Real Security for Windows

September 20th, 2006

I see so much being done with Windows and .NET to add more "features" intended to enhance security. I believe that the premise that "less is more" applies to security, and it is not being followed here. Access control concepts have gone from the ineffective features in Windows 95 to complex Access Control Lists and now FullTrust with .NET. But what do all these new additions really give us?

I already know that people will be annoyed enough by these roadblocks that they will simply disable those features. Just as now, people will run as the Administrator and give themselves full access to everything. It will render the "improvements" useless.

Instead I would simplify the access controls and create a new service to track installed applications. Look at the applications listed in your Add/Remove Programs listing. Some of them do not list the software vendor, much less an accurate, descriptive name. And many are not even digitally signed. Some installations from Sun, IBM and others do not provide this basic information. My local installation of the Java runtime just has the name. No support information is included, such as the website address or 1-800 phone number. With all of the work which goes into creating this software, you would think a few extra minutes to fill out this essential information would not be overlooked.

Here is my solution. Consider what happens when you insert a music CD into your computer. Your music playing software can get album and track information from the CDDB automatically. This information can often be contributed by users as well to correct inaccuracies. Installations for Windows could use a similar system: an MD5 checksum of the installer becomes the key for looking up information about the software. When the installer is launched it could contact the online service to fetch current information.

You do not even have to have the software vendor sign the software. The MD5 checksum of the installer (MSI, CAB, or setup.exe) can be used as the unique signature. Once you can match the installation media with a record in the online database you can start sharing information about that software. Does it chew up your processor and memory? Is it a buggy program which crashes your computer? Do you suspect it of installing spyware? Does it talk to servers on the internet without notifying you first? Such information could be published with the online service to provide a statistical audit of the software people are using. It could even be attached to something like Wikipedia with experts watching over their areas of expertise. One caveat: a checksum identifies the bytes, not who published them, and MD5 collisions had already been demonstrated by 2004, so a stronger hash such as SHA-256 is the better choice of key if the scheme is to stand up to someone deliberately crafting a look-alike installer.

With the online service in place you could check your locally installed applications against the service to get recommendations. It might suggest an upgrade to a more stable current version, or the removal of a rogue application. If you have version 1.6, which has many complaints reported against it, while version 1.7 has been stellar, it could suggest an upgrade and provide information for getting it. If I had such a tool to look at all of my locally installed applications and get unbiased information on each of them, I would have much more confidence in my system. It would really be secure.
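To make the lookup-and-recommend flow of the last three paragraphs concrete, here is an added example (not code from the original post): it hashes installer images, matches them against a small reputation database standing in for the online service, and returns upgrade, uninstall, or "unknown" advice. The installer bytes, vendor names, report counts and thresholds are all constructed for the example; the database is keyed on SHA-256 rather than MD5 because MD5 collisions are practical, with the MD5 kept only for matching older records.

```python
import hashlib
from dataclasses import dataclass


def digests(data: bytes) -> dict:
    """Return both digests of an installer image (MSI, CAB, setup.exe).

    The post proposes MD5 as the lookup key. Because MD5 collisions are
    practical, a malicious installer could be crafted to share an MD5 with a
    well-reviewed one, so records here are keyed on SHA-256 and MD5 is only
    carried along for compatibility with older submissions.
    """
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


@dataclass
class Record:
    vendor: str
    product: str
    version: str
    support_url: str
    # Counts of user reports, in the spirit of the post's CDDB-style crowd data.
    ok: int = 0
    crashes: int = 0
    spyware: int = 0
    phones_home: int = 0

    def total(self) -> int:
        return self.ok + self.crashes + self.spyware + self.phones_home

    def complaint_rate(self) -> float:
        t = self.total()
        return 0.0 if t == 0 else (self.crashes + self.spyware + self.phones_home) / t


# Constructed stand-ins for installer files; names and contents are invented.
SAMPLE_INSTALLERS = {
    "jre-1.6-setup.exe": b"MZ\x90\x00 constructed installer image, JRE 1.6",
    "jre-1.7-setup.exe": b"MZ\x90\x00 constructed installer image, JRE 1.7",
    "freebar-setup.exe": b"MZ\x90\x00 constructed installer image, FreeBar toolbar",
    "mystery-setup.exe": b"MZ\x90\x00 constructed installer image, never submitted",
}

# Constructed reputation database (stand-in for the online service), keyed on SHA-256.
REPUTATION_DB = {
    digests(SAMPLE_INSTALLERS["jre-1.6-setup.exe"])["sha256"]:
        Record("Example Corp", "Java Runtime", "1.6", "https://support.example",
               ok=40, crashes=55, phones_home=5),
    digests(SAMPLE_INSTALLERS["jre-1.7-setup.exe"])["sha256"]:
        Record("Example Corp", "Java Runtime", "1.7", "https://support.example",
               ok=95, crashes=3),
    digests(SAMPLE_INSTALLERS["freebar-setup.exe"])["sha256"]:
        Record("FreeBar Ltd", "FreeBar Toolbar", "2.0", "", ok=2, spyware=80, phones_home=60),
}

SPYWARE_THRESHOLD = 0.25    # fraction of reports flagging spyware -> recommend uninstall
COMPLAINT_THRESHOLD = 0.30  # complaint rate above which we look for a better version


def version_key(v: str) -> tuple:
    """Dotted version string -> comparable tuple, e.g. '1.7' -> (1, 7)."""
    return tuple(int(p) for p in v.split("."))


def lookup(data: bytes):
    return REPUTATION_DB.get(digests(data)["sha256"])


def recommend(data: bytes) -> tuple:
    """Return (action, detail); action is 'unknown', 'uninstall', 'upgrade' or 'ok'."""
    rec = lookup(data)
    if rec is None:
        return ("unknown", "no record for this hash; verify the publisher before installing")
    if rec.total() and rec.spyware / rec.total() >= SPYWARE_THRESHOLD:
        return ("uninstall", f"{rec.product} {rec.version}: spyware reported by "
                             f"{rec.spyware}/{rec.total()} users")
    if rec.complaint_rate() > COMPLAINT_THRESHOLD:
        # Look for a newer release of the same product with a better track record.
        better = [r for r in REPUTATION_DB.values()
                  if r.vendor == rec.vendor and r.product == rec.product
                  and version_key(r.version) > version_key(rec.version)
                  and r.complaint_rate() < rec.complaint_rate()]
        if better:
            best = max(better, key=lambda r: version_key(r.version))
            return ("upgrade", f"{rec.product} {rec.version} -> {best.version} ({best.support_url})")
    return ("ok", f"{rec.product} {rec.version}: {rec.complaint_rate():.0%} complaint rate")


if __name__ == "__main__":
    for name, image in SAMPLE_INSTALLERS.items():
        action, detail = recommend(image)
        print(f"{name:24} {digests(image)['sha256'][:12]}...  {action:9} {detail}")
```

Run as a script it prints one line per sample installer. On a real Windows host the loop would instead walk the Uninstall keys in the registry or the files in a download directory and feed each installer's bytes to `recommend`; the lookup logic itself does not change.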
