[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: WinXP registry security
Dan Fleischer <dan.fleischer@banktr.com> wrote:
> I have a question re: windows xp registry security best
> practices.
> For background we're running:
> 1. samba-ldap backend
> 2. everyone runs with user or power user rights as needed
> by their job's software requirements
This in itself is an excellent achivement. Yes, "Power User"
gives all sorts of rights users shouldn't have, but without
it, 90% of Windows software today wouldn't run (not even
looking at the ones that require "Administrator").
> 3. OpenOffice installed on all PC's, MS Office installed
> only where required for 3rd party compatibility
> Here's the scenario:
> At the request of one of our departments I've installed
> some trial software on one of our PC's running WinXP fully
> patched. It is a stand-alone application which never
accesses
> network resources except for printing and package updates.
> The software required the installation of a Microsoft
> Access 2000 runtime and the .net framework as well.
Danger Will Robinson!
I've had my fill of MS Access-based solutions and they are
almost entirely _crap_. If a vendor cannot provide a _good_
design with at least MSDE (which has its own issues) or MS
SQL (let alone a _real_ "enterprise" SQL), then you're
getting some _kludge_ software that _will_ be a _nightmare_
to administer.
> The most disturbing aspect of this process was that I had
> to give this individual 'Full Control' permissions on the
> software's keys in the registry which are actually in
> HK_LOCAL_MACHINE\SOFTWARE\...
You're lucky it's not any worse. Most vertical application
software in the MS Access 8.0 (97) days _required_ you to
give "Administrative" level system-wide. But yes, most
vertical apps based on MS Access 9.0 (2000) have steep system
access requirements.
I would make it a point to the vendor that they need to
develop a _corporate-ready_ piece of software, and not such a
kludge. I was at a small company and fought left and right
to spend 60% more on a _real_ ERP software package, and lost
because the alleged Access-based solution was "cheaper." We
ended up spending a lot of time fixing and dealing with other
solutions, let alone add-ons, that ended up costing 200%
more.
> This is not the way I was raised. I thought that non-admin
> windows users should never have access to anything outside
> HKLM\CURRENT_USER .
Welcome to the world of kludgy MS Access-based solutions.
> Any comments? Can anyone cite security papers on the
> topic?
Forget even security, you're going to be fixing the tables
and DBs regularly -- let alone have other support issues.
--
Bryan J. Smith Professional, Technical Annoyance b.j.smith@ieee.org http://thebs413.blogspot.com
----------------------------------------------------
*** Speed doesn't kill, difference in speed does ***
-
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.