Threat Modeling at Microsoft
This is an excellent series of blog posts by Microsoft's Larry Osterman about threat modeling, using the PlaySound API as an example. Long, detailed, and complicated, but well worth reading. The last post is particularly good.
Posted on October 1, 2007 at 5:48 AM
@not THAT anon
"I guess you haven't used WinXP much."
To the contrary. I use Windows XP _a lot_. I also manage IT for, and consult to, several SMBs, most running Windows XP networks and a couple with Windows 2000 networks. I am also the "IT guy" for a number of friends and family running Windows XP Home and Pro.
For all these WinXP and Win2k computers, networked or not, the users all run _without_ admin privileges (as limited users for stand-alone computers and as normal domain users, not in the local admin group, for business AD domains).
Many applications, including those from Microsoft, can be configured to work fine in a non-admin environment. There are a number of applications, like Microsoft Office, which have no problems at all working in a non-admin environment. I have even used RDP and VPN for users running as non-admin.
It just takes good planning on the part of the IT department to properly test and configure applications, as well as ensuring the end users are properly trained for working without admin privileges, with proper expectations. For example, end users need to know that they can't install their own applications (but what good IT dept would let users install applications anyway?). The same goes for system-level configuration changes. Unfortunately, there are simply some applications that can't be made to work. The biggest offenders I have found are printer companies (i.e. HP, Epson, etc.), where, while the basic printer drivers work fine as non-admin, they create crapware printer applications that needlessly require admin-level access and simply can't be easily worked around. None of these problems are with Windows XP or Windows 2000; these are all problems with poorly written applications, by lazy programmers and ISVs.
What I have found is that the only time "holes" need to be created in the WinXP or Win2k non-admin environment is to accommodate poorly written applications written by lazy programmers and/or ISVs.
For example, why would a program like Intuit's QuickBooks EVER need admin privileges to the OS registry root? It doesn't! It's an accounting program. Intuit's programmers are just plain lazy, and this bug should never have been in that application to begin with. The fact that it has taken Intuit 6 years to fix this major bug is appalling.