(Since we've thought about it.)
\IM{64-bit Windows} 64-bit Windows
\IM{64-bit Windows} Windows, 64-bit
\IM{64-bit Windows} 64-bit Windows
\IM{64-bit Windows} Windows, 64-bit
+
+\IM{Windows process ACL} Windows process ACL
+\IM{Windows process ACL} process ACL (Windows)
+\IM{Windows process ACL} ACL, process (Windows)
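Review bot: the three new \IM{Windows process ACL} entries only take effect if some text is tagged with that index term, and none of the lines shown here carries such a tag (the section heading is cut off after "restrict the"). Please confirm that the heading or body of using-cmdline-restrict-acl is indexed under "Windows process ACL", otherwise these entries are dead. As a style point, the neighbouring entries invert with a comma ("Windows, 64-bit") while the new ones use a parenthetical ("process ACL (Windows)"); pick one form for the index.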
proxy settings.
\S2{using-cmdline-restrict-acl} \i\c{-restrict-acl}: restrict the
proxy settings.
\S2{using-cmdline-restrict-acl} \i\c{-restrict-acl}: restrict the
-This option (on Windows only) causes PuTTY to try to lock down the
-operating system's access control on its own process. If this
-succeeds, it should present an extra obstacle to malware that has
-managed to run under the same user id as the PuTTY process, by
-preventing it from attaching to PuTTY using the same interfaces
-debuggers use and either reading sensitive information out of its
-memory or hijacking its network session.
+This option (on Windows only) causes PuTTY (or another PuTTY tool) to
+try to lock down the operating system's access control on its own
+process. If this succeeds, it should present an extra obstacle to
+malware that has managed to run under the same user id as the PuTTY
+process, by preventing it from attaching to PuTTY using the same
+interfaces debuggers use and either reading sensitive information out
+of its memory or hijacking its network session.
This option is not enabled by default, because this form of
interaction between Windows programs has many legitimate uses,
This option is not enabled by default, because this form of
interaction between Windows programs has many legitimate uses,
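Review bot: the first sentence now covers "PuTTY (or another PuTTY tool)", but the rest of the added paragraph still names only "the PuTTY process" and "attaching to PuTTY", so it is unclear whether the protection described applies to the other tools as well. Suggest wording the later references neutrally (for example "the process" and "attaching to it") and stating which tools accept -restrict-acl, since a user relying on this option needs to know exactly what is covered.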
startup and lockdown. So it trades away noticeable convenience, and
delivers less real security than you might want. However, if you do
want to make that tradeoff anyway, the option is available.
startup and lockdown. So it trades away noticeable convenience, and
delivers less real security than you might want. However, if you do
want to make that tradeoff anyway, the option is available.
+
+A PuTTY process started with \c{-restrict-acl} will pass that on to
+any processes started with Duplicate Session, New Session etc.
+(However, if you're invoking PuTTY tools explicitly, for instance as a
+proxy command, you'll need to arrange to pass them the
+\c{-restrict-acl} option yourself, if that's what you want.)
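Review bot: "Duplicate Session, New Session etc." in the added paragraph leaves the set of inheriting launch paths open-ended, which is a weak statement for a hardening option. Suggest listing every action that passes -restrict-acl on, so readers can tell what is not covered. The parenthetical would also be stronger if it stated the consequence directly: a PuTTY tool invoked explicitly (such as in a proxy command) without the option runs without the ACL lockdown, even when the parent PuTTY has it.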