June 25, 2004

Microsoft, You’re not setting a very good example. I am disappointed.

I know I am going to get myself in trouble for this... and will probably be banned from the Microsoft campus, but I saw a post by a Microsoft employee and felt compelled to respond.

I am taking Aaron Margosis to task and following his suggestion. In his post he says:

Customers: if you see any MS sales, MCS, Premier, PSS, etc., doing web or email as admin, please tell them, “You’re not setting a very good example. I am disappointed.”

How about PowerPoint? How about Word? How about demos of stuff not needing to be run as admin? How about running a remote desktop? I saw all of these when I was at Microsoft.

When I was walking through the trustworthy computer fest last week at Microsoft I stopped at NINE machines that Microsoft employees were using, and all nine were logged on as administrator. 9 for 9 were NOT running with least privilege. But that's not the frustrating part. This was a SECURITY RELATED computer fest. You would think that this crowd would be much more aware and focused on such things.

Combine that and the recent fact I found out that in the latest RC of XP SP2 you no longer can use "runas" on your Windows Update right out of the box... and I see serious problems on the Microsoft campus. It seems many don't wish to eat their own dog food.

Microsoft, You’re not setting a very good example. And I am disappointed.

Posted by SilverStr at June 25, 2004 03:30 PM

If they were running self-contained demos, it might be possible. I'd like to see you catch "nine of nine" in production doing that. It's one thing to get caught last-minute and told "go set up this booth" with very little or no preparation. It's another to take an enterprise system to task.

Maybe you should do some more homework before you run off at the mouth.

Posted by: ThePro at June 27, 2004 08:54 PM

Pardon me?

Either you use least privilege or you don't. The fact that the latest RC of SP2 does not allow you to use runas out of the box for Windows Update shows that no one tried, or they decided not to increase the trust zone for their own update servers.

Either way it's bad practice in both principle and use.

This isn't running my mouth. It's stating facts. Facts Aaron wanted us to talk about. Being that a few of the machines I was looking at were on the networked backbone, I consider this as close to 'production' as you can get.

There is no reason, production or not, to run Word or PowerPoint as Administrator. Perhaps you might consider reading some of my other entries on least privilege, doing your own homework to understand where I am coming from before worrying about if I did my own homework.

You might want to start by reading my "8 Rules of Information Security" (http://silverstr.ufies.org/blog/archives/000468.html). Rules 1 and 5 are of particular interest here.

Posted by: SilverStr at June 27, 2004 09:13 PM

Naw, I have other things to worry about. Educating the likes of you on what applications require and the methodology of certain people is wholly out of my remit.

Why don't *you* see what *you* can do before you start trying to say those people at Microsoft are getting things wrong. Funny how it's so easy to be on the couch, but the guy that has to get out there and do the job has a different "perspective"...

I also don't pay attention to anyone that has to link to their own book, their own "rules" or whatever. If you have a point to make, do so succinctly without requiring someone to go read the book of n00b by SilverStr..

Posted by: ThePro at June 27, 2004 10:17 PM

I also want to add *I* don't work at Microsoft, but I know people that do. I just get sick and tired of everyone bashing Microsoft for this and that and the REAL cause of their problems is mostly themselves. Sure, MS could do a better job of the things they can control, but they do not control the people/process elements outside the corporate boundaries of their own company. i.e., the most secure software can be implemented in a way that makes it insecure. Ask any "Linux" bigot how secure they are with the hundreds of patches that have to be applied to some distros just to stay up and not get 0wn3d.

Posted by: ThePro at June 27, 2004 11:42 PM

I'm sorry, but if you're so arrogant that you think you don't need to read what Dana wrote before you start rambling off, then you have indeed said enough.
If you don't understand the concept of least privilege and why it's imperative to be used, well, then just keep out of this discussion.

Dana isn't "Bashing Microsoft", he's kicking their behinds because they don't practice what they preach. And that is a just cause.

Posted by: Axel at June 28, 2004 12:16 AM

Completely agree with your comments Dana. I've seen the same thing at many presentations given by Microsoft folks as well.

Oh, for "ThePro", while I do agree with your sentiments that "..most secure software can be implemented in a way that makes it insecure", implying that Dana is a "Microsoft Basher" is a bit ridiculous considering all of his community participation on the subject of secure coding on the windows platform.

Back off on that Kool-Aid a bit mate. While Microsoft has put Security front and center and is doing a much better job of putting out more Secure-by-Default products, their people still need to be out there practicing what they preach, which is not the case in this particular instance.

Posted by: Anil John at June 28, 2004 08:13 AM

thePro: riiiiiiiiight. Ok. Dana IS practicing what he preaches. Are you saying it's OK that they run as administrator because they are BUSY? What about patching their servers or computers?

Dana: As an aside, did you happen to see if the MS machines were local admins during your EDT demo?

Posted by: Scott at June 28, 2004 10:28 AM

What doesn't work with Windows Update? I just run IE from my admin account and go to the WU website... works like a charm. I've never actually used the WU application.

Posted by: Peter Torr at June 28, 2004 11:17 AM

Windows Update works great for me as an Administrator. The problem I have occurs when I try as a normal user to right click Windows Update, select runas, choose the credentials of the Administrator account and then try to update. Every time I try to do an update it fails. However, if I log on as an Administrator and do it... it works fine. Before SP2 this never was the case.

Posted by: SilverStr at June 28, 2004 12:39 PM

I'm also failing to repro your WU issue. I'm a normal User, using SP2-RC2. I click Start/All Programs, right-click on Windows Update, enter local admin credentials, and IE (running as local admin) goes to the Windows Update site and checks for updates. Do you get that far? (I didn't go farther because there aren't any updates I need to install.)

Posted by: Aaron Margosis at June 28, 2004 01:06 PM

Yes, I can get that far. After that select "Custom Install" and select a few components (I just confirmed on two different machines that I can't install Microsoft Journal... an optional component). After the download occurs, it ends with "Updates were unable to be successfully installed".

Originally after installing SP2 I couldn't even get this far. Originally it failed to actually launch the update service until I added *.windowsupdate.microsoft.com to the trusted sites. Now I notice when it loads it uses an "Unknown zone" and seems to work. This is newer behavior than I was having last week when I first installed it. I am guessing either an update changed this, or some external setting which I am not yet aware of. I now note that I can remove the *.windowsupdate.microsoft.com entry from the trusted hosts... and it still connects fine. Weirdness.

Posted by: SilverStr at June 28, 2004 01:17 PM