Differentiating ReactOS security from Windows security


gordonf
Posts: 17
Joined: Mon Jun 04, 2007 8:06 am

Differentiating ReactOS security from Windows security

Post by gordonf »

I read the UserSecurity article in the Wiki. It seems to tell a story about differentiating ReactOS security from Windows security, yet this article looks just like the original Microsoft solution to the security problem: Making it as easy as possible to get to Admin. And it all reads like it's in the name of making broken applications work.

Making security-ignorant applications work is not ReactOS' job. That job falls in the laps of the application developers. If ReactOS is to differentiate itself from Windows in security, it should do so by requiring security-aware applications. Mozilla already develops such things with Firefox, for instance, which runs under a limited account on Windows XP without hacking.

If I were developing a security model for ReactOS, I wouldn't even permit logging on to a shell with an admin account whatsoever. Any attempt to do so should auto-logoff if possible. Instead, I'd put admin password prompts on only a few specific things that change the computer, such as adding or removing apps, manipulating devices or user accounts, or editing the system-wide portions of the Registry. Yes, hackers could come up with ways to work around that, but at that point it's plausible to blame the user for running those things.

I've used this approach in Windows 2000 before with great success. I can boast a 100% malware-free record for clients I consulted for, without using anti-virus software. Yes, it meant a lot of security hacking to make broken apps work, but if I had a choice of better designed apps to do the same job, I would pick those and hack less.

ReactOS is in a state where its developers can demand better design from application vendors. It's one thing to make device drivers work; that's a critical goal of this project. But do you have to spend time making all of the apps work, especially the security-ignorant ones? I don't believe so.

By the way, if you have a Windows 2000 OEM product key and you want to see an example of a locked-down Win2K installation that's still fully functional, let me know.
[Clarification: I have a premade Win2K install that's been Ghosted and SYSPREPped. If you want to see it, you'll need a valid 2K product key because it'll ask you for it on first boot. I don't need your key.]
Last edited by gordonf on Fri Jun 22, 2007 9:29 am, edited 1 time in total.

Reacter
Posts: 326
Joined: Tue Feb 06, 2007 9:57 pm
Location: Tornado Alley

Post by Reacter »

Do you know how much of a pain up the *** not having an admin account can be? Plus, you need an admin account to run Recovery Console; I found this out after I lost my main Administrator account password. P.S.: I bet you lost your Win2k key? You might want to erase that lockdown part of your post. That is not something you want to advertise, it is really bad.
More ReactOS, please!

hto
Developer
Posts: 2193
Joined: Sun Oct 01, 2006 3:43 pm

Post by hto »

A possible solution is to make two ReactOS versions -- one looking to compatibility, another to security.

gordonf
Posts: 17
Joined: Mon Jun 04, 2007 8:06 am

Post by gordonf »

Reacter wrote: Do you know how much of a pain up the *** not having an admin account can be? Plus, you need an admin account to run Recovery Console; I found this out after I lost my main Administrator account password.
I did not suggest that at all. Admin accounts on 2K and XP are needed for actually maintaining the system. I do not believe they are there to run day-to-day applications. I'll explain more in a further post, as I'm about to digress in an ugly fashion...
Reacter wrote: P.S.: I bet you lost your Win2k key? You might want to erase that lockdown part of your post. That is not something you want to advertise, it is really bad.
I'll explain what I posted in greater detail...

...in the process of rebuilding two PCs I got that clients were willing to throw out anyway, I bought two genuine MS OEM kits for Win2K SP4 on eBay with the intent of refurbishing them and reselling them. And before you go off on that tangent, yes, the seller followed eBay and MS rules for such a sale. If there were other channels to obtain valid kits for a seven-year-old OS, I'd have used them.

Usually when I kit together more than one identical machine, I do one kit and then SYSPREP and Ghost it for duplication. That process is the same that most PC makers use when they mass-copy an NT-based installation. Said kit, when it boots, asks for a product key on power-up. I do this whenever I deploy multiple instances of 2K or XP to save reinstalling everything more than once.

Now it happens that I have the image from the last kit I put together, and I'm OK with giving out copies because those copies are worthless without valid product keys. If you want to use it and see what I'm talking about when I say "lockdown," you will need your own Win2K OEM product key because it will ask you for it the first time it boots. I will not ask you for a key, and Sysprep will not copy the key somewhere to be later retrieved by myself.

Now I'm going to get suspicious if I get fifty or so requests for the thing; I assumed only interested ReactOS developers would want to see what I was talking about. Perhaps that assumption was unfounded.
Last edited by gordonf on Fri Jun 22, 2007 9:44 am, edited 1 time in total.

gordonf
Posts: 17
Joined: Mon Jun 04, 2007 8:06 am

Post by gordonf »

Reacter wrote: Do you know how much of a pain up the *** not having an admin account can be? Plus, you need an admin account to run Recovery Console; I found this out after I lost my main Administrator account password.
Anyway, back on to what I was referring to...

I believe an administrator account is for administering the computer. It is not for day-to-day use of the computer. I kit out an NT-based installation of Windows with this belief in mind. If I need admin access for some administrative reason, I log on with an admin account. If I'm lazy or I'm in the middle of something else, I use Run As for certain administrative tools.

However, like the hood of my car, which I won't leave open while I drive the thing, I don't leave said admin tools open when I'm done using the tools. I also won't do other non-admin things such as web browsing while I'm doing admin things.

There's a fundamental problem with this approach: Too much garbage that passes as "quality software" requires access to the system normally restricted to administrators. This stems from Windows 95 being around, and is another topic altogether.

However, I submit that this problem should not concern the ReactOS developers when they develop their security model. It's not their fault that Warcraft III writes to Program Files as part of its regular operation, for instance. If ReactOS security is to be different from Windows security, yet compatible with Windows security, it needs to discourage or even disallow admin access for non-admin things. And damn the vendors who ignore that.

On ReactOS' side is Vista's User Account Control. Vendors are fixing their apps, albeit slowly. You shouldn't have much more convincing to do.
hto wrote: A possible solution is to make two ReactOS versions -- one looking to compatibility, another to security.
ReactOS Home Edition and ReactOS Professional?

XP Home Edition uses the same security model as XP Pro, even if the same user interface isn't available outside of Safe Mode. The idea behind that was that you can stop kids from breaking the family PC by preventing an installation of Kazaa, for instance.

I wouldn't waste developer time working on two unique versions of ReactOS, and I wouldn't ask for that. If the target is 2K or XP compatibility anyway, you have a unique opportunity to ditch all of the stuff that made 9x insecure, such as "admin by default." I figured driver and kernel compatibility was more important than broken app compatibility.
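The probe below is an added example for this thread, not code from the ReactOS project or from any poster. It tests the question gordonf's lockdown approach raises for each application: can the token the app actually runs under write to its install directory and its HKLM key, or does it need an admin token (or a targeted ACL exception) to work? The application paths and key names are hypothetical placeholders; run it as the limited user, not elevated, or every probe succeeds.

```powershell
# Added example for this thread; not code from the ReactOS project or from any
# poster. Probes whether the CURRENT token can write to an application's
# install directory and HKLM key. All paths and key names are hypothetical.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Test-IsAdminToken {
    # True when the token is a member of BUILTIN\Administrators (on Vista and
    # later with UAC this is only true for the elevated half of a split token).
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object System.Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-DirectoryWritable([string]$Path) {
    # Returns $true/$false, or $null if the directory does not exist.
    # A real create/delete is used instead of reading the ACL, so inherited
    # ACEs, deny ACEs and group membership are all evaluated by the kernel.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $null }
    $probe = Join-Path $Path ('lp-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Test-RegistryKeyWritable([string]$KeyPath) {
    # $KeyPath uses the provider form, e.g. 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    $name = 'lp-probe-{0}' -f [guid]::NewGuid()
    try {
        New-ItemProperty -LiteralPath $KeyPath -Name $name -Value 1 -PropertyType DWord | Out-Null
        Remove-ItemProperty -LiteralPath $KeyPath -Name $name
        return $true
    } catch {
        return $false
    }
}

function Get-LeastPrivilegeReport {
    param([string[]]$Directories, [string[]]$RegistryKeys)
    if (Test-IsAdminToken) {
        Write-Warning 'Running with an admin token; every probe will succeed. Run this as the limited user the app will run under.'
    }
    foreach ($d in $Directories) {
        [pscustomobject]@{ Kind = 'Directory'; Target = $d; Writable = (Test-DirectoryWritable $d) }
    }
    foreach ($k in $RegistryKeys) {
        [pscustomobject]@{ Kind = 'RegistryKey'; Target = $k; Writable = (Test-RegistryKeyWritable $k) }
    }
}

# Hypothetical application layout. Per-user state belongs under %APPDATA% and
# HKCU; an app that insists on writing under Program Files or HKLM at run time
# is the behaviour the thread is arguing about.
$report = Get-LeastPrivilegeReport `
    -Directories  @("$env:ProgramFiles\ExampleApp", "$env:APPDATA\ExampleApp") `
    -RegistryKeys @('HKLM:\SOFTWARE\ExampleVendor\ExampleApp', 'HKCU:\Software\ExampleVendor\ExampleApp')
$report | Format-Table -AutoSize
```

For a limited user the expected result is Writable = False for the Program Files and HKLM rows and True for the per-user rows. When an app genuinely needs to write under its install directory, the narrow exception is to grant BUILTIN\Users modify rights on the one subfolder it writes to (for example with icacls and the (OI)(CI)M rights on that subfolder only), never on the executables or the whole Program Files tree, since a limited user who can replace binaries that an administrator later runs has an easy privilege escalation.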

Mrkaras
Posts: 379
Joined: Sat Nov 27, 2004 5:43 am
Location: Australia
Contact:

Post by Mrkaras »

Sounds like Vista style to me. Regardless of the account, you need to confirm before any administrator-only action can take place.

Reacter
Posts: 326
Joined: Tue Feb 06, 2007 9:57 pm
Location: Tornado Alley

Post by Reacter »

What Mrkaras is proposing (I think) is this: one quick Run As box for an admin program. Not 3 rounds of 15 yes/no questions for starting QEMU or my IRC manager. Installing something on Vista is rather intimidating.
More ReactOS, please!

gordonf
Posts: 17
Joined: Mon Jun 04, 2007 8:06 am

Post by gordonf »

Reacter wrote: What Mrkaras is proposing (I think) is this: one quick Run As box for an admin program. Not 3 rounds of 15 yes/no questions for starting QEMU or my IRC manager. Installing something on Vista is rather intimidating.
So I'm reading, especially when the installer doesn't have a "standard" name like "setup.exe" or something like that.

I would question any need for an IRC manager to create security prompts. Why is an IRC client accessing things off-limits to non-admins? I would just as soon have my OS deny access to whatever said client was trying to access, and I'd then go get a different IRC client... I recall Trillian seemed to behave nicely in this respect, where mIRC did not.

I should also clarify that some... installing software, to me, is an admin function. A "Run As Admin" or equivalent for its installer is a good idea. However, using whatever I just installed, to me, is not an admin function, and if such a thing requires admin access just to use it, it's poorly designed. I believe the ReactOS developers have better things to do than adding compatibility hacks to make such... fundamentally broken... things work.

mf
Developer
Posts: 368
Joined: Mon Dec 27, 2004 2:37 pm
Location: Eindhoven, NL
Contact:

Post by mf »

gordonf wrote: However, using whatever I just installed, to me, is not an admin function, and if such a thing requires admin access just to use it, it's poorly designed. I believe the ReactOS developers have better things to do than adding compatibility hacks to make such... fundamentally broken... things work.
Read the homepage?
ReactOS aims to achieve complete binary compatibility with both applications and device drivers meant for NT and XP operating systems, by using a similar architecture and providing a complete and equivalent public interface.
We're trying to make Windows apps work on ReactOS, not break on ReactOS. What you're suggesting is beyond silly. User Account Control might be implemented after ReactOS 1.0, but implementing a different security model than the OS we're cloning, don't count on it. It won't happen. Maybe if someone forked the project, heh.
It compiles, let's ship it!

GreatLord
Developer
Posts: 926
Joined: Tue Nov 30, 2004 10:26 am
Location: Sweden

Post by GreatLord »

In Vista the security model has changed, and it makes a lot of apps break, because they can no longer get admin access by hacking the known ways to obtain it.

All of these security risks are possible in Windows 2000/XP/2003
but not in Windows Vista:
1. The screensaver no longer runs in admin mode in Vista.

2. The system account has lower rights than admin, meaning a program cannot overwrite the admin security level or bypass it, as it did before.

3. File mapping must be done as MSDN says: you need to state whether it is local or global. The old way, you could leave this parameter NULL and your app gained admin level even if a user ran it.


Thanks to all these fixes, a lot of software stopped working in Vista.
I am grateful that MS has closed these three security problems in Vista;
it means fewer viruses/spyware can use these tricks to spread into the system.
Another thing: NTVDM is basically dead in Vista if you run a 64-bit system, meaning no old DOS program or 16-bit Windows program can be run in Vista.
MS did hack Vista to run some of the most popular installers that are still 16-bit.

If we look at Vista: zero spyware/viruses on the Vista machines at my internet cafe after two months. The XP machines we had, we were forced to shut down, since our ISP threatened to close our line if we did not shut the XP machines down. After examining them more closely, there were over 1000 viruses and spyware. All machines (Vista/XP) were using the same spyware protection and antivirus software.
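The third item above is about the kernel object namespaces that named sections (the object behind CreateFileMapping) land in. The script below is an added example for this thread, not code from the ReactOS project or from any poster: it creates a page-file-backed section under a bare name, under Local\ and under Global\, and reports which creates the current token is allowed to do. On Vista and later a bare name goes into the session-local namespace, and creating a file mapping in Global\ from a non-zero session requires SeCreateGlobalPrivilege, which is held by default by administrators, services and LocalSystem but not by a limited user. The object name is hypothetical.

```powershell
# Added example for this thread; not code from the ReactOS project or from any
# poster. Shows which kernel object namespaces the current token may create a
# named section in. The object name is hypothetical.
$ErrorActionPreference = 'Stop'

function Test-SectionNamespace([string]$Name) {
    # Returns 'created' when the section could be created (and is then
    # released), otherwise the name of the exception that CreateNew raised.
    try {
        $m = [System.IO.MemoryMappedFiles.MemoryMappedFile]::CreateNew($Name, 4096)
        $m.Dispose()
        return 'created'
    } catch {
        # PowerShell wraps .NET method failures; report the underlying exception.
        $e = $_.Exception
        if ($e.InnerException) { $e = $e.InnerException }
        return $e.GetType().Name
    }
}

# The privilege that gates Global\ for file mappings from a non-zero session.
$hasGlobalPriv = (whoami /priv) -match 'SeCreateGlobalPrivilege'
'SeCreateGlobalPrivilege present: {0}' -f [bool]$hasGlobalPriv

foreach ($n in 'ThreadDemoSection', 'Local\ThreadDemoSection', 'Global\ThreadDemoSection') {
    '{0,-26} {1}' -f $n, (Test-SectionNamespace $n)
}
```

Run once as a limited user and once from an elevated prompt: the bare and Local\ creates succeed in both cases, while the Global\ create succeeds only for the token that holds the privilege. A program that expects an unprefixed name to be visible from another session, or from a service in session 0, is relying on the pre-Vista behaviour and has to name its objects explicitly.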

Haos
Test Team
Posts: 2954
Joined: Thu Mar 22, 2007 5:42 am
Contact:

Post by Haos »

I'd say: crappy antivirus/spyware protection...

User experience ALWAYS IS a big factor here... but I left my old rig at home, with NOD32 antivirus, Lavasoft/Spybot ad-awares and Jetico IDS.
My folks have been using that rig since I moved to the UK. They do a lot of browsing/emailing, yet with only basic PC skills. I went back only 5-6 times during those 2 years, and only had to install updates and such. Did a thorough scan during every visit, and to the current day: zero viruses and only a handful of spyware.

I'm running Win2k3, not XP, though.

gordonf
Posts: 17
Joined: Mon Jun 04, 2007 8:06 am

Post by gordonf »

(suggested fix for the home page)
ReactOS Homepage wrote:ReactOS aims to achieve complete binary compatibility with applications and device drivers and malware meant for NT and XP operating systems, by using a similar architecture and providing a complete and equivalent public interface.
mf wrote: We're trying to make Windows apps work on ReactOS, not break on ReactOS. What you're suggesting is beyond silly.
You don't need to. App writers themselves have done a fine job of making Windows apps break on Windows, never mind a Windows clone.

Even if ReactOS duplicated Microsoft's security model from Windows 2000 precisely, it would break badly written apps. That's not your fault and what I'm suggesting, silly or otherwise, is that you need not waste time making bad apps work when you start developing your security model.

Reacter
Posts: 326
Joined: Tue Feb 06, 2007 9:57 pm
Location: Tornado Alley

Post by Reacter »

By the time you finish up the API, get security on, and get a huge user base, the GPL kicks in: you're giving out source. Virus makers can see the source and use it. But still, that is what having a good antivirus is for.
More ReactOS, please!

gordonf
Posts: 17
Joined: Mon Jun 04, 2007 8:06 am

Post by gordonf »

Reacter wrote: the GPL kicks in: you're giving out source. Virus makers can see the source and use it.
Not that lacking source code stops virus writers anyway. Or is this a suggestion that the GPL encourages virus writers? Ya know, Steve Ballmer could have a field day with that suggestion.

Reacter
Posts: 326
Joined: Tue Feb 06, 2007 9:57 pm
Location: Tornado Alley

Post by Reacter »

You've got to give away source to make applications (or a manual on the API). So there is no way to get past viruses. Unless you do not allow anyone to see the source/API guide, and throw those that do in jail, you cannot get away from viruses. Just an annoying part of life. Sometimes the source can make them quicker to adapt, but while waiting for more API targets to open up, the virus maker's virus becomes well known, ceasing all profits.
More ReactOS, please!
