On 6/12/12, Keith Medcalf <kmedcalf@dessus.com> wrote:
Windows security sucks.
The real problem with Windows is that there exist folks who believe that it is, or can be, secured. They believe the six-colour glossy, the Gartner [snip]
Well, they are right. Windows can be secured. The problem is it won't be secured in practice. Because that's too hard, and truly securing Windows will be rejected by the user, because many applications used in practice are not implemented securely on the platform. Users of Windows endpoints require functions such as Web Browsers, Flash, their favorite Office applications, PDF Viewers, and remote share access.
You would be surprised at the number of Fortune 500 companies that lock-down their policies into deliberately insecure settings, and refuse to permit more secure settings. ..
This is because, while you would expect IT to understand the importance of security, "Lock Down" has a perception of security attached to it. In practice, "Lock-Down Policies" and standardization have nothing positive to do with security, but IT convenience, and reducing support costs, by attempting to enforce a standardized endpoint experience. They can lead to less security if done without extra security review. Hopefully they also include a backup/imaging system to recover, when the lock-down policy makes it break, however.
This is, unfortunately, a typical reaction which arises from a failure to carry out proper root-cause analysis. The root cause of the issue is not "thumb drives", "baby fingernail drives", or whatever removable media type.
The Windows shell is to blame, but you can provide an alternate shell that doesn't do that "magical executable code insertion" stuff and disable Explorer.
--
-JH