Wednesday, May 25, 2005

CCS User Group Presentation

I gave my little talk to a small group from the CCS downtown chapter last night, after two days of intensive training on SQL Server 2005. The audience was a mix of technically advanced and novice users, so I started by explaining something about how security works in Windows, then went on to discuss how you should lock down your WinXP box. We ended up spending so much time on the security settings for Internet Explorer that I had very little time to show the techniques I have used for running as Non-Admin (LUA), but I encouraged folks to check out my references here and offered to answer any questions posted in the comments.

Norbert suggested that I write up the steps I recommend for securing a new PC. That is something I have been thinking of and will start to do in posts here.

Guy G. brought up a number of interesting points. When I was demonstrating the Internet Zone settings, I complained that there should be some intermediate zones between the untrusted Internet zone and Trusted Sites. He said there are. In the past I had looked into this briefly, but now a Google search turns up some remarks suggesting this is possible. So I will look into it and post more details.

When I urged all users to track and apply patches/updates from Microsoft, that seemed to provoke a lot of comment and resistance. I asked who had installed XP Service Pack 2; several people said it breaks lots of apps, but couldn't say which. Microsoft has posted a list of programs that are known to experience a loss of functionality when they run on a Windows XP Service Pack 2-based computer. Much of that breakage comes from the Windows Firewall, which SP2 turns on by default: programs that accept inbound connections need a firewall exception before they work again. I emphasized that you should install it if you run IE and other Internet-connected apps, and suggested that MS now patches most known defects before they are widely exploited. At that point Guy and others spoke up to state that MS has not responded to a lot of posted vulnerabilities. I see that the Secunia - Stay Secure site indicates a number of unpatched advisories. I don't know anything about that site - it just was linked from some blog postings.

I was doing the demos on WinXP Home and Guy mentioned some problems he has had with it. He asked whether you can create local groups, and the answer is yes. While XP Home does not let you use the Local Users and Groups snap-in (lusrmgr.msc) that XP Professional has, you can do it at the command line, from an account that is a member of Administrators, as follows:

REM create a new local group
NET LOCALGROUP MyTestGroup /ADD
REM add an existing local user to the group
NET LOCALGROUP MyTestGroup SomeExistingUserName /ADD
REM show the members of the group
NET LOCALGROUP MyTestGroup

On another theme, it was good to see some folks from my old Programming SIG at CCS - specifically Allen Kapusta and Pat Kennedy, and Tim Mill-Groninger of the ITRC, which hosted us.

[Added July 25]
Allen Kapusta asked for the exact command lines for launching IE that I rushed through at the end of the presentation when time ran out. Here are two options.

First, a batch/cmd file that launches IE from a command window. Open that command window under different (limited) credentials, for example with Run As, and IE inherits them. I put this line in a file called "LaunchIE.CMD":

REM the first quoted argument to START is the window title; it must be present when the program path is quoted
Start "" "C:\Program Files\Internet Explorer\iexplore.exe"

Alternatively, if you are running as Admin or another privileged user, you can use the DropMyRights utility (by Michael Howard) to run IE (or another program) under your own account but with a restricted token, from which the Administrators group and the elevated privileges have been removed, using a shortcut such as the following.

C:\utils\DropMyRights.exe "C:\Program Files\Internet Explorer\iexplore.exe"
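As an added example (not from the original post), here is a single LaunchIE.cmd that ties the two pieces above together: the NET USER/NET LOCALGROUP commands from the XP Home discussion set up a dedicated limited account, and runas then starts IE under it. The account name WebUser and the use of runas (instead of a separately opened command window) are my assumptions; the IE path is the one from the post.

```batch
@echo off
setlocal
REM Added example, not part of the original post.
REM Assumptions (not from the post): the account name WebUser, and that the
REM Secondary Logon service (which runas depends on) is running, as it is by default on XP.

set ACCOUNT=WebUser
set IEPATH=C:\Program Files\Internet Explorer\iexplore.exe

IF /I "%~1"=="setup" GOTO setup

REM ---- Normal run: start IE under the limited account ----
IF NOT EXIST "%IEPATH%" (
    echo Cannot find "%IEPATH%"
    exit /b 1
)
REM A path with spaces must be quoted inside runas's command argument;
REM the embedded quotes are escaped as \"
runas /user:%COMPUTERNAME%\%ACCOUNT% "\"%IEPATH%\""
exit /b %ERRORLEVEL%

:setup
REM ---- One-time setup; run this from an account in the Administrators group ----
NET USER %ACCOUNT% >nul 2>&1
IF ERRORLEVEL 1 (
    echo Creating local account %ACCOUNT%. Give it a non-blank password:
    echo by default XP refuses runas logons for accounts with blank passwords.
    NET USER %ACCOUNT% * /ADD
    IF ERRORLEVEL 1 exit /b 1
)
REM Make sure the account is a plain user, not an administrator.
NET LOCALGROUP Administrators %ACCOUNT% /DELETE >nul 2>&1
NET LOCALGROUP Users %ACCOUNT% /ADD >nul 2>&1
echo Current membership of Administrators:
NET LOCALGROUP Administrators
echo Setup complete. Run %~nx0 without arguments to start IE as %ACCOUNT%.
exit /b 0
```

Run "LaunchIE.cmd setup" once from an administrative account, then use a desktop shortcut to LaunchIE.cmd for everyday browsing. The trade-off against DropMyRights: IE started with runas gets the WebUser profile, so favorites and downloads land under that account's Documents and Settings folder, whereas DropMyRights keeps your own profile and only strips the Administrators SID and privileges from the token.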


Blogger Allan Wolff said...

Guy had another comment. He said he has a user whom he does not want to have Admin rights, who must do a certain task which requires them. To do that he uses a little command line utility which holds the Admin logon in encrypted form and passes it unencrypted to the target program when run. He creates a shortcut on the desktop for his user. That sounds like a pretty neat solution. Another possibility would be to find what additional privilege is needed for the task in question and add that to the user in question. That approach has been taken to the common task of opening the clock/calendar in the Windows system tray.

1:53 PM  
Blogger Allan Wolff said...

Guy also had yet another issue related to limits on the number of concurrent inbound connections to a WinXP workstation. He has a client with a small network using a XP-Prof box as a file server. He indicated that the limit of 10 inbound connections was causing a number of problems. I noticed this statement in MSKB#314882:
"All logical drive, logical printer, and transport level connections combined from a single computer are considered to be one session; therefore, these connections only count as one connection in the ten-connection limit. ... The only way system A will have multiple sessions to another system, system Z, is if system A is running services that create logical connections to system Z." I don't know if that is accurate, but if so, perhaps he can investigate the accounts under which the user processes are running and combine them to keep the connection count down.

8:59 AM  
Blogger Guy said...

Here is a link to that dilly:

CPAU - Create process as another user


4:40 PM  
Blogger Allan Wolff said...

Great link, Guy. is a good site, with interesting tools. Thanks.

7:31 AM  
Blogger Allan Wolff said...

SP2 for WindowsXP:
Here is a post discussing problems Paul Thurrott had with SP2 -

2:16 PM  
Blogger Allan Wolff said...

I just got an email from Allen Kapusta [spelled correctly] detailing the notes he took on my presentation. They are pretty detailed. He asked for exact command lines for launching IE. I will add them to the post itself.

10:06 AM  
