Microsoft

Stories about Microsoft, Windows, Office and so on

New computers – Windows 7 – security and password aging

Today when I signed on I got a bit of a shock.  The computer warned me that my password was going to expire in 5 days, and I should probably consider changing it.

It was a shock because this is my computer, and I go along with current password aging thinking, which is that a) we can’t figure out who first figured that password aging was all that hot an idea, and b) if it ever was a good idea, in the modern computing environment, password aging is a non-starter.  Given that passwords should probably exceed 20 characters, and likely should be somewhat complex, trying to get people to choose a good one more than once every few years (when rainbow tables have been extended) is likely more security compromising than enhancing.

So, I went looking.  Having dealt with security for a number of years, it wasn’t too hard for me to figure out that I didn’t want the control panel (since I hadn’t seen anything along that line while I was modifying other settings), and that I likely wanted “Administrative Tools,” and under that “Local Security Policy.”  I had to read through all the options to determine that I probably wanted “Account Policies,” but, under that, it was obvious I wanted “Password Policy,” and, once there, “Maximum password age” stood out.  With no particular options or actions I went back to the menu bar until I found that “Action” had a “Properties” function, bringing up a dialogue box with an entry box with a number in it.  I figured that setting it to zero might turn off password aging, but I didn’t want to do anything that might require me to set a new password every time I signed on, so, when I saw that one of the tabs was “Explain,” I choose that.

(Allow me to digress for just a second here, and note that I suspect that the average home or small office user would not have found it easy to find this setting, and thus would have been stuck with the default.  And all that that implies.)

The explanation did confirm that setting the number of days to zero does mean the passwords never expire.  But it also told me that “It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user’s password and have access to your network resources.”

Microsoft, you’ve got to be kidding.  If an attacker has enough access to your system in order to start cracking your passwords, then they’ll almost certainly succeed within a few days.  Unless you’ve chosen a really, really good password, in which case it might be some years.  So 30 to 90 days makes very little sense.  (And, if you’re really serious about the maximum of 90 days, how come the entry box allows up to 999?)

But then, right down at the bottom, it tells me that “Default: 42.”

Oh, sorry, Microsoft.  Obviously you are kidding.  Nobody could take that seriously as a default.

(But then, why is that the default, and why is it enabled by default? …)

The issue prompted a little more thinking on my part.  Was it really 37 days (42 minus 5) since I’d installed the machine?  Ah, but then, it couldn’t be.  As previously noted, I had to take it back to the store to clear up some OS registration issue.  They, of course, didn’t ask what password I’d set, they just blew off the passwords.  So, the 37 days would start from that point, wouldn’t it?

Well, apparently not.  When I checked my journal, it was obvious that the 37 days started when I first started setting up the computer, not when the store eliminated the passwords.

Interesting version of “history” there, Microsoft …

The “Immutable Laws” revisited

Once upon a time, somebody at Microsoft wrote an article on the “10 Immutable Laws of Security.”  (I can’t recall how long ago: it’s now listed as “Archived content.”  And I like the disclaimer that “No warranty is made as to technical accuracy.”)  Now these “laws” are all true, and they are helpful reminders.  But I’m not sure they deserve the iconic status they have achieved.

In terms of significance to security, you have to remember that security depends on situation.  As it is frequently put, one (security) size does not fit all.  Therefore, these laws (which lean heavily towards malware) may not be the most important for all users (or companies).

In terms of coverage, there is little or nothing about management, risk management, classification, continuity, secure development, architecture, telecom and networking, personnel, incidents, or a whole host of other topics.

As a quick recap, the laws are:

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore

(Avoid malware.)

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore

(Avoid malware, same as #1.)

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore

(Quite true, and often ignored.  As I tell my students, I don’t care what technical protections you put on your systems, if I have physical access, I’ve got you.)

Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more

(Sort of a mix of access control and avoiding malware, same as #1.)

Law #5: Weak passwords trump strong security

(You’d think this relates to access control, like #4, but the more important point is that you need to view security holistically.  Security is like a bridge, not a road.  A road halfway is still partly useful.  A bridge half-built is a joke.  In security, any shortcoming can void the whole system.)

Law #6: A computer is only as secure as the administrator is trustworthy

(OK, there’s a little bit about people.  But it’s not just administrators.  Security is a people problem: never forget that.)

Law #7: Encrypted data is only as secure as the decryption key

(This is known as “Kerckhoffs’ Law.”  It’s been known for 130 years.  More significantly, it is a special case of the fact that security-by-obscurity [SBO] does not work.)

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

(I’m not sure that I’d even go along with “marginally.”  As a malware expert, I frequently run without a virus scanner: a lot of scanners [including MSE] impede my work.  But, if I were worried, I’d never rely on an out-of-date scanner, or one that I considered questionable in terms of accuracy [and there are lots of those around].)

Law #9: Absolute anonymity isn’t practical, in real life or on the Web

(True.  But risk management is a little more complex than that.)

Law #10: Technology is not a panacea

(Or, as (ISC)2 says, security transcends technology.  And, as #5 implies, management is the basic foundation of security, not any specific technology.)

New computers – Windows 7 – security and permissions (2)

Had an interesting experience.

There is a file I keep with some reference material.  For a number of years I’ve had this in the root directory of the drive on most of my machines.  I tried to update it the other day.

I couldn’t.

Windows 7 apparently would not let me modify anything in the top-level directory, even though properties showed that I had full control.  I tried a variety of different ways to make these permissions effective.  No dice.

Eventually I found myself somewhere that offered to let me blow off permissions for the root directory.  Permanently.

I thought it over, and eventually decided not to.  Generally, I’d agree that having the ability to write to the root directory might possibly be dangerous, in a somewhat bizarre set of circumstances.  But I decided that moving the file wasn’t that much of an issue.  So I let the permissions lie.

But I’m left with some questions.  My first reaction, once I got to the screen that would let me change the permissions, was to blow them away.  I was so frustrated by the roadblocks and lack of information provided by Windows 7 that I probably wasn’t thinking completely clearly.  And I’d suspect I’m not alone in this.

The other question is: why on earth did Windows 7 allow me to put the files there in the first place, but not allow me to modify them?  Isn’t the ability to put a file there in the first place even more of a security risk?

New computers – Windows 7 – compatibility (4) – oddities

A few interesting … “undocumented features” of Windows 7 observed in the last couple of days.

One is that Windows 7 seems to have a great deal of difficulty remembering the window settings (placement, size, full screen, etc.) for non-Microsoft software.  Not terribly important, perhaps, but greatly annoying, and new to Windows 7.  (XP had some faults in that regard, but nothing like Win7.)

I plugged in one of my cameras this morning.  Normally this would just be plug and play.  However, I couldn’t find any entry for it in Windows Explorer, even though the computer had said that the new device was found, and the driver successfully installed.  Unplugged and plugged again, and it still wouldn’t play.  Finally went looking for devices and printers, and, under removeable storage it simply did not appear.

However, I noticed that one of the other devices had an oddly familiar name.  When I clicked on that, I noticed that one of my mapped network drives was no longer that network drive, but the camera.  Very odd.

(I must say that, once I found out [via Google, not Microsoft Help] how to access it, I very much appreciated the fact that you no longer have to go through contortions to get yourself a command prompt function via Windows Explorer.  A “Shift-context menu” seems a bit arcane, though …)