brblueser

But, is it really an account? I mean, it doesn't appear under any of the user mgmt tools... (not that it really matters, I am just trying to understand it) Quote: In this case, a properly configured service under Windows could be more secure than the *nix counterpart, since most processes/services in *nix run as Root and if compromised have Root-level access to the system Well, IIRC it's not that bad: you have many different users for many different services: apache, xfs, dnscache, mysql etc. Some of them might indeed share root privileges (through suid or by belonging to specific groups), but it doesn't have to be that way for all of them. Also, some services run on chroot jails. However, for services running as root (or under suid), you're right -- same, as you said, for services running as 'system' on Win2k. And AFAIK you shouldn't need kernel-level modifications to apply such a policy for most of the services (although properly configuring this by hand could turn out to be impossible for some cases or at least tricky for others, demanding creation of specific users -- easy part -- and proper file permissions configuration -- the hard part, depending on how far you're willing to go or how complex is your setup). Anyway, thank you very much for the tips and insights, it has been really enlightening, I have definitely improved my Win2k knowledge.

Quote: Most of the core ones (the MS defaults) don't need to be bothered with (and probably shouldn't) so I wouldn't worry about those. The real need to adjust these is with applications that run a service in which you have installed after the fact (RDBMS systems, web servers, ftp servers, etc) that you want full control over. Mmmh... from what I can see, there's not really much I would need to change, then. I have AVG from Grisoft (a free AV app), Sygate Personal Firewall, NVIDIA Driver Helper and a bunch of Iomega services (for my ZIP drive) all running as LocalSystem. Should I change this? Quote: What I have done is created accounts for each of these services, then give them only what they need for permissions (such as "Power Users" so they can launch but not install anything on their own). Also, whenever in a domain environment, I make these accounts locally on the machine rather than in the domain so that if a service is compromised, it can't be used to move across the network or create accounts in the domain. That's clever. Maybe I will play with this later. ... I just realized this: there is no such a thing as 'system user', is it? (I am trying to make a comparison with root/non-root users). Thks again.

Quote: Unless there's a real method to handling dependencies in RPMs, then it will always be a major failure and thorn to Linux users everywhere. Right. I subscribed to the RPM mailing list a while ago, and some guys that actually develop RPM are also members. They are really aware this is the Achilles heel of RPM, and they would also love to implement a decent solution for it. However, from what I could see, there are some other 'deep' (conceptual) probls that need to be fixed first. Quote: Oh, and your account here is also valid at www.linuxcompatible.org, in case you or others didn't already know . Cool! Didn't know about it, will drop by to see what's going on.

Hi clutch, [ thks for bearing with the ongoing discussion but, again, it's not my intention to turn this into a Linux-related thread (I didn't even mention Linux on my original post! ) ] Nicely put. Indeed, "dependency hell" with RPM-based distros can be quite a PITA. apt-get abilities are legendary, and I believe it is one of Debian's strongest points -- the weakest being the installation process IMHO. I've followed a Debian installation once at my last job, and it was awfully hard to even find desired packages on the cds. However, I always heard that once you get used to the installation process, you won't replace your Debian for nothing Regarding apt4rpm, I believe its main probl is the lack of repositories, since it is sort of "unofficial" (only Conectiva claims full support for it, since they are the ones responsible for porting apt to RPM-world). It seems to be gaining popularity, though, maybe things improve in the future... (it should take a while, since a port to RPM 4.x is facing some probls AFAIK). RedCarpet, from Ximian, also does automatic dependency checking, but it is still buggy (at least here on my system it doesn't run right). The "self-building" distros are really interesting, but you have to be "in the mood" to wait the whole thing to finish... (and, as you said, you'd better have a good hardware to back you up) I am still running RH 7.1 here, but it hardly resembles the original 7.1. I upgrade some basic system tools and apps using up2date, but I still do most of my upgrading by hand. I never used RH tools for configuration (aside from initial installation). However, I agree, it is specially well-suited for newbies -- and this is their goal in order to try to make Linux more "suitable for the masses". I am not against this, but I can't say I am totally for it either... but that's another story Quote: With respect to the security layouts, I find the *nix model to be rather limited. You can setup objects, and then use those objects (such as users) as containers (groups) for other objects. And that's about where it stops. Agreed. Here is where it shows its age: this is the same model invented way back in the 70s. Simpler (and therefore more common) needs are usually well-served by this simple model, but more complex setups, even though not impossible, indeed demand extra groups creation and admin. Quote: In order to change the logon credentials of a service, you just go to the services panel (right click on "my computer", select "manage", then go to "services") and open the properties of a given services. At that point, you should see a log on tab, and you can change the credentials of the service. Cool, now I'm making some progress All my services are currently running as 'LocalSystem'. If I got it right, this should be changed to 'Admin', right? (or whatever name I gave it). Don't I risk failing starting some services if I change this? Thks for your help and patience.

(Mmmh... I have a felling this is getting really OT for this forum... ) Underneath, Linux distros are essentially the same (after all, its the Linux kernel behind all of them), but they usually differ mainly on the instalation and configuration tools and package management (Debian uses .deb files, RH, SuSE, Mandrake and others use RH's RPM etc.). Distros also differ on the amount of bundled apps, as well as on how bleeding edge they are (some prefer to include the very latest versions of apps, while others are usually a little behind). Finally, there are specific versions of distros tuned for specific purposes, just like with Win2k Pro, Win2k Server etc. Installation/configuration tools have direct impact on ease of configuration, specially depending on the hardware you have (like graphics boards, digital cameras, scanners etc.) I have never tried Mandrake, but from what I've heard its tools are very efficient and user-friendly, and it does a good job in keeping pace with latest versions of apps.

Quote: The security models are completely different, and many of the exploits/viruses/worms attack services that are already running with admin (or worse, "system" priveledges if never changed by the admin) credentials and thus makes no difference what account was logged in at the time. Few people have made a point to really understand both models, and these misconceptions about not using admin privies on Windows systems keep rolling foward. Just setup another account for yourself, and make it a member of the administrators group. And then rename the "administrator" account to something else to help slow down the more obvious attacks. Thks for the tip. This is actually what I am doing: I use a 'normal' (non-admin) account, but I am a member of the Admin group instead of PowerUsers. So, is this a reasonable setup when it comes to security? Now, changing privileges from 'system' to (?) is something that I definitely haven't done. Could you please elaborate a little further (or point me to some documentation)? I haven't renamed Adminstrator account, will do that. Thks again

Quote: Sorry about the Linux comment, I'm running Mandrake 9 myself. I've tried SuSE and Red Hat also. Hey, no need for apologies, no harm done Also, please, folks, don't get the idea I came here with the intention to light up a flame war. I did not intend to compare Win and Linux (although I wouldn't mind doing that, I am still learning technical aspects of Win2k and any information is a bonus, maybe this just isn't the right place), it's just that Linux is a natural reference to me. Quote: To put it another way... I can slam my W2K system around all day long without a problem. Programs in/out, multiple reboots, all sorts of weird configurations, and it just keeps chugging along. Linux tends to be a lot more brittle environment which I've often seen break with that same abuse. Strange... I've never had this kind of probl with Linux. Aside from new hardware installations, which might require some fine-tunning on the config files (and, I have to agree, depending on the type of hardware it can really be a PITA) and definitely requires a reboot, I only reboot Linux boxes when I upgrade the kernel. YMMV. Quote: On the other hand when left in a set configuration, well, we all have heard how a walled up Linux (or UNIX) box is found running years later... Believe me, I've seen this happen -- the machine was an amazingly old and beaten PII, it was hosting a set of CGI scripts for user registration and data submission, and this machine was forgotten. We only remembered it existed when filesystem became full and service stopped (but not the OS). It stayed like this for almost two years! Quote: the other issue is the security one [snip] Now I'm not saying that I don't use security, but, required parameters are much different in that small business than in the large impersonal workplace. Agreed. Nevertheless, the risk is there, and even though I don't have any sensitive data in my home computer, I would get really pissed off if some nasty IE exploit wipes out files from my HD... (and even more if I contributed to it in any way with careless administration) Quote: So, I guess I'll keep Mandrake as a second system on the computer. And, if anyone is determined to run Linux, I'd definitely recommend Mandrake. But, I think that W2K will remain as my main workstation environment for the foreseeable future. It's always good to keep an open mind (that's what I am trying to do ). In my case, it's the other way around -- my good old RedHat is my preferred system on my box. OT: Mandrake has ranked again as #1 distro according to a Linux Journal survey... I should definitely give it a try. Thks again for the ideas and the nice conversation.

Quote: If you're a standalone or a small network, why is it bad to run as Administrator??? You been listening to these Linux guys too much ;-). Hey, I am one of these Linux guys! Quote: In a small (home) networked enviorment sub accounts are for your wife or kids. Agreed. My main concern is that, by running everything as admin I might be increasing the chances that if I do some damage (either by myself -- less likely, but... -- or "manipulated" by some virus/exploit), it could be orders of magnitude worse than if I was logged as average Joe user. I try to keep myself up-to-date with AV signatures and AFAIK my firewall is well configured, but you never know with virii/exploits coming out every 2 weeks... I am just finding it hard to properly configure permissions, because apps seem to act weird if I switch to a non-admin group, and I can't seem to get the pattern -- even if I uninstall them as admin and try to reinstall them as a 'power user', things don't go fine. In the meantime, I will keep playing God here... (not that I don't like it, but... ) And, yes, given the environment here, no doubt I would be admin anyway (I am just not sure I should be all the time!) Thks for the reply.

I need some help with setting admin rights on Win2000 Pro... I used to belong do Admin group, which allowed me to do everything. This is a bad thing, and I decided to play Mr. Nice Guy and switch back to default "Power Users" group. According to its description, I should be allowed to install progs and such, but this is not happening: most of the apps I try to install either simply fail or explicitely say they need admin rights in order to be installed ;( Even worse: 'runas' is not helping me at all, and all sorts of weird things happen: apps silently refusing to run as normal user, games showing weird behavior (my mouse goes crazy if I run Jedi Knight II with 'runas') and such ;( Given this incredible mess, I will revert to being a member of admin group until I figure out how to deal with this the correct way... ;( Any help will be much appreciated. BTW: This is a single user machine (home use only), but it is connected to a cable modem, so security concerns apply. TIA Andre

Hi everybody: it seems I finally was able to copy a CD using Nero . In order to do that, I did what we were all assuming was necessary: removed Adaptec's ASPI drivers and let Nero use its own. Thks to thatsteveguy's info on how to uninstall Adaptec's drivers, I got rid of them, rebooted my machine and tried Nero Info Tool. It reported system ASPI drivers were missing, but its own drivers were ok. I then tried duplicating one of my audio CDs, and all went fine! I am still skeptical about Nero being 100% free of trouble, but I got a good feeling about it this time. A couple more burning tests will get rid of any remaining doubts. So, thks to all who helped, your support was decisive and very much appreciated. See ya, Andre FYI: My old Easy CD Creator copy was definitely a no-go: it was v3.5, which is the oldest version of ECDC, and for which there is no free upgrade to newer versions. Too bad... ;( FYI2: Don't ask me how, but even CDex is recognizing my VeloCD this time... ;( Maybe the registry fixes I applied for Adaptec's drivers are helping, I don't know...

Just checked: DMA is on for the drive (at least, so says Nero Info Tool). I hadn't payed attention to this detail, thks for drawing attention to it anyway. UPDATES: I just tried installing my old Easy CD Creator, and installation aborts with a 'general file transfer error' (wow...). This happens right after trying to update the registry. This version is so old it is NT4.0 only, maybe that's the reason why it is aborting. I guess this is a no-go. I re-installed Nero, hoping that this time it would recognize Adaptec's ASPI drivers and would not try to use its own. No good: Info Tool still shows both ASPI drivers (BTW: it says that "ASPI is installed and working properly"). aspi_you.exe outputs this: Code: Num Adapters = 2Ho/ID/Lu Manufac Model Rev Type ---------------------------------------------------------0,0,0 ST340823 A 3.39 Disk 0,1,0 FUJITSU MPE3084AE EE-C Disk 1,0,0 TDK CDRW8432 1.07 CD-Rom 1,1,0 IOMEGA ZIP 100 24.D Disk All data above seems to be right AFAICS. Ideas? TIA PS: I am still trying to figure out how to uninstall Adaptec's ASPI drivers, if anyone could point me to some directions I would be really thankful.

Nero comes with its own WINASPI32.DLL, so, from a certain point of view, it also uses its own drivers (Nero Info Tool lists both its own and Adaptec's). Of course, generally comparing Linux to Win2k is nonsense, I just meant to say that the hardware is not faulty, and that being both top of the line OSs, it should be reasonable to expect it work on both (specially with Microsoft's legendary support to all kinds of hardware) Funny thing is that I just confirmed that my old VeloCD is listed on Nero's supported writers page on this page... Anyway, upgrading my old copy of Easy CD Creator seems to be the best solution, indeed. I will see if I can find my cd among my old stuff Thks again.

Hi, Quote: You say that Nero didn't recognize your burner before you put in the aspi fix. I would be somewhat suspicious that Nero would much rather use its own drivers, but doesn't have direct support for the TDK VeloCD CD-RW. And, as you say, your asking for trouble with the two drivers. Right, I intend to uninstall Adaptec drivers and do some further testing with Nero and its own drivers alone. The probl is: Adaptec doesn't provide instructions on how to uninstall ASPI drivers. aspicheck tool lists 4 DLLs, are these the only ones I need to delete? Any reg entries I need to modify/delete? Anyone out there ever did that? I have an old copy of Easy CD Creator that came with my VeloCD, I will see if I can update it to work with Win2k. Anyway, I might replace the unit, but only as a last resource -- as I said, it works with Linux, I can't see why it shouldn't work with Win2k Pro. Thks for the reply. Andre

Ok, just did that, thks for the tip. I really hope Win2k will allow me to do something before rebooting -- all reboots have happened so fast I would consider hardware fault a possibility, but the fact is that I am able to record cds with Linux on this very same machine (it's a dual-boot one). Again, thks for replying. I will do some tests ASAP (within a couple of hours, hopefully), and will report back any news. Best, Andre

Hi all, I've seen posts related to similar questions, but none seemed to give me a final solution to my probl, so here I am seeking for help from the gurus... I have Windows 2000 Pro on a Athlon XP, with a TDK VeloCD CD-RW (old model, 8x write). I have installed Nero 5.5.9.17 and latest ASPI drivers from Adaptec, because CDex simply did not detect veloCD prior to installing it. I have installed the ASPI fix for Win2000. Both apps (Nero and CDex) seem to be working fine at first, they all detect my TDK burner beautifully. Nero Info Tool even reports the right info, and so does aspi_you. However, if I try to copy a CD, my computer reboots soon after CD reading starts (when about 50% of the reading buffer is full). This, as you can imagine, is pissing me off ;( So, can anyone help this poor soul? Having two different ASPI drivers (Nero's and Adaptec's) seems like asking for trouble, but how can I manage to have both Nero and CDex working the other way? TIA Andre