Wednesday, 28 July 2010

Not my network

I know there's a balance between security and usability and that balance is called Usable Security (or hcisec for the acronym geeks). If done wrong, a product can be usable or secure, if done right, it can be both.

One good way to make a product more secure is to offer the user only secure choices, or at least make the less secure ones hard to choose. A stupid way to execute this guideline is to "dumb down" the product enough so that the user can't go wrong. I found such a lack-of-features today, with Windows 7.

I work as a "sysadmin on wheels", which is to say i travel between customers -- either physically or over the wire -- and take care of their computing infrastructure. I often need to connect my computer to the customers' networks. Windows 7 (and Vista) has realized this with their Network Locations "Work", "Home" and "Public". When Windows connects to a hitherto unknown network, a dialog box pops up, prompting me to set the appropriate Location for that network, with some help text. This is, of course, an improvement from the "one rule set to rule them all" mindset, and a considerable improvement from the old days of XP when Windows came with no firewall at all.

But here i am on a customer network. It is a work network, but it is not my work's network. This means that i need to be able to discover "professional" windows infrastructure services and computers, but it doesn't mean that i trust the network enough that i'd want it to find me. Or put in a more mild scenario, i would not want my customers' network to believe they have an unknown computer on their net. I for one would be freaked out if it did, and in all effect, i am the netadmin of that network, who should get freaked out.

So thus, i am hoping to find an extension to Windows 7's firewall profiles, the Customer location. And it may be that Windows has thought of this already.

Windows has something called "Windows Firewall with Advanced Security" and i know it talks about the Profiles "domain", "private" and "public". According to an article on 4sysops, these do not map 1:1 to the network Locations work, home and public which you can set from the for-mortals interface i mentioned earlier. Whereas the public profile is equivalent to the public location, the private profile maps to the home and work profiles, and the domain profile is "when a domain-joined workstation detects a domain controller". Which is nice. Now the Work location really may mean a work network and Windows will automagically realize whether it's my work network. But shouldn't there be some difference between a customer network and a home network.

I guess i need to think about that.

Now back to work.