This page was last updated on Wednesday, October 08, 1997 11:42 PM -0400

------------------------------------------------------------------------

Question

What does ActiveX, Exchange, etc... have to do with NT Security??

Answer

It has everything to do with NT Security. NT Security serves no purpose whatsoever if you're not using the OS for some purpose. Obviously ActiveX, Exchange, etc... are all purposes for using an OS. What many of these applications demonstrate is the need for an OS like NT which is at least, in part, capable of addressing some of the security requirements for such applications. If this point gets past you then you're not appreciating what security means, NT or otherwise. More importantly, since ActiveX is a core OS technology, NT Security must address it more than it currently does, not IE or any individual application which might make use of it.

What seems to be missed by many people is the realities that are the Internet, as well as what's happening on Intranets. In case you hadn't noticed, we're in a revolution here, both externally and internally. Portable code is nothing new, but the ability to easily plug this code into your environment (via Japplets, plug-ins, or ActiveX) is revolutionizing the way computing can be done.

The problem with some folks today is that they expect the revolution to end today. They expect every offered innovation to be complete, 100%, without faults. If it's not, then they pick it apart until they're blue in the face. To what end, I ask? To do this despite the potential benefits of the technology means that possibly useful technology can get swept under the table in favor of more debate.

A Sandbox is not a complete answer to portable code, nor is ActiveX. Both offer the potential for better computing, and both offer feature/functionality that's needed in the model we're creating. One offers limited functionality with increased security, the other offers increased functionality with limited security.
But this is true only when looked at from a Browser perspective. Instead, we should be considering them from a technology perspective. The Sandbox was designed to interoperate with a single server, much the same way that a terminal interoperates with its CPU. This has incredible potential for smart devices (e.g. Set-Top devices), but it's hardly enough to replace the feature/functionality we get out of PCs today.

What's being missed here is the fact that the Sandbox was, and is, not the technology. Java was a portable code language, designed to write applications. The Browser with its Sandbox was simply a neat implementation that allowed mini-Java programs (Japplets) to be demonstrated and make headlines. That was an effort to sell the technology, not the concept of a Sandbox. If someone walked up to you today and said "I'm going to remove your access to your hard disk, sorry" I think you'd have something to say about it.

ActiveX was, and is, an attempt to allow existing code to be used in a distributed fashion. The technology is not new, as someone else pointed out, it's simply OLE for networks with some tweaking. As a technology it was/is as needed as Java was/is. Since OLE wasn't Sandboxed, and no aspect of MS operating systems is Sandboxed, ActiveX wasn't constrained, why should it be? As a technology it allows you to implement as much security as you've always been able to implement (in fact much more than was previously possible).

The issue has been the way ActiveX has been demonstrated. Instead of demonstrating the technology for what it is, it's been implemented in a Browser similar to the way that Java was. The Web was seen as the right place to show how neato wow ActiveX could be. One big problem, however, was that too many people drew a comparison between ActiveX and the Java Sandbox. There is no comparison, they're two entirely different technologies with different feature/benefits.
Now both developers are burdened with trying to make their demonstration products better, partly because the code-starved crowd on the Internet won't leave them alone to continue developing the technologies (which is what we should do). We don't need a better Sandbox, nor do we need better Authenticode for ActiveX, what we need are better OSes capable of supporting these technologies and giving us the ability to configure security the way we want.

This is where NT Security comes in. Do I really want to run an application in order to get security on my interactions, or does it make more sense to get my security implemented at the time I log onto the box I'm sitting in front of, regardless as to whether that box happens to be a NetPC or a full-fledged PC?? My point is that the Browser needs to be the OS, not some application sitting on top of the OS. What's the use of implementing controls in a Browser that don't apply to every application I might run on my box, all of which might be able to do what a Browser does??? Should I have to configure my security preferences in each and every one of these applications, or would it make more sense that my security is defined in my system profile and loaded when I log on? Once loaded, it would apply to anything doing anything to anyone, anywhere.

If NT was configurable to create a Sandbox, wouldn't we all be thrilled? I know I would, it would give me the ability to run applications within restricted environments to avoid some of the risks associated with "doing stuff", whatever that might be. Of course the Sandbox should be configurable, and I should be able to have as many different ones as I want simultaneously on the same box, but I damn well don't want it every single time I do everything, do I? From the same perspective, I want the ability to download code that can fully interact with my environment.
Of course it should be forced to acknowledge the security profile I've established for each of my environments where I might run it, but within those constraints it should be able to do anything a properly console-installed application can do, why not??

Authenticode, for those of you who don't realize it, was and is intended for the sale and distribution of software via networks. It's not intended to be a security sticker, or an anti-virus flag. But the whole concept of trust is still in its infancy, and there are far too many voices willing to jump up and cry "Foul" over all sorts of esoteric ethical issues. Trust will evolve into something that will satisfy most, it just takes time.

The point is, software vendors want some way to sell and deliver that software via networks. My experience is that most corporations today trust their vendors to supply them their orders without a great deal of verification. They place an order, it's delivered, it gets installed (and this bit about a paper trail is really a side issue, a paper trail can exist regardless of how the software is sold or delivered).

So where's the issue? Well, because of the Browser implementation of ActiveX in IE it today is possible for anyone to do most anything they want (and stuff they might not realize they're doing also). True, to an extent. A tool does exist to control what users are able to do, I got it, it works, others have complained about how difficult it is to get (which doesn't alter the fact it is possible to get it and it does work). Even without it, though, it's possible to write Profiles which limit much of this access also (and MS should make this easier and more accessible). NT Tools recently announced a video series that includes a segment on just this sort of thing.

To bottom-line it:

1. I want NT to provide my security, not Internet Explorer, Netscape, or any other individual application. This security should be applied via User Profiles.

2. I want to create a shortcut and then apply security policy to that shortcut, such that I could have two different shortcuts to the same application where one runs in a Sandbox and the other doesn't, or one accepts ActiveX controls and the other doesn't. And I want to be able to prevent access to the program other than through one (or more) of these shortcuts.

3. I want to see more 3rd-party vendors, like McAfee, write personal Firewall type products that can provide some, or all, of the desired features above. But if they write them such that they cannot be part of Profiles, they're useless.

While we're waiting for the above:

4. I want the components in IE that permit ActiveX downloads/installs to be componentized so that 3rd-parties can write a replacement for it (or wrapper). IE should be configurable so it's not possible to run without the appropriate replacement/wrapper.

5. I want to be able to say which IP addresses (or ranges) I'll accept ActiveX controls from in IE and I don't want it to prompt me to install them from any site not on my approved list, and of course I want that approved list to be password protected so my user can't change it.

6. I want a list of the currently installed ActiveX controls and an easy mechanism to delete them.

7. I want an easy configuration option to turn off check boxes to accept controls from such that my users don't even know they could do that.

Got a comment? Drop me an email at Russ.Cooper@rc.on.ca with your feedback.

Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security

btw...thanks to Alan Killenbeck for passing along a link to an invaluable ActiveX tool. http://www.winmag.com/software/wmfiles.htm#activex is a link to WinMag Active XCavator, a utility which lists all of the installed ActiveX components on your machine. It also provides you with all the details of each, and the ability to remove them.

copyright © 1997 Russ Cooper. All rights reserved