[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] An OEM build - THE OFFICIAL BLOG OF THE SBS DIVA
Fri, Oct 27 2006 22:40 bradley

An OEM build

...so I was doing some testing on this workstation at home and couldn't figure out why it wasn't LUA freaking out like I expected it to.... well I think I found the answer...

http://www.threatcode.com/hp_oem.htm

That's an image of the permissions on the root of my HP Pavilion C drive here at home ....

Everyone - Full Control. Now keep in mind this system already has a Data Execution Protection Exclusion for the Help and Support Center... and it has worse security on the C: drive than Windows 2000's default permissions:

Members of the Everyone and Users groups (normal users) do not have broad read/write permission as in Windows NT 4.0. These users have read-only permission to most parts of the system and read/write permission only in their own profile folders. Users cannot install applications that require modification to system directories nor can they perform administrative tasks.

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/deploy/dgbe_sec_rzdw.mspx?mfr=true

On this... nearly new HP Pavilion computer... I might as well be running Windows 98. Because on this system the Everyone group DOES have broad read/write permissions all over the place.

How can Microsoft support the home/end user when the permissions that they've worked SO HARD to ensure are tightened up are not implemented in the systems that are used by home users... the ones that turn into bots and whatnot? What hope do we ever have of having security when manufacturers change defaults and NEVER TELL END USERS?

And go into any small business and we tend to not flatten these builds but use them "as is".

Can you tell I'm a bit shocked by HP's changing of the default permissions? To me this is unacceptable... that this is not disclosed... and the permissions are weakened so much on a home PC.

(To Karen....yes, it's a home PC as I stated ... all the more reason to not change the ACLs to Everyone Full Control...but there have been reports from other Security MVPs that OEM 'consumer grade' builds of boxes have adjusted permissions and ACLs.... given that there are times that you walk in and the owner hands you the machine from Best Buy...but even with business class machines, I'm finding too much crud on the box for my liking.  Quicken, McAfee... there's too many other programs and crud on there that you don't have a standard image)
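
One way to check a machine for the condition described above, as an added example that is not part of the original post: a PowerShell script that lists Allow entries granting Everyone, Authenticated Users or Users Modify or Full Control on the drive root and its top-level folders. The `$Root` parameter, the choice of groups and the Modify threshold are assumptions of this example.

```powershell
# Added example (not from the original post): report Allow ACEs that give
# broad groups Modify or Full Control on a drive root and its top-level folders.
param([string]$Root = 'C:\')   # assumption: the system drive is C:

# Well-known SIDs, so the check also works on localized Windows builds.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$modify     = [int][System.Security.AccessControl.FileSystemRights]::Modify
$genericAll = 0x10000000   # raw GENERIC_ALL bit, seen on some inherit-only ACEs

# The root itself plus every top-level folder (hidden ones included).
$targets = @($Root) + @(Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } | ForEach-Object { $_.FullName })

$findings = foreach ($path in $targets) {
    try   { $acl = Get-Acl -LiteralPath $path -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL on ${path}: $_"; continue }

    # Ask for explicit and inherited rules with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow' -or -not $broad.ContainsKey($sid)) { continue }

        # Flag only ACEs carrying the complete Modify set (Full Control includes it),
        # so the stock "Users may create folders" entries are not reported.
        $mask = [int]$rule.FileSystemRights
        if ((($mask -band $modify) -eq $modify) -or ($mask -band $genericAll)) {
            New-Object PSObject -Property @{
                Path = $path; Group = $broad[$sid]
                Rights = $rule.FileSystemRights; Inherited = $rule.IsInherited
            }
        }
    }
}
$findings | Format-Table Path, Group, Rights, Inherited -AutoSize
```

Run it from an elevated prompt so that protected folders can be read; an empty result means none of the three groups holds Modify or Full Control at the top level of the drive.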


# re: An OEM build

Saturday, October 28, 2006 2:19 AM by sandi

Yowsers.  My HP Compaq nx6120 is not set up like that, but you can bet I'll be checking out all the new HPs in the office on Monday...

# re: An OEM build

Saturday, October 28, 2006 2:00 PM by Karen Christian

That's Media Center 2005 and that OS has no place in a business environment. By default it cannot join a domain.

# re: An OEM build

Saturday, October 28, 2006 8:14 PM by Chris Rue

I have an HP dv9005us running MCE 2005 "banana hacked" & fully connected to SBS 2003 here at the funcave. It works beautifully & doesn't have the perm issue Bitzie mentions. I'd also argue that MCE does have at least one place in a biz environment: the conference room.