A conversation that comes up often concerns what rights a Windows Administrator (domain or local) has to folders and files. The common assumption is that being an Administrator is the backstage pass, but while it is somewhat true, the details are a bit more complex. Windows did not get to survive in the server space by oversimplifying security, but the defaults are quite open. The fact is that in most cases the Administrator will have rights to all files and folders, but that is not an innate right. It is more of a default circumstance that is very subject to change, especially in environments that have been around for a number of years.
The first thing to understand is that no user has inalienable rights to any file or folder. If an Administrator account or a group which the account is a member is granted no rights at all or is explicitly denied rights to a file or folder then the result will be Access Denied so long as that state persists. A single deny will override membership in a dozen groups with full control or even directly assigned full control. For mere mortal users that is game over, there is no way for them to change this situation without help. But here is where Administrator has a superpower. The key is that an Administrator has the ability to take ownership of any file or folder. This seems like a weak superpower, but it is in fact very powerful because once you own a file or folder, you can assign any permissions you like. This means that the deny can be removed or full permissions can be granted as needed to banish the Access Denied message. The root of this power is in the fact that the “Take ownership of files and other objects” user right in Local Security Policy defaults to giving this right to Administrators. Removing this right will allow permissions at the folder or file level to take precendence, but also removes the failsafe.
This mechanism has been around since Windows NT, but it has changed over the versions. Back in the early days an Admin could only take ownership for themselves, they could not assign ownership to any other user unless they logged in as that user. This meant that it would be hard for an Admin to take ownership, change permissions, read or edit something they should not be touching and then change permissions back and reassign the ownership to the original party. This changed several versions ago so that now Administrators can assign ownership since it must have been decided that the benefit of making ownership assignable outweighed the security of making the scenario from before more difficult.
Over time permissions get changed, often with the intent that the changes are temporary, but seldom does anyone find time to reverse these “temporary” changes to permissions. Sometimes blocking inheritance is part of the change and sometimes experiments become permanent. This all means that sometimes, even when you are logged in as an Administrator, you will see Access Denied. The key to overcoming this is understanding the way that being an Admin lets you access all files and folders. It is not as cut and dry as most people expect or would hope, but that is why it is secure.
As I have been running various organizations I have detected a key trend that I think delivers a critical insight. I find that people who are open to have their perspective changed are able to adapt to our changing technology world much better than those that are not open to changing their mind. Most people listen only to information that supports their current views. This is intellectually lazy and a sure road to obsolescence in any fast moving environment.
I have always been eager to hear views contrary to my own and am excited at the prospect of someone overturning my world view. I do defend my current thinking vigorously so it is not easy to get me to come over to the other side of an issue, but it is possible.
Based on this, the best advice I can offer to anyone wishing to rise to the top of the IT field or any other is to allow others the chance to change your mind. Maybe you think Native Clients are overrated, or the Cloud is a passing fad, but you should actively seek those that challenge those views.
As the Presidential elections draw closer here in the US, I have been having conversations with a number of people who do not vote and in many cases have no intention of voting. I found this attitude baffling at first, but have grown to understand that it comes from a lack of understanding of the true cost of this attitude.
For example I was talking to a young man who I have known for many years and he revealed that he had no interest in voting. He did not think it made a difference. I quoted Mark Twain by saying “The man that does not read has no advantage over the man who cannot read”. I said to him that I found that statement to be profound and felt that by the same token the man that does not vote has no rights beyond the man who lives in a society that does not let him vote. In this way not voting does a disservice to all those who have fought and died to guarentee that right for US citizens.
To the assertion by my young friend that voting does not make a difference I have the following warning. Our political system is ever more cynical. This means that those in power cater to those that can give and take their power and that means blocks of “likely voters”. If you belong to a demographic that is not seen as likely voters then you can expect your views on your issues to be ignored at best and at worst for the tides of legislation to actively work against your wants and needs. The only cure for this is to vote regularly for equality starts with the vote.
As a war veteran of the US Army, I feel that voting is a sacred duty that all citizens are bound to fulfill and the only greater sin against our democracy than not voting is hindering the ability of a citizen to vote. I hope my words here have motivated some to vote and others to abandon their support of any measures that limit participation in voting in any way.
The details of my session at TechEd in Orlando are posted here.
Hope to see you there!
There is still time to sign up for the upcoming Boston Code Camp!
Go to here for details.
Hope to see you there!
A friend of mine forwarded me a link to a provocative paper by Microsoft Research that called into question whether the security advice provided to users for their online activities is useful based on a risk-reward calculation. The link and the PDF document can be found here.
At first glance I thought that the paper was doing harm by dismissing user security as simply not worth attempting, but that is not the point. The point is that the advice provided to users is often hysterical and out of touch with the real world. This is something I have believed for a long time. So rather than just say,
“yes, that is right, we are screwed”, I want to offer up the advice (and mandates) that my own employees and family get when dealing with the security aspects of online security. Here are my Rules of the Road if you will.
The password to my network must NEVER be used for anything else. Violating this rule is worth your job.
If your password is long enough then you never have to change it, except of course if it is known to be compromised. My password to my domain is over 50 characters and it is a pass phrase so since I have never told it to anyone, never written it down, never used it anywhere else, I feel no need to change it regularly (I do change it over time, but not monthly or even quarterly).
You should type in web sites yourself rather than click on links. If your bank sends you an email that something is wrong or they need to talk to you either open a new browser and type in the bank’s URL and login that way or call the bank using the number on the back of your credit card or on your last statement. Phishing is the biggest trap out there and always being suspicious of every link in every email is the best defense unless you are a security expert with alot of knowledge of TCP/IP (hint, if you didn’t understand any of that you are not that expert).
When in doubt close the browser (and if you like for good measure open up task manager and kill all browser processes).
Have a password plan. For me there are 5 levels of passwords. Level 1 is for sites I just don’t care about, but need a password anyways. I use a low security password but a password none the less. It is over 7 characters and has a number in it. Level 2 is for sites that I would not want a stranger browsing as me, but are not a risk to my reputation or my finances. Level 3 are sites like social network sites where I would face some embarrassment if someone hijacked it, but not financial loss. Level 4 sites are things like banking and I have very few of these and while according to my rules I could reuse passwords on this level I choose not to. Level 5 is of course the password for my business network and it stands alone.
If you find the need to write down your passwords then either get a password keeper program like whisper32 (there are many to choose from). These programs are not hacker proof, but the hacker needs to get pretty deep to be able to even start attacking these kinds of programs.
As the X-Files taught us, “trust no one! If someone asks for your password for anything stop talking to them no matter how the topic arrives.
Those are the highlights. I don’t try to make users security experts, but I seek to help them exercise some best practices. I am thinking of making this into a presentation for user groups and expanding it out with examples and much more detail.
I am happy to announce that very soon I will be providing a monthly article in the SD Times on Microsoft Technology.
With this regular writing task to spur me on I expect (and hope) to be doing alot more blogging as well…
Recently I have had two of my most senior employees come to me seperately and suggest new products for the company to build. I encourage this of course, but find I have to help them understand some things about what I call Disciplined Entrepreneurism.
Ultimately when you decide to build a product for general sale you have three choices:
1. Invent something
2. Copy something
3. Enhance something
Each of these has its strengths and weaknesses. For #1 you have to really have a good idea and you have to bear the burden of educating the world they need something they never had before. In path #2 you have to make sure you can do it so much better that you can overtake the current vendors. And with #3 you build an add on to an existing product as part of its ecosystem, so that means your only customers are the people who bought the thing you are enhancing.
None of these is easy and none is a “sure thing”. I find that it is a slow road with luck and hard work playing equal roles in most cases. Misjudging the market is a common mistake, but not doing any market research ahead of time is by far the most common mistake.
Our head developer of our FSM product, Amr (he specifically asked me to mention him when I told him I planned to blog about this), throught that it might be a good idea for us to develop a Facebook Application. My response was to point out that Facebook, iPhone apps and other applications seem like a great way to get rich, but the failure rate is enormous
my research says that it costs tens of thousands of dollars to bring one to market successfully as very, very few make any money at all the average lose money if the idea is good enough then you have a better chance, but everyone thinks they have the killer idea. The costs go way up if you advertise it with some having spent as much as a million dollars. There really are no shortcuts to wealth
You should never just build an application. You should first figure out the odds of it actually making money otherwise you spend your life just writing code and never make any headway.
The key is to jump in before the market gets too saturated and to do some pragmatic thought about the potential of your product idea. Rather than look to Facebook or iPhone apps I think Windows Phone 7 applications is a much better landscape since there is still room for new players to make a mark. Just remember that you have to tamp down your wishful instincts…
While I resisted Twitter for a long time, not too long ago I started following selected individuals on Twitter including Richard Campbell (richcampbell on twitter). I plan to start using Twitter myself hopefully to communicate things of value, but for now I am using it as a comsumer.
This morning Richard tweeted “Four things to write this weekend… is it wrong to do them in the order of how much they pay?”. This got me thinking about my own task juggling over the years. When I was in college I learned that there are times that you have more to do than can humanly be done. This was in fact a central part of the pressure West Point put on us while we were cadets there. To cope I came to the conclusion that the juggling metaphor is quite apt. The thing to realize is that not all balls (tasks) are created equal. Some are made of rubber and some are made of glass. Rubber balls bounce and you recover even if you let them drop from time to time. Glass balls shatter if you drop them even once. The key is to identify which kind of ball a task represents and there lies the rub.
We see the same decision points when we undertake software development. I try to tell people over and over that security is a task of glass.
For the record, I think Richard has his priorities correct all things being equal…
IBM has decided to build the mother of all Cloud Computing data centers in of all places, China. I will advise all that will listen that this is a fantastic blunder since China is the absolute worst choice for such a resource. I do not want any of my corporate code and data or the data from customers housed inside China.
Don’t get me wrong, I am not xenophobic by any means and am even not violently opposed to offshore development or data centers. The problem is that China is the capital of corporate espionage and the worst offender in the world of not respecting the intellectual property of others.
This is a big win for Microsoft Azure and Amazon unless I missed similar announcements from them (which I doubt).
The first mission of a Cloud Computing provider is to provide security of the data and I just don’t see that happening if the data is in China.