• SanDroid (4/12/2011)


    Steve,

    Great article and wonderful graphic.

    One question I have always had about this new Policy of least privilege that M$ started pushing for in XP is this.

    Are internal or supported products (like Install Shield, Remedy, Office, IE) following all these rules, or are they given exceptions that allow their products to still work?

    There are some products that we have developed in house where we work that allow us to seamlessly update everyone to the latest version of our current software.

    With these changes, our only answer from M$ has been to purchase a partner's product that does a limited version of what we want to do.

    Don't get me wrong, I understand the need for this change in security and code execution levels and all the issues it resolves.

    I would like to see better support from M$ when it breaks things that are working using previous design patterns they had provided.

    I doubt that many of the MS products adhere to this, though a lot of that is different departments coding to meet their deadlines, without necessarily following some standard. I think a lot of this changed in the 2003-2004 time frame when MS stepped back, stopped development of some products like SQL Server, and re-engineered their processes to be more rigid, standard, and secure.

    I definitely agree that MS has not necessarily been a great advocate here of best practices for security and incorporating that into their own development cycles.