Windows Archives

November 11, 2006

Windows Vista Security Guide

Last Wednesday, Microsoft published the Windows Vista Security Guide, which provides hardening recommendations in the form of security baselines for the following two environments:

  1. Enterprise Client (EC)--client computers in this environment are located in a domain that uses Active Directory and only need to communicate with systems running Windows Server 2003--implementation of this security baseline is described in Chapter 1;
  2. Specialized Security--Limited Functionality (SSLF)--concern for security in this environment is so great that a significant loss of functionality and manageability is acceptable--implementation of this security baseline is described in Chapter 5.

Also, three additional chapters provide recommendations to take advantage of new or enhanced security features:

  • Defend Against Malware--Chapter 2 includes information about how to most effectively use User Account Control (UAC), Windows Defender, Windows Firewall, Windows Security Center, Malicious Software Removal Tool, Software Restriction Policies, and Internet Explorer 7 security features (e.g., Protected Mode, ActiveX Opt-in, Cross-domain scripting attack protection, Security Status Bar, Phishing Filter, etc.);
  • Protect Sensitive Data--Chapter 3 focuses on encryption and access control technologies that help protect mobile computing environments from potential loss and theft: BitLocker Drive Encryption, Encrypting File System (EFS), Rights Management Services (RMS) and Device control;
  • Application Compatibility--Chapter 4 provides guidelines to preserve functionality of existing applications when using the new and enhanced security features of Windows Vista.

The complete guide can be downloaded along with the GPOAccelerator tool, which automatically creates all the Group Policy objects (GPOs) needed to apply this security guidance.

May 26, 2006

Implementing least privilege in Windows applications

As pointed out by the ISC's Handler's Diary, and further to the ZDNet article reporting that Microsoft considers taking admin rights from employees (link posted last Wednesday), Microsoft published Standard User Analyzer, a tool that "helps developers and IT professionals diagnose issues that would prevent a program from running properly without administrator privileges. On Windows Vista, even administrators run most programs with standard user privileges by default, so it is important to ensure that your application does not have administrator access as a dependency.

Using the Standard User Analyzer to test your application can identify the following administrator dependencies and return the results in a graphical interface:

  • File access
  • Registry access
  • INI files
  • Token issues
  • Security privileges
  • Name space issues
  • Other issues"

Standard User Analyzer runs on Windows XP, Windows Vista and Windows Server 2003, and requires Microsoft Application Verifier, which "helps developers identify potential application compatibility, stability, and security issues."

April 18, 2006

Freeware to mount ISO images under Windows

Nothing new here, but it took me a couple hours to remember where I found this before (Google kept giving me results for commercial software).

Bo Brantén published FileDisk, a virtual disk driver for Windows NT/2000/XP that uses one or more files to emulate physical disks. This works with CD images too. :-)

FileDisk is packaged with Gilles Vollant's nifty WinImage, which is shareware.

Also, I read that Microsoft published Virtual CD-ROM Control Panel to mount ISO image files as CD-ROM devices (the tool is unsupported, I have not tested it).

April 5, 2006

Macs do Windows, too.

Computerworld published a neat FAQ on Apple's Boot Camp, which finally lets users run Windows XP natively on Intel-based Macs.

This free public beta will only be available for a limited time. Apple is scheduled to include the final version in the next major release of Mac OS X.

February 18, 2006

Controlling local admin privileges

I discovered through word of mouth an interesting tool to control local administrator privileges: DesktopStandard's PolicyMaker Application Security. It allows your regular users to run a particular set of applications with admin permissions, or to downgrade your admin users' privileges when they carry out sensitive tasks, i.e. browsing the web or checking e-mail.

The product used to be called NeoExec--the technology is actually licensed from NeoValens, a company managed by Marco Peretti, SecureWave's "former" founder & CEO (another great publisher of Windows security software, which is based in Luxembourg too).

Update 2006/10/27: Another one bites the dust: DesktopStandard has been acquired by Microsoft. While most products will be integrated in Microsoft's GPMC or other products, PolicyMaker Application Security will be sold as Privilege Manager by BeyondTrust. I guess Microsoft left out PolicyMaker Application Security due to licensing issues (see above), and above all, because they already have a competing product in their portfolio: Protection Manager from Winternals Software.

About Windows

This page contains an archive of all entries posted to never-ever-****-with-my.net in the Windows category. They are listed from newest to oldest.