If you tell enough stories, perhaps the moral will show up.

Showing posts with label LUA. Show all posts

2009-11-13

Performance problem? No, it's a security issue...

We block Internet browsing for accounts in admin groups. It's a malware control and I like it. But we hit a strange little problem with this using one particular app. It was fast to start with ordinary console accounts, but privileged accounts were really slow. It took a smart lad -- not me -- with a protocol analyser to spot that the startup sequence involved a certificate authentication, and the host certificate had a CRL access point at an Internet URL. The admin accounts couldn't reach this so they had to go through an agonising timeout. Problem solved!
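The same diagnosis can be scripted before anyone reaches for a protocol analyser. This is an added example, not code from the original post: it reads the CRL Distribution Point URLs out of a certificate and tries each one with a short timeout. Run it under the privileged account whose browsing is blocked and the stall shows up as the timeout on the CRL URL. The certificate path is a placeholder.

```powershell
# Added example (not from the original post). Reads a certificate from a .cer
# file (placeholder path), lists its CRL Distribution Points and tests each.
function Get-CrlUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.31 is the id-ce-cRLDistributionPoints extension
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as text; pick the HTTP(S) URLs out of it
    [regex]::Matches($ext.Format($true), 'https?://\S+') | ForEach-Object { $_.Value }
}

function Test-CrlReachable {
    param([string]$Url, [int]$TimeoutSec = 5)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec -ErrorAction Stop
        $ok = $true;  $detail = "HTTP $($resp.StatusCode)"
    } catch {
        $ok = $false; $detail = $_.Exception.Message   # proxy denial or timeout lands here
    }
    [pscustomobject]@{
        Url       = $Url
        Reachable = $ok
        Seconds   = [math]::Round($sw.Elapsed.TotalSeconds, 1)
        Detail    = $detail
    }
}

$certPath = 'C:\temp\app-host.cer'   # placeholder: the host certificate the application presents
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
$urls = @(Get-CrlUrls -Cert $cert)
if ($urls.Count -eq 0) { Write-Host 'No CRL distribution points in this certificate.' }
$urls | ForEach-Object { Test-CrlReachable -Url $_ } | Format-Table -AutoSize
```

For the check Windows itself performs, `certutil -verify -urlfetch C:\temp\app-host.cer` fetches the CRL and AIA URLs through CryptoAPI and reports each retrieval, which is closer to what the application sees than a plain web request; the script above is just the quick version you can drop into a support wiki.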

2009-11-06

The non-Build Build

From time to time we issue non-build laptops to people who want to use the SSL VPN but don't have a suitable personal machine. It's not a practice that gives me much pleasure, as the temptation will always be to assume that it's OK to put firm's data on one of these. And it's not.

So I've been developing a little list: what we should do to a standard manufacturer's XP install so that it can be placed in the permanent, unmanaged care of a regular user. Here's what I have:

  • Truecrypt set up for the system partition. (If there's an I386 on d: or e:, leave that in clear.) Why encryption? 1) because I don't trust them not to put firm's data on it, and 2) it's an immediate downer for a thief.
  • The MVPS hosts file. It doesn't auto update, but it's a good start.
  • Default Browser: Chrome. It's not IE so it's under attacker's radar, but it does auto update even if you never run as admin.
  • Microsoft AV -- seems to have difficulty with non-admin updates, but better than nothing.
  • The default log in takes you to a non-admin account.
  • Default settings on the Windows firewall, and Windows update.
It's not much -- in particular you can't make Adobe and Java auto update on a non-admin machine, but it is better than nothing.
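A hand-over checklist is only as good as the last person who ran it, so here is an added example (not from the original post) that audits the items above which can be read from the machine itself, run as the account the user will actually log in with. The Windows Firewall and Automatic Updates registry values are Windows' standard ones; the hosts-file line threshold and the install paths assumed for Chrome and TrueCrypt are my assumptions, and whether the system partition is really encrypted still has to be confirmed in TrueCrypt.

```powershell
# Added example (not from the original post): pre-handover audit for the
# non-build laptop. Paths and the hosts-file threshold are assumptions.
function Test-NonBuildLaptop {
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. The account in use must not be an administrator
    $principal = New-Object Security.Principal.WindowsPrincipal(
        [Security.Principal.WindowsIdentity]::GetCurrent())
    $isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    Add-Result 'Logged-in account is non-admin' (-not $isAdmin) $env:USERNAME

    # 2. Windows Firewall on for the standard profile (EnableFirewall = 1)
    $fw = Get-ItemProperty -ErrorAction SilentlyContinue `
        'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    Add-Result 'Windows Firewall enabled' ($fw.EnableFirewall -eq 1) "EnableFirewall=$($fw.EnableFirewall)"

    # 3. Automatic Updates set to download and install (AUOptions = 4)
    $au = Get-ItemProperty -ErrorAction SilentlyContinue `
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    Add-Result 'Automatic Updates: auto install' ($au.AUOptions -eq 4) "AUOptions=$($au.AUOptions)"

    # 4. A hosts file with far more entries than the stock one (assumed threshold: 100)
    $hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $entries = @(Get-Content $hostsFile -ErrorAction SilentlyContinue |
                 Where-Object { $_ -match '^\s*[0-9]' }).Count
    Add-Result 'Blocking hosts file in place' ($entries -gt 100) "$entries host entries"

    # 5. Chrome installed (assumed paths: per-machine or per-user install)
    $localAppData = [Environment]::GetFolderPath('LocalApplicationData')
    $chrome = @("$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
                "$localAppData\Google\Chrome\Application\chrome.exe") | Where-Object { Test-Path $_ }
    Add-Result 'Chrome present' (@($chrome).Count -gt 0) (@($chrome) -join ';')

    # 6. TrueCrypt present (assumed path); system encryption itself is confirmed in TrueCrypt
    $tc = "$env:ProgramFiles\TrueCrypt\TrueCrypt.exe"
    Add-Result 'TrueCrypt installed' (Test-Path $tc) $tc

    $results
}

Test-NonBuildLaptop | Format-Table -AutoSize
```

Anything that comes back with Pass = False is worth fixing before the laptop leaves the building; the Adobe and Java gap mentioned above is deliberately not on the list because there is nothing to check for.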

2008-09-06

ActiveX is Satan's Execution Environment. From Hell.

I went live with a simple but rather marvellous little change -- all the groups which deliver bulk machine or account admin privilege have been dropped into the group that denies browsing on the proxies. That's a huge win -- a vital step forward now that so many legitimate sites have been perved up to push BadSrc exploits and the Dear knows what else. The admins have two accounts, and if they want to browse from their workstation, they have to make sure it's not a member of any of the privilege groups. We're not mandating how the support teams arrange accounts, we're not touching anyone's permissions -- we're just declining to accept the risk of admin browsing.

It's good. I trialled it on myself and -- for six months -- on the domain admins. I gave support six weeks' notice and a pile of reminders. I engaged with anyone who asked for advice on the technicalities. (It mostly boils down to using runas and getting a second explorer instance.) I've written a page on the support wiki, and for those who can't handle my writing there's advice from Aaron Margosis. It seems there are no tasks that require admin privilege browsing. Everything should be good, and our vulnerability surface hugely reduced.

Except for ActiveX. One of the Desktop team's top-twenty calls is to install or update an ActiveX applet from an external web site. And there's no way round it -- you do need to browse and you do need to be an admin, because what you're doing is exactly what malware does -- it's just that you happen to trust the site.

There's no need for this. I don't see ActiveX giving any better user experience than JavaScript -- it's just bad design. But it has to work.

I'm not going back. But:

  • It's pretty plain that this can't be handled with Windows permissions. ActiveX is too broken. And anyway the philosophy of this change has been to leave Windows access alone. 
  • So we have to look at the other side. When we do this at the moment, why is it OK? It's because the admin, reassured by the user, trusts the site to be safe, and required for business.
Naturally the block imposed by the no-browsing group is right at the top of the proxy policy. So I'm going to go in with a rule immediately in front of the block. If the user is a desktop admin, and the site is in a static list of "Approved for ActiveX" then the browsing is allowed, and the blocking group won't get a chance to take effect. There's an extra step to get new sites into the list but I don't think that will be too much inconvenience, and like the rest of this change, it's the sort of control we should have had a long time ago.
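Because the whole design rests on rule order, it is worth modelling the proxy policy before touching the proxy. This is an added example, not the proxy's configuration or anything from the original post: a small evaluator with the "approved for ActiveX" exception sitting immediately in front of the no-browsing block, run over a few constructed requests. The group names, the approved-site list and the sample accounts are all made up.

```powershell
# Added example (not from the original post): model of the proxy rule order.
# Group names, approved hosts and sample users are constructed for the demo.
$PrivilegedGroups   = @('Domain Admins', 'Desktop Admins', 'Server Admins', 'Account Operators')
$DesktopAdminGroup  = 'Desktop Admins'
$ApprovedForActiveX = @('updates.vendor-a.example', 'plugin.vendor-b.example')

function Test-BrowsingAllowed {
    param(
        [string[]]$UserGroups,   # groups held by the account making the request
        [string]$HostName        # destination host of the request
    )
    $isPrivileged = @($UserGroups | Where-Object { $PrivilegedGroups -contains $_ }).Count -gt 0

    # Rule 1, immediately in front of the block: desktop admins may reach approved ActiveX sites
    if (($UserGroups -contains $DesktopAdminGroup) -and ($ApprovedForActiveX -contains $HostName)) {
        return [pscustomobject]@{ Allowed = $true;  Rule = 'activex-approved' }
    }
    # Rule 2: any account carrying bulk admin privilege is denied browsing
    if ($isPrivileged) {
        return [pscustomobject]@{ Allowed = $false; Rule = 'no-browsing-privileged' }
    }
    # Rule 3: ordinary accounts fall through to the normal policy
    return [pscustomobject]@{ Allowed = $true; Rule = 'default' }
}

# Constructed sample requests
$cases = @(
    @{ User = 'jsmith (console)'; Groups = @('Domain Users');                  Host = 'news.example' },
    @{ User = 'jsmith-adm';       Groups = @('Domain Users', 'Desktop Admins'); Host = 'news.example' },
    @{ User = 'jsmith-adm';       Groups = @('Domain Users', 'Desktop Admins'); Host = 'updates.vendor-a.example' },
    @{ User = 'srvadm';           Groups = @('Domain Users', 'Server Admins');  Host = 'updates.vendor-a.example' }
)
foreach ($c in $cases) {
    $r = Test-BrowsingAllowed -UserGroups $c.Groups -HostName $c.Host
    '{0,-18} {1,-26} allowed={2,-5} rule={3}' -f $c.User, $c.Host, $r.Allowed, $r.Rule
}
```

The fourth case is the one to watch: a server admin hitting an approved site is still blocked, because the exception is granted to the desktop team only, not to privilege in general. A real proxy takes the group list from the authenticated session rather than a parameter, and usually matches hosts by pattern rather than exact name, but the ordering question is the same.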

We have to settle who will approve sites into this list, but that's easy: I will.

Next step: probably to enable fast user switching on the desktops, to make life easier all round.

2008-07-07

Club Penguin Without Being Mad

Club Penguin is an MMORPG a bit like Second Life. Except that you can't use bad language. And your avatar is a Penguin. And it's owned by Disney. This is right up the Not-Mad-At-All-Just-Stubborn Daughter's street and for her ninth birthday treat she was subscribed.
So that's lovely except that the browser applet wouldn't connect.
Now by rights I ought to go off on a LUA rant here about the daftness of software for children that has to be admin to run. Except that CP is fine as an ordinary user and in fact I had an inkling what was wrong as soon as I saw the message.
So I went off searching and found this support page. Take a look at point four.

4. If none of these things work, you should call your Internet Service Provider (ISP). That is the company that you pay to connect to the Internet. They might be using a firewall that is blocking the ports that lead to Club Penguin. When you call them, tell them to open up these ports for TCP traffic, inbound and outbound: 3724, 6112, 6113, and 9875.
That's right, you have to open the ports, inbound and outbound without any limitation by address! "Sure I've got a hardware firewall, except that if you scan these ports you can reach a closed source server written by security numbskulls running on my daughter's PC..."
Long faces all round in the U household.
But it's actually OK. All it really seems to need is those ports open outbound, and it runs fine, with the NMAAJSD playing the mini games to her heart's content.
And that's the answer I expected to get when I opened the reply to my support enquiry. I'd asked for the server addresses so I could limit the inbound traffic. What I got was a different list of ports (843, 9875, 6112, 3724, 6113 and 9339) with no reference to my questions about direction or limitation. This is software that's intended to be safe for children.
Nice try Walt. But Mad Aggy's happy, and that's what matters.
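What "outbound only" looks like as a firewall rule, as an added example that is not from the original post: the TCP ports from the support page are allowed out, nothing is opened inbound, and the rule is narrowed to the server addresses if the vendor ever supplies them. `New-NetFirewallRule` exists from Windows 8 / Server 2012 on, so this is the modern equivalent rather than anything XP's firewall could do (it had no outbound filtering at all); the address list is a placeholder.

```powershell
# Added example (not from the original post): outbound-only rule for the
# Club Penguin ports. Server address list is a placeholder.
$ports   = 3724, 6112, 6113, 9875        # from the support page; the reply also listed 843 and 9339
$servers = @()                            # placeholder: game server addresses, if ever disclosed
$name    = 'Club Penguin (outbound only)'

$rule = @{
    DisplayName = $name
    Direction   = 'Outbound'
    Action      = 'Allow'
    Protocol    = 'TCP'
    RemotePort  = $ports
    Profile     = 'Private'
}
if ($servers.Count -gt 0) { $rule.RemoteAddress = $servers }   # narrow to known servers when possible

if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule @rule | Out-Null
}

# No inbound rule is created: unsolicited inbound stays blocked by the profile default.
# An outbound Allow rule only changes behaviour when the profile's default outbound
# action is Block, so show both defaults alongside the rule.
Get-NetFirewallProfile -Name Private | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -DisplayName $name | Get-NetFirewallPortFilter | Select-Object Protocol, RemotePort
```

If the vendor's advice of opening the ports inbound had been followed instead, those ports would be reachable from anywhere for as long as the rule existed, which is exactly the objection raised above.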

2008-06-19

Auran Trainz 2006 without being an Administrator

It's not hard. As an admin:

  1. Install in the normal way. Get it working with the graphics settings etc. DirectX 9 works for me, and OpenGL doesn't.
  2. Run these commands as an admin:
    
    C:
    cd \Program Files\Auran
    cacls * /T /G Users:F
    
  3. Run Regedit and navigate to HKLM\Software\Auran. Right-click on Auran and select Permissions.
  4. Select Users and check the box marked full control
Done! Any user can run and save settings.
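The same two steps as one script, added here as an example rather than taken from the post: it grants BUILTIN\Users the rights on the install folder and on the HKLM key, with inheritance so that files and subkeys the game creates later are covered too. The paths are the ones above; FullControl matches the post, and the rights are parameters so Modify can be tried first on other programs that only need to write their own settings.

```powershell
# Added example (not from the original post): grant Users rights on an
# application's install folder and its HKLM key. Defaults are the Trainz paths.
function Grant-UsersAccess {
    param(
        [string]$FolderPath  = 'C:\Program Files\Auran',
        [string]$RegistryKey = 'HKLM:\Software\Auran',
        [System.Security.AccessControl.FileSystemRights]$FileRights = 'FullControl',
        [System.Security.AccessControl.RegistryRights]$RegRights    = 'FullControl'
    )
    $users = New-Object System.Security.Principal.NTAccount('BUILTIN', 'Users')

    if (Test-Path $FolderPath) {
        $acl  = Get-Acl -Path $FolderPath
        # ContainerInherit + ObjectInherit: subfolders and files pick the ACE up
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $users, $FileRights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $FolderPath -AclObject $acl
        Write-Host "Granted $FileRights on $FolderPath to Users"
    } else {
        Write-Warning "Folder not found: $FolderPath"
    }

    if (Test-Path $RegistryKey) {
        $acl  = Get-Acl -Path $RegistryKey
        # ContainerInherit: subkeys inherit the ACE
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $users, $RegRights, 'ContainerInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $RegistryKey -AclObject $acl
        Write-Host "Granted $RegRights on $RegistryKey to Users"
    } else {
        Write-Warning "Registry key not found: $RegistryKey"
    }
}

# Run from an admin session, as in the post
Grant-UsersAccess
```

One difference from the `cacls` line above is worth knowing: `cacls /G` without `/E` replaces the folder's ACL rather than editing it, whereas this script adds an entry and leaves the existing Administrators and SYSTEM entries in place.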