Vista and Intranet Application Security

Filed under Security, Vista

On my setup, I have a file server with a RAID that generally is a bare (but SP’d and updated) Win2003 server install, ie a very minimal installation. At one point I set up ADS with a domain, DNS, etc. Nowadays, I still setup the DNS server on this box, but generally don’t make use of ADS, in my (albeit weak) attempt at simplification.

On my workstations, I install Win2000/XP/Vista in Workgroup mode and use identical passwords and user accounts on the server and each workstation. That way, legacy login support kicks in and login validations still apply, but I don’t have to mess with ADS and domains to make it happen. Not as secure as ADS, but not completely open either. 

One thing I tend to do, when possible, is install apps to a network drive and run them from there. I say when possible because for those apps that require COM registration, etc, this doesn’t work too well. But there are plenty of apps that work just fine this way, including Trillian, Keepass, InfoSelect, NotePad++, IrfanView, etc. Keeps me from having to reinstall and redo configuration.

With the latest install of Vista, however, I was getting a “Are you sure” dialog like this every time I went to run an app off a server share.

image

Now, before people start screaming “Good Lord, don’t turn that off, there’s no telling what might have replaced that app out on the network! How do you know it’s safe?!”, the fact is that my entire network runs behind a firewall, and all machines run NOD32. If something infected an app out on the server share, it’s just as likely to have already infected my local workstation anyway.

I’d rather not have to “accept” running any app off the server every time I want to, so what I needed was a way to tell Windows, “Hey, it’s OK to run files from these locations, I’m fairly certain they’re safe”.

Come to find out, such a setting exists, of all places, in the Internet Settings area of the Control Panel:

image

image 

Make sure the Local Intranet security is medium-low or lower. This is the default though, and doesn’t appear to need to be changed.

image 

image 

At this point, just enter the UNC of your server, say \\MyServer (you only need to enter the root server name, unless you specifically don’t trust certain shares on your server, in which case you could specify the server and share name, such as \\MyServer\MyTrustedShare.

image 

And that’s it.

If there are any significant security issues with this approach, I’m not seeing them. I have to trust my server as much as my workstations (if not more, since I rarely actually install any software on my server. Anybody care to enlighten me?

5 Comments

  1. Ralf says:

    I swear to god, I’m going back to DOS.

  2. Darin says:

    Isn’t that what MS is doing with PowerShell?<g>

  3. Ralf says:

    I guess I’m getting more curmudgeony with each passing day, but this trend towards more insanely complicated software saddens me. A lot of the "features" in Vista appear to be in there because (a) the microsoft legal team suggested it, (b) the microsoft marketing team suggested it, or (c) somebody at microsoft has falsely equated "pretty" with "usable".

    Let’s look at Vista’s "must have" features, shall we?

    – Aero. It’s pretty, if you have the hardware grunt to run it. So what? Anyone wanting a Candyland desktop packed with visual effects is a casual user at best, a child at worst, and not a business user. Anyone WANTING this stuff has already installed a 3rd party desktop enhancer (as from Stardock). Having this useless crap built into the O/S is silly. How much of Vista’s 5 year development time was spent getting Aero "just right" I wonder? It’s the first thing I turn off.

    – New end-user security model. Poorly conceived solution to (IMHO) a non-existsing problem. If a user is so lost that they allow malware to run on XP, who thinks they’re smart enough to evaluate one of those Vista security pop-ups correctly? Usability studies repeatedly demonstrate even knowledgable users suffer from "dialog fatigue" and click through stuff without reading. Factor in that the really crafty malware out there is designed to look like a system dialog anyway, and I’d guess 90% of the end-users the Vista model is designed to protect will simply click "OK" when confronted with THE security prompt that actually catches something bad. Meanwhile, the rest of us suffer through dozens of needless pop-ups.

    – Enhanced search. Like half the planet doesn’t already have Google desktop installed, or X1, or Ransack, or any number of better products.

    – IP v6 support. Right. I’ll jump on buying a new router and hooking up to the waycool next generation internet. I think outside of DARPA, China has the only network utilizing the new protocol, right? And when the rest of the world DOES upgrade, there’ll be two dozen service packs between now and then, any one of which could add this functionality.

    – Hiding complexity behind "simple" menus and dialogs. The trend started with XP’s "simple file sharing" setting, which causes more problems than it solves. Now it’s way worse. Finding the firewall settings took me 10 minutes the first time I booted Vista. Configuring it to use a fixed IP is a truly surreal experience. And this is BEFORE installing anything like real software and doing any work. IF you can get the software to install, which is another rant.

    – DRM. Yeah, the users were BEGGING for this, weren’t they?

    – The new SQL Server-based file system. This one is GREAT! Of all the new features, I have to say they really hit it out of the park with… *sigh* Nevermind.

    Vista smells like something shoved out the door because it’s been FIVE FREEKING YEARS since XP, and the suits in Redmond were squirming. I read it someplace else, but I’ll steal it now: "Vista is Windows ME all over again". With billions of R&D dollars and years of user feedback Microsoft has learned nothing, and by reacting to OS X and pandering to the XBox generation they’ve made a mess of things. I work with no coporate customers who plan to adopt Vista; shoot, some of them are still quite pleased with Windows 2000.

    Despite all this venom, I’m sure underneath the crap lurks a truly great operating system. Of all the complaints I’ve read, none have been about crashes once the thing’s running. The out-of-box experience is quite nice; they finally got the installer right. So somebody’s on the ball, deep within Redmond’s steam and whirring cogs.

    But I have hope — perhaps Vista SP1 will strip away the ridiculousness and restore some dignity.

    It should be available for download about the same time as the ZunePhone makes its debut.

  4. Darin says:

    I have to admit, the new vista visuals are pretty slick, but you’re right, that’s only window dressing.
    From everything I’ve seen so far, there’s really not much "new" to Vista. Loads of additional libraries, etc, plus a virtual army of built in drivers that so far have worked pretty much out of the box with every piece of hardware I’ve thrown at it.
    But then, a simple update of XP would have done as much.

    Still, a damn fine rant, curmudgeon or not<g>

  5. Ralf says:

    Heh, thanks. Is there a weekly meeting for angry old programmers who hate Vista?

    If not, should I start one?

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*

*