SecurityFocus, 2002-01-24
A guide to judging Microsoft's security progress.
Results, Not Resolutions
2002-01-24
David Litchfield (2 replies)
Well, to conclude: Use Java, M$
2002-01-25
Anonymous (1 reply)

Internet Explorer: IE should support a complete separation of data and control. Java and JavaScript should be modified so they cannot use external programs in arbitrary ways. ActiveX should eliminate all controls that are marked "safe for scripting."
RESPONSE:
"ActiveX" doesn't do anything; it's an interface contract. IE already does implement object safety by asserting a dialog box stating that the control isn't safe for scripting, if it isn't. Further, it doesn't get that far if it isn't signed.
STATEMENT:
Today Microsoft builds large, complex services that intermingle many smaller services. For example, the Microsoft file-sharing protocol contains file sharing, registry sharing, remote editing, printer sharing, password management, and a host of other services. If a user wants one of those services, he has to implement them all.
RESPONSE:
Ever heard of the 'Remote Registry Service'? I think what you're referring to is the SMB protocol. It's simply an extensible protocol that is extended in a generic way: RPC. Further, you already can disable practically anything you want: The Registry, File Sharing, Printer Sharing, etc. If you don't want something available, disable it.
STATEMENT:
We would also like to see Microsoft abandon the Registry in favor of a less opaque and more user-friendly system.
RESPONSE:
They are already moving towards embracing XML for configuration. .NET applications utilize this as a primary source for configuration data. Of course you'd know that, being the Unix/crypto security experts that you are.
As for the registry, what's wrong with a binary database that supports DACL/SACLs, auditing, and has a well-defined interface?
CONCLUSION:
I purchased Windows because I wanted Windows -- not unix.
Link to this comment: http://www.securityfocus.com/comments/articles/315/10195#10195
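An added example, not from the original comment or from SecurityFocus: a PowerShell inventory of the COM classes that are registered under the "safe for scripting" component category the reply above refers to, which is what IE consults (besides a control's own IObjectSafety answer) before letting script drive a control. The two category GUIDs are the documented CATID_SafeForScripting and CATID_SafeForInitializing values; the function name and the list of hives scanned are assumptions of this example.

```powershell
# Added example, not part of the original page. Lists COM classes whose
# registration carries the "safe for scripting" / "safe for initializing"
# component-category marker, so an administrator can review what IE would
# treat as scriptable on this machine. The two CATIDs are fixed, documented
# values; the function name and hive list are this example's own choices.
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForInitializing

function Get-ScriptSafeComClass {
    [CmdletBinding()]
    param(
        # Per-user (HKCU) registrations take precedence over machine-wide (HKLM) ones,
        # so both hives are worth inspecting.
        [string[]] $ClsidRoot = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID')
    )
    foreach ($root in $ClsidRoot) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $catPath   = Join-Path $_.PSPath 'Implemented Categories'
            $scripting = Test-Path (Join-Path $catPath $SafeForScripting)
            $init      = Test-Path (Join-Path $catPath $SafeForInitializing)
            if ($scripting -or $init) {
                # The default value of InprocServer32 names the DLL implementing the control.
                $server = (Get-ItemProperty -Path (Join-Path $_.PSPath 'InprocServer32') `
                               -ErrorAction SilentlyContinue).'(default)'
                [pscustomobject]@{
                    Hive                = $root.Split(':')[0]
                    CLSID               = $_.PSChildName
                    Name                = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
                    SafeForScripting    = $scripting
                    SafeForInitializing = $init
                    Server              = $server
                }
            }
        }
    }
}

# Review the marked controls grouped by the DLL that implements them.
Get-ScriptSafeComClass | Sort-Object Server, CLSID | Format-Table -AutoSize
```

A control may instead declare its safety at run time through IObjectSafety, which a registry scan cannot see, so this list is only the registry-declared part of what IE would consider safe for scripting.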