General security suggestions

  • This may be the wrong place to post this, but I don't see a 'suggestions subforum', so here it is.


    It would be nice to have a decent OS installation routine for Windows, for a change. Put all the options on a single screen right at the start, without having to click 'next', 'next', 'next', etc. to install Windows. Windows 7 has improved on this substantially, but there is still more than one screen, which is annoying. At the end of the installation it needs to boot into the desktop without any more prompts or messages.

    Users should have a choice of programs to include upon installing Windows too. Many would prefer to uncheck Internet Explorer and check one of the other mainline browsers, for a start.

    Dynamically boost user-access like Ubuntu (Linux) does would be nice (give a shortcut allowing the user to manually lower the access too), instead of the backward method Vista and Win7 use.

    This would be a big step in the right direction towards making the computer 'idiot proof'. As some have mentioned before, this is a big 'must', and security is the very first reason. There should also be a multi-level user access system - aka:
    1 - Administrator, full power.
    2 - Power user, can install any apps, from any source.
    3 - Apps user, can only install apps from a very tightly pre-defined controlled list, to prevent them from installing crapware.
    4 - Pseudo-guest, prevent all but the smallest of system changes; block access to most folders (including higher level documents folders) without a password. Include a 'guest documents' folder for these users to make use of. Of course the folders themselves should be completely interchangeable. If you want to allow or deny/block access to the 'Music' folder or even individual folders within, it should be possible to do so without installing 3rd party apps.

    If you are the tech guy and are assisting a friend who has 'apps user' access, you can temporarily boost your system privileges to power user or admin (with a password) to make system changes or access various 'blocked' folders, or even access 'blocked' applications. I'm aware that you can do some of this already with multiple user accounts, but it's not always practical to have more than one user account; this should be possible without the need for half a dozen separate accounts. "Keep it simple! yet fully featured."

    Example: you click a button and a message comes up, "You have chosen to temporarily modify your user access. You currently have Pseudo-guest access. Choose a level and time limit:"
    Apps user (recommended) | Power user | Administrator
    Time limit: 10 minutes (No drop down menu. This should be fully customizable.)
    Remove time limit and make permanent: [x]
    Enter password: [ ]

    Users would then be able to run on Pseudo-guest level almost permanently, only elevating their access when necessary. This could even completely negate the need to 'lock' the computer if you need to take a break, because anyone else attempting to make changes or access your data during your absence would be severely restricted.

    The 'Apps user' idea is a big step towards preventing 'newbies' from installing random toolbars or fake anti-viruses to mess up their own system.

    It would also most likely need to have dynamic encryption built-in. To explain, it should be possible to write to an encrypted folder without needing to first unlock the folder (write only) but in order to see the contents of the folder, you'd need to enter a password to boost user-access again.

    The ability to modify and create multiple custom user access levels would also be great. What if you decide you need access somewhere between the Pseudo-guest and Apps user levels? It should be possible for the user to add a new custom access level (requiring admin access to do so, of course).

    Files, folders, and applications would then be matched with various access levels. My Documents, for example:
    Write access:
    [x] Administrator
    [x] Power user
    [x] Apps user
    [x] Custom user level 1
    [x] Custom user level 2
    [x] Pseudo Guest

    Read access:
    [x] Administrator
    [x] Power user
    [x] Apps user
    [ ] Custom user level 1
    [ ] Custom user level 2
    [ ] Pseudo Guest

    Ultimately you'd have options for setting: Write access, read access, folder visibility (semi-read access), write protection (prevent over-writing files), etc.

    The blocked files/folders/apps would need to be encrypted, with your login password as the key, similar to how existing Windows encryption works (but perhaps you can take a few hints from TrueCrypt too).

    If the situation makes it unfeasible to use the login password to grant admin access (or any other heightened access), then separate passwords may be needed. Example: you have installed windows for and are assisting a friend who is not too computer savvy and who is prone to getting viruses, despite having decent protection. You don't want him to have admin or power user access, but you do want him to have apps user access. He should not, then, be able to use his password to grant himself admin access because that would negate the entire point of the exercise. You should be the only one with the admin and power user passwords.


    Also security related: Windows Firewall is in dire need of a function to block web addresses. Using the hosts file only allows you to block domains, which is very limiting, and forces many admins to install 3rd party firewalls or blockers. URLs (URIs by some standards) need to have blocking with wildcard functionality (* and ?), whitelists, blacklists, multi-level lists for overriding blacklists, AND, OR, NOT and XOR functions, etc. Making it possible to subscribe to multiple lists would be a good idea, with the option to check and uncheck auto-updating of specific lists from 3rd party sources. This would, for a large part, do away entirely with the need for adblock in a browser, as you'd be able to block ads straight from the firewall.


    Unrelated note on System Restore: With the advent of multi-terabyte hard drives, it is no longer feasible to base System Restore on percentages alone. 1% of 2 terabytes is 20 gigs, which is too much for many users. We need to be able to manually select a size, such as 3 gigs.

    Another unrelated suggestion: add support for Linux filesystems (so users can read files on Linux drives & partitions without having to reboot into Linux).

    Monday, December 5, 2011 4:55 PM

All replies

  • "Put all the options on a single screen right at the start, without having to click 'next', 'next', 'next', etc. to install windows."

    I agree with this. What is being suggested, essentially, is that Setup user input should be in a form format, not a wizard format. Wizards that result in users predictably clicking Next, Next, Next ... result in popup apathy, IMO. Popup apathy is a bad thing to encourage on UAC-enabled systems. I would like to see Metro app installs also use the form format. The initial install screen would have two buttons; [Install] and [Options]. Click/touching [Options] would open a fullscreen web form containing various install options. The [Install] button commences install immediately, with default options activated, and with no further user input required (or possible) - similar to using msiexec.exe with the /passive switch.


    "Users should have a choice of programs to include upon installing windows too. Many would prefer to uncheck Internet Explorer and check one of the other mainline browsers, for a start."

    One Setup option I would like to see included is to launch Windows Live Essentials web setup (wlsetup-web.exe). This might not be viable for MSFT to do for legal reasons (Antitrust, etc), but why not for OEMs (instead of some or all of their own crapware)? I'm not sure I want to see IE as optional until the other mainstream browsers support Protected Mode. Other browsers should not compete on a level playing field during Setup until they support their own implementation of this mode.


    "Dynamically boost user-access like Ubuntu (Linux) does would be nice (give a shortcut allowing the user to manually lower the access too), instead of the backward method Vista and Win7 use."

    My understanding is that this possibility was discussed during the development of Vista and decided against. Someone else might care to provide a relevant link.


    There should also be a multi-level user access system - aka:
    1 - Administrator, full power.
    2 - Power user, can install any apps, from any source.
    3 - Apps user, can only install apps from a very tightly pre-defined controlled list, to prevent them from installing crapware.
    4 - Pseudo-guest, prevent all but the smallest of system changes; block access to most folders (including higher level documents folders) without a password. Include a 'guest documents' folder for these users to make use of. Of course the folders themselves should be completely interchangeable. If you want to allow or deny/block access to the 'Music' folder or even individual folders within, it should be possible to do so without installing 3rd party apps.

    This is quite an elaborate scheme, and although I appreciate that you've thought this through, the easy criticism to make is that it would not be used wisely, even if the intentional usage was widely understood. Have you read the Mark Russinovich post The Power in Power Users? Having said that, I think the existing Guest account could be more widely used. Setup for the Home SKUs should offer to enable the Guest account and explain its benefits:

    Enabling the Guest account will allow your home visitors or casual users of this machine to access the internet in a secure manner, and without compromising the security of your own account, security credentials or personal files. Do you wish to enable the Guest account? [Yes] [No]


    My personal preference for adding some extra sophistication to the security of Windows is based on this simple bit of thinking:

    • Trustable software is almost always signed (except for some old stuff)
    • Malware is never signed (except by mistake)
    • Malware infects systems by accessing auto-start locations
    • Ergo, unsigned installers should not be allowed access to auto-start locations


    So what we really want is something like a subAdministrator - a user from a group that has most of the rights, privileges, and permissions of an Administrator, except that registry and file system writes to autorun locations are redirected to benign (non-autorun) locations. These locations would include:

    • HKLM|CU\Software\Microsoft\Windows\CurrentVersion\Run|Runonce|RunonceEx
    • HKLM|CU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    • HKLM\SYSTEM\CurrentControlSet\services 
    • "\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    • many others


    So for example a subAdministrator attempting to write to 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run' would be redirected to 'HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'. The mechanism for invoking a subAdministrator account would be the UAC setup/installer detection, where the install executable is unsigned or cannot be verified. If the user proceeds with elevation, they get an Administrator-like account but with the above limitations in place. The installation will appear to succeed, but autorun entries (if any) will not populate the expected locations. If this breaks some software, so be it. Alternatively, the user can choose to do a 'Full Elevation', via an option on the UAC dialog. This invokes the "Real McCoy" Administrator account (or equivalent), as would be the case if the install exe were legitimately signed. This configuration would be complex enough - you would presumably need to have tri-state security tokens - user/subAdministrator/Administrator. However, Joanna Rutkowska would probably agree with this idea, at least in concept. http://theinvisiblethings.blogspot.com/2007/02/running-vista-every-day.html


    "With the advent of multi-terabyte hard drives, it is no longer feasible to base System Restore on percentages alone. 1% of 2 terabytes is 20 gigs, which is too much for many users. We need to be able to manually select a size, such as 3 gigs."

    Rather than a space-based limit, I'd like to see an option to specify a maximum number of restore points. Example: 5. The SR service would then simply use the HD space it requires to create that many restore points. I'm inclined to think that all restore points should be based on specific events, and not on time intervals since last restore point creation. I know creating restore points at regular intervals is probably better from a security PoV, but I'm not sure if this helps users. How do they decide if a restore point created X hours ago is worth restoring to, compared to a restore point tied to an event like an app install? Also, I think SR, UAC and the 'Programs and Features' CPL should work together. If a user elevates for an unsigned installer executable, a restore point should be automatically created, regardless of the installer type. If the user later uninstalls this app via 'Programs and Features', and no other apps have since been installed, once uninstall is complete the 'Programs and Features' CPL should prompt the user:

    "There is a system restore point associated with the installation of the program 'Program Name', which was installed from an untrusted source on <date>. Do you wish to use this restore point to completely restore the system to its state just prior to installing the program? [Yes] [No] [Help]"

    To me, this would be an ideal way to use System Restore.


    • Edited by Drewfus Tuesday, December 27, 2011 12:29 PM
    Tuesday, December 27, 2011 8:25 AM
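    As an added example, not code from the thread or from Microsoft, the following read-only PowerShell audit walks the autorun locations Drewfus lists (the Run/RunOnce keys, Policies\Explorer\Run, Winlogon\Userinit and the Startup folders) and reports every entry whose target is not Authenticode-signed, which is the check his "unsigned code should not reach auto-start locations" reasoning implies. It assumes Windows PowerShell 5.1 or later; RunOnceEx (numbered subkeys) and the services key are not covered.

```powershell
# Added example, not from the thread: read-only audit of the autorun locations
# listed above, flagging entries whose target is not Authenticode-signed.
# Assumes Windows PowerShell 5.1+; RunOnceEx (numbered subkeys) and services are not covered.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Pull the executable out of a Run-style command line: a quoted path, or the
# first whitespace-delimited token (an unquoted path containing spaces is truncated).
function Get-ExecutablePath([string]$CommandLine) {
    if ($CommandLine -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    elseif ($CommandLine -match '^\s*(\S+)') { $exe = $Matches[1] }
    else { return $null }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not registry values
            [pscustomobject]@{ Location = $key; Name = $p.Name; Target = Get-ExecutablePath ([string]$p.Value) }
        }
    }
    # Winlogon\Userinit is a comma-separated list; anything besides userinit.exe deserves a look
    $userinit = (Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon').Userinit
    foreach ($exe in ($userinit -split ',' | Where-Object { $_.Trim() })) {
        [pscustomobject]@{ Location = 'Winlogon'; Name = 'Userinit'; Target = Get-ExecutablePath $exe }
    }
    # Per-user and all-users Startup folders; .lnk shortcuts are resolved to their targets
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        foreach ($f in (Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue)) {
            $target = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
            [pscustomobject]@{ Location = $folder; Name = $f.Name; Target = $target }
        }
    }
}

# Attach the Authenticode status (Valid, NotSigned, HashMismatch, ...) and list everything that is not Valid
Get-AutorunEntries | ForEach-Object {
    $status = 'TargetNotFound'
    if ($_.Target -and (Test-Path -LiteralPath $_.Target)) {
        $status = (Get-AuthenticodeSignature -FilePath $_.Target).Status
    }
    $_ | Add-Member -NotePropertyName Signature -NotePropertyValue $status -PassThru
} | Where-Object { $_.Signature -ne 'Valid' } | Format-Table Location, Name, Target, Signature -AutoSize
```

    A 'NotSigned' row is exactly the case the post wants to keep out of these locations; 'TargetNotFound' rows are stale entries whose binary has been removed and are worth cleaning up as well.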
  • "The mechanism for invoking a subAdministrator account would be the UAC setup/installer detection, where the install executable is unsigned or cannot be verified. If the user proceeds with [partial] elevation, they get an Administrator-like account but with the above limitations in place. The installation will appear to succeed, but autorun entries (if any) will not populate the expected locations. If this breaks some software, so be it."

    Rather than simply breaking some software, an alternative for the user would be to install with partial elevation (subAdministrators token), and then if the program failed to execute properly, run a repair - this time by invoking full elevation (to Administrators token). This assumes an MSI install type. This process would obviously be more convoluted than simply installing as a full Administrator in the first place, but it at least gives the user the opportunity to install under a user with reduced permissions (relative to the Administrators group), and then take the chance with the non-degraded Admin token if necessary. The choice is with the end user and the existence of the subAdmin account gives a closer approximation to the Principle of Least Privilege. Compare this to the stark either/or choice users currently face, which Joanna Rutkowska described perfectly:

    "One thing that I found particularly annoying though, is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges. So, when you try to run such a program, you get a UAC prompt and you have only two choices: either to agree to run this application as administrator or to disallow running it at all. That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it not only full access to all your file system and registry, but also allowing e.g. to load kernel drivers! Why Tetris installer should be allowed to load kernel drivers?" Running Vista Every Day!

    Two full releases later and the situation has not changed!


    "Also, i think SR, UAC and the 'Programs and Features' CPL should work together."

    Add the registered Antivirus program to the list. An option to AV scan the installer should be added to the Unknown Publisher (unsigned code) UAC dialog. Until the user invokes the scan, the default behavior should be to grey out the 'Full Elevation' button, and leave it disabled if the AV scan returns a positive result (that is, if malware is detected). If the user does not have AV software installed, they cannot get full elevation on unsigned code, unless this default behavior is disabled via Group Policy.


    Thursday, December 29, 2011 10:18 AM
  • The problem with "elevate me for X minutes" type options, is that they're fundamentally flawed. In Windows and Linux, permissions are assigned to a process at creation time and can't be changed subsequently (and attempting to allow that would break things even further). So what actually ends up happening is that after the X minutes are up, anything you launched during that time continues to run with elevated permissions. It's not difficult to potentially write a malicious app that sits around in the background waiting for a period of elevated rights and then exploiting that to launch an executable that gains full control over the computer, something which can't really be accomplished with the UAC model.

    As for Power User type accounts, they existed for a long time in NT and were equally problematic. The main issue being that developers either wrote applications that run as a standard user, or wrote them such that they required full administrative access. Expecting developers to do any different is probably a fool's errand. It's a similar situation if you start trying to create "custom" permission levels, which you theoretically could do with Windows today, because they simply won't be usable in any real world way.

    Thursday, December 29, 2011 5:32 PM