Art,
Yes, I know. Yet one of the users of an authorization mechanism is intrusion
prevention! It would be nice to have a bit more control over who runs what
in my machine.
Alberto.
-----Original Message-----
From: Art Baker [mailto:xxxxx@nfr.com]
Sent: Friday, August 09, 2002 1:15 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Is it possible to prevent any .exe file from getting executed?
Alberto,
What you describe in your post is more on the order of an
intrusion-prevention component than an authorization mechanism. As I’m sure
you already know, Windows itself doesn’t provide anything close to that
level of protection. On the contrary, Microsoft’s fascination with
“[Hyper]Active Everything” tends to make executing arbitrary code a little
bit too easy (in my opinion).
-Art Baker
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Moreira, Alberto
Sent: Friday, August 09, 2002 12:18 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Is it possible to prevent any .exe file from getting executed?

What I may need is to make sure that some .exe files don’t get executed,
even by accident. For example, I may not want to execute any .exe files that
come attached to an email; I may want to prevent anyone from outside my
machine from launching cmd.exe; I may want to make sure no rogue process can
fork out the execution of an executable file; and so on. In a nutshell: I may
not know the name of the file in advance, just the circumstances under which
the file was launched. In fact, I may not even care which file we’re talking
about; for example, it’s ok if I run cmd.exe from my keyboard, but it’s not
necessarily ok if someone else manages to run it from somewhere else in the
network.

What’s needed is an authorization mechanism that is attached to contexts,
not to specific files or pathnames. “No running certain .exe files from the
network, please”. “No executing anything from inside an unzip operation”.
“No executing certain files from inside .bat files”. “No running executables
by double-clicking on some website links”.

And so on, user- or admin-selectable. Can Windows do that?
Alberto.