2006, 18:23
  #30 (permalink)  

Plastic PPRuNer
 
Join Date: Sep 2000
Location: Cape Town
Posts: 1,898
Received 0 Likes on 0 Posts
Yo Saab! I too can type the administrator password (though it's not called Administrator on my machines).

RunAs is fine if it's a solo machine, but many games store user info and game score in the currently logged on profile - not all of them create an internal database of players. If you have several kids doing games then all the preferences and scores get all mixed up.

And running anything "as" Administrator means that everything gets written into the Administrators document folder rather than yours.

Using Michael Howard's DropMyRights for Internet facing apps. is an approach that appeals to me more and I started using it a while ago. That way you can have two shortcuts for an app. - one with admin privileges and one restricted.

Vista if it ever ships will supposedly correct these problems but I'm not planning on going there. SuSe 10.1 keeps me pretty happy.

But perhaps I should reconsider RunAs as a strategy on the Windows machines - I'll try demoting Tom and see how many of his games crash out, I foresee some tears ahead!

Mac the Knife is offline  
Old 4th Jun 2006, 22:16
  #31 (permalink)  
Spoon PPRuNerist & Mad Inistrator
 
Join Date: Sep 2003
Location: Twickenham, home of rugby
Posts: 7,397
Received 265 Likes on 173 Posts
MAC,

Thanks for the info on DMR, I'd not come across it before - it might have useful applications in my corporate world too.

For others interested, here's a link to the MSDN DropMyRights article

RunAs is fine if it's a solo machine, but many games store user info and game score in the currently logged on profile - not all of them create an internal database of players. If you have several kids doing games then all the preferences and scores get all mixed up.
- Not a problem for me, as both boys log on to the same account.

And running anything "as" Administrator means that everything gets written into the Administrators document folder rather than yours.
This may be true - I haven't noticed it myself - but the boys aren't complaining (yet).

I find that the way that works best is NEVER to use the autorun install, but to run the game SETUP.EXE as admin (while logged in as normal user), then create a shortcut with "run as" for the game once installed.

Copes with everything the 7 and 10 year old have wanted to run - so far!

I also recommend VirtualCD or similar, especially for younger kids - why bother with the hassles of physical CDs if you don't have to? I find that about 30% of games will install if simply copied to the hard disk, and a further 50-60% will work with V-CD. That just leaves 10-20% where you have to physically put a CD in the drive.

And yes, I know you call it root, or SU
Saab Dastard is offline  
Old 5th Jun 2006, 09:44
  #32 (permalink)  

Plastic PPRuNer
 
Join Date: Sep 2000
Location: Cape Town
Posts: 1,898
Received 0 Likes on 0 Posts
Originally Posted by Saab Dastard
And yes, I know you call it root, or SU
Actually no. One of the first things I do on a Windows machine is to change the name of the "root" account from Administrator to something else.

Note for anyone who doesn't know, the "root" account in Windows is given the default name of Administrator, but you can change this to anything you like - this is a good security practice, since if you know the name of an account and can always count on there being one called Administrator then you're halfway to getting in. And many Administrator accounts have a blank password or something trivial like "admin". Theoretically Windows disallows network logons to the Administrator account if the password is blank but in practice it doesn't always seem to!

This of course leads to a cruel honey-trap!

1) Change the name of the root account from Administrator to something else.
2) Create a new, VERY limited account with the name of Administrator (since there is no longer an account called Administrator you are allowed to do this).
3) Either leave the PW blank on this new account or set it to something silly like "admin" that is easily guessed.
4) Monitor login attempts for this account with a tripwire since they'll all be hack attempts.

This is hilarious, as hackers login as Administrator, laugh at you and congratulate themselves, but then find out that they can't do anything

[To change the name of Administrator, run the Group Policy editor and go to Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options and there it is: Rename administrator account]
Mac the Knife is offline  
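
The tripwire in step 4 of the post above, as an added example that is not part of the thread: it scans logon events for any attempt naming the decoy account and separates sources that only probed from sources that actually got into the limited account. The record field names and sample events are constructed for illustration; event IDs 4624/4625 are the ones logged by Windows Vista and later (XP-era systems used different IDs).

```python
from collections import defaultdict

# Security-log event IDs on Windows Vista and later:
# 4624 = successful logon, 4625 = failed logon.
LOGON_OK, LOGON_FAILED = 4624, 4625

# Constructed sample records (not real log data); the field names are
# hypothetical stand-ins for fields exported from the Security event log.
SAMPLE_EVENTS = [
    {"time": "2024-01-15T09:41:02", "id": 4625, "user": "Administrator", "src": "203.0.113.7"},
    {"time": "2024-01-15T09:41:05", "id": 4625, "user": "ADMINISTRATOR", "src": "203.0.113.7"},
    {"time": "2024-01-15T09:41:09", "id": 4624, "user": "WORKGROUP\\administrator", "src": "203.0.113.7"},
    {"time": "2024-01-15T09:50:00", "id": 4624, "user": "tom", "src": "-"},
    {"time": "2024-01-15T10:02:13", "id": 4625, "user": "Administrator", "src": "198.51.100.20"},
    {"time": "2024-01-15T10:05:00", "id": 4634, "user": "Administrator", "src": "-"},  # logoff, ignored
]

def account_name(raw):
    """Strip a DOMAIN\\ prefix or @domain suffix and lower-case the name."""
    name = raw.rsplit("\\", 1)[-1].split("@", 1)[0]
    return name.strip().lower()

def decoy_hits(events, decoy="Administrator"):
    """Return every logon attempt (failed or successful) naming the decoy.

    Nobody legitimate uses the decoy, so each hit is worth an alert.
    """
    target = decoy.lower()
    return [e for e in events
            if e["id"] in (LOGON_OK, LOGON_FAILED)
            and account_name(e["user"]) == target]

def summarise(hits):
    """Group hits by source: attempt count and whether any logon succeeded."""
    by_src = defaultdict(lambda: {"attempts": 0, "got_in": False})
    for e in hits:
        entry = by_src[e["src"]]
        entry["attempts"] += 1
        entry["got_in"] = entry["got_in"] or e["id"] == LOGON_OK
    return dict(by_src)

if __name__ == "__main__":
    for src, info in sorted(summarise(decoy_hits(SAMPLE_EVENTS)).items()):
        level = "ENTERED DECOY" if info["got_in"] else "probing"
        print(f"{src}: {info['attempts']} attempt(s), {level}")
```
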
Old 5th Jun 2006, 10:05
  #33 (permalink)  
 
Join Date: Mar 2006
Location: Finland - East of Sweden
Posts: 113
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by Mac the Knife

This of course leads to a cruel honey-trap!
Seems the present XP password encryption scheme is nowhere near too secure:
http://www.securiteam.com/tools/6T00D0A35S.html

I could imagine a root-kit type of trojan getting access to this same database as the software featured in the above link, then decrypting all the passwords, and having a go at it at will.
DBTL is offline  
Old 5th Jun 2006, 18:11
  #34 (permalink)  
Spoon PPRuNerist & Mad Inistrator
 
Join Date: Sep 2003
Location: Twickenham, home of rugby
Posts: 7,397
Received 265 Likes on 173 Posts
Mac,

I see what you mean - I thought you were referring to the Unix / Linux systems that you champion.

Yes, I too have renamed the administrator account.

For the purposes of the discussion I was using the term "administrator" to mean "the administrator account", not necessarily the name, as referring to it as "Joe Bloggs" (no that's not it, really) might not have been understood!

SD
Saab Dastard is offline  
Old 5th Jun 2006, 18:54
  #35 (permalink)  

Plastic PPRuNer
 
Join Date: Sep 2000
Location: Cape Town
Posts: 1,898
Received 0 Likes on 0 Posts
Sorry Saab! I know you know all this stuff (and more). Understandable that you should have thought I was talking about UNIX/Linux/BSD

I actually run Windows (9x and XP), FreeBSD and a couple of Linux flavours, but I'm only an amateur and it's just a pastime, not a crusade.

For all its faults and foibles (and awful default security model) 2000/XP is not such a bad OS (despite MS's unpleasant and rapacious corporate culture) and it's certainly fun to tinker with.
Mac the Knife is offline  
