<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: IDC: PC Shipments Decline In Second Quarter</title>
	<atom:link href="http://mrpogson.com/2012/08/24/idc-pc-shipments-decline-in-second-quarter/feed/" rel="self" type="application/rss+xml" />
	<link>http://mrpogson.com/2012/08/24/idc-pc-shipments-decline-in-second-quarter/</link>
	<description>One man. Closing, all the windows.</description>
	<lastBuildDate>Sat, 25 May 2013 19:48:29 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
	<item>
		<title>By: oiaohm</title>
		<link>http://mrpogson.com/2012/08/24/idc-pc-shipments-decline-in-second-quarter/#comment-94718</link>
		<dc:creator>oiaohm</dc:creator>
		<pubDate>Tue, 28 Aug 2012 11:23:20 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=13845#comment-94718</guid>
		<description><![CDATA[Brillo
--And what would such “cases” be?--
http://www.sepago.de/d/helge/2009/02/17/mandatory-profiles-the-good-the-bad-and-the-ugly
Read the links.  Mandatory profiles and anywhere using 
terminal servers is not an option.  Mandatory profiles on Windows terminal services provide a link between users; this is 2003 and 2008 terminal services.  Buggy sand-boxing in Windows is to blame here, Brillo.

http://www.sepago.de/d/helge/2010/12/13/mandatory-profiles-ae-insecure-by-default
Read the solutions in your link and they don&#039;t work or are not practical.
--1 Do not use mandatory profiles on multi-user systems. On single-user systems make sure that remote registry editing is limited to administrators.--
Ok so you cannot have a system for multiple users. Great.  Bye bye terminal services, bye bye machines with more than 1 user; this includes switching users, temp counts as 2 users.  Not a very valid option in lots of cases.

--2 Block access to the registry via software restriction policies. This includes, but is not limited to, Regedit.exe, Cmd.exe, Reg.exe, scripts and batch files, custom (downloaded) tools. In essence, in order to fix this problem exclusive white-listing is required.--
So someone runs something like a Word macro that calls a DLL that edits the registry; this does not help, right.
http://msdn.microsoft.com/en-us/library/office/bb687915.aspx
http://www.ehow.com/how_8749944_edit-registry-excel-vba-macro.html
So no Macros in MS Office at all.  This for some reason does not make users particularly happy with you.
But even then you cannot trust LibreOffice from a Python macro not to reach out to a DLL.
http://www.python.net/crew/theller/ctypes/tutorial.html
So now you don&#039;t have an office suite you can use fully since they all can reach out and mess with the registry.

In essence, in order to fix this problem exclusive white-listing is required; problem is, what is on the black list is everything people want to be using.

Once you make the true complete list of what applications you are not allowed to prevent registry modification in evil ways you cannot do much.

--3 Re-ACL each registry hive after it is loaded and replace “Everyone” with the current user.--

Ok is there a window at login where the cross link exists yes.  Could it be possible to exploit this window yes. In that cross link time can you prevent Re-ACL to the correct user working yes there is.  How simple start the Re-ACL to your own user before the login process starts its own.  Make sure of course you leave everyone in read write but without rights to change permissions.  End result is Re-ACL to correct user now fails.  Again most Windows users will not report the error message.  First to start the Re-ACL wins.  Fun of a race condition.

This is why you must do section two.  If section 2 doesn&#039;t work you&#039;re screwed.  Any application with exposed macroing that can edit the registry must be on the black list or its macroing must be disabled.

Brillo, so you have a mitigation failure here.  Someone thinks they have designed a mitigation but they really have not.
  
All that does not address the worse problem.
http://support.microsoft.com/kb/264732
Everything using encryption services has just been disabled because you are using mandatory profiles.

Linux Mandatory shared profiles work.  You use a unionfs of some form if you want the user to be able to edit in the Mandatory profile.  This is truly sandboxed, no option to exploit it.  Everything in the unionfs is owned by the correct user all the time; there is no exploit window.  Also Linux Mandatory shared profiles are read only in all ways to everyone bar administrator unless administrator allows unionfs or equal.  Also everything created in memory from the Linux read only profile is owned by the correct user.  That is the Windows mandatory profile problem: items end up in memory owned by the wrong user, then you try to fix it after the fact.

This is all a case that the sandbox has holes.  Accessing regedit should not be a security risk in a mandatory profile if the mandatory profile is correctly designed.  Accessing a text editor does nothing against a Linux, Solaris... Mandatory profile.

Simplest of simple fixes.  One, MS altered the Mandatory profile hive loader to load with a Re-ACL so it&#039;s never in memory and exploitable with the wrong ACL information, so preventing the race condition.  Two, implement security features to allow disabling of registry modification by a user.  Three, why in hell can users who are not administrators even be able to see this HKU\.  Sessions different from their own should be invisible.

Do this and enabling registry editing is harmless.  Just fixing the Re-ACL so Mandatory profiles have to be loaded with your user&#039;s id permissions.

As you can see the fix is simple: alter how Mandatory profiles work minorly and the security hole goes away.  Yes the Re-ACL as a default feature blocks the attacks.  Since until the Re-ACL is done the hive needs to be hidden from display and access by users.

Brillo
&quot;And what exactly would “that user” be writing into the profile? It seems that you are simply grasping at straws due to the apparent fact your experience with ADs is mostly fictitious.&quot;

Really this is sometimes the user, sometimes Windows.  Sometimes Windows is when Windows has glitches with logs of ntuser.dat.  So it makes a backup of logs, creates a new log, tries to regenerate the log and gets lost in a loop, basically generating more and more files with ntuser.dat.  That user is that user login.

Sometimes it can be a simple case that the user gets the idea of writing into the wrong place.  Like a classic case of writing a 4G iso image into the same directory as ntuser.dat.  Then wondering why their profile snails even though their documents folder and everything else is redirected.  You cannot redirect it all.

Redirected folders presume users are not idiots.  Problem is you always will get 1 or 2 idiots who will do stupid things to you.

Brillo
&quot;Cite something relevant, and then we shall discuss it in all its details.&quot;
The lag is a simple inter-talk issue.

Kerberos needs to refer to ADS when issuing tickets.  To make sure the machine is known.  So if ADS is busy you are in trouble.

After your machine is connected.  Also there is a catch that there is quite a large delay between sending a Kerberos ticket to a Windows server and finding out it expired but was valid and a new one has to be sent.

http://www.sharepointblog.co.uk/2012/05/permissions-delay-when-using-kerberos-and-security-groups/  This is a related problem.  You enable security groups on a per machine/user basis; the ADS lookup for Kerberos on whether it should issue or not is now more complex.

http://activedirectoryfaq.blogspot.com.au/2007/09/how-kerberos-authentication-works.html
Simple overview of ADS Kerberos and Permissions.

30 second delay comes about because the process is not straightforward, and waiting for locks and packets to make it around the network can all consume time, then you have to wait for cpu processing for encoding parts.  Also note 4 through 7.  So you have more than 1 server you need to talk to; you can require more than 1 key to access resources, all consuming time.  Also if something goes wrong after 1-3 are done 

So the login is not going to fail once you get to 4.  But you can be badly delayed.

Also some Windows clients get lost in stupidity (user triggered) as well, like requesting a ticket for each share on the same server (not required) and not mounting shares until it has a ticket for every network share.  Then mounting the shares one at a time.  The requesting of a Kerberos key pair for every resource is a bug that appears to happen randomly; cause is the user not waiting and attempting to click to access a resource, so Windows responds by requesting another Kerberos key pair because it does not have a key pair for that yet.  Result is the Kerberos server can be a little bit too busy answering requests from other users who are click happy to be answering yours, so you can end up waiting too long for a Kerberos answer so having to send another request.  Not helping the problem.

30 second delay has causes; there is no simple solution.  One part can be fixed Windows client side so users clicking on a share that is not accessible yet does not result in the client performing a DoS attack on the Kerberos server (Key Distribution Center), because the client goes: I have already sent in a request for that and the user is being stupid.  Just to be fun, the data for Kerberos is stored in the ADS so if someone is doing a lot of other things with the ADS it can be a little busy to answer.

Other bits being encryption and alteration; using a more powerful server can help.  Just to be annoying not all the encryption is stable.  Sign&#039;n&#039;seal MS uses sometimes fails for no good reason causing a retry, even Windows to Windows.

So 30 second lag happens that is reality.  Mostly because the login process of windows is complex.

Really the correct answer is not to dispute the random 30 second delays.  You can also see 30 second delays out of Linux when you use some of the more complex and more secure login methods.  Price of login methods: the more complex it is, the more extreme the worst case with real world delays is.

The delays of 30 seconds in an ADS network appear random but if you can see the overall picture of what is going on in the network when the 30 second delay happens you find causes.  Sometimes Exchange, SharePoint or some other server hogging ADS or Kerberos time.  Sometimes a user who needs a good talking to about waiting for the system.

The delay glitch in the interaction of Kerberos, ADS and permissions basically does not have a cure.  It will just happen at the worst possible times.]]></description>
		<content:encoded><![CDATA[<p>Brillo<br />
&#8211;And what would such “cases” be?&#8211;<br />
<a href="http://www.sepago.de/d/helge/2009/02/17/mandatory-profiles-the-good-the-bad-and-the-ugly" rel="nofollow">http://www.sepago.de/d/helge/2009/02/17/mandatory-profiles-the-good-the-bad-and-the-ugly</a><br />
Read the links.  Mandatory profiles and anywhere using<br />
terminal servers is not an option.  Mandatory profiles on Windows terminal services provide a link between users; this is 2003 and 2008 terminal services.  Buggy sand-boxing in Windows is to blame here, Brillo.</p>
<p><a href="http://www.sepago.de/d/helge/2010/12/13/mandatory-profiles-ae-insecure-by-default" rel="nofollow">http://www.sepago.de/d/helge/2010/12/13/mandatory-profiles-ae-insecure-by-default</a><br />
Read the solutions in your link and they don&#8217;t work or are not practical.<br />
&#8211;1 Do not use mandatory profiles on multi-user systems. On single-user systems make sure that remote registry editing is limited to administrators.&#8211;<br />
Ok so you cannot have a system for multiple users. Great.  Bye bye terminal services, bye bye machines with more than 1 user; this includes switching users, temp counts as 2 users.  Not a very valid option in lots of cases.</p>
<p>&#8211;2 Block access to the registry via software restriction policies. This includes, but is not limited to, Regedit.exe, Cmd.exe, Reg.exe, scripts and batch files, custom (downloaded) tools. In essence, in order to fix this problem exclusive white-listing is required.&#8211;<br />
So someone runs something like a Word macro that calls a DLL that edits the registry; this does not help, right.<br />
<a href="http://msdn.microsoft.com/en-us/library/office/bb687915.aspx" rel="nofollow">http://msdn.microsoft.com/en-us/library/office/bb687915.aspx</a><br />
<a href="http://www.ehow.com/how_8749944_edit-registry-excel-vba-macro.html" rel="nofollow">http://www.ehow.com/how_8749944_edit-registry-excel-vba-macro.html</a><br />
So no Macros in MS Office at all.  This for some reason does not make users particularly happy with you.<br />
But even then you cannot trust LibreOffice from a Python macro not to reach out to a DLL.<br />
<a href="http://www.python.net/crew/theller/ctypes/tutorial.html" rel="nofollow">http://www.python.net/crew/theller/ctypes/tutorial.html</a><br />
So now you don&#8217;t have an office suite you can use fully since they all can reach out and mess with the registry.</p>
<p>In essence, in order to fix this problem exclusive white-listing is required; problem is, what is on the black list is everything people want to be using.</p>
<p>Once you make the true complete list of what applications you are not allowed to prevent registry modification in evil ways you cannot do much.</p>
<p>&#8211;3 Re-ACL each registry hive after it is loaded and replace “Everyone” with the current user.&#8211;</p>
<p>Ok is there a window at login where the cross link exists yes.  Could it be possible to exploit this window yes. In that cross link time can you prevent Re-ACL to the correct user working yes there is.  How simple start the Re-ACL to your own user before the login process starts its own.  Make sure of course you leave everyone in read write but without rights to change permissions.  End result is Re-ACL to correct user now fails.  Again most Windows users will not report the error message.  First to start the Re-ACL wins.  Fun of a race condition.</p>
<p>This is why you must do section two.  If section 2 doesn&#8217;t work you&#8217;re screwed.  Any application with exposed macroing that can edit the registry must be on the black list or its macroing must be disabled.</p>
<p>Brillo, so you have a mitigation failure here.  Someone thinks they have designed a mitigation but they really have not.</p>
<p>All that does not address the worse problem.<br />
<a href="http://support.microsoft.com/kb/264732" rel="nofollow">http://support.microsoft.com/kb/264732</a><br />
Everything using encryption services has just been disabled because you are using mandatory profiles.</p>
<p>Linux Mandatory shared profiles work.  You use a unionfs of some form if you want the user to be able to edit in the Mandatory profile.  This is truly sandboxed, no option to exploit it.  Everything in the unionfs is owned by the correct user all the time; there is no exploit window.  Also Linux Mandatory shared profiles are read only in all ways to everyone bar administrator unless administrator allows unionfs or equal.  Also everything created in memory from the Linux read only profile is owned by the correct user.  That is the Windows mandatory profile problem: items end up in memory owned by the wrong user, then you try to fix it after the fact.</p>
<p>This is all a case that the sandbox has holes.  Accessing regedit should not be a security risk in a mandatory profile if the mandatory profile is correctly designed.  Accessing a text editor does nothing against a Linux, Solaris&#8230; Mandatory profile.</p>
<p>Simplest of simple fixes.  One, MS altered the Mandatory profile hive loader to load with a Re-ACL so it&#8217;s never in memory and exploitable with the wrong ACL information, so preventing the race condition.  Two, implement security features to allow disabling of registry modification by a user.  Three, why in hell can users who are not administrators even be able to see this HKU\.  Sessions different from their own should be invisible.</p>
<p>Do this and enabling registry editing is harmless.  Just fixing the Re-ACL so Mandatory profiles have to be loaded with your user&#8217;s id permissions.</p>
<p>As you can see the fix is simple: alter how Mandatory profiles work minorly and the security hole goes away.  Yes the Re-ACL as a default feature blocks the attacks.  Since until the Re-ACL is done the hive needs to be hidden from display and access by users.</p>
<p>Brillo<br />
&#8220;And what exactly would “that user” be writing into the profile? It seems that you are simply grasping at straws due to the apparent fact your experience with ADs is mostly fictitious.&#8221;</p>
<p>Really this is sometimes the user, sometimes Windows.  Sometimes Windows is when Windows has glitches with logs of ntuser.dat.  So it makes a backup of logs, creates a new log, tries to regenerate the log and gets lost in a loop, basically generating more and more files with ntuser.dat.  That user is that user login.</p>
<p>Sometimes it can be a simple case that the user gets the idea of writing into the wrong place.  Like a classic case of writing a 4G iso image into the same directory as ntuser.dat.  Then wondering why their profile snails even though their documents folder and everything else is redirected.  You cannot redirect it all.</p>
<p>Redirected folders presume users are not idiots.  Problem is you always will get 1 or 2 idiots who will do stupid things to you.</p>
<p>Brillo<br />
&#8220;Cite something relevant, and then we shall discuss it in all its details.&#8221;<br />
The lag is a simple inter-talk issue.</p>
<p>Kerberos needs to refer to ADS when issuing tickets.  To make sure the machine is known.  So if ADS is busy you are in trouble.</p>
<p>After your machine is connected.  Also there is a catch that there is quite a large delay between sending a Kerberos ticket to a Windows server and finding out it expired but was valid and a new one has to be sent.</p>
<p><a href="http://www.sharepointblog.co.uk/2012/05/permissions-delay-when-using-kerberos-and-security-groups/" rel="nofollow">http://www.sharepointblog.co.uk/2012/05/permissions-delay-when-using-kerberos-and-security-groups/</a>  This is a related problem.  You enable security groups on a per machine/user basis; the ADS lookup for Kerberos on whether it should issue or not is now more complex.</p>
<p><a href="http://activedirectoryfaq.blogspot.com.au/2007/09/how-kerberos-authentication-works.html" rel="nofollow">http://activedirectoryfaq.blogspot.com.au/2007/09/how-kerberos-authentication-works.html</a><br />
Simple overview of ADS Kerberos and Permissions.</p>
<p>30 second delay comes about because the process is not straightforward, and waiting for locks and packets to make it around the network can all consume time, then you have to wait for cpu processing for encoding parts.  Also note 4 through 7.  So you have more than 1 server you need to talk to; you can require more than 1 key to access resources, all consuming time.  Also if something goes wrong after 1-3 are done </p>
<p>So the login is not going to fail once you get to 4.  But you can be badly delayed.</p>
<p>Also some Windows clients get lost in stupidity (user triggered) as well, like requesting a ticket for each share on the same server (not required) and not mounting shares until it has a ticket for every network share.  Then mounting the shares one at a time.  The requesting of a Kerberos key pair for every resource is a bug that appears to happen randomly; cause is the user not waiting and attempting to click to access a resource, so Windows responds by requesting another Kerberos key pair because it does not have a key pair for that yet.  Result is the Kerberos server can be a little bit too busy answering requests from other users who are click happy to be answering yours, so you can end up waiting too long for a Kerberos answer so having to send another request.  Not helping the problem.</p>
<p>30 second delay has causes; there is no simple solution.  One part can be fixed Windows client side so users clicking on a share that is not accessible yet does not result in the client performing a DoS attack on the Kerberos server (Key Distribution Center), because the client goes: I have already sent in a request for that and the user is being stupid.  Just to be fun, the data for Kerberos is stored in the ADS so if someone is doing a lot of other things with the ADS it can be a little busy to answer.</p>
<p>Other bits being encryption and alteration; using a more powerful server can help.  Just to be annoying not all the encryption is stable.  Sign&#8217;n'seal MS uses sometimes fails for no good reason causing a retry, even Windows to Windows.</p>
<p>So 30 second lag happens that is reality.  Mostly because the login process of windows is complex.</p>
<p>Really the correct answer is not to dispute the random 30 second delays.  You can also see 30 second delays out of Linux when you use some of the more complex and more secure login methods.  Price of login methods: the more complex it is, the more extreme the worst case with real world delays is.</p>
<p>The delays of 30 seconds in an ADS network appear random but if you can see the overall picture of what is going on in the network when the 30 second delay happens you find causes.  Sometimes Exchange, SharePoint or some other server hogging ADS or Kerberos time.  Sometimes a user who needs a good talking to about waiting for the system.</p>
<p>The delay glitch in the interaction of Kerberos, ADS and permissions basically does not have a cure.  It will just happen at the worst possible times.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Brillo</title>
		<link>http://mrpogson.com/2012/08/24/idc-pc-shipments-decline-in-second-quarter/#comment-94671</link>
		<dc:creator>Brillo</dc:creator>
		<pubDate>Tue, 28 Aug 2012 00:04:56 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=13845#comment-94671</guid>
		<description><![CDATA[&lt;b&gt;In fact they are not random.&lt;/b&gt;

If not for the fact that you have gone as far as to making up your own language, I&#039;d regard you as a slightly better science fiction writer than L. Ron Hubbard.

Cite something &lt;i&gt;relevant&lt;/i&gt;, and then we shall discuss it in all its details.

&lt;b&gt;Even doing the redirect folders that user still can write into the user profile causing it to explode in size so causing issue.&lt;/b&gt;

And what &lt;i&gt;exactly&lt;/i&gt; would &quot;that user&quot; be writing into the profile? It seems that you are simply grasping at straws due to the apparent fact your experience with ADs is mostly &lt;i&gt;fictitious&lt;/i&gt;.

&lt;b&gt;Ok you will say use a read only mandatory profile sorry that is not a option in lots of cases.&lt;/b&gt;

And what would such &quot;cases&quot; be?

Anyway, I ain&#039;t going to waste any more time with your hand-waving, but rather I&#039;ll just leave you with &lt;a href=&quot;http://www.sepago.de/d/helge/2010/12/13/mandatory-profiles-ae-insecure-by-default&quot; rel=&quot;nofollow&quot;&gt;this&lt;/a&gt; in the hope that people will just look at you funny when you start conjuring up more fictitious scenarios and explanations.]]></description>
		<content:encoded><![CDATA[<p><b>In fact they are not random.</b></p>
<p>If not for the fact that you have gone as far as to making up your own language, I&#8217;d regard you as a slightly better science fiction writer than L. Ron Hubbard.</p>
<p>Cite something <i>relevant</i>, and then we shall discuss it in all its details.</p>
<p><b>Even doing the redirect folders that user still can write into the user profile causing it to explode in size so causing issue.</b></p>
<p>And what <i>exactly</i> would &#8220;that user&#8221; be writing into the profile? It seems that you are simply grasping at straws due to the apparent fact your experience with ADs is mostly <i>fictitious</i>.</p>
<p><b>Ok you will say use a read only mandatory profile sorry that is not a option in lots of cases.</b></p>
<p>And what would such &#8220;cases&#8221; be?</p>
<p>Anyway, I ain&#8217;t going to waste any more time with your hand-waving, but rather I&#8217;ll just leave you with <a href="http://www.sepago.de/d/helge/2010/12/13/mandatory-profiles-ae-insecure-by-default" rel="nofollow">this</a> in the hope that people will just look at you funny when you start conjuring up more fictitious scenarios and explanations.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: oiaohm</title>
		<link>http://mrpogson.com/2012/08/24/idc-pc-shipments-decline-in-second-quarter/#comment-94631</link>
		<dc:creator>oiaohm</dc:creator>
		<pubDate>Mon, 27 Aug 2012 12:55:05 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=13845#comment-94631</guid>
<description><![CDATA[Brillo the random 30 second delays in ADS have a cause and it&#039;s not avoidable.  If you Wireshark monitor a Windows client to a Windows server you see them as well.

In fact they are not random.

http://www.sharepointblog.co.uk/2012/05/permissions-delay-when-using-kerberos-and-security-groups/
It&#039;s a source of another problem.

There is a nice super glitch with ADS, Kerberos and permissions.  When you have many Kerberos tickets issued it can take ages to confirm that all tickets for particular machines have been activated.  It can also cause other shock-wave problems through an ADS network.

Brillo
&quot;LOL. Someone obviously missed the memo about redirected folders and mandatory profiles, but what gives?&quot;
Even doing the redirected folders, that user still can write into the user profile causing it to explode in size, so causing issues.  Ok you will say use a read only mandatory profile; sorry, that is not an option in lots of cases.
http://www.sepago.de/d/helge/2009/02/17/mandatory-profiles-the-good-the-bad-and-the-ugly

Yes, good write up on the topic, short and covers the downsides perfectly.

Roaming profiles and 30 sec delays are basically design issues with Windows networking with no simple way around the problem.

Also kb835222, Brillo, is no longer required with more modern Samba and Winbind unless for some reason you are using SASL.

&quot;During the authentication protocol exchange, SASL defines or negotiates the maximum cipher-text buffer size that each side can receive. The problem occurs because the SASL implementation of Windows 2000 Active Directory does not support the maximum cipher-text buffer size that is negotiated between the client and the server. When this negotiation is unsuccessful, the Linux client software disables the connection.&quot;

Read the bug.  Notice down the page is http://www.ietf.org/rfc/rfc2222.txt  Released 1997.  Linux attempts to talk to Windows 2000 as per the standard, and yes it&#039;s an area where Windows developers thought it would be good to forget the standard and go fixed size; it&#039;s slightly faster, right.  In fact there is a security flaw right there allowing buffer overflow.  If you have Windows 2000 server and its last service pack that bug you are referring to is fixed.

Your Google is failing you Brillo.  Please read completely before using.  That bug is exactly why windows suxs.  MS disregards common standards.

Exactly what reason does SASL do a size catch backwards and forwards first?  Let&#039;s say you have a case of a network that drops packets for some reason either over or under a particular size.  Proper SASL will connect.  MS implementation of SASL in Windows 2000 would fail if the fixed size would not go through.  Correctly working SASL is better.  MS fixed it in newer versions of Windows.

Yes VPN failure from Windows 2000 client to Windows 2000 server using SASL happened as well.  Not a Linux only issue this one.  Unix clients also had the same problem.]]></description>
<content:encoded><![CDATA[<p>Brillo the random 30 second delays in ADS have a cause and it&#8217;s not avoidable.  If you Wireshark monitor a Windows client to a Windows server you see them as well.</p>
<p>In fact they are not random.</p>
<p><a href="http://www.sharepointblog.co.uk/2012/05/permissions-delay-when-using-kerberos-and-security-groups/" rel="nofollow">http://www.sharepointblog.co.uk/2012/05/permissions-delay-when-using-kerberos-and-security-groups/</a><br />
It&#8217;s a source of another problem.</p>
<p>There is a nice super glitch with ADS, Kerberos and permissions.  When you have many Kerberos tickets issued it can take ages to confirm that all tickets for particular machines have been activated.  It can also cause other shock-wave problems through an ADS network.</p>
<p>Brillo<br />
&#8220;LOL. Someone obviously missed the memo about redirected folders and mandatory profiles, but what gives?&#8221;<br />
Even doing the redirected folders, that user still can write into the user profile causing it to explode in size, so causing issues.  Ok you will say use a read only mandatory profile; sorry, that is not an option in lots of cases.<br />
<a href="http://www.sepago.de/d/helge/2009/02/17/mandatory-profiles-the-good-the-bad-and-the-ugly" rel="nofollow">http://www.sepago.de/d/helge/2009/02/17/mandatory-profiles-the-good-the-bad-and-the-ugly</a></p>
<p>Yes, good write up on the topic, short and covers the downsides perfectly.</p>
<p>Roaming profiles and 30 sec delays are basically design issues with Windows networking with no simple way around the problem.</p>
<p>Also kb835222, Brillo, is no longer required with more modern Samba and Winbind unless for some reason you are using SASL.</p>
<p>&#8220;During the authentication protocol exchange, SASL defines or negotiates the maximum cipher-text buffer size that each side can receive. The problem occurs because the SASL implementation of Windows 2000 Active Directory does not support the maximum cipher-text buffer size that is negotiated between the client and the server. When this negotiation is unsuccessful, the Linux client software disables the connection.&#8221;</p>
<p>Read the bug.  Notice down the page is <a href="http://www.ietf.org/rfc/rfc2222.txt" rel="nofollow">http://www.ietf.org/rfc/rfc2222.txt</a>  Released 1997.  Linux attempts to talk to Windows 2000 as per the standard, and yes it&#8217;s an area where Windows developers thought it would be good to forget the standard and go fixed size; it&#8217;s slightly faster, right.  In fact there is a security flaw right there allowing buffer overflow.  If you have Windows 2000 server and its last service pack that bug you are referring to is fixed.</p>
<p>Your Google is failing you Brillo.  Please read completely before using.  That bug is exactly why windows suxs.  MS disregards common standards.</p>
<p>Exactly what reason does SASL do a size catch backwards and forwards first?  Let&#8217;s say you have a case of a network that drops packets for some reason either over or under a particular size.  Proper SASL will connect.  MS implementation of SASL in Windows 2000 would fail if the fixed size would not go through.  Correctly working SASL is better.  MS fixed it in newer versions of Windows.</p>
<p>Yes VPN failure from Windows 2000 client to Windows 2000 server using SASL happened as well.  Not a Linux only issue this one.  Unix clients also had the same problem.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: ch</title>
		<link>http://mrpogson.com/2012/08/24/idc-pc-shipments-decline-in-second-quarter/#comment-94609</link>
		<dc:creator>ch</dc:creator>
		<pubDate>Mon, 27 Aug 2012 08:17:29 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=13845#comment-94609</guid>
		<description><![CDATA[&quot;ch, I posted the values of MSFT a few articles ago, for your benefit here they are:&quot;

Oh, I see. Mr Knows-it-all mixed up revenues and stock value. Well, given the level of knowledge you&#039;ve demonstrated so far, I probably should have expected something like that.]]></description>
		<content:encoded><![CDATA[<p>&#8220;ch, I posted the values of MSFT a few articles ago, for your benefit here they are:&#8221;</p>
<p>Oh, I see. Mr Knows-it-all mixed up revenues and stock value. Well, given the level of knowledge you&#8217;ve demonstrated so far, I probably should have expected something like that.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Brillo</title>
		<link>http://mrpogson.com/2012/08/24/idc-pc-shipments-decline-in-second-quarter/#comment-94601</link>
		<dc:creator>Brillo</dc:creator>
		<pubDate>Mon, 27 Aug 2012 07:00:57 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=13845#comment-94601</guid>
		<description><![CDATA[&lt;b&gt;Nope. Real people qualitatively and quantitatively found that other OS was a drag.&lt;/b&gt;

So what happened to your &quot;standard units&quot;, &quot;measurements&quot; and &quot;analysis of errors&quot;? Or is it now OK to forgo all those and resort to pure anecdotes? These same things have in fact been demanded from both you and dougman over and over for I don&#039;t even remember how long, and what have we got here thus far? &lt;i&gt;Nothing&lt;/i&gt;. That&#039;s what.

&lt;b&gt;One lady with malware actually was accepting as “normal” a system that took five minutes to respond to a click.&lt;/b&gt;

Again, is there an example where you &lt;i&gt;don&#039;t&lt;/i&gt; compare a Windows system that has been loaded down by malware or even just third-party apps to a clean install of Linux? (Didn&#039;t you also mention &quot;really stupid administrators&quot;? What happened to that now?) This apples-to-oranges comparison of yours is getting &lt;i&gt;really&lt;/i&gt; old.

&lt;b&gt;I was in one place with “roaming profiles” that took 2 minutes for clients to boot.&lt;/b&gt;

LOL. Someone obviously missed the memo about redirected folders and mandatory profiles, but what gives?

&lt;b&gt;I hooked up some GNU/Linux clients to AD and found random ~30s delays for authentication from 2003.&lt;/b&gt;

ROFL. Did you check the back log of the client? There are a lot of arcana in making Linux clients work correctly with AD. A &lt;a href=&quot;http://support.microsoft.com/kb/835222&quot; rel=&quot;nofollow&quot;&gt;patch&lt;/a&gt; is also required if you are using older Windows server releases for SASL binds.

&lt;b&gt;Brillo wrote some stuff.
 
You break me up. If I weren’t so tired after labouring for the little woman all day, I would be ROFL and gasping for breath.&lt;/b&gt;

I have seen better bluffs than this sorry piece of an excuse. If you are not ready for a response, just say so. Honesty is a virtue, albeit rare.]]></description>
		<content:encoded><![CDATA[<p><b>Nope. Real people qualitatively and quantitatively found that other OS was a drag.</b></p>
<p>So what happened to your &#8220;standard units&#8221;, &#8220;measurements&#8221; and &#8220;analysis of errors&#8221;? Or is it now OK to forgo all those and resort to pure anecdotes? These same things have in fact been demanded from both you and dougman over and over for I don&#8217;t even remember how long, and what have we got here thus far? <i>Nothing</i>. That&#8217;s what.</p>
<p><b>One lady with malware actually was accepting as “normal” a system that took five minutes to respond to a click.</b></p>
<p>Again, is there an example where you <i>don&#8217;t</i> compare a Windows system that has been loaded down by malware or even just third-party apps to a clean install of Linux? (Didn&#8217;t you also mention &#8220;really stupid administrators&#8221;? What happened to that now?) This apples-to-oranges comparison of yours is getting <i>really</i> old.</p>
<p><b>I was in one place with “roaming profiles” that took 2 minutes for clients to boot.</b></p>
<p>LOL. Someone obviously missed the memo about redirected folders and mandatory profiles, but what gives?</p>
<p><b>I hooked up some GNU/Linux clients to AD and found random ~30s delays for authentication from 2003.</b></p>
<p>ROFL. Did you check the back log of the client? There are a lot of arcana in making Linux clients work correctly with AD. A <a href="http://support.microsoft.com/kb/835222" rel="nofollow">patch</a> is also required if you are using older Windows server releases for SASL binds.</p>
<p><b>Brillo wrote some stuff.</b></p>
<p><b>You break me up. If I weren’t so tired after labouring for the little woman all day, I would be ROFL and gasping for breath.</b></p>
<p>I have seen better bluffs than this sorry piece of an excuse. If you are not ready for a response, just say so. Honesty is a virtue, albeit rare.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Robert Pogson</title>
		<link>http://mrpogson.com/2012/08/24/idc-pc-shipments-decline-in-second-quarter/#comment-94596</link>
		<dc:creator>Robert Pogson</dc:creator>
		<pubDate>Mon, 27 Aug 2012 04:58:08 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=13845#comment-94596</guid>
		<description><![CDATA[Brillo wrote some stuff.

You break me up. If I weren&#039;t so tired after labouring for the little woman all day, I would be ROFL and gasping for breath.]]></description>
		<content:encoded><![CDATA[<p>Brillo wrote some stuff.</p>
<p>You break me up. If I weren&#8217;t so tired after labouring for the little woman all day, I would be ROFL and gasping for breath.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Robert Pogson</title>
		<link>http://mrpogson.com/2012/08/24/idc-pc-shipments-decline-in-second-quarter/#comment-94595</link>
		<dc:creator>Robert Pogson</dc:creator>
		<pubDate>Mon, 27 Aug 2012 04:55:57 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=13845#comment-94595</guid>
		<description><![CDATA[Brillo wrote of side-by-side tests of GNU/Linux and that other OS, &lt;em&gt;&lt;font color=&quot;green&quot;&gt;&quot;was supposedly very fast.&quot;&lt;/font&gt;&lt;/em&gt;

Nope. Real people qualitatively and quantitatively found that other OS was a drag. Some operations like booting to a useful desktop were three times faster with GNU/Linux. Same for opening applications like the office suites. One lady with malware actually was accepting as &quot;normal&quot; a system that took five minutes to respond to a click. She resisted switching until all her work was done for the year. She was amazed at the difference even though students were using GNU/Linux PCs in her classroom for months. I was in one place with &quot;roaming profiles&quot; that took 2 minutes for clients to boot. Apparently, the server just made them wait. I hooked up some GNU/Linux clients to AD and found random ~30s delays for authentication from 2003. No malware was found... People who found that kind of performance &quot;normal&quot; for XP told me they hated Vista and &quot;7&quot;. I can&#039;t imagine what they think of &quot;8&quot; when they see it...]]></description>
		<content:encoded><![CDATA[<p>Brillo wrote of side-by-side tests of GNU/Linux and that other OS, <em><font color="green">&#8220;was supposedly very fast.&#8221;</font></em></p>
<p>Nope. Real people qualitatively and quantitatively found that other OS was a drag. Some operations like booting to a useful desktop were three times faster with GNU/Linux. Same for opening applications like the office suites. One lady with malware actually was accepting as &#8220;normal&#8221; a system that took five minutes to respond to a click. She resisted switching until all her work was done for the year. She was amazed at the difference even though students were using GNU/Linux PCs in her classroom for months. I was in one place with &#8220;roaming profiles&#8221; that took 2 minutes for clients to boot. Apparently, the server just made them wait. I hooked up some GNU/Linux clients to AD and found random ~30s delays for authentication from 2003. No malware was found&#8230; People who found that kind of performance &#8220;normal&#8221; for XP told me they hated Vista and &#8220;7&#8221;. I can&#8217;t imagine what they think of &#8220;8&#8221; when they see it&#8230;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: oiaohm</title>
		<link>http://mrpogson.com/2012/08/24/idc-pc-shipments-decline-in-second-quarter/#comment-94591</link>
		<dc:creator>oiaohm</dc:creator>
		<pubDate>Mon, 27 Aug 2012 01:01:03 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=13845#comment-94591</guid>
<description><![CDATA[Brillo, the question you are not asking is how many attacks can be blocked without applying patches due to the security design of the OS.

There are two levels of responses to security flaws.  Repair and Mitigation.

Repair is how fast patches to a flaw can be reached.  In this metric FOSS is about average compared to everything else.

Mitigation is items like Mandatory Access Control (fully functional, of course, to be counted) and in-OS virtualisation (cgroups from Linux, Zones from Solaris, Jails from BSD).  What is Windows&#039; in-OS virtualisation solution? It doesn&#039;t have one.  Microsoft is still working on creating one.  Sad part is OS virtualisation is in the NT base design; just early on Microsoft took performance over security and broke it.

The stronger the Mitigation solution, the more odds a flaw will be non-functional or can be rendered non-functional without repairing the defect in the binary itself.  So giving longer time to repair the defect properly and faster response time to stop the problem.

Yes, a lot of development servers were run with Mitigation systems off.  The Linux world paid a price in downtime for this.  At Kernel.org there are no more user shell accounts.  So, Mitigation: the path used to get into kernel.org is closed for good.  The next attack will have to come in by a completely new vector.  A lot of other Mitigation was set up at kernel.org.

Brillo, by the way, one of the reasons why I like postgresql over mysql is the fact it has extra flaw Mitigation options.

I could assemble a long list of Microsoft breaches as well.

Kernel.org redesigned the system after its breach.  It was running with most of Linux Mitigation turned off.

Brillo
&quot;Linux does not guarantee stability or security above any other operating system.&quot;
&quot;Any other&quot; is wrong; the line should read:
&quot;Linux does not guarantee stability or security above any other operating system properly designed for security.&quot;
At times Linux is worse than the properly made secure OS&#039;s.

Windows and OS X have not been designed or constructed to be secure.  The options to perform flaw mitigation in both OS&#039;s are either completely missing or broken, in the form of lacking features, so cannot be used to mitigate.  UAC is a classic example of this, with the number of holes to bypass it.

UAC is like putting up a gate to let the cattle in and out of the paddock, forgetting to put up a fence around the paddock, and wondering why the cattle you had in that paddock are gone, because the gate stops cattle.  Security does take building fences in the OS.

This kind of flawed logic is all over MS Windows mitigation options.  MS Windows is part of a virus plague because Windows is popular, but Windows is also part of a virus plague because its mitigation systems don&#039;t work.

Android is also having trouble because the mitigation option Google is using is many times too weak.

Anti-virus scanning is not mitigation.

Brillo you can pull example after example of Linux failing somewhere but that does not change the fact that Windows is lacking key features to build a secure operating system.

Reality: we need to be truthful.  If Windows had fully working MAC and in-OS virtualisation and all the other pieces that are normal to a trusted-class OS, you would be able to claim that Linux is not better than it.

I do give that just using Linux does not equal secure.  Using Linux + its mitigation is about equal to the best out there.  Linux without its mitigation system still beats Windows because sudo is correctly done.

Brillo, the true fact of the matter is the market does not care about security, because if it did Google Android, OS X and Windows would not sell, because there are far better items to use.  So there is really no reason to lie about it.  Linux is mostly used as lower cost.

http://selinuxproject.org/page/SEAndroid  SELinux Android or equal is what everyone would have on their phones if people truly did care about security.

Brillo
http://archive.arstechnica.com/wankerdesk/03q2/ms-hack-image.html
Of course people like you want to forget that Microsoft themselves have been broken into many times by hackers as well.  Difference here: kernel.org did a public audit, Microsoft did internal audits that were not reviewed by third parties.

Brillo, glass houses don&#039;t throw stones.  The list I can dig up on Microsoft&#039;s own breaches is quite large.  First one was 1994.  About every 3 to 4 years something of Microsoft&#039;s gets breached.]]></description>
<content:encoded><![CDATA[<p>Brillo, the question you are not asking is how many attacks can be blocked without applying patches due to the security design of the OS.</p>
<p>There are two levels of responses to security flaws.  Repair and Mitigation.</p>
<p>Repair is how fast patches to a flaw can be reached.  In this metric FOSS is about average compared to everything else.</p>
<p>Mitigation is items like Mandatory Access Control (fully functional, of course, to be counted) and in-OS virtualisation (cgroups from Linux, Zones from Solaris, Jails from BSD).  What is Windows&#8217; in-OS virtualisation solution? It doesn&#8217;t have one.  Microsoft is still working on creating one.  Sad part is OS virtualisation is in the NT base design; just early on Microsoft took performance over security and broke it.</p>
<p>The stronger the Mitigation solution, the more odds a flaw will be non-functional or can be rendered non-functional without repairing the defect in the binary itself.  So giving longer time to repair the defect properly and faster response time to stop the problem.</p>
<p>Yes, a lot of development servers were run with Mitigation systems off.  The Linux world paid a price in downtime for this.  At Kernel.org there are no more user shell accounts.  So, Mitigation: the path used to get into kernel.org is closed for good.  The next attack will have to come in by a completely new vector.  A lot of other Mitigation was set up at kernel.org.</p>
<p>Brillo, by the way, one of the reasons why I like postgresql over mysql is the fact it has extra flaw Mitigation options.</p>
<p>I could assemble a long list of Microsoft breaches as well.</p>
<p>Kernel.org redesigned the system after its breach.  It was running with most of Linux Mitigation turned off.</p>
<p>Brillo<br />
&#8220;Linux does not guarantee stability or security above any other operating system.&#8221;<br />
&#8220;Any other&#8221; is wrong; the line should read:<br />
&#8220;Linux does not guarantee stability or security above any other operating system properly designed for security.&#8221;<br />
At times Linux is worse than the properly made secure OS&#8217;s.</p>
<p>Windows and OS X have not been designed or constructed to be secure.  The options to perform flaw mitigation in both OS&#8217;s are either completely missing or broken, in the form of lacking features, so cannot be used to mitigate.  UAC is a classic example of this, with the number of holes to bypass it.</p>
<p>UAC is like putting up a gate to let the cattle in and out of the paddock, forgetting to put up a fence around the paddock, and wondering why the cattle you had in that paddock are gone, because the gate stops cattle.  Security does take building fences in the OS.</p>
<p>This kind of flawed logic is all over MS Windows mitigation options.  MS Windows is part of a virus plague because Windows is popular, but Windows is also part of a virus plague because its mitigation systems don&#8217;t work.</p>
<p>Android is also having trouble because the mitigation option Google is using is many times too weak.</p>
<p>Anti-virus scanning is not mitigation.</p>
<p>Brillo you can pull example after example of Linux failing somewhere but that does not change the fact that Windows is lacking key features to build a secure operating system.</p>
<p>Reality: we need to be truthful.  If Windows had fully working MAC and in-OS virtualisation and all the other pieces that are normal to a trusted-class OS, you would be able to claim that Linux is not better than it.</p>
<p>I do give that just using Linux does not equal secure.  Using Linux + its mitigation is about equal to the best out there.  Linux without its mitigation system still beats Windows because sudo is correctly done.</p>
<p>Brillo, the true fact of the matter is the market does not care about security, because if it did Google Android, OS X and Windows would not sell, because there are far better items to use.  So there is really no reason to lie about it.  Linux is mostly used as lower cost.</p>
<p><a href="http://selinuxproject.org/page/SEAndroid" rel="nofollow">http://selinuxproject.org/page/SEAndroid</a>  SELinux Android or equal is what everyone would have on their phones if people truly did care about security.</p>
<p>Brillo<br />
<a href="http://archive.arstechnica.com/wankerdesk/03q2/ms-hack-image.html" rel="nofollow">http://archive.arstechnica.com/wankerdesk/03q2/ms-hack-image.html</a><br />
Of course people like you want to forget that Microsoft themselves have been broken into many times by hackers as well.  Difference here: kernel.org did a public audit, Microsoft did internal audits that were not reviewed by third parties.</p>
<p>Brillo, glass houses don&#8217;t throw stones.  The list I can dig up on Microsoft&#8217;s own breaches is quite large.  First one was 1994.  About every 3 to 4 years something of Microsoft&#8217;s gets breached.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Brillo</title>
		<link>http://mrpogson.com/2012/08/24/idc-pc-shipments-decline-in-second-quarter/#comment-94584</link>
		<dc:creator>Brillo</dc:creator>
		<pubDate>Sun, 26 Aug 2012 23:03:45 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=13845#comment-94584</guid>
		<description><![CDATA[Hmmm... My two comments are still awaiting moderation. Should I put them on pastebin instead?]]></description>
		<content:encoded><![CDATA[<p>Hmmm&#8230; My two comments are still awaiting moderation. Should I put them on pastebin instead?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: dougman</title>
		<link>http://mrpogson.com/2012/08/24/idc-pc-shipments-decline-in-second-quarter/#comment-94569</link>
		<dc:creator>dougman</dc:creator>
		<pubDate>Sun, 26 Aug 2012 17:28:22 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=13845#comment-94569</guid>
		<description><![CDATA[&lt;b&gt;Warning: This is not a recommendation to buy, sell or hold any financial instrument.&lt;/b&gt;

ch, I posted the values of MSFT a few articles ago, for your benefit here they are:

M$ had a valuation of $620.6 billion back on Dec. 30, 1999; today M$ is at ~$260 billion.

One thing I failed to mention: Apple is not the biggest or most valuable company in history—not by a longshot. Due to inflation, it takes $1.38 in today’s dollars to equal the same value as one 1999 dollar. That means Microsoft’s peak market cap in 1999 was actually about $856 billion in constant dollars, $235 billion more than Apple’s current market cap.

If it were me, I would ride the crest for another 6 months, but these patent suits will reflect negatively upon Apple.  Some think they can squeeze another $400 billion from the market by 2014. I am not so sure about that.

Here is a chart showing a comparison between AAPL and MSFT; see where M$ has already peaked and is now stagnant and Apple is now just peaking? Those are signs one should sell.

http://finance.yahoo.com/charts?s=AAPL#symbol=aapl;range=my;compare=msft;indicator=volume;charttype=area;crosshair=on;ohlcvalues=0;logscale=off;source=undefined;]]></description>
		<content:encoded><![CDATA[<p><b>Warning: This is not a recommendation to buy, sell or hold any financial instrument.</b></p>
<p>ch, I posted the values of MSFT a few articles ago, for your benefit here they are:</p>
<p>M$ had a valuation of $620.6 billion back on Dec. 30, 1999; today M$ is at ~$260 billion.</p>
<p>One thing I failed to mention: Apple is not the biggest or most valuable company in history—not by a longshot. Due to inflation, it takes $1.38 in today’s dollars to equal the same value as one 1999 dollar. That means Microsoft’s peak market cap in 1999 was actually about $856 billion in constant dollars, $235 billion more than Apple’s current market cap.</p>
<p>If it were me, I would ride the crest for another 6 months, but these patent suits will reflect negatively upon Apple.  Some think they can squeeze another $400 billion from the market by 2014. I am not so sure about that.</p>
<p>Here is a chart showing a comparison between AAPL and MSFT; see where M$ has already peaked and is now stagnant and Apple is now just peaking? Those are signs one should sell.</p>
<p><a href="http://finance.yahoo.com/charts?s=AAPL#symbol=aapl;range=my;compare=msft;indicator=volume;charttype=area;crosshair=on;ohlcvalues=0;logscale=off;source=undefined;" rel="nofollow">http://finance.yahoo.com/charts?s=AAPL#symbol=aapl;range=my;compare=msft;indicator=volume;charttype=area;crosshair=on;ohlcvalues=0;logscale=off;source=undefined;</a></p>
]]></content:encoded>
	</item>
</channel>
</rss>
