Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

I received some much-appreciated feedback recently regarding a demo and presentation I've been doing on programming the Windows Firewall ("with Advanced Security") on Vista.

For context, the whitepaper and the demo video.

The demo shows that the firewall can be manipulated programmatically, in essentially an arbitrary way, by any account with local administrator rights. The feedback I received, not about my demo itself but about the underlying feature, is that you shouldn't be able to do that. That is, even for a local admin, the user should get an explicit warning that a firewall change has been made.

I do believe that the operating system has been designed correctly in this case. The Windows security model is that administrators have full control over the local box.  That applies to programmatic interfaces as well as GUI configuration tools (which, after all, are merely a logical layer on top of the former).
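To make the "programmatic interfaces" point concrete, here is an added example (my own, not the whitepaper's or the demo's code) that drives the Windows Firewall with Advanced Security through its public COM interface, INetFwPolicy2 (ProgID HNetCfg.FwPolicy2), from PowerShell. It reads the per-profile state, adds an inbound allow rule, confirms the rule is now visible through the same enumeration the MMC snap-in and netsh read, and removes it again. No dialog or confirmation is involved at any step. The rule name and port are arbitrary values chosen for illustration. One practical caveat the text does not mention: under UAC the process must actually be elevated; a non-elevated administrator token carries the Administrators group as deny-only, so the COM object is created but write calls fail with Access Denied (0x80070005).

```powershell
# Added example, not code from the original post or whitepaper.
# Drives Windows Firewall with Advanced Security via INetFwPolicy2 (HNetCfg.FwPolicy2).
# Must run from an elevated prompt: a UAC-filtered admin token cannot modify policy.

# Enum values from the Windows SDK header netfw.h
$NET_FW_PROFILE2_DOMAIN  = 1
$NET_FW_PROFILE2_PRIVATE = 2
$NET_FW_PROFILE2_PUBLIC  = 4
$NET_FW_IP_PROTOCOL_TCP  = 6
$NET_FW_RULE_DIR_IN      = 1
$NET_FW_ACTION_ALLOW     = 1

function Test-Elevated {
    # IsInRole(Administrator) is false for a filtered (non-elevated) admin token,
    # because UAC marks the Administrators SID deny-only in that token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-Elevated)) {
    throw "Run from an elevated prompt; a non-elevated admin token cannot change firewall policy."
}

$fw = New-Object -ComObject HNetCfg.FwPolicy2

# 1. Read the current state of each profile. No prompt, no warning.
foreach ($profile in $NET_FW_PROFILE2_DOMAIN, $NET_FW_PROFILE2_PRIVATE, $NET_FW_PROFILE2_PUBLIC) {
    $enabled  = $fw.FirewallEnabled($profile)
    $blockAll = $fw.BlockAllInboundTraffic($profile)
    "Profile {0}: enabled={1} blockAllInbound={2}" -f $profile, $enabled, $blockAll
}

# 2. Add an inbound allow rule. Name and port are hypothetical example values.
$ruleName = "Example inbound TCP 8080 (added by script)"
$rule = New-Object -ComObject HNetCfg.FWRule
$rule.Name        = $ruleName
$rule.Description = "Demonstrates silent programmatic rule creation by a local admin"
$rule.Protocol    = $NET_FW_IP_PROTOCOL_TCP
$rule.LocalPorts  = "8080"
$rule.Direction   = $NET_FW_RULE_DIR_IN
$rule.Action      = $NET_FW_ACTION_ALLOW
$rule.Profiles    = $fw.CurrentProfileTypes   # bitmask of the profile(s) active right now
$rule.Enabled     = $true
$fw.Rules.Add($rule)

# 3. Verify the rule landed; this is the same collection the MMC snap-in and netsh display.
$found = $fw.Rules | Where-Object { $_.Name -eq $ruleName }
if (-not $found) { throw "Rule was not added" }
"Added: {0} direction={1} ports={2}" -f $found.Name, $found.Direction, $found.LocalPorts

# 4. Remove the rule so the demonstration leaves no open port behind.
$fw.Rules.Remove($ruleName)
```

Run it twice, once from a normal admin shell and once from an elevated one, to see the UAC distinction: the first run stops at the elevation check, the second walks through all four steps with nothing more than script output.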

Interestingly, the firewall is an example of a Vista feature in which Microsoft attempts to straddle that line. By default, if you turn off the firewall, you get the Security Center nag icon in the system tray, even though admin credentials were required to make that change in the first place. (Note: my understanding is that the OS stops nagging the user in that scenario if a third-party firewall registers itself with Security Center.) But I don't think the nagging accomplishes anything of real value.

Admins must be expected to know what they're doing (the same argument applies to the root account on *nix systems). Additional prompting is detrimental: it adds no security and devalues confirmation dialogs in general.
