Users' Admin Logins Make Most Windows Malware Worse
nandemoari writes "A new analysis claims that over 90% of the Windows security vulnerabilities reported last year were made worse by users logged in with administrative privileges — an issue Microsoft has been hotly debating recently. According to BeyondTrust Corp., the result of the analysis of the 154 critical Microsoft vulnerabilities indicated that a full 92% could have been prevented if users were not logged into their systems with administrator status. BTC believes that restricting the number of users who can log in with these privileges will 'close the window of opportunity' for attackers. This is particularly true for users of Internet Explorer and Microsoft Office."
TFA mentions the dup (Score:2, Informative)
From TFA:
In other words, it's a dup of the recent discussion about the Security Hole In Windows 7 UAC [slashdot.org].
Recycle your old comments here.
Simple prevention... (Score:2, Informative)
Run anything internet-facing with DropMyRights.exe.
http://voices.washingtonpost.com/securityfix/2006/04/windows_users_drop_your_rights.html
Re:Simple prevention... (Score:2, Informative)
Microsoft link to dropmyrights:
http://msdn.microsoft.com/en-us/library/ms972827.aspx
Re:You mean... (Score:4, Informative)
Realistically, running in a non-admin account is a pain in the ass. ...in Windows.
It's absurdly easy to do in Mac OS X - you don't even have to think about it. If you need to run as an admin, the OS figures it out and prompts you.
Actually it's so easy that it drives me nuts Apple hasn't taken the next step - something XP actually does - and have you first set up an admin account, then set up a "normal" account for day to day activities. If any single thing contributes to the first widespread Mac virus/worm/whatever, I bet it'll be the number of unnecessary admin accounts being used.
And before someone brings it up - it's not that difficult to work around the "it'll prompt you for your password" protection that supposedly will warn you if something tries to take advantage of your admin status. You just need to know a bit about the command line, since the Applications directory is writable to anyone in the admin group.
Re:Windows is busted (Score:4, Informative)
Random dlls, configs, assets and exes in WINDOWS dir.
Do a fresh installation of Windows, don't install anything on it, take a look at the Windows directory. I recommend you sort by file type. You'll notice it's actually quite organised; the "system32" directory for instance, notorious for being a huge mess, is something like 90% just "exe" and "dll" files, and very little else. It's all surprisingly organised. As soon as you start installing programs however, many will just decide to dump stuff in the Windows directory (and subdirs) for literally no good reason. The crap Creative drivers decide to drop is unbelievable, I found out first hand. There is VERY little that _needs_ to be in the Windows directory, application devs need to realise this.
dlls, data, configs and exes in Program Files.
Yes, good thing Unix systems only install programs in users home directories, and not in system-wide accessible directories.
Some data and configs in Documents and Settings.
You might notice each user has a sub directory in "Documents and Settings" (now "Users" in Vista and later), which contains all their personal documents and user-specific configuration files for the OS and applications. Definitely very single user.
Registry.
I'm guessing the distinction between HKLM (Local Machine) and HKCU (Current User) is lost on you? Current User, by the way, is a registry hive specific to the logged on user that is unique to their user profile.
Once again, this all stems from the OS supporting a feature, and the feature not being utilised. Windows NT didn't become a multi-user OS with Windows 2000, or NT 4.0, it was a multi-user OS from the very beginning, the first release being NT 3.1. In fact, that's in part why NT was developed, Microsoft realised that 9x was completely stuffed from a security perspective, and had no hope of ever becoming a serious multi-user OS, so, they started NT (along with various other objectives).
The mass migration of 9x applications designed for a single user environment to the multi-user NT of course resulted in many of these programs having very poor support for multi-user configurations, and were never really updated to support it. Then, there's just simple developer laziness, not caring to develop their application with a multi-user design in mind. Or there's ignorance, resulting in poor implementation (this is one of the key reasons why so many programs "require" administrator privileges. Not because they need them, but they use APIs that are administrator only to achieve their goals, when there are other APIs that can do what they want that have no administrator requirement.)
My point is, it's not Windows that's broken, it's several applications that run on it. It's important to lay the blame correctly, and when the OS has been a multi-user system since its original release in 1993, it's fairly clear to me that Microsoft hasn't been slow to adopt such a design principle.
Re:Ignorance on users part (including IT people) (Score:3, Informative)
Wrong way round .... where is the - I am running as a user and need to *always* run this one app as an admin and it will break if I forget
Re:Ignorance on users part (including IT people) (Score:4, Informative)
So, right click on your shortcut, click "Properties", click on the "Advanced" button, pick "Run with different credentials".
Now when you double click on your shortcut, you can change your credentials (to the Administrator).
-M
Re:You mean... (Score:3, Informative)
Actually it's so easy that it drives me nuts Apple hasn't taken the next step - something XP actually does - and have you first set up an admin account, then set up a "normal" account for day to day activities.
That'd be a step backwards. In Unix-based OSes, there's unprivileged users and root (superuser); root can do pretty much anything, ordinary users can't. The whole point of sudo (the password dialog thingy) is that the superuser access is given only when needed, and you can have perfectly ordinary user accounts that are allowed to do some administrative tasks. You can configure sudo to only allow certain programs to be run as root; this is far better than having the lazy users flip between normal accounts and administrator accounts and stay logged in as administrators because "that's where you don't need to fill in those annoying password prompts, duh".
The biggest clinch is that if you run a program as root, it will just work; run it through sudo with root privileges, it won't give you a password prompt, it will just run the program. The model is "if the user is logged in as root, we assume they know what they're doing, even when they want to do something that could damage the system; if an ordinary user runs something that could be damaging the system, we disallow it and only let it through the sudo prompt."
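A constructed sudoers fragment (added here, not part of the thread) showing the point above: the broad rule that turns a user into a permanent passwordless admin, beside a narrow delegation that grants only the specific tasks the thread mentions users wanting (printers, LAN settings). The user name, group and command paths are assumptions.

```sudoers
# /etc/sudoers.d/delegation  (constructed example; edit only via "visudo -f")

# Weak: alice is effectively always root, with no prompt at all.
# This is the Unix equivalent of staying logged in as Administrator.
# alice   ALL=(ALL) NOPASSWD: ALL

# Narrow: name the exact binaries that may run as root, nothing else.
Cmnd_Alias PRINTERS = /usr/sbin/lpadmin, /usr/sbin/cupsenable, /usr/sbin/cupsdisable
Cmnd_Alias NETCFG   = /sbin/ip link *, /sbin/ip addr *

# alice may run the printer and link-config commands as root, password required.
alice      ALL=(root) PRINTERS, NETCFG

# Everyone in the helpdesk group may manage printers, but not touch networking.
%helpdesk  ALL=(root) PRINTERS

# Re-prompt after 5 minutes instead of the default 15, so a cached
# credential is not usable for long by anything else running as alice.
Defaults   timestamp_timeout=5
```

Check the file with `visudo -cf /etc/sudoers.d/delegation` before relying on it, and never list a shell, editor or interpreter in a Cmnd_Alias, since any of those gives full root through the side door.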
Bleeding obvious (Score:4, Informative)
Our user population is split about 50/50 between desktops and laptops. Most laptop users have blagged admin rights at some point because they need to add printers, sometimes change LAN settings, install applications to hide their porn surfing, that sort of thing. Our desktop users are in a fully managed environment, and do not have admin rights.
We need to spend virtually zero time with malware problems on desktop machines. Any infections are generally minor and easy to fix. Laptops.. well, they are a complete nightmare of rootkits and stuff buried so deeply that we have to nuke the machine from orbit to clean it up.
The REALLY fun part is logging onto an infected machine with DOMAIN ADMIN rights... if it's a sophisticated bit of malware.. well.. Armageddon basically..
Re:running as admin? (Score:3, Informative)
You missed the obvious:
E: Invalid operation with.
Re:You mean... (Score:2, Informative)
something or other needed admin privs, and it was dying silently.
I had problems with Vista and WinRAR similar to this.
Whenever I unzipped a rar file into the C: Directory; it would have permission to create the folder structure of the rar file, but not the files therein. Instead of notifying me of this, it would fail silently after half an hour of decompressing (big files).
Personally I don't know which piece of software was to blame.
Re:Almost but not quite enough (Score:4, Informative)
Alright, I've read enough of your comments. The reason you won't get many (if ANY) downloads off of your cheap plugins is because as stated above it is "closed source" (really... plugging in closed source software on Slashdot?) and you're an untrusted source. Put the source code up or shut up... why do you want us to download 'YOUR' software so bad in the first place? Exactly... untrusted source with an untrusted answer. I have a hint: STOP ADVERTISING YOURSELF.
Re:The Problem lies elsewhere (Score:4, Informative)
Because file type associations don't have a user-level setting. They're system-wide.
Along with a whole load of similar crap.
Re:You mean... (Score:3, Informative)
I'd genuinely like to hear ideas for a fix that Microsoft could provide. How should Microsoft cope with software developers doing bad things like trying to dump files in %SYSTEMROOT%, writing to privileged areas of the registry, or wanting to do privileged things in the process space?
Re:Never thought of that before. (Score:3, Informative)
I can't say anything about The Sims 2.
But the feature request that got you modded to +5 Insightful already exists. It's called UAC. No, seriously.
If you're logged into an admin account in Vista/Win7, you actually get a limited user account, and the UAC mechanism temporarily elevates you to a full admin when you click the infamous "Allow" buttons. Yes, it's a pretty lame bit of UI design. I turn that mode of UAC off, so that my admin accounts have full admin powers from the moment I log in.
However! If you log in as a limited user, UAC works differently. When it would have given you the aforementioned infamous "Allow/Cancel" dialog, it instead asks you to supply a Real Admin's username and password. It is, in fact, pretty much exactly the same experience as using Ubuntu's GUI for sudo-type tasks. In fact, since about 2 days after I started using Vista, I've been using a limited user account - and it's been fine.
So, no, it doesn't need to be put in future versions of Windows. Instead, Windows users need to start using the features of the current version(s). And, you know, stop using admin accounts when they don't really need them.
Obviously, making Windows software developers be less lame (cf The Sims 2) is a whole 'nother kettle of fish. :)
It is amazing this crap gets moderated up (Score:1, Informative)
I mean really. I know you all like to bash Microsoft around here, but is this comment really insightful?
The future is 2 years old! What the fuck do you think UAC is?
Re:The Problem lies elsewhere (Score:1, Informative)
*only poorly written apps will require access to c:\windows.
*only poorly written apps will require access to any registry hive other than HKEY_LOCAL_MACHINE\SOFTWARE
*program files directory... same as linux lib i believe.
*local user directory... holy crap, you mean programs should be allowed to write to a user's "home" folder to store settings? damn. I know *linux* would never let you do something so crazy and insecure.
in conclusion, blame the app writers, not the OS. the only reason you can still do half that crap is for compatibility with older programs.
Re:The Problem lies elsewhere (Score:3, Informative)
The reason why Windows is such a pain in the ass is because Windows was never designed for this.
Never designed for what? Windows has been a multiuser system since NT. Windows 95/98/ME was an evolutionary dead end if you will. Are you talking about an architectural flaw? If so, what exactly are you talking about?
Let's say that I install on Linux. The Linux app can either be installed locally per the user or for everybody. But it is a clear cut case.
Shared libraries?
Windows? WTF... I need to access the registry, the windows system directory, the program files directory, and the local user directory. It is a bleeding mess!
What's stopping you from installing programs on your Desktop, or in your My Documents folder? That's a clear cut case.
I don't think most programs require access to the windows/system directory, and heck, you mention OSX--some of my OSX applications DO require elevated permissions to install things to the system.
Most programs I've run in recent years are perfectly happy installing just to your personal registry area. Think of it as the multitude of dot directories in your ~ directory.
When you complain about the "local user directory" just think of that as your home directory. Instead of /usr/home/you you have c:\Documents and Settings\you. Same thing. Instead of /usr/local you have "c:\program files". Same thing. Very clear cut.
It's not nearly as big a difference as you make it seem...