Operated by JHU Central IT, SAFE Desktop (Secure Analytic Framework Environment) is a virtual machine (VM) cloud-based platform that is fully HIPAA compliant. Access both the data and software for working with the data within the secure environment, avoiding the transmission of files to individual desktops. Collaborators with a JHED ID can manage shared access to files within the VM. In most cases, SAFE Desktop is the best infrastructure at JHU to satisfy IRB and JHM Data Trust Council's criteria for a secure shared space for working with data containing PII/PHI.
Describes the best practices, location, values, policy management and security considerations for the User Account Control: Switch to the secure desktop when prompting for elevation security policy setting.
Enable the User Account Control: Switch to the secure desktop when prompting for elevation setting. The secure desktop helps protect against input and output spoofing by presenting the credentials dialog box in a protected section of memory that is accessible only by trusted system processes.
SAFE, the Secure Analytic Framework Environment (formerly called the Secure Data Desktop/SDD) is a virtual desktop that provides Johns Hopkins Medicine investigators (whether engaged in research or other data-intensive activities) with a secure environment to analyze and share sensitive data with colleagues.
Security starts with you, the user. Keeping written lists of passwords on scraps of paper, or in a text document on your desktop is unsafe and is easily viewed by prying eyes (both cyber-based and human). Using the same password over and over again across a wide spectrum of systems and web sites creates the nightmare scenario where once someone has figured out one password, they have figured out all your passwords and now have access to every part of your life (system, e-mail, retail, financial, work).
Hi, the idea here would be to create an environment safe from vulnerabilities and exploits where screenshots or keylogging might be a factor. I have only seen this done in VeraCrypt and don't know how this works exactly or how effective it would be, but I consider KeePass to be an extremely sensitive entry app to a person's entire password/login database. In VeraCrypt, a blue screen pops up with the password entry field. I am sure something in the background prevents screenshots from malicious apps, and maybe keylogging obfuscation is implemented as well? Not sure, but I think these ideas are useful for something as sensitive as a master password with an entire database of all passwords. I appreciate the consideration. Thank you for your hard work so far!
A very brief perusal of the source shows they are using CreateDesktop(), SwitchDesktop() and CloseDesktop() to create a second desktop connected to the physical viewing device you're on. In English, they're asking the kernel to create for them an isolated desktop whose hWnd objects are outside of the findable range of any other application's SendMessage().
I should point out that SwitchDesktop suspends the updating of the UI of the default desktop. I'm not sure if the message loops are also frozen - I suspect not since the desktop is created as a new thread.
In this instance, KeePass is drawing the UI, so the execution is not, as I understand it, as NT AUTHORITY/SYSTEM. Instead, the new desktop is created in isolation from basically the rest of the current desktop, which protects it. I'll be happy to be corrected on that. However, see the MSDN for SwitchDesktop:
The SwitchDesktop function fails if the desktop belongs to an invisible window station. SwitchDesktop also fails when called from a process that is associated with a secured desktop such as the WinLogon and ScreenSaver desktops. Processes that are associated with a secured desktop include custom UserInit processes. Such calls typically fail with an "access denied" error.
Escalating privileges as a process I don't have the specifics of, but here is what I think I understand: I believe the process of privilege escalation in the Windows API causes a process to run as NT AUTHORITY\SYSTEM (therefore able to execute the new process under whatever privileges it wants to, in this case an Administrator). When an application asks for higher privileges, that question is asked to you on a new desktop locally, to which none of your applications can get either the Desktop Handle or any of the GUI element handles. When you consent, consent.exe creates the process as the privileged user. Thus, the process running as NT AUTHORITY\SYSTEM is a consequence of the need to create a new privileged process, not a method of creating a secure desktop. The fact that the desktop is different to the default is what adds security in both cases.
From this you can see that in fact in order to mimic consent.exe, KeePass takes a screenshot of the background, dims it and creates its new desktop with the background of the old desktop. I therefore suspect the old desktop continues running even while it isn't being rendered. This I think confirms that no magic NT AUTHORITY\SYSTEM action is happening both with KeePass and consent.exe (I suspect consent.exe is doing the same thing UI-wise, it just happens to be launched in the context of NT AUTHORITY\SYSTEM).
In Windows, a desktop is a view that allows you to interact with processes. When you log into Windows (the log in prompt) you are on a desktop. When you are logged in, and see the start menu, you are on a separate desktop. When you lock your PC, you are on yet another desktop. When UAC pops up you are on another desktop. There are quite a few different desktops in Windows.
A Secure Desktop is a desktop that is out of scope of other applications accessibility. The Log In desktop is a secure desktop (created by winlogon.exe), as is the UAC desktop. No other process can interact with the desktop, so therefore no other process can do things like activate a button, or read the contents of a textbox. This is why UAC is (in theory) useful.
Third party applications can create a secure desktop to request information (such as a master password) and then pass it into the application in question. This way no other process can, in theory, snoop the password.
The secure desktop runs under the local system account and no other process can interact with it except OSK, Narrator, etc. It is started by winlogon.exe, and you can disable it in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System by changing the value of PromptOnSecureDesktop from 1 to 0. If you run cmd.exe under the system account, it still won't interact with the secure desktop. The dim desktop you see below the UAC prompt when you click Run as administrator is the secure desktop, and the sky-blue screen with a few options like "Lock this computer" that you see when you press Ctrl+Alt+Del is also a secure desktop. Windows by default has three desktops: 1. winlogon, 2. screensaver, 3. user desktop.
I got a Dell laptop and recently it got a lot of viruses, so I had to reformat the hard drive. I talked to the Indian Dell tech support guy and he said that I shouldn't download things directly to the desktop.
Unfortunately, this is the kind of urban legend nonsense that's all too typical from level 1 support folks. The desktop is nothing more than a shortcut to a location on your hard drive and is no different than any other folder.
Files on your desktop are not very secure. These files are in plain view to any person that sits down at your computer if you remain logged on. Not only can they read them, they may inadvertently delete them.
Files saved to the desktop are stored in your user profile. This increases the size of your profile. If you are using roaming profiles, the files follow you around regardless of which computer you log on to.
I personally find files on my desktop distracting. I want to see pretty pictures on my desktop, not file icons. So I hide all files on my desktop. But then I use a toolbar in the taskbar to give me access to those files without having to go very far or minimize windows.
As everyone has suggested, this is entirely a personal preference. If you get a virus, it will harm your PC, not just what's on your desktop. Personally, I like to use Windows 7's libraries ( -US/windows7/products/features/libraries). They're pretty handy.
From what I recall with previous versions of Windows, storing files on your desktop will at the very least slow down your boot time. Reason being is that as Windows loads the desktop at boot, it has to load all the files contained there as well. Less files = less load time. I would assume this is true for Windows 7 also.
Actually - there is a valid reason for not storing files on your desktop. Here's the answer you'll see from Microsoft if you ask them directly (or search for 'storing files on the desktop' at answers.microsoft.com):
"The desktop is not designed to store personal data files - it is intended for shortcuts and gadgets only. The best way to store your personal data files is in the Windows 7 Libraries and any sub-folders thereof. You can then simply create desktop shortcuts to these libraries/folders."
When you log into your computer - even if you don't require a password - you are logging into a 'user profile'. The user profile is largely made up of, not surprisingly, your desktop! The desktop is where all those roads lead back to. The larger your desktop is - the larger your user profile is - the longer it can take you to boot, shut down, search indexed files, etc. Change an item on your desktop and Windows needs to re-index it. If your desktop is relatively small - that's not a problem, but if it's so large that it can't index your files before another change occurs it can create a cascade of errors, slowing or even crashing your computer.
I've had several people come to me with a computer crashing repeatedly for no apparent reason - until I boot up the computer and see gigabytes of data on the desktop. Simply copying and pasting to the 'My Documents' folder, then sending shortcuts to the still highlighted items on the desktop, has remedied this every single time.