Lock-down for geeks
Finally, after what feels like an eternity, Microsoft is starting to take seriously the urgent requirement to be able to lock down Windows in a straightforward fashion. Ever since Microsoft decided that XP would become the convergence platform that brought together the home-oriented Windows 9x family with the professional NT family, there’s been a more-than-nagging worry that the originally well thought-out security side of NT has been grossly compromised by the need to attract 9x users and their applications to run on the new operating system.
And that worry is very real – almost every XP Home installation I’ve seen has a single-user account on the machine, normally with no user login and password set up. This is the default Administrator account, of course, because all the older 9x applications have been written with the assumption that they’d be given such rights. Unfortunately, leaving a machine wide open in this way means it becomes a neon-illuminated target, even a magnet, for every bit of spyware, virus, Trojan or other malware that’s floating around the Internet. Any attempt to lock down such a machine normally ends up with some major applications having hissy fits and family life collapsing into uproar once Little Johnny throws a screaming fit after his favourite game refuses to run. I’ve named and shamed the appalling nonsense to be found on the Electronic Arts support website before in this column, where the firm claims it’s a good idea to delete all accounts, give everyone Administrator status and so forth before its games will run. I won’t expand any further my views on this matter lest it bring another fit of foaming at the mouth…
Microsoft has been incredibly complacent in this area too. Service Pack 2 brought a whole set of welcome security improvements, but singularly failed to address the core problem; namely, that of users running their machine as Administrator. Until this issue was tackled, no real progress could ever be made. Now, with the release of the Shared Computer Toolkit, Microsoft has at least admitted it’s a problem and, as with those 12 steps taken by a reforming alcoholic, such first steps are important even if they don’t manage to resolve the whole problem overnight.
I installed the Shared Computer Toolkit and played around with it for a couple of weeks, but at the end of that period my reaction was mixed. Part of me wants to get on a jet over to Redmond, find the people responsible and set fire to their underwear. The more forgiving side of me accepts that, despite its still horrible problems, this kit is a small step in the right direction (and, like the reforming alcoholic, we can’t expect our first fumbling steps to be anything other than wobbly).
So what’s the idea behind SCT (which I’m going to abbreviate from now on because I’m already tired of that name)? Well, the reality is that XP, both Home and Professional, has always come fitted with an array of settings that can be applied to lock down the machine and its users; the problem has been that we know such a lock-down will break lots of the home-oriented applications out there. Well, with the release of SCT, Microsoft has shrugged its shoulders and said: ‘So you want access to all the security settings: here they are.’ SCT is basically a toolkit that brings all the security and user settings into once place and allows you to apply the big ‘OK’ finger from the sky to the security of your machine.
That’s the good news. The bad news is, first, that to get SCT at all you’ll have to go through the rigmarole known as Microsoft Validation. I’ll come back to what this means in a minute, but with SCT the validation process is mandatory, not optional. Then, once you’ve downloaded SCT, it’s time to install it, and the first obstacle you hit is a full-scale roadblock. You see, SCT implements a rather useful technology called Windows Disk Protection, the idea of which is that any writes to the Windows system area will be diverted away to a special hidden place. When you log out of the system, all these changes you’ve made are thrown away so the system reverts to a ‘known good’ configuration. This is useful when experimenting with your system, especially as there are also ‘Retain Changes for one restart’ and ‘Retain changes indefinitely’ options on offer, so you can keep what works. The downside is that all this temporary storage can’t be done within the Windows partition itself, so SCT needs its own area to hide things away in, and that means repartitioning your hard disk.