Jonathan Hardwick : Security

Aaaaand, we're back

jonathanh — Tue, 24 Jan 2006 10:21:00 GMT

I’ll be making lots of updates to the nonadmin wiki this week. Yesterday it was three months’ worth of press articles about running as a non-administrator, and today it’s two webcasts and two whitepapers for the other resources page*.

This is also a way of tricking myself into breaking a month-long backlog of blog topics. When you’ve got so much to choose from that all your energy goes into deciding why you shouldn’t blog a particular topic first… it’s probably easier just to do it.

*The update includes a new authoritative white paper about how to start using least-privilege user accounts – so if you’re only going to read one document about LUA, download this.

More press coverage of NOT running as an administrator

jonathanh — Fri, 24 Jun 2005 09:38:00 GMT

Ryan Naraine has written a nice article for eWeek about non-admin security in XP. He notes that Microsoft will be promoting Least-privileged User Accounts heavily in Longhorn, but that you can enjoy their added security right now – if you know where to look in Windows!

The article includes commentary from security guru Michael Howard about the problems of user education, and a link to my own nonadmin wiki, where we’ve been gathering tips and best practices for the whole community to use. Most of which came from Aaron Margosis, of course :)

Ryan emailed me for comments when he was writing the article, but I bowed out when I heard that he already had Michael’s feedback – Michael is a trained security spokesman, and I definitely am not. So kudos to Ryan for doing a good job of keeping all the information in the article, but me out of it. Definitely a pleasant encounter with the press.

Mary Jo Foley picked up on the story over at Microsoft Watch (“No Need to Wait for Longhorn for LUA”), but in summarizing things for our ADD-prone world, she simplifies a little too far:

The company is making available new tools on a Wiki aimed at Windows users to try to help increase awareness.

The tools aren’t new, the wiki has nothing to do with Microsoft (especially since it's powered by Linux), and I’m not aware of any official effort to raise awareness, but apart from that the sentence is accurate :)

Oh, and thanks to everyone who noticed! Including Jack Richins, J. Daniel Smith, Peter Provost, and Kirby Turner.

Category: Security

Great things are afoot over at Channel 9

jonathanh — Wed, 08 Jun 2005 08:51:00 GMT

Another vital resource has sprung up fully-formed on Channel 9 – the Patterns and Practices Security Wiki (yes, this is yet another Microsoft wiki). Whether you need to deploy a secure ASP.NET 2.0 application right now, or just have a vague wish to learn some better secure coding practices, bookmark the site. Here’s why:

The people behind it have lots of experience in the area, and have made it as simple as possible to get started, with an emphasis on concrete checklists and how-tos.
Ward Cunningham has given it a once-over – if you don’t know who he is, watch the Channel 9 video of Ward discussing how he invented wikis…
As Anil John says, it’s going to be a “living, working resource”, where the original authors can learn as much from new contributors as vice versa. Or as Bill Brown puts it, “It promises to be updated more regularly than the great Patterns and Practices books on the subject” :)
Shortly to be linked to from http://msdn.microsoft.com/security, thanks to Brian Johnson (gee, ya think that’ll drive some traffic?)

It’s also been fun watching it gradually take shape over the past few days, via the “Recent Changes” page on the Channel 9 wiki. Whoever user appleberry9 is, they sure put in a lot of late-night work!

Lots of LUA links

jonathanh — Thu, 19 May 2005 21:33:00 GMT

[I originally posted this two weeks ago, but it got lost when they had to roll back the servers, and it doesn't look like the original is coming back anytime soon]

I’ve added a bunch of new links to the non-admin wiki, taken from various blog posts over the past month. Thanks to one and all!

“Longhorn LUA Links” from Andy Allred
“Windows admins, give up your privs!” by bryan — includes some good advice on detecting and fixing programs that break the two most common post-install rules of LUA*
“Tools 2 Use – Do you LUA?” from tonyso — with three TechNet Webcasts about securing your desktop against phishers, spammers, scammers, and other malicious software (this is also the first time I’ve seen the help address lua-qa@microsoft.com mentioned)
“I flattened a box tonight” by Susan Bradley — from now on her kids are going to run as LUA (via Daniele Muscetta)
“Security Enhancements in the .NET Framework 2.0” by Keith Brown — describes a new programmatic equivalent of RunAs in managed code (via G. Andrew Duthie)
“TechEd: Non-Admin Development BOF” by Robert Hurlbut — if you’re going to Tech-Ed 2005, make sure to attend this Birds of a Feather Session! (also via G. Andrew Duthie)
“Non administrator: running with least privilege” from Jeremy Mazner

Of course, if you’re subscribed to the wiki’s non-admin RSS feed, you already know this :)

* Don't write to %systemdrive%/Program Files or %windir%, and don’t write to HKEY_LOCAL_MACHINE

Refresh build of Microsoft Windows AntiSpyware beta

jonathanh — Thu, 17 Feb 2005 11:55:00 GMT

Microsoft’s antispyware team made version 1.0.509 available for download a couple of hours ago. You can use Help > About to see what you’re currently running, but unless you’re another Microsoftie with the latest internal bits, you probably don’t have this one yet :-)

The only time I notice I’m running it is when it warns me about the latest piece of facehuggerware trying to install some autorun entry. Ahhh, Apple Quicktime, what would we do without you?

Anyway, two thumbs up. Get it while it’s hot:

http://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en

How to run as a non-administrator - announcing a new community site

jonathanh — Sat, 05 Feb 2005 03:22:00 GMT

I’ve set up a new community web site at http://nonadmin.editme.com. It’s a place where anyone can share their experiences with running as a non-administrator in Windows – the good (tips, tools, and help for using a limited-user account), the bad (programs that won’t even install, let alone run, unless you’re administrator), and the ugly (workarounds and kludges). Here’s my quick attempt at a FAQ:

Why should you care?

Because running as administrator (which is unfortunately the Windows default) can be a serious security hole. If you use a limited-user account instead you’ll really reduce your computer’s “attack surface”. And if you set up your parents’ PC that way, you’ll really reduce your tech-support visits too!

Why bother bookmarking a new site?

Because while there’s lots of great information on the net about how to run as a non-administrator, there’s no single site that puts it all into one easy-to-find place.

Why is it a community site?

Because I’m lazy, and because other people are much smarter at this security stuff than I am! I can’t keep track of all the neat work going on in the community, but I do want to learn about it from the experts. If anyone can add their expertise and experience, we all benefit. A good example of another community site is the Windows Update Services wiki.

What’s already there?

I’ve added content and pointers from several bloggers, including Aaron Margosis, Brad Wilson, Eric Jarvi, Eugene Siu, G. Andrew Duthie, Jenni Merrifield, John Howard, Keith Brown, and Mike Smith-Lonergan. Please add more!

What about developers?

Don’t worry, there’s a section just for you. Learning to write applications that Just Work under a non-administrator account is already a requirement for getting a Windows logo, and it’s going to be even more important under Longhorn.

What’s all this talk about a wiki?

Shhhh… you weren’t supposed to notice! The folks at http://www.editme.com have done a great job at putting a user-friendly front-end on top of their wiki software, including a WYSIWYG editing control. If that is too much for you, you can just leave blog-style comments. Different strokes for different folks.

Didn’t Robert Scoble already blog this?

Yup – I sent out a “sneak peek” email last night, and he blogged it within 45 minutes! I had been planning to get more input from the experts over the weekend before announcing the site next Monday, but now that the secret’s out…

Reporting false positives from Microsoft Windows Antispyware

jonathanh — Fri, 07 Jan 2005 10:16:00 GMT

One thing I forgot to mention in my previous post is what to do when the Microsoft anti-spyware tool incorrectly reports something as being adware or spyware.

If you’re just trying to get on with your work, and you’re certain that the file really is innocent, you can tell the tool to always ignore it. If you also want to help out the Microsoft anti-spyware team, try checking microsoft.private.security.spyware.signatures – other people might have already seen the problem, or yours could be the first report!

If you’re a vendor of a program that is being flagged as adware or spyware, and you think this decision is wrong, then fill out http://www.spynet.com/vendors.aspx. You can also find the criteria being used at http://www.spynet.com/info_spywarecriteria.aspx. Looks like there’s been no change of domain name or policy from GIANT’s original SpyNet infrastructure :-)

Microsoft anti-virus software to complement today's beta of an anti-spyware tool

jonathanh — Fri, 07 Jan 2005 08:49:00 GMT

[Update for people finding this post through web searches: the anti-virus tool has been released as the Microsoft Windows Malicious Software Removal Tool (KB890830). You can use that link to download it directly, but really you should be using Windows Update so that you get an automatic update to the tool every month!]

In case you were hiding under a rock today, Microsoft released a beta of an anti-spyware tool based on the GIANT AntiSpyware codebase*. What seems to have been lost in all the general noise** is the other announcement, the one about our promise of regularly updated virus-removal tools. Rod Trent is the only guy I read who’s noticed the press release:

The new Microsoft Windows malicious software removal tool consolidates [our existing removal tools for Blaster, MyDoom, and Download.Ject] into a single solution. The tool will be updated on the second Tuesday of each month as part of Microsoft's monthly software security update process to respond to new viruses, worms and variants.

The Microsoft Windows malicious software removal tool will be offered in the following ways:

As a high-priority update through Windows Update and Auto Update.
Through a simple, online interface.
For larger corporate customers, a download through the Microsoft Download Center.

Summarizing the rest of the press release:

It’s free
The first release will be next Tuesday

Oh, and the anti-spyware beta is well worth checking out – I’ve been running it for a couple of weeks. There are still plenty of fit-and-finish issues (I’ve submitted half a dozen bugs, mostly related to non-standard Windows controls and some bits that weren’t rebranded), but the core functionality is all there. Grab it from the official Microsoft Windows AntiSpyware page, where you can also find a FAQ, a list of Known Issues with the beta, and pointers to (shock horror!) newsgroups where you can get support.

*Well, technically it hit the servers last night, and several enterprising folks found the bits before the “official” news release at 9 a.m. this morning. Ahhh, what would we do without rabid fanboys? :-)

**I believe Michael Swanson was the first on blogs.msdn.com to post about it, and gives an excellent summary of the anti-spyware tool.