Re: Embedding Simple MFC GUI app into website



The real trick is to reduce the attack profile. I try to keep mine as fine as possible. I
disabled the ability to display images in email; only one machine has direct access to the
Internet (well, not even direct; it has all the layers of firewall) and all my other
machines (all eight of them) have no Internet access, just local access. The Internet
machine runs on a VERY restricted account, with the inability to write nearly any
directory or Registry key (except for those keys and directories required to run Outlook,
Forte Agent, and IE), etc. It is firewalled about as tightly as I can manage. The last
three attacks that hit me took me out for a week, and a week I didn't have to spare due to
deadlines. So I just decided that the risks do NOT offset the nominal gains. I use no
form of IM, and I refuse to allow animations, sounds, crap like Flash, and similar toys
that contribute little or nothing to my Internet experience (no, I take that back: sounds
and animation generally have negative value to me). I do not want a "rich multimedia
experience" if it puts my machine at risk. I also run two different rootkit detectors.

The account I run on is incapable of adding software or device drivers. If I need to
install new software on the email machine, I log in as "administrator" and do the install.
I tend to need to do this about two or three times a year. I have disabled the ability to
run any kind of Office macros in Word, PowerPoint, Visio, or Excel. I have set
protections on the Windows Scripting Host so it cannot be executed from my email account.

It took me several weeks to get all these protections in place. I shouldn't have had to
do any of this. Most of what I'm disabling exists not because of "bugs" that cause
security holes but because of irresponsible designs that pretend it makes sense to run
code of dubious provenance that cannot be managed or audited. The solution is very simple
in theory, tedious in practice: disable all this crap. Kill it off if possible.

The sensible thing, of course, would be to compile JavaVirus into MSIL, which is managed
code. Then I can apply managed code security to it. But when I suggested this to the IE
group, they essentially rejected it out-of-hand, simply saying "this will never happen".
Why? I have no idea. But this is from the same company that has a religious objection to
giving us regular expression filters in Outlook for the same non-reasons.
joe

On Sun, 22 Oct 2006 15:03:59 +0100, Daniel James <wastebasket@xxxxxxxxxxxxxxxx> wrote:

In article news:<h55ij21enniqkehoglr7p341o9t0s0f2ml@xxxxxxx>, Joseph M.
Newcomer wrote:
[I wrote]
In article news:<6rpai2hjbh7gvq49do2jbsmhoqk0j8rrbr@xxxxxxx>, Joseph M.
Newcomer wrote:
I don't use Windows Update. I will NOT use any technology that
requires ActiveVirus.

So how do you keep your Windows systems up-to-date (or don't you)?

I can't.

That is sad ... but I'm glad, in a way, to hear that there isn't some
ActiveX-free update mechanism of which I wasn't aware ...

I find the whole update-over-the-internet paradigm to be a degradation in
Microsoft support.

Being able to get updates *quickly* online is an improvement. Not being able
to get them online without reducing one's own PC's security by a
possibly-unacceptable degree is indeed a degradation -- and a big consumer
of bandwidth -- not so bad for those of us with multi-Mb/s broadband
connections, but a real pain for those in the boondocks with an unreliable
telephone line and a 56kb/s modem that seldom reaches half its theoretical
download speed.

Not being able to get *every* update sent offline (a CD in the post) is also
rather poor.

I have external hardware blocking EVERY incoming Internet connection to
my site; there is no way anyone can get in.

I, too, have an external firewall -- but that's not necessarily a guarantee.
I just *hope* there are no exploitable flaws in its firmware.

Cheers,
Daniel.

Joseph M. Newcomer [MVP]
email: newcomer@xxxxxxxxxxxx
Web: http://www.flounder.com
MVP Tips: http://www.flounder.com/mvp_tips.htm
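The lock-downs Joe describes (a non-admin account that cannot run Windows Scripting Host, no Office macros, no external images in mail) as an added PowerShell example. This is not Joe's own code or configuration and not part of the original post; it is one way to apply the same settings to a separate restricted account while logged in as administrator, which is how Joe says he administers the email machine. Everything it assumes is labelled: the account name 'mailuser' is hypothetical, the profile is assumed to live under C:\Users\<name> with the user logged off (Vista or later, PowerShell 4 or later for the #Requires line), and the Office keys are the 2007-or-later ones (VBAWarnings under Software\Policies; Office 2003 used a 'Level' value under Software\Microsoft\Office\11.0\<App>\Security instead). Visio, which Joe also mentions, is left out because its macro key differs.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Run elevated while the target user is logged off.
# Assumptions (hypothetical, not stated in the post): account 'mailuser', profile under C:\Users,
# Office 2007+ policy keys ('12.0' = 2007, '14.0' = 2010, '15.0' = 2013, '16.0' = 2016 and later).
param(
    [string]$User          = 'mailuser',
    [string]$OfficeVersion = '16.0'
)

$hiveKey  = 'HKU\LockedUser'                         # temporary mount point for the user's hive
$hivePath = "$env:SystemDrive\Users\$User\NTUSER.DAT"
$psRoot   = 'Registry::HKEY_USERS\LockedUser'
$apps     = 'Word', 'Excel', 'PowerPoint'

function Set-DwordValue([string]$Key, [string]$Name, [int]$Value) {
    # Create the key if it is missing, then write a REG_DWORD.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type DWord
}

function Get-DwordValue([string]$Key, [string]$Name) {
    # $null when the key or value is absent, so the read-back below shows gaps honestly.
    if (-not (Test-Path $Key)) { return $null }
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-NotAdmin([string]$Name) {
    # True when the account is not a member of the local Administrators group.
    $members = & net.exe localgroup Administrators
    -not ($members -match "^\s*$([regex]::Escape($Name))\s*$")
}

function Lock-Account {
    & reg.exe load $hiveKey $hivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load $hivePath (is '$User' logged off?)" }
    try {
        # 1. Windows Script Host: Enabled=0 in the user's hive makes wscript.exe/cscript.exe
        #    refuse every script for that user (the documented WSH kill switch).
        $wsh = "$psRoot\Software\Microsoft\Windows Script Host\Settings"
        Set-DwordValue $wsh 'Enabled' 0

        # 2. Office macros: VBAWarnings=4 is the policy value for
        #    "Disable all macros without notification" (Office 2007 and later).
        foreach ($app in $apps) {
            Set-DwordValue "$psRoot\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security" 'VBAWarnings' 4
        }

        # 3. Outlook: BlockExtContent=1 stops HTML mail from fetching external images.
        $mail = "$psRoot\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"
        Set-DwordValue $mail 'BlockExtContent' 1

        # Read everything back so the operator sees exactly what is now in force.
        $state = @{ 'WSH Enabled' = Get-DwordValue $wsh 'Enabled' }
        foreach ($app in $apps) {
            $state["$app VBAWarnings"] = Get-DwordValue "$psRoot\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security" 'VBAWarnings'
        }
        $state['Outlook BlockExtContent'] = Get-DwordValue $mail 'BlockExtContent'
        return $state
    }
    finally {
        [GC]::Collect()                                  # drop PowerShell's open handles on the hive
        [GC]::WaitForPendingFinalizers()
        & reg.exe unload $hiveKey | Out-Null
    }
}

if (-not (Test-NotAdmin $User)) {
    throw "'$User' is in Administrators; a per-user lock-down is pointless for an admin account."
}
(Lock-Account).GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
```

Two caveats a practitioner would want. First, these are values in the user's own hive, so the user (or anything running as the user) can flip them back unless the keys are made read-only to that account, which is the part of Joe's setup ("inability to write nearly any ... Registry key") that this script does not do; a "belt and braces" companion is to take ownership of wscript.exe and cscript.exe and deny the account execute on them with icacls. Second, the script fails closed: if the hive cannot be loaded (user still logged on, wrong profile path) it throws before changing anything, and the finally block unloads the hive even if a later step fails.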