Some of the new stuff in Windows XP SP2
We're on the home stretch for Windows XP SP2! I can't begin to tell you what a relief it is to see it almost done.
Anyway, over the next few weeks I want to outline some of the new features in the product.
OK, here's the first. I call it protecting users from themselves.
If you attempt to set the default Internet zone security policy to lower than Medium, IE will complain, and set it back to Medium for you :)
Sure you can hack the registry, but the point is to protect people from making little mistakes!
Comments
- Anonymous
June 26, 2004
What about something to protect users from hitting the poweroff on their powersupply ^^ maybe 1000 Volt à 10 Ampere :)
- Anonymous
June 26, 2004
hhhmmm, 1000v at 10amps = 10kW; sounds like instant death to me! I'm not sure that's a good idea!
- Anonymous
June 26, 2004
The comment has been removed
- Anonymous
June 26, 2004
XP SP2 issues
http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/05/07/13102.aspx
- Anonymous
June 26, 2004
I agree with Cyrus. If it's a complete mistake for anyone, including seasoned pros, to use the UI to adjust the setting to anything less than Medium, then Medium should be the lowest setting.
To me, having a non-selectable "low" visible to users only undermines the Usability of the dialog and announces to hackers that "hey, there is a low setting out there".
- Anonymous
June 27, 2004
The comment has been removed
- Anonymous
June 27, 2004
Michael, was this change introduced after RC2? I see that IE is not letting me change the security from Medium, but it's not complaining about it - it lets me think that I changed it without saying anything.
I also agree with Cyrus, though. If 'Low' is not selectable through the interface, it shouldn't be exposed through the interface.
- Anonymous
June 27, 2004
My guess, and it is a guess (I'd need to speak with the IE UI guys) is if an admin allows low by hacking the registry for a specific reason then it would be shown in the UI.
- Anonymous
June 27, 2004
That sounds like a horrible feature for users. If the user can't set it, don't put it in the interface, don't even have it as a hidden setting. If the average user doesn't know it's there, that just opens up an exploit for someone to change a setting the user didn't know existed.
- Anonymous
June 27, 2004
The comment has been removed
- Anonymous
June 27, 2004
The comment has been removed
- Anonymous
June 27, 2004
I agree with Cyrus. Don't give the user an option he can't use.
Amazingly, we don't have to deal with this in Firefox.
- Anonymous
June 27, 2004
I think it's a good feature. It addresses a real problem with the existing UI - namely, that it's very easy for users to accidentally shoot themselves in the foot.
Sure, it could have been more thorough. It doesn't prevent you from doing stupid things using custom settings. But it's simple enough to be squeezed into a service pack at the last moment (I think it wasn't there in RC1), and it addresses the 90% case.
For all those who say "if users can't do this, don't show the option" - think about it. How would you handle the case where settings are set to "low" in group policy? Would you show it as "custom" on the client, or what?
- Anonymous
June 27, 2004
I think people are reading a little too much into the "protect users" comment I made. Building secure software means many things, from better educated developers, better design, better code, better testing, reduced attack surface and finally, helping the users make good decisions.
I am ABSOLUTELY not blaming users for anything, and anyone who knows me will back me up - I am totally in favor of getting as much right up front and not putting the burden on users.
This change in IE, which is amongst hundreds of other defenses added to XP SP2, is only one.
- Anonymous
June 27, 2004
How is it easy to accidentally change that setting? You have to go through four mouse clicks to change it (and fifth to accept the change), do you know what the chances are of accidental mouse clicks to actually do this by accident? Most users don't even know there are security zones.
So once again, Microsoft is doing the wrong thing - it's assuming ALL of its users are complete idiots that need to be protected from themselves. We've seen this with Visual Studio and now we're seeing it with the rest of their applications. Soon there will be no Cancel buttons, so users can't accidentally cancel their actions. Choice is a forbidden word at Microsoft...
And Mike - you don't build secure software by not allowing users to control it. You build it by fixing bugs (there will always be bugs since nobody's perfect), and fixing them quick. It's been a long time in bug fixing terms since http://www.microsoft.com/security/incident/download_ject.mspx was posted, and even a longer time since this issue is known, where's the fix? I'm repeating myself but we'd be all much better off if you put your energy into protecting users from your issues instead of trying to come up with ways to protect users from their actions.
- Anonymous
June 27, 2004
>>do you know what the chances are of accidental mouse clicks to actually do this by accident
Again, you are reading too much into my comments. I never said, "by accident"
- Anonymous
June 28, 2004
The comment has been removed