this page was last updated on Wednesday, October 08, 1997 11:42 PM -0400

------------------------------------------------------------------------

Question
What does ActiveX, Exchange, etc... have to do with NT Security??

Answer
It has everything to do with NT Security. NT Security serves no purpose
whatsoever if you're not using the OS for some purpose. Obviously ActiveX,
Exchange, etc... are all purposes for using an OS. What many of these
applications demonstrate is the need for an OS like NT which is at least,
in part, capable of addressing some of the security requirements for such
applications. If this point gets past you then you're not appreciating what
security means, NT or otherwise. More importantly, since ActiveX is a core
OS technology, NT Security must address it more than it currently does, not
IE or any individual application which might make use of it.

What seems to be missed by many people is the realities that are the
Internet, as well as what's happening on Intranets. In case you hadn't
noticed, we're in a revolution here, both externally and internally.
Portable code is nothing new, but the ability to easily plug this code into
your environment (via Japplets, plug-ins, or ActiveX) is revolutionizing
the way computing can be done.

The problem with some folks today is that they expect the revolution to end
today. They expect every offered innovation to be complete, 100%, without
faults. If it's not, then they pick it apart until they're blue in the face.
To what end, I ask? To do this despite the potential benefits of the
technology means that possibly useful technology can get swept under the
table in favor of more debate.

A Sandbox is not a complete answer to portable code, nor is ActiveX. Both
offer the potential for better computing, and both offer
feature/functionality that's needed in the model we're creating. One offers
limited functionality with increased security, the other offers increased
functionality with limited security. But this is true only when looked at
from a Browser perspective. Instead, we should be considering them from a
technology perspective.

The Sandbox was designed to interoperate with a single server, much the
same way that a terminal interoperates with its CPU. This has incredible
potential for smart devices (e.g. Set-Top devices), but it's hardly enough
to replace the feature/functionality we get out of PCs today. What's being
missed here is the fact that the Sandbox was, and is, not the technology.
Java was a portable code language, designed to write applications. The
Browser with its Sandbox was simply a neat implementation that allowed
mini-Java programs (Japplets) to be demonstrated and make headlines. That
was an effort to sell the technology, not the concept of a Sandbox. If
someone walked up to you today and said "I'm going to remove your access to
your hard disk, sorry" I think you'd have something to say about it.

ActiveX was, and is, an attempt to allow existing code to be used in a
distributed fashion. The technology is not new, as someone else pointed
out, it's simply OLE for networks with some tweaking. As a technology it
was/is as needed as Java was/is. Since OLE wasn't Sandboxed, and no aspect
of MS operating systems is Sandboxed, ActiveX wasn't constrained, why
should it be? As a technology it allows you to implement as much security
as you've always been able to implement (in fact much more than was
previously possible).

The issue has been the way ActiveX has been demonstrated. Instead of
demonstrating the technology for what it is, it's been implemented in a
Browser similar to the way that Java was. The Web was seen as the right
place to show how neato wow ActiveX could be. One big problem, however, was
that too many people drew a comparison between ActiveX and the Java
Sandbox. There is no comparison, they're two entirely different
technologies with different feature/benefits.

Now both developers are burdened with trying to make their demonstration
products better, partly because the code-starved crowd on the Internet
won't leave them alone to continue developing the technologies (which is
what we should do). We don't need a better Sandbox, nor do we need better
Authenticode for ActiveX, what we need are better OS' capable of supporting
these technologies and giving us the ability to configure security the way
we want.

This is where NT Security comes in.

Do I really want to run an application in order to get security on my
interactions, or does it make more sense to get my security implemented at
the time I log onto the box I'm sitting in front of, regardless as to
whether that box happens to be a NetPC or a full-fledged PC??

My point is that the Browser needs to be the OS, not some application
sitting on top of the OS. What's the use of implementing controls in a
Browser that don't apply to every application I might run on my box, all of
which might be able to do what a Browser does??? Should I have to configure
my security preferences in each and every one of these applications, or
would it make more sense that my security is defined in my system profile
and loaded when I log on? Once loaded, it would apply to anything doing
anything to anyone, anywhere.

If NT was configurable to create a Sandbox, wouldn't we all be thrilled? I
know I would, it would give me the ability to run applications within
restricted environments to avoid some of the risks associated with "doing
stuff", whatever that might be. Of course the Sandbox should be
configurable, and I should be able to have as many different ones as I want
simultaneously on the same box, but I damn well don't want it every single
time I do everything, do I.

From the same perspective, I want the ability to download code that can
fully interact with my environment. Of course it should be forced to
acknowledge the security profile I've established for each of my
environments where I might run it, but within those constraints it should
be able to do anything a properly console-installed application can do, why
not??

Authenticode, for those of you who don't realize it, was and is intended
for the sale and distribution of software via networks. It's not intended to
be a security sticker, or an anti-virus flag. But the whole concept of
trust is still in its infancy, and there are far too many voices willing to
jump up and cry "Foul" over all sorts of esoteric ethical issues. Trust
will evolve into something that will satisfy most, it just takes time. The
point is, software vendors want some way to sell and deliver that software
via networks. My experience is that most corporations today trust their
vendors to supply them their orders without a great deal of verification.
They place an order, it's delivered, it gets installed (and this bit about a
paper trail is really a side issue, a paper trail can exist regardless of
how the software is sold or delivered).

So where's the issue? Well, because of the Browser implementation of
ActiveX in IE it today is possible for anyone to do most anything they want
(and stuff they might not realize they're doing also). True, to an extent.
A tool does exist to control what users are able to do, I got it, it works,
others have complained about how difficult it is to get (which doesn't
alter the fact it is possible to get it and it does work). Even without it,
though, it's possible to write Profiles which limit much of this access also
(and MS should make this easier and more accessible), NT Tools recently
announced a video series that includes a segment on just this sort of
thing.

To bottom-line it:

  1. I want NT to provide my security, not Internet Explorer, Netscape, or
     any other individual application. This security should be applied via
     User Profiles.
  2. I want to create a shortcut and then apply security policy to that
     shortcut, such that I could have two different shortcuts to the same
     application where one runs in a Sandbox and the other doesn't, or one
     accepts ActiveX controls and the other doesn't. And I want to be able
     to prevent access to the program other than through one (or more) of
     these shortcuts.
  3. I want to see more 3rd-party vendors, like McAfee, write personal
     Firewall type products that can provide some, or all, of the desired
     features above. But if they write them such that they cannot be part
     of Profiles, they're useless.

While we're waiting for the above:

  4. I want the components in IE that permit ActiveX downloads/installs to
     be componentized so that 3rd-parties can write a replacement for it
     (or wrapper). IE should be configurable so it's not possible to run
     without the appropriate replacement/wrapper.
  5. I want to be able to say which IP addresses (or ranges) I'll accept
     ActiveX controls from in IE and I don't want it to prompt me to
     install them from any site not on my approved list, and of course I
     want that approved list to be password protected so my user can't
     change it.
  6. I want a list of the currently installed ActiveX controls and an easy
     mechanism to delete them.
  7. I want an easy configuration option to turn off check boxes to accept
     controls from <wide spectrum> such that my users don't even know they
     could do that.

Got a comment? Drop me an email at Russ.Cooper@rc.on.ca with your feedback.

Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security

btw...thanks to Alan Killenbeck for passing along a link to an invaluable
ActiveX tool. http://www.winmag.com/software/wmfiles.htm#activex is a link
to WinMag Active XCavator, a utility which lists all of the installed
ActiveX components on your machine. It also provides you with all the
details of each, and the ability to remove them.

             copyright © 1997 Russ Cooper. All rights reserved
