If I install code, I'd like to know, when installation is trying to make _administrative_ change, explicitly - so that I have a chance to say YES or NO. In Windows, it is not implemented in installations - you _must_ begin installation as admin. Another big problem is permission system and directory structure. First of all, you are blind - no any analog of 'ls -l' which shows you file owner permissions so if someone change you WinNT directory to 'Writable by anyone_, you never notice it. Security system is toooo complicated for use by normal users; it's rich but require GURU to be configured. Second problem is directory structure. In Unix, when I configure IDS (osiris or Tripwire or Intact), I can just be sure, that 'bin' and 'etc' and 'sbin' and 'libexec' directories does not have any variable files - all non-static files are in /var (Solaris is an exception, they put some 'pid files into .etc, but even here, it is not a problem). But windose... you have not any directory which never changed, and I find few .dll files, changed every few days. Every application puts log and data files into it's own directory (with rare exception of applications, derived from Unix or written by people with Unix background). It makes terrible difficult to configure IDS, and makes system very vulnerable. Of course, it is all trade-off for functionality, but people overestimates it - many MS benefits come from it's dominance , not from functionality. And it all makes it a very good target for the viruses / worms. Alex Roudnev ==========
kenw@kmsi.net wrote: But, regardless, Win2K and WinXP do have restricted-user modes that tie this stuff down quite well. They tend to be used in corporate environments.
Indeed, and the one reason being that the last thing the IT staff wants is users installing apps, because even if the user is not installing a worm or Trojan, installing software inevitably generates incompatibilities and demand for more support.
But for home users, it gets to be a pain in the butt, because it prevents a lot of things users want to do, like installing games, multimedia apps and spyware.
Yep. In XP home, it's easy to have several users on the same machine but by default they all have administrative rights.
doug@nanog.con.com wrote: Microsoft software is inherently less safe than Linux/*BSD software. This is because Microsoft has favored usability over security. This is because the market has responded better to that tradeoff. This is because your mom doesn't want to have to hire a technical consultant to manage her IT infrastructure when all she wants to do is get email pictures of her grandkids.
Exactly. Michel.