Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Operating Systems Software Windows IT

Windows Users Ignoring LUA Security 522

blankify writes "eWeek is running a story about the least-privilege, no-admin option available in Windows (2000/XP/2003) that has been mostly ignored by end users. From the article: '"To the average user, the notion of non-admin is abstract and obscure," said Michael Howard, a senior security program manager in Microsoft Corp.'s security business and technology unit. "Most users just don't know they can set up least-privilege accounts in Windows today, and that's just a sad reality."'"
This discussion has been archived. No new comments can be posted.

Windows Users Ignoring LUA Security

Comments Filter:
  • by Colin Smith ( 2679 ) on Sunday June 26, 2005 @07:56AM (#12913569)
    How about, embracing and extending good practice...

    • by BoomerSooner ( 308737 ) on Sunday June 26, 2005 @09:04AM (#12913872) Homepage Journal
      Try it yourself some time. Running windows without admin rights is a nightmare. About 2/3 of my programs won't operate (I'm a software developer) at all. I've fixed almost everyones computers that knows me (I hate being free tech support but anything for a friend) and stupid programs like a damn cat breeding program this one girl had wouldn't run without admin rights (after fixing her computer 3-4 times I tried the No Admin route to no avail).

      Until programs run without being admin this whole arguement is pointless.

      OS X does it perfectly.
      • Try something next time...

        Change the shortcut to point to "runas /u Administator /p (the admin password) /e (the path to the exe) /a (whatever the arguments are)". That should let you run something as an Admin while still being an LU.
        • A step forward, for sure, but if you do this too much, it sort of invalidates the point of running as a user, rather than an admin.

          I'd be particualrly scared of running IE this way, for example. It's the programs that can get hijacked that you *don't* want to be running as admin. Of course, IE may run fine with non-elevated rights - I don't know because I don't use Windows.

          This is a very interesting point though: merely making a feature available isn't enough. You have to (and I'm talking about Microso
      • by DragonHawk ( 21256 ) on Sunday June 26, 2005 @11:35AM (#12914556) Homepage Journal
        "Running windows without admin rights is a nightmare."

        It certainly isn't easy, unless you're willing to invest significant technical time and effort into the project -- which is, I'm sure, a big part of the reason why most people don't do it.

        That being said, I'm the admin for an organization with about 60 or so Windoze stations, and I can say that it can be done for most things. It most often involves figuring out what the defective program is trying to do, and then allowing it access to just where it needs.

        The two most vital tools are FileMon and RegMon, both free from SysInternals (http://www.sysinternals.com/ [sysinternals.com]). They monitor file system or registry accesses. In the vast majority of programs can be made to work just by applying some ACLs on program-specific registry or filesystem branches.

        There's no way in hell your "typical home user" could do this, though, which is, I expect, the problem and point.
      • About 2/3 of my programs won't operate (I'm a software developer) at all.

        As others have said, this is the fault of the developers of that software.

        Microsoft has been telling developers for at least five years now to put user data/config/whatever in the My Documents folder for whoever is running it. *Not* doing this is really stupid, because as soon as you install an app that writes config data or whatever to its install folder, you run into problems on multi-user machines like termservers.

        I work in IT f
    • by crazyphilman ( 609923 ) on Sunday June 26, 2005 @05:21PM (#12916343) Journal
      Not to overdo the "sympathy for the devil" thing here, but I've been thinking about how screwed poor Microsoft is. Think about this; they've managed to paint themselves into a corner on security and stability issues, and they may not have any way to get out of it. Consider:

      1. They carried the same codebase forward from Windows 3.1, never completely scrapping it, always just bolting new parts on. This has caused Windows to end up like a Rube Goldberg machine, so complicated on the inside that "they" say nobody at Microsoft really knows what everything in there actually DOES.

      2. They really pounded the nails in the coffin when they deliberately bound IE into the O/S to frustrate the DOJ during the browser wars. By binding so many things right into the O/S, they glued themselves to their codebase. Can they even separate their GUI from the underlying O/S anymore?

      3. Given that this monstrous, mammoth codebase is a hideous nightmare to try and "fix", obviously the smart thing is to pull a Steve Jobs: scrap the whole beast and glue a beaufitul, stable frontend onto a FreeBSD backend with a Mach Microkernel. This would turn Windows into a thing of beauty and stability, like the Mac O/S. But, CAN they? Is it even possible?

      4. And, if they did that, they might face a revolt as virtually every software company, corporate IT department, and end user went completely ballistic. It could be suicide.

      So, think this over: Microsoft is pretty much screwed, locked utterly into the codebase they've got. If they stick with it, eventually they'll be replaced by more secure, stable alternatives. If they try to save themselves the Apple way, the end could come sooner instead of later.

      If YOU were Gates and Ballmer, what would YOU do?

      Aside from spending the weekend on the yacht, I mean... ;)

  • I wonder why (Score:3, Insightful)

    by TFGeditor ( 737839 ) on Sunday June 26, 2005 @07:57AM (#12913571) Homepage
    "Most users just don't know they can set up least-privilege accounts in Windows today, and that's just a sad reality."

    I wonder if this could have anything to do with the fact that the user interfaces, OS messages, and help files are not "user friendly" and written in mysterious GeekSpeak that the average user doesn't understand.

    • Indeed.

      Now if the help info was just packaged in the eminently user-friendly 'info' system. . .
      • Re:I wonder why (Score:2, Interesting)

        by Ilgaz ( 86384 )
        "xxx requires your administrator password to install"

        "ok" "cancel" at bottom there is a tiny triangle can be opened and shows full path to whatever needs it.

        As they steal everything, why not steal that scheme of OS X so at least we mac users have a "more free" port 135? ;)
    • Re:I wonder why (Score:5, Insightful)

      by dnoyeb ( 547705 ) on Sunday June 26, 2005 @08:09AM (#12913635) Homepage Journal
      Or the fact that 1/2 the programs only work with Admin rights.
      • Re:I wonder why (Score:2, Insightful)

        by Syncrou ( 179670 )
        1/2 of the 3rd party software doesn't work in restricted mode. i.e. Itunes won't even import CD's.

        Thats enough reason there to ditch it.

      • Re:I wonder why (Score:5, Informative)

        by Transcendent ( 204992 ) on Sunday June 26, 2005 @09:28AM (#12913980)
        Even a lot of MICROSOFT games (Age of Mythology, for example) don't work unless you have admin rights...
    • Re:I wonder why (Score:5, Informative)

      by jd142 ( 129673 ) on Sunday June 26, 2005 @08:13AM (#12913644) Homepage
      It isn't the unfriendliness of the UI or the help file.

      By default, new accounts created during a windows install/first use interface are administrator accounts. As are new accounts created through the generic, task view Control Panel interface for account management.

      It's one of the reasons that Windows is unsecure out of the box.

      If MS merely made accounts user only be default, that would take care of it.

      Of course, then you'd have to fix all of the crappy software out there that can only run as admin. And there's a lot of it. Major software packages like WordPerfect still don't handle user accounts and preferences correctly and it's a very simple thing to do.
      • You have reinforced my point.

        Try saying what you wrote to a non-geek user. The ensuing blank stare could thwart the machinations of Medusa.

    • Re:I wonder why (Score:5, Insightful)

      by n0-0p ( 325773 ) on Sunday June 26, 2005 @08:22AM (#12913687)
      Lets not forget software just failing to work. Most third party applications simply will not run correctly in an LUA environment. Honestly, most MS software couldn't run this way before 2000. I run LUA and I have to use runas admin on far too many applications; how is that really LUA? And lets not forget that running IE with reduced rights will also cause many IE plugins and any IStream handoffs (like Media Player) to fail without explanation.

      Of course, I totally agree that they claim of lack of user awareness when it is really a lack of MS support. Microsoft has also done nothing to simplify this issue for developers. There are no simple "test and prompt for elevation" routines. It's not a general Windows logo requirement; in fact it's buried in one paragraph in the enterprise logo. And to top it all off, aside from a few proactive devs making blog entries, there's been no attempt to educate users.

      Way to go MS, blame user apathy for your own poor performance.

  • doh (Score:5, Informative)

    by Anonymous Coward on Sunday June 26, 2005 @07:57AM (#12913574)
    most likely because this option breaks most applications
    • Re:doh (Score:5, Insightful)

      by deutschemonte ( 764566 ) <lane.montgomeryNO@SPAMgmail.com> on Sunday June 26, 2005 @08:07AM (#12913625) Homepage
      Too bad you posted as AC because that's exactly why I don't use it.

      A limited account in linux still allows you to do most things without a hitch. Plus, when you need root access, you can do that within the logged on account without logging off.

      I also tried setting up my SO's account as limited but she ran into problems all the time. It is hard to explain (excuse?) something as a feature when it is such a pain in the ass.

      Hopefully, they will get this one thing right in Longhorn.
      • Re:doh (Score:5, Informative)

        by blackpaw ( 240313 ) on Sunday June 26, 2005 @08:14AM (#12913655)
        You can start a Administrator cmd prompt in windows without logging off:

        runas /profile /user:Administrator cmd.exe

        Or any other program can be launched.

        • Re:doh (Score:3, Interesting)

          by Hal_Porter ( 817932 )
          Actually the best way is to use Fast User Switching. Have an Admin account and your normal one. Do Adminy stuff in the Admin account and everything else in the normal one. Once you get used to it, it's a couple of keystrokes to flip between the two. Unlike Run As, the two zones are on different desktops, which means that you're invulnerable to Shatter attacks windows running with admin privileges [tombom.co.uk]

          Here's a good blog with much more info [msdn.com]

          Some people even prefer this to su.
        • Re:doh (Score:3, Insightful)

          Thereby defeating the purpose of having a least-rights account, when you have to run everything with elevated privileges.
    • Re:doh (Score:2, Informative)


      Exactly. Even the most mundane and trivial application or game these days tends to require some sort of adminstrative privileges or access during install and commonly also during use. Numerous small business accounting packages require adminstrator privileges, especially a much-maligned yet inexplicably common package that requires online activation.

      Look, I can understand that low-access user accounts are the way to go, but when the most common programs require admin rights to use and install, how can yo
    • Re:doh (Score:5, Interesting)

      by TopSpin ( 753 ) * on Sunday June 26, 2005 @08:26AM (#12913707) Journal
      most likely because this option breaks most applications

      This is why most people don't know about it; developers and vendors barely understand Windows security, so it's ignored. The users instinctively know this and they play along, ignoring the existing capabilities.

      The Microsoft platform is closed, poorly designed, obscure and ambiguous. Side effects are common and difficult to prevent or correct. Frobbing things that vendors aren't paying close attention to is a good way to invent new breakage.

      Go ahead, be the first on your block to harden Windows with naive LUA. Spend the next two years chasing down truly arcane breakage. Teach Microsoft and third party vendors how to promulgate securable products. Meanwhile, I'll be using software on platforms that figured out most of this stuff a decade ago.
    • I don't have enough WinXP-specific experience to know how many applications actually break when you're running them as non-root, but most of them require your to be admin to install them. One way to do this is to log off from your non-priv account, log on as admin, install the stuff, log off as admin, and log back in as yourself. I normally do that, and it usually works.

      Unfortunately, there are a bunch of applications for which this doesn't work right, including iTunes - the first piece of Apple softwar

  • by ts0003 ( 240556 ) on Sunday June 26, 2005 @07:58AM (#12913576)
    There's a reason why most people don't use it. Microsoft's implementation is flawed to say the least. When a user sets themselves up this way and then installs programs as an Administrator, they find that they can't run the programs completely or correctly as the lower privilege user. Some of this is due to Windows application programmers doing boneheaded things. Much of it has to do with the programming practices Microsoft has fostered - like writing to global registry keys in the Windows 95 and 98 days. Contrast this will Apple which has gotten the APIs right, put out tutorials on how to do this and most importantly made the whole process of installing as Administrator but running as a User as painless as possible.
  • by dduardo ( 592868 ) on Sunday June 26, 2005 @07:58AM (#12913578)
    If their software doesn't work in least priveleged mode doesn't it defeat the whole purpose of the system?
    • I second that one... I have everyone in my family (myself included) setup as limited users but most of my games, my palm sync software, and every single childrens' educational game I have will not run unless admin. So every time my kids want to play Blue's Clues I have to come up, use "Run as..." and enter my admin password. Pain in the arse.
    • by value_added ( 719364 ) on Sunday June 26, 2005 @08:21AM (#12913685)
      Hell, tell that to Microsoft [microsoft.com].

      Certain Programs Do Not Work Correctly If You Log On Using a Limited User Account

      Microsoft Flight Simulator 98
      Microsoft Flight Simulator 2000
      Microsoft Flight Simulator 2002 Professional
      Microsoft Flight Simulator 2004 Century of Flight
      Microsoft Train Simulator 1.x
      Microsoft Money 2000
      Microsoft Money 2001
      Microsoft Money 2002
      Microsoft Money 2003
      MSN Messenger Service

      Microsoft seems to have discovered the command-line, so maybe they'll discover the root account? Maybe they can fix their broken 'runas' soon thereafter.

    • It certainly sets a terrible example.

      I think Howard is simply trying to shift the blame for the exceptional lack of security in Windows by default.

      To summarise the reasons for developers and users ignoring LAU mode:

      • Many applications, including some written by Microsoft themselves, don't work in part or whole under LAU mode
      • The first account created when booting Windows XP for the first time is given administrator privileges
      • Newly-created accounts are given administrator privileges by default
  • by Jarnis ( 266190 ) on Sunday June 26, 2005 @07:59AM (#12913580)
    Users ignore it, because it's a horrible pain to use XP using a normal user account.

    There are numerous games that cannot be installed without admin rights, and plenty who cannot even be EXECUTED without admin rights. All because the devs are lazy morons.

    Same goes with numerous applications.

    Not to mention the fact that in many case applications break in random ways, without actually telling why they break.

    So right now if you actually want to use XP, you pretty much are stuck with admin mode (or you have way more patience than I do in using 'run as..' or switching users)
    • Actually, in the case of a lot of games, the reason a non-admin account can't install or execute it is because of the moronic copy prevention scheme used, not because of the moronic game devs. (The scheme is also generally insisted upon by the publisher, not the game studio, so it's not even their boss's fault a lot of the time)
    • by Cyberax ( 705495 ) on Sunday June 26, 2005 @08:03AM (#12913608)
      It's not just developers, unfortunately. Some important things just can't be done under normal account. For example: COM-server registration (and consequently ActiveX controls) requires admin access , because permission to access HKCR and HKLM is neccesary.
    • There are numerous games that cannot be installed without admin rights, and plenty who cannot even be EXECUTED without admin rights.

      For execution I agree with you, but for installation I'd expect it to be impossible to install without admin rights.

      Cheers,
      Ian

    • Heh.. These accounts (non-priv / non-admin) are my corporations's default and it's an interesting battle trying to get admin privs on a local machine (need them to test several software packages we distribute). I've found that requesting an install of Adobe Photoshop will get admin privs easier than getting a piece of paper signed by immediate manager, department head, reviewed by IS, and various other sign offs.

      I'm a Gentoo user at home and I'm too used to being able to modify my system to suit my needs.
    • Although I agree that developers could exert more effort to make their software LUA friendly, note that most developers code to "common" standards. These standards, whether written or culturally imposed, are what people (including clients) expect.

      As a developer, if I want to code for LUA, I need to make sure that all of my dependant libraries are LUA friendly. Not a hard job for the likely system libraries, but next to imposbbile for most popular 3rd party libraries. Resons differ from case to case, but
    • Exactly. My company laptop arrived without admin access. I thought it'd be fine, since I didn't really plan on installing anything.

      Well, then it came time to take company training tests. They're based in Flash, and Flash couldn't install without admin access.

      Then I tried to install a printer. No go on that one.

      I ended up having to install VNC (since Remote Assistance was disabled) and have a tech install it as well, and connect to my computer to put in the admin password and grant me access.
    • by daVinci1980 ( 73174 ) on Sunday June 26, 2005 @08:56AM (#12913837) Homepage
      There are numerous games that cannot be installed without admin rights
      First off, this is true of *nix as well. Remember that lest step of installing new software, 'make install'? That one usually has to be done as a super-user, as it installs into common areas.

      and plenty who cannot even be EXECUTED without admin rights. All because the devs are lazy morons.
      Actually, this has nothing to do with the developers being lazy morons (which they're not). It has to do with MS' broken security model. The place where they chose to draw the line between user and admin restrictions in the API is so asinine that it's virtually impossible to write any sort of complex app that *doesn't* require some admin functionality to run.

      But to be honest, why does it even matter? A lot of the vulnerabilities on Windows have nothing to do with installing software, or who has the permissions to run operations. They have to do with services' exploits and buffer overruns, which are already running as 'System' level (super-user) in the background.
  • Non-admin Wiki! (Score:5, Informative)

    by sandstorming ( 850026 ) <johnsee@sLAPLACE ... m minus math_god> on Sunday June 26, 2005 @07:59AM (#12913582)
    Everything you need to know http://nonadmin.editme.com/ [editme.com]
    • Acronymtastic! (Score:2, Informative)

      by Hal_Porter ( 817932 )
      That site is great. It has articles on SUS/WSUS and LUA written my MVPs. They also have links to using FUS to flip between a LUA account and a DA or LA one. /If you understood what these meant, you'd stop complaining about how Windows doesn't have SU.
  • defaults (Score:4, Insightful)

    by justforaday ( 560408 ) on Sunday June 26, 2005 @07:59AM (#12913586)
    I'm sure the default setting of creating an admin level user with no password at install time, and then having it set to automatically log them in has nothing to do with it...
  • Windows' fault (Score:5, Interesting)

    by Dacmot ( 266348 ) on Sunday June 26, 2005 @07:59AM (#12913588)
    Could it be "the sad reality" because Windows up until XP (ignoring 2000 and NT) there was no user-priviledges differences?

    Maybe MS should start educating the population and force them to create passworded least-priviledged accounts and choose a password for the administrator account when installing or booting an OEM for the first time. Maybe also the administrator should be blocked out of surfing the web and playing games so that people just don't use the admin account for everything.
  • Too many broken apps (Score:2, Interesting)

    by Anonymous Coward
    As much as I'd like to use a more restrictive account on my Windows box, I find it absolutely impossible to do so with many games and various other applications.

    One typical example is Dark Age of Camelot [darkageofcamelot.com] by Mythic Entertainment. The game itself is installed to a C:\Mythic\ directory usually, as well as all the profiles for every character. Even World of Warcraft is just as bad, all the profiles are stored in a subdirectory in the C:\Program Files\World of Warcraft\!

    Until developers start supporting limi
  • by freeio ( 527954 ) on Sunday June 26, 2005 @08:02AM (#12913600) Homepage
    One big obstacle is that too many applications I see require administrator privileges not just to install but also to run. Your end users figure that out, set themselves up as administrators, and leave it at that.

    This is nothing new...
  • by Spackler ( 223562 ) on Sunday June 26, 2005 @08:02AM (#12913602) Journal
    Oh, I'm sorry for installing the system and using it as the default. Please continue to blame the users for paying you for a borderline operating system. It is not an education issue as much as it is a crappy software issue. You should not continue to turn a deaf ear, but I already know you will. Just send out an email that looks like a Phishing email but contains a system lockdown. That way, only the stupid people will click on it, and we can decrease the surplus population on the internet.
  • Lazy programmers (Score:3, Interesting)

    by TheRealFixer ( 552803 ) on Sunday June 26, 2005 @08:02AM (#12913603)
    If so many Windows developers weren't so utterly lazy, and learned how to code an application that doesn't require administrator rights to run, things would be a lot easier. As it is, there are so many poorly-written apps out there that write to admin-only places in the registry, or dump files that need to be modified into system folders, that in a lot of large companies with a plethora of apps it's almost impossible to switch to a true LUA security model.

    Of course, a lot of the blame goes to Microsoft for encouraging the idiotic "everyone's an admin!" mentality.
  • by Ckwop ( 707653 ) * on Sunday June 26, 2005 @08:03AM (#12913605) Homepage

    This is why during the set-up of Longhorn it'd be a really cool idea to create all the accounts for the welcome screen, or it's equivelent, as non-adminstrative users. In fact, it should go further than this, it shouldn't give you the option of creating an administrative account at all on this screen. The administrative user should be banned from internet access by default (with the exception of Windows Update) and if you decide to add another administrive account it should warn you profusely that this isn't a smart idea.

    In .NET there are attributes that allow you to define permissions on methods. For example, if I know that my method only ever does algebra then I can ban it from network IO, File IO etc. It'd be a good idea to make these attributes required before the source will actually compile. You could have intellisense in Visual Studio autogenerate the most restrictive settings whenever you create a new method.

    Some security counter-measures can be really a pain in the ass but these couple i've mentioned here would really help bring windows security under control. Windows security is not bad, per se, it just needs more configuration than we can expect from Joe Sixpack. We need to make security easier for them and that's in everyones best interest, Microsoft included.

    Simon.

  • The reasons users are "ignoring" it are at least twofold.

    There's the old standby of making it harder to do some things (which is the point) as an unprivileged user. To be honest, I'm okay with that; it's the reason for being unprivileged in the first place. My significant other's Windows XP account is set up as a "Limited Account", and she has no problems using it to check email, run Firefox and MS Money, and so forth.

    The biggest issue, however, is that's it's not the default for new accounts, and th

    • "My significant other's Windows XP account is set up as a "Limited Account", and she has no problems using it to check email, run Firefox and MS Money, and so forth."

      That's odd. I tried setting up a similar account for my girlfriend and she had no problem running Mozilla... except that it was impossible to view anything on the Internet because the DSL dialer _REQUIRES ADMINISTRATOR PRIVILEDGES TO CONNECT_.

      So you're right: for a few people running a few specific simple applications, you can manage with a n
  • I use XP Home on a PC and have found that the "limited" account too limited to even do things like play games (which read from the CD-ROM). After two days of trying to find ways to allow the limited users access to the CD-ROM I gave up all together and made all of the accounts 'administrators' again.

    Defeats the purpose. Upgrading to XP Pro isn't an option because that costs too much money (YMMV). When I first used Linux, I found it easier to allow and restrict access to devices and files. In Linux it was m
  • Honestly. Up until Windows XP working inside windows without admin options was a constant annoyance.

    Even now it's not really comfortable. It's not that the users wouldn't care. It's just barely useable.

    Since Windows needs lot of maintenance throughout it's silent decay until reinstallation, most users feel they are better of working as admin right away. :) What adds to it is that windows really lowered the bar on "advanced options". Stuff like hiding c:\Program Files per default makes every newbie feel li
    • And windows setup doesn't really help much with a smoke and mirrors way of creating users and rights.

      The thing I've always found bizarre is that for a user to "own" his/her files, a GPO needs to be set (running secpol.msc and clickity-clicking your way through Local Policies, Security Options, System Objects, and then changing "Default owner for objects created by members of the Administrators group" to "Object creator" instead of "Administrators group".) But that's just for XP systems. And for folks wh
  • "Most users just don't know they can set up least-privilege accounts in Windows today, and that's just a sad reality."

    I wonder, if Michael Howard is aware, that most of windows software requires admin priviledge to be succesfully installed?

    Is it somehow also users problem, not architecture problem?
    • Not a fault (Score:3, Interesting)

      by mccalli ( 323026 )
      I've posted this further up as well - it certainly isn't an architectural fault that most software requires admin to install, in fact I'm rather glad it does. The Mac, for example, won't let you put stuff into the Applications folder unless you can supply an administrative password.

      It's a fault that non-util software also requires admin to run, but whether that's Windows' fault or the developer of the software is open to question at best. Personally I'd say that's the developer's fault. A great example of

      • It is not a fault that software requires administrator rights to install into the default location (c:\Program Files on Windows, or /usr/bin on Linux), but it is a problem when you cannot even install and run it from your own home directory without entering the administrator password. This makes it impossible to run software without giving it full control of your machine.
    • It's not a problem at all -- it's a feature, not a bug.

      If you're running a business with an IT department, or even have a household machine that you're responsible for fixing when someone breaks it, do you want unprivileged users to be able to install software, except for in their own accounts' space?
  • by Mister Impressive ( 875697 ) on Sunday June 26, 2005 @08:06AM (#12913622)
    ... I'm a true blue Windows user, but I've tried linux. Red Hat 8, to be specific. I remember the FIRST thing it told when I logged in as root, was to create a new non-power account. It even showed me how to. Whenever I wanted to change/install something, a nice prompty would come up asking for my password to give it the proper priviliges.

    M$ should learn from this, and their little article there, that instead of the stupid tour that appears when you first login after a fresh install, there should be a message alerting the user to create a new account.
    • Whenever I wanted to change/install something, a nice prompty would come up asking for my password to give it the proper priviliges.

      That's non-security. Make a user type his password n times a week and he'll type it in every single dialog window that asks for his password. Even the malicious ones.

      So now you have your user enclosed inside an annoying stainless steel safe, except for the fact that it isn't safe at all, because he'll yell the door code at anyone standing outside.

      Home users don't need

      • by ink ( 4325 ) *
        That's non-security.

        I disagree. Having the password prompt gives the user the power to decide when elevated privileges are required. If a user disregards this power, then that is their fault. On OSX, I get prompted about once a month for the admin password, and it's usually when I run Software Update. If I were simply browsing the web and a trojan sheet came down, asking for the administrator password to continue, it would obviously be a phishing attack. I've trained my users to not check the "rememb

  • by Novus ( 182265 ) on Sunday June 26, 2005 @08:07AM (#12913627)
    In my experience, lots of old Windows 95/98/Me software fails to run properly without administrator rights due to nasty habits like writing lots of stuff all over the system registry and/or Windows directory. XP Home also makes the problem worse by making it very hard to set file access privileges. All in all, the problem here is that running most Windows software with lower privileges doesn't work, so nobody sets up their system with limited privileges. Also, there is too much stuff you have to do manually to switch to the right privilege level for every task that you have to understand to actually gain anything for the added complexity.

    In contexts where the system administrator and user are two different people (and the system administrator is on the job), things usually work smoothly. These contexts are also those for which software is properly written; how much office software needs administrator access to run? The problem comes when you have a clueless user who is also admin for a machine; you try explaining to people why they should have to type a password (administrator password) to install something and when they should enter this password without confusing them or discouraging them from using limited privilege accounts altogether. Unfortunately, this sort of protection is almost useless if the user with the admin password is clueless.

    However, I see no reason why Internet-facing software shouldn't be written to drop privileges on startup, much like a lot of suid root binaries open the files they need and then drop to normal user privilege levels. For example, preventing IE from installing or modifying stuff all over the OS would help a lot.
  • An Example (Score:3, Informative)

    by Maljin Jolt ( 746064 ) on Sunday June 26, 2005 @08:07AM (#12913630) Journal
    On Windows 2000 fresh system installation, a game title Star Wars Galactic Battlegrounds (running on Age of Empires engine), published by Microsoft executes only in administrator account, not in user. Many other games of other publishers doing cd check or strange networking too.
  • I reinstalled Win2k on my main workstation and tried to live with out admin priviledges.

    that lasted for about... a day.

    Logging in and out of 2k just to do maintenence sucked ass in ways that can't be described.

    Even though WinXP has a "Run As..." option, I'm hesitant to take it up on it's offer in fear it'll break something else.
    • I personally use Windows (2000) for one thing and one thing only anymore: AutoCAD. You simply can NOT fully _use_ (not install) AutoCAD without admin privileges. XP or 2K. I venomously use 2000 over XP for one reason: take the _same_ hardware (P4 @ +3Ghz with 2G of memory and 256M video) and compare the two side by side: XP is noticeably slower and offers NOTHING in the way of me getting my job done, but that's of another issue.

      [Yes, I do have to admit -- that for the home user all the fluff can be very us
  • "... Windows today, and that's just a sad reality."
  • It's Intentional (Score:3, Insightful)

    by eno2001 ( 527078 ) on Sunday June 26, 2005 @08:19AM (#12913673) Homepage Journal
    When a friend of mine got a new Windows XP (Pro, not Home) box, he asked me to help him get it set up. I told him that he should have two accounts: one admin (He has a strong password for his admin account and the username has been changed from default.) and one regular user. I explained the whole issue of how an exploited machine with the user running as admin could cause more problems than if he ran as a regular user. I cautioned him that he'd have to deal with the pain of switching between the accounts whenever he needed to do stuff that required admin rights. Since he's been trojaned before, he agreed. We also set up the Windows XP firewall for extra security since he was directonly connected to the net.

    Within a month, I got a call where he said, "Dude! Can we get rid of this admin account and the goddamn firewall? Everytime I want to do anything useful, I have log into the admin account. And I'm always having to log into admin and turn the firewall off to play online games". So, I suggested that he spend the money to get an external hardware DSL/Cable router. He did, and we turned off the firewall. But he still wanted his regular user account to be admin because that's where all his data was. After arguing with him for a bit, I told him we could set it up as an admin user (he didn't want power user because we'd tried that and there were still a few programs he claimed he couldn't run even as power user. CDRWIN was one of them) but that if anything resembling the worm/trojan that hit him in Win98 happened, it would be a full reinstall. I wouldn't try to figure out what happened. He agreed. It's been a year and a half since then. He's really good about applying the latest critical updates and that hardware router has probably saved him numerous times. But I still think he's in a risky position.

    Most people just don't want to have to deal with the hassle of switching between two user accounts or learning to use "runas". It will always be this way. End users need full privs on their boxes. The only way around this is to set OSes up so that each user's "desktop" is actually a full VM. Then if it gets hosed by them running as admin, the only thing that needs to be wiped is their profile and that VM's image. Much cleaner than having to do an OS reinstall or a postmortem.
    • Re:It's Intentional (Score:3, Informative)

      by TrekkieGod ( 627867 )
      Most people just don't want to have to deal with the hassle of switching between two user accounts or learning to use "runas". It will always be this way. End users need full privs on their boxes.

      Well, you appear to pretty knowledgeable about windows, but I'm going to guess you don't have much linux experience (and there's nothing wrong with that).

      I'm not going to claim linux user-friendliness for end users, but at least you can still run every program you need under the non-admin accounts (and the prog

  • by jafiwam ( 310805 ) on Sunday June 26, 2005 @08:19AM (#12913677) Homepage Journal
    1) Windows XP has a crap default setup for user preferences; candy apple theme, "hide known file extensions", icons view, hide "my computer" etc.

    Once the admin account is set, it is a PITA to do the same stuff for other accounts. XP needs a button that says "make ALL accounts use this as default" button on those settings.

    2) No damn rhyme or reason behind what requires admin access and what doesn't. Sure, adding Office or Baldurs Gate should require admin, changing screen resolution? Hell no. Half the spyware normal users get uses privledge escalation holes anyway so it does not keep that crap down.

    Make the stuff make sense.

    Anyway, I have been told (but have not tried) that making the "temp" folder trees "Everyone" read/write explicitly, and adding each account explicitly fixes most of the "run as admin" problems. Most programs dont do much registry editing, but a lot need scratch space and if they use the temp folders, they need access to them.
    • No damn rhyme or reason behind what requires admin access and what doesn't. Sure, adding Office or Baldurs Gate should require admin, changing screen resolution? Hell no. Half the spyware normal users get uses privledge escalation holes anyway so it does not keep that crap down.

      Yep. Can't set the clock, but I can shut down the system!

    • Re:Some reasons... (Score:5, Insightful)

      by drsmithy ( 35869 ) <drsmithy@gm[ ].com ['ail' in gap]> on Sunday June 26, 2005 @09:01AM (#12913863)
      Sure, adding Office or Baldurs Gate should require admin, changing screen resolution? Hell no.

      Changing the screen resolution in Windows does not require admin privileges.

      Half the spyware normal users get uses privledge escalation holes anyway so it does not keep that crap down.

      Which ones ? Privilege escalation bugs aren't exactly common.

      Anyway, I have been told (but have not tried) that making the "temp" folder trees "Everyone" read/write explicitly, and adding each account explicitly fixes most of the "run as admin" problems.

      You've been told wrong. For starters, every user on the machine can create new files and modify existing files that belong to them in C:\Windows\Temp. Secondly, most all apps (even the badly written ones) use the per-user TMP variables that point to directories within the users profile (that they have "Full Control" over).

      Most programs dont do much registry editing, but a lot need scratch space and if they use the temp folders, they need access to them.

      No, in fact the most common problem is applications that try to store things that *should* go in HKEY_CURRENT_USER in HKEY_LOCAL_MACHINE. Bugs like this are actually a good indicator of the developer's lack of interest in updating their product, because per-user registry hives were introduced to Windows 9x back with Windows 98 (they've always been in NT AFAIK).

      The second most common problem is stupid developers trying to write to files (often user or application preferences) in either their program's directory or the Windows directory (DOOM 3 has this problem).

  • by Quirk ( 36086 ) on Sunday June 26, 2005 @08:24AM (#12913698) Homepage Journal
    While I was started on a TI 99/4 [oldcomputers.net] my parents got for me, sans monitor, and hooked up to an old 14 inch b&w TV, every machine following that was a wintel box up to being introduced to Mandrake (as it then was) 6.

    DOS 3.3 was the first MS OS I understood, so much so that, when the first DOSSHELL came out, I asked why would someone need that? I jumped on the NT technology because, when it first came out, it was well documented, (vis a vis my experience) and it allowed a whole new playing field. When NT 4 came out MS moved Video and Printer drivers from User mode to kernel mode. This was, IIRC, about the time Bill Gates had his vision of the PC integrated multi media household. I believe the PC version of Windows has persued this vision of multimedia OS to the point of having become in WinXP an ugly, bloated kludge, but it does, as much as possible, deliver in an ugly way, as a backward compatible multimedia OS.

    Win 2K was the last OS to maintain the promise that Win New Technology brought with it. Win XP saw the culimnation of MS' effort to integrate Win95/98/ME with some of the benefits of NT, but the end result is an all and everything everyman's stew meant to satisfy the cravings of the masses.

    I run WinXP on a web box for multimedia but thanks to the lessons gleaned online (/.:) I'm moving on to a *BSD, or one of the upcoming microkernel OSes to do research.

  • So, how many people really have machines that have multiple users, anyway? I don't see why I should set up a non-admin account on a Windows XP box that only I use.

    By the way, I'm constantly frustrated by my new Windows XP machine that won't let me do what would be normal tasks under Windows 98, even as the administrator (running legacy programs that need access to the parallel port, for example).
  • Seems they dont have a problem, as it *defaults* to secure.

    Apple also tries to speak to the *user*, not 'yet another IT support person'.
  • I had to make the 4 yr old a power user to run the educational programs she uses from such manufacturers as Jumpstart, Knowledge Adventure, and others.

    On the other hand, my 17 year old is a limited user and everything he plays will work ok with that setup. Sometimes I have had to grant permissions to the program directory or on a couple even the registry key in the hive, but I don't know of a single game we haven't been able to get working that way, and he plays most of the current ones such as World of
  • MS - Hello intrepid user. I know I've always allowed you to run as root before but check this out! You computing experience could be filled with and endless array of confusing dialogue boxes all basically telling you you're not root.

    User - That sounds like it might suck.

    MS - No no no, it's great! And it's pretty hard to implement. Oh and a whole shitload of legacy apps won't even install.

    User - Why would I want that?

    MS - It's safer.

    User - Do you still let programs run as System?

    MS - Well yes.

    User - Why?

    MS - Symantec asked us to support the Open Source Virus Community and we are!

  • But IIRC when I installed Windows XP Pro on my PC, the installer only created one (visible) account by default. An administrator / superuser account, for my personal use. Very secure Microsoft. (I'm stupid enough to be using it of course, although I'd like to think I'm geeky enough to be safe).

    The Mac OS X approach is better IMO. You can't actually create a true Super User account (and the UNIX root account is disabled), at least not without *nix hackery. Instead the default account created is an Administr
  • Compare the ease of use of a standard Linux logon in, say, KDE and the way that interacts with root level with the mess that you get with a low privilege account under Windows and it doesn't surprise me nobody uses it.

    You can let your granny loose on KDE with little instruction, to set her up as LUE under Windows would invoke such a barrage of support calls it would be a simply insane choice.

    I guess it's another one for the "Gut the facts" campaign..
  • by gregorio ( 520049 ) on Sunday June 26, 2005 @09:05AM (#12913876)
    ...exactly what I said in my previous post: least-priviledged admin-password-asking security systems are useless for home users. Make a user type his password n times a week and he'll type it in every single dialog window that asks for his password. Even the malicious ones.

    So now you have your user enclosed inside an annoying stainless steel safe, except for the fact that it isn't safe at all, because he'll yell the door code at anyone standing outside.

    Home users don't need annoying internal security. They need transparent outside access security. That's all. Give an annoying security tool to someone who is only interested in bein left alone to use his computer, and he'll break it in a minute.

    Face it, people: users will always want to be in charge of their computer, to install the latest (card/3d/simulation/fishing) game, "multimedia" tutorial or whatever. So now you have two choices: 1. Give them a crippled (no admin access) computer and they'll give you the finger. 2. Give them the admin password and they'll render it useless.

    And no, this is not a matter of education. Even the most experienced geek can get distracted and annoyed as hell with password prompts. Create a security system that gives you routinely security prompts and they're going to be... routine.

    What we need to fix is the way computers execute applications. We need a secure list of routine applications and procedures and a secure code signing system. A system where funny-cat-game is really from a company that was previously-approved by -SOME SERVICE-. So that way we'll only have important security prompts at important situations.

    No, this is not the solution for most security-related problems, but it's a rough notion of the direction we should be heading at: create a system, any system, that allows the computer to stop asking (the home user) passwords all the time.
  • The sad reality of the situation is it is IMPOSSIBLE to run as a non-admin and actually get anything done.

    As a savvy PC user I tried to setup my XP system following best practices. Only run as admin when necessary. However, the two applications I use everyday make this impossible. Quicken and NewsBin Pro. Both of these applicatons require write access to their respective program files directories which forces you to run the application with elevated priviliges.

    Until either application developers create proper software that actually obeys the security model or Microsoft enforces this policy then Windows users will always be admins.
  • LUA hahaha.. (Score:3, Informative)

    by naelurec ( 552384 ) on Sunday June 26, 2005 @10:01AM (#12914122) Homepage
    I've had the enjoyment of learning all about LUA about two months ago. A very umm.. textbook example of a small network -- Win2k3 server, WinXP Pro clients.

    Needless to say, this was not even CLOSE to what a UNIX user account is like.

    Few thoughts..

    1. App compatibility - very annoying. While some apps are kind enough to out-right say they suck and are not compatible, there are LOTS of apps that fail in *silent* ways. Mostly writing to folders and registry w/o checking for access rights. There are many apps that attempt to write temporary files outside of user folders (ie the Program Files folder) or even store user prefs in the system registry.

    2. Along with #1 -- there are many things INSIDE WinXP that fail. One very annoying example is msconfig .. it throws up a dialog after an admin does some changes but for a user and does not acknowledge the user's response (silently fails when writing to a system registry key). I have no idea why a user is prompted when an admin does a modification. Same thing with user defaults -- the system, even though it prompts to set a browser as default, silently fails when setting registry keys (again, not a user registry key). Apparently there is no way to adjust registry key security from a GPO or script to grant users this access (w/o going to each system manually)..

    3. runas .. hehe.. that is so not even close to su/sudo -- while there appears to be lots of little workarounds (ie logging into administrative network shares of drives) its cumbersome and adds so much extra time to troubleshooting.

    4. Fonts .. I really don't understand why users don't have their own fonts folder. I had to manually go into each computer, modify the registry to give permission to add fonts, adjust the fonts folder permissions, yada yada.. PITA. A user font folder (that follows them if roaming profiles is enabled) would have been a piece-of-cake while leaving the system font folder small and fast.

  • by supersat ( 639745 ) on Sunday June 26, 2005 @10:16AM (#12914192)
    When I first installed Windows on my new system, I tried creating a seperate non-admin account that I'd use for my day-to-day computing. Shortly thereafter, I added it to the Administrators group because I just couldn't take it anymore.

    Installing applications was mostly a non-issue, with Windows prompting me for my Administrator password when I tried to install something that needed Administrator permissions.

    However, almost everything else was a giant pain in the ass. If I wanted to use any of the control panels, I either had to log out/log back in as Administrator, use Terminal Services to connect to localhost and log in as Administrator, create yet another shortcut to run it as Administrator, or use the runas command. None of those options are nearly as slick as Windows Installer asking me for my Administrator password. Why they couldn't use the same model is beyond me.

    It's not only the control panels that I had problems with. If I wanted to use Windows Update, I had to be Administrator, and it gave me no easy way to become Administrator. If I wanted to develop and debug something in Visual Studio, I either had to be Administrator or be in the debuggers group, which essentially gives you free access to poke at the system any way you like. And of course, numerous applications and games have copy protection systems that require system drivers and services to work.

    Of course, LUA doesn't do a damn thing against network-based attacks.

    In the end, it's much easier to run as Administrator and drop priviledges when running certain applications.

Garbage In -- Gospel Out.

Working...