Most people who complain about Vista don't know what they're talking about

Published: 03/25/2009

I didn't really play with Windows Vista until it was released to the business side at the end of 2006. When the beta was out for it, I didn't pay any attention since I was too busy with other priorities. But once it was official, I was tasked with figuring out its differences from XP and how it would affect the software developed by the company I work for. I essentially spent an entire quarter reviewing the OS (mainly Enterprise edition), as well as reading Mark Minasi's book Administering Windows Vista Security: The Big Surprises. I feel this was the best Vista book out there at the time, period. All the other so-called "bibles" went into the same 'ol, same 'ol about how to use the new GUI, how to use mail, how to use the browser... You know, irrelevant crap. Mark's book went right on the money discussing the real underlying differences in the OS.

I'll always be a Windows admin first before a Linux / BSD / network guy. It's where I started from (if you exclude DOS). And having administered Windows systems for a while now with a long list of personal complaints about the platform in general, many of the features within Vista were welcome news for me. This is why when I started reading user feedback on blogs, forums, and from friends regarding Vista, I started realizing just how many so-called experienced Windows folks have little clue how an operating system works, let alone about security architecture and how Microsoft is playing the market.

First of all, UAC is a good thing. It's looooong overdue. It's not as flexible as sudo, per se, but it's about time. Integrity levels are another good thing, even though the concept of a mandatory access control system isn't new either (SELinux is probably a common current-day equivalent). File and registry virtualization is an interesting stop-gap idea, primarily so "poorly-written" applications don't immediately break. I remember Microsoft claiming that Vista would be the only OS to ever support this and going forward this feature would be removed. Well, I guess it takes time to revamp apps to not write into protected directories and HKLM because lo and behold this feature is still in Windows 7 (the beta, at least).

Seriously, I talked to people about UAC and it started occurring to me that admins have no clue what a security token is. UAC is more than just an annoying prompt, folks... You need to read up on what a split token is. And most people still run as an administrator, even though they're in Admin Approval mode. When I started using Vista in my lab, I had a straight Standard User (Microsoft apparently renamed the "Restricted User" term so it didn't sound so, well, restricted) account which meant that whenever UAC prompted me, I had a credential dialog for elevation, not a consent prompt where I could simply hit Continue. Admins are so lazy sometimes. Apparently, a lot of people missed the memo about process - security token impersonation. Every process runs in the context of a security principal, folks. Try doing a whoami /all within a regular Command Prompt vs. an elevated one and see what you get when you're running with an account that's a member of the Administrators group.
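The comparison suggested above can be condensed into a short PowerShell summary of the current token; this is an added example, not part of the original post. It assumes an English-language system (the attribute text it matches is localized) and uses the well-known SIDs for BUILTIN\Administrators and the mandatory integrity labels.

```powershell
# Added example: summarize the current process token from `whoami /groups`.
# /fo csv /nh drops the (localized) header row so the columns can be named here.
$groups = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, SID, Attributes

# BUILTIN\Administrators always has this well-known SID.
$admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }

# The integrity level appears as a "group" whose SID starts with S-1-16-.
$label = $groups | Where-Object { $_.SID -like 'S-1-16-*' } |
    Select-Object -First 1

$integrity = switch ($label.SID) {
    'S-1-16-4096'  { 'Low' }
    'S-1-16-8192'  { 'Medium' }
    'S-1-16-12288' { 'High' }
    'S-1-16-16384' { 'System' }
    default        { "Other ($($label.SID))" }
}

# Assumption: English attribute text. In the filtered half of a split token the
# Administrators SID is still listed, but only for matching deny ACEs.
$adminState = if (-not $admins) {
    'not a member'
} elseif ($admins.Attributes -match 'deny only') {
    'present, deny-only (filtered token)'
} else {
    'present and enabled (full token)'
}

[pscustomobject]@{
    User           = whoami
    IntegrityLevel = $integrity
    Administrators = $adminState
}
```

Run it once from a regular prompt and once from an elevated one under the same Administrators-group account: the user name is identical in both, while the integrity level and the state of the Administrators group differ.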

Quite frankly, users aren't qualified to make risk assessments and well-informed decisions on-the-fly when they're involved with an operating environment and its interactions with a public network. That's what least-privilege is for. Every *nix out there uses it, including OS X. This isn't new.

Aside from UAC, most people look at Vista as a GUI upgrade. Same thing with Windows 7 - all the media attention is on the GUI. Seriously, folks, there's an architecture difference here. Do you know what Secure Desktop is? Do you know that you can see whether virtualization is "running" for a particular folder or within Task Manager? Do you know what icacls.exe is? How about credential providers and the lack of a GINA in Vista? What about the new netsh contexts that don't exist within XP? I'll bet the vast majority of folks whining over Vista have no clue what these are. It's these same folks who will run a browser, scripting enabled and all, and complain when their anti-virus fails to stop something that seems to be causing interference on their desktop. Seriously - AV is not a security-catch-all; it's just one shield of defense.

We all know that Microsoft wanted to give a wake-up call to all the application developers out there to start adopting coding best practices so they had to shock the world with the new by-default restrictions which really should have been there since Day One when NT 4.0 was released. Nobody should be running as an admin, not even Domain Admins on their own machine. We humans make far too many mistakes without realizing it. That's why RunAs exists. But if you think this is really annoying for us consumers, you should realize that Microsoft these days probably doesn't care about the consumer market as much as the enterprise market. If you look beyond their Microsoft Live and academic license offerings, you'll see products like Exchange, Internet Security and Acceleration, SharePoint, SQL Server, Forefront, etc. Selling to and supporting a bunch of individual users is tough. Selling an Enterprise Agreement license for a few thousand seats to a large organization with dependencies on Active Directory, Exchange, Office, etc. in a pure Microsoft shop is probably a lot easier and perhaps more lucrative.

Microsoft shot themselves in the foot a long time ago without realizing it when they gave everyone admin privileges by default out of the box. Baaaad move, and certainly set in stone a lot of default expectations for the users, giving them complete access and freedom to do whatever they want in the operating environment as they pleased without providing any guidance on what the potential consequences would be.



