Windows Users Ignoring LUA Security
blankify writes "eWeek is running a story about the least-privilege, no-admin option available in Windows (2000/XP/2003) that has been mostly ignored by end users. From the article: '"To the average user, the notion of non-admin is abstract and obscure," said Michael Howard, a senior security program manager in Microsoft Corp.'s security business and technology unit. "Most users just don't know they can set up least-privilege accounts in Windows today, and that's just a sad reality."'"
Well no shit. It's ignored by the user because everyone else ignores it.
How about, embracing and extending good practice...
"Most users just don't know they can set up least-privilege accounts in Windows today, and that's just a sad reality."
I wonder if this could have anything to do with the fact that the user interfaces, OS messages, and help files are not "user friendly" and written in mysterious GeekSpeak that the average user doesn't understand.
Ignorance is curable, stupid is forever.
most likely because this option breaks most applications
There's a reason why most people don't use it. Microsoft's implementation is flawed to say the least. When a user sets themselves up this way and then installs programs as an Administrator, they find that they can't run the programs completely or correctly as the lower privilege user. Some of this is due to Windows application programmers doing boneheaded things. Much of it has to do with the programming practices Microsoft has fostered - like writing to global registry keys in the Windows 95 and 98 days. Contrast this will Apple which has gotten the APIs right, put out tutorials on how to do this and most importantly made the whole process of installing as Administrator but running as a User as painless as possible.
If their software doesn't work in least privileged mode, doesn't it defeat the whole purpose of the system?
Users ignore it, because it's a horrible pain to use XP using a normal user account.
There are numerous games that cannot be installed without admin rights, and plenty that cannot even be EXECUTED without admin rights. All because the devs are lazy morons.
Same goes with numerous applications.
Not to mention the fact that in many cases applications break in random ways, without actually telling you why they break.
So right now if you actually want to use XP, you pretty much are stuck with admin mode (or you have way more patience than I do in using 'run as..' or switching users)
Your programs will still function when you run on an account without administrator privileges. Wake me up when Microsoft's own programs work properly under a user account.
Administrator accounts should only be used for administrating the o/s; unfortunately much Windows software doesn't play ball, forcing Windows users to run under admin accounts. If the tech savvy didn't need to do this maybe they might start advocating the general masses to do the same. Until MS lifts its act this isn't going to change any time soon.
~Kalinga
Everything you need to know http://nonadmin.editme.com/
http://www.sandstorming.com
Most users just don't know they can escalate least-privilege accounts in Windows today, and that's just a sad reality
I'm sure the default setting of creating an admin level user with no password at install time, and then having it set to automatically log them in has nothing to do with it...
I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
Could it be "the sad reality" because in Windows up until XP (ignoring 2000 and NT) there were no user-privilege differences?
Maybe MS should start educating the population and force them to create passworded least-privileged accounts and choose a password for the administrator account when installing or booting an OEM for the first time. Maybe also the administrator should be blocked out of surfing the web and playing games so that people just don't use the admin account for everything.
As much as I'd like to use a more restrictive account on my Windows box, I find it absolutely impossible to do so with many games and various other applications.
One typical example is Dark Age of Camelot by Mythic Entertainment. The game itself is installed to a C:\Mythic\ directory usually, as well as all the profiles for every character. Even World of Warcraft is just as bad, all the profiles are stored in a subdirectory in the C:\Program Files\World of Warcraft\!
Until developers start supporting limited user accounts with their games/applications, people will just be lazy and stick to an admin account - which will always work.
That's because Windows doesn't default the user's account to the limited user account. Duh.
Most people don't even know how to create accounts or that there are different account types.
When most of the software (caveat... that I use anyway) running on XP will not run in user mode, is it any wonder that this is happening?
Heck, some programs will not even run with elevated privs (run as...) no matter what you do.
In the end, it is much easier to just have the systems in priv mode and monitor it to ensure it remains clean.
"The avalanche has already started. It's too late for the pebbles to vote." - Kosh
So you're telling me that not all Windows users do all they can to prevent unauthorized access and such?
IMPOSSIBLE!
Note to mods: I'm probably being sarcastic.
The non-admin account on Windows is fine and dandy, but in a real environment where people need different tools to get the job done and are allowed to install software to accomplish their daily tasks - things get a whole lot more complicated.
Sure, giving someone a laptop with 5 programs and the ability to do absolutely nothing will secure your system, but this kind of setup is very limited and will eventually cause a lot of support issues due to users being unable to install browser plugins, updates to existing software and even device drivers (for those handy enough to actually know what they're doing).
One big obstacle is that too many applications I see require administrator privileges not just to install but also to run. Your end users figure that out, set themselves up as administrators, and leave it at that.
This is nothing new...
Soli Deo Gloria
Oh, I'm sorry for installing the system and using it as the default. Please continue to blame the users for paying you for a borderline operating system. It is not an education issue as much as it is a crappy software issue. You should not continue to turn a deaf ear, but I already know you will. Just send out an email that looks like a Phishing email but contains a system lockdown. That way, only the stupid people will click on it, and we can decrease the surplus population on the internet.
If so many Windows developers weren't so utterly lazy, and learned how to code an application that doesn't require administrator rights to run, things would be a lot easier. As it is, there are so many poorly-written apps out there that write to admin-only places in the registry, or dump files that need to be modified into system folders, that in a lot of large companies with a plethora of apps it's almost impossible to switch to a true LUA security model.
Of course, a lot of the blame goes to Microsoft for encouraging the idiotic "everyone's an admin!" mentality.
How many times has anyone else set up an app for a user, had problems, contacted tech support only to find out the app MUST be run as admin? So then you end up with a hodge-podge of some apps running as admin, some not, different permissions all over the drive...a mess that is not easy to maintain.
This is why during the set-up of Longhorn it'd be a really cool idea to create all the accounts for the welcome screen, or its equivalent, as non-administrative users. In fact, it should go further than this: it shouldn't give you the option of creating an administrative account at all on this screen. The administrative user should be banned from internet access by default (with the exception of Windows Update) and if you decide to add another administrative account it should warn you profusely that this isn't a smart idea.
In .NET there are attributes that allow you to define permissions on methods. For example, if I know that my method only ever does algebra then I can ban it from network IO, File IO etc. It'd be a good idea to make these attributes required before the source will actually compile. You could have IntelliSense in Visual Studio autogenerate the most restrictive settings whenever you create a new method.
Some security counter-measures can be really a pain in the ass but the couple I've mentioned here would really help bring Windows security under control. Windows security is not bad, per se, it just needs more configuration than we can expect from Joe Sixpack. We need to make security easier for them and that's in everyone's best interest, Microsoft included.
Simon.
The reasons users are "ignoring" it are at least twofold.
There's the old standby of making it harder to do some things (which is the point) as an unprivileged user. To be honest, I'm okay with that; it's the reason for being unprivileged in the first place. My significant other's Windows XP account is set up as a "Limited Account", and she has no problems using it to check email, run Firefox and MS Money, and so forth.
The biggest issue, however, is that it's not the default for new accounts, and that it's actually difficult to make some accounts "Limited". I'd be perfectly happy running my own account as a "Limited account" everyday and using a tool like those mentioned in the FA for installing or doing other tasks as a "Computer administrator". When I try to change my account in the Windows XP User Accounts tool, however, the option of a "Limited account" is unavailable, and instead I get the message:
That's all well and good, but I haven't changed the default Administrator account. There are ways around this, but I've lost interest---perhaps Microsoft can see why people are "ignoring" this option?
Christian Jones
Medicine. Mathematics. Mediocrity.
I use XP Home on a PC and have found the "limited" account too limited to even do things like play games (which read from the CD-ROM). After two days of trying to find ways to allow the limited users access to the CD-ROM I gave up altogether and made all of the accounts 'administrators' again.
Defeats the purpose. Upgrading to XP Pro isn't an option because that costs too much money (YMMV). When I first used Linux, I found it easier to allow and restrict access to devices and files. In Linux it was more straightforward (e.g. deny write access and no one can burn a CD - and once you understand groups you can customize any user's rights pretty easily). Of course, with Windows 2000 it is pretty straightforward but the functionality/setup in XP is pretty much hidden or not there. And there are not a lot of home users with 2000 installed.
Yeah, it's sad that when setting up a new computer for a friend I had to make her kids (12, 14) administrators. If I hadn't there would be no way they could really take advantage of the computer as they install more software than anyone else.
Get your Unix fortune now!
Honestly. Up until Windows XP working inside windows without admin options was a constant annoyance.
:) What adds to it is that Windows really lowered the bar on "advanced options". Stuff like hiding C:\Program Files by default makes every newbie feel like a powerful admin since he gets the concept of drive letters.
Even now it's not really comfortable. It's not that the users wouldn't care. It's just barely useable.
Since Windows needs a lot of maintenance throughout its silent decay until reinstallation, most users feel they are better off working as admin right away.
Furthermore it is not obvious that even professionals should work as normal users as best practice. And Windows setup doesn't really help much with its smoke-and-mirrors way of creating users and rights.
This may come as a surprise to many but, the vast majority of computer users do in fact treat their computers like appliances.
In the non-geek world computers are not worshipped. The fact that these non-geeks do not know and do not want to know about non admin accounts is not "sad" in my view. You shouldn't need to know how to fix your car in order to drive it.
"Most users just don't know they can set up least-privilege accounts in Windows today, and that's just a sad reality."
I wonder if Michael Howard is aware that most Windows software requires admin privilege to be successfully installed?
Is it somehow also a users' problem, not an architecture problem?
Dephine URL
... I'm a true blue Windows user, but I've tried Linux. Red Hat 8, to be specific. I remember the FIRST thing it told me when I logged in as root was to create a new non-power account. It even showed me how to. Whenever I wanted to change/install something, a nice prompt would come up asking for my password to give it the proper privileges.
M$ should learn from this, and their little article there, that instead of the stupid tour that appears when you first log in after a fresh install, there should be a message alerting the user to create a new account.
Let the commencement BEGINULATE!
In my experience, lots of old Windows 95/98/Me software fails to run properly without administrator rights due to nasty habits like writing lots of stuff all over the system registry and/or Windows directory. XP Home also makes the problem worse by making it very hard to set file access privileges. All in all, the problem here is that running most Windows software with lower privileges doesn't work, so nobody sets up their system with limited privileges. Also, there is too much stuff you have to do manually to switch to the right privilege level for every task that you have to understand to actually gain anything for the added complexity.
In contexts where the system administrator and user are two different people (and the system administrator is on the job), things usually work smoothly. These contexts are also those for which software is properly written; how much office software needs administrator access to run? The problem comes when you have a clueless user who is also admin for a machine; you try explaining to people why they should have to type a password (administrator password) to install something and when they should enter this password without confusing them or discouraging them from using limited privilege accounts altogether. Unfortunately, this sort of protection is almost useless if the user with the admin password is clueless.
However, I see no reason why Internet-facing software shouldn't be written to drop privileges on startup, much like a lot of suid root binaries open the files they need and then drop to normal user privilege levels. For example, preventing IE from installing or modifying stuff all over the OS would help a lot.
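As an added example (not code from anyone in this thread), the suid-style pattern the comment above describes: open the resource that needs privilege first, then permanently drop to an unprivileged uid/gid and verify the drop cannot be undone. Written for POSIX C; the file path and the target ids are the caller's choice, and the demo in main uses /dev/null and the caller's own ids so it runs unprivileged.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid. Order matters: supplementary groups and the
   gid must be changed before the uid, because once the uid is unprivileged
   those calls are no longer permitted. Returns 0 on success, -1 on failure
   with errno set. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* shed supplementary groups inherited from the invoking root user */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    /* as root, setuid() changes the real, effective and saved uid at once */
    if (setuid(uid) != 0)
        return -1;

    /* Verify the ids really changed rather than trusting the return codes */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* If we left root, root must not be recoverable: a successful setuid(0)
       here means a saved uid was left behind and the drop is not real. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* The pattern from the comment above: acquire the privileged resource, then
   drop privilege before doing anything else (such as parsing network input).
   Returns the open descriptor, or -1 with errno set. The descriptor stays
   usable after the drop because access was checked at open() time. */
int open_then_drop(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_RDWR | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (drop_privileges(uid, gid) != 0) {
        /* never continue holding privilege we intended to shed */
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Constructed demo: a real daemon would be started as root and pass a
       dedicated service account's uid/gid instead of its own. */
    int fd = open_then_drop("/dev/null", getuid(), getgid());
    if (fd < 0) {
        perror("open_then_drop");
        return 1;
    }
    printf("now running as uid=%u gid=%u, fd %d still open\n",
           (unsigned)geteuid(), (unsigned)getegid(), fd);
    close(fd);
    return 0;
}
```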
On a fresh Windows 2000 system installation, the game Star Wars Galactic Battlegrounds (running on the Age of Empires engine), published by Microsoft, executes only in an administrator account, not in a user account. Many other games from other publishers doing CD checks or strange networking do too.
There you are, staring at me again.
It's a fault that non-util software also requires admin to run, but whether that's Windows' fault or the developer of the software is open to question at best. Personally I'd say that's the developer's fault. A great example of this is Quicken - I have to run from an admin account just to do my accounts? Nope, I don't blame Microsoft for that. I blame Intuit.
Cheers,
Ian
I reinstalled Win2k on my main workstation and tried to live without admin privileges.
That lasted for about... a day.
Logging in and out of 2k just to do maintenance sucked ass in ways that can't be described.
Even though WinXP has a "Run As..." option, I'm hesitant to take it up on its offer in fear it'll break something else.
Non impediti ratione cogitationus.
"To the average user, the notion of non-admin is abstract and obscure," said Michael Howard, a senior security program manager in Microsoft Corp.'s security business and technology unit. "Most users just don't know they can set up least-privilege accounts in Windows today, and that's just a sad reality."
ok, is it just me or do you need Admin to do every damn little thing on the windows platform?
to install MSN Messenger, you need to be Admin
- how much more stupid can it get? At least in any *nix OS, you have a revolutionary 'new' concept (see: sarchasm) called userspace.
So why doesn't Microsoft know about the appeal of a userspace where it doesn't take admin to do EVERYTHING?
--kingpunk
"... Windows today, and that's just a sad reality."
We live, as we dream -- alone....
When a friend of mine got a new Windows XP (Pro, not Home) box, he asked me to help him get it set up. I told him that he should have two accounts: one admin (He has a strong password for his admin account and the username has been changed from default.) and one regular user. I explained the whole issue of how an exploited machine with the user running as admin could cause more problems than if he ran as a regular user. I cautioned him that he'd have to deal with the pain of switching between the accounts whenever he needed to do stuff that required admin rights. Since he's been trojaned before, he agreed. We also set up the Windows XP firewall for extra security since he was directly connected to the net.
Within a month, I got a call where he said, "Dude! Can we get rid of this admin account and the goddamn firewall? Every time I want to do anything useful, I have to log into the admin account. And I'm always having to log into admin and turn the firewall off to play online games". So, I suggested that he spend the money to get an external hardware DSL/Cable router. He did, and we turned off the firewall. But he still wanted his regular user account to be admin because that's where all his data was. After arguing with him for a bit, I told him we could set it up as an admin user (he didn't want power user because we'd tried that and there were still a few programs he claimed he couldn't run even as power user. CDRWIN was one of them) but that if anything resembling the worm/trojan that hit him in Win98 happened, it would be a full reinstall. I wouldn't try to figure out what happened. He agreed. It's been a year and a half since then. He's really good about applying the latest critical updates and that hardware router has probably saved him numerous times. But I still think he's in a risky position.
Most people just don't want to have to deal with the hassle of switching between two user accounts or learning to use "runas". It will always be this way. End users need full privs on their boxes. The only way around this is to set OSes up so that each user's "desktop" is actually a full VM. Then if it gets hosed by them running as admin, the only thing that needs to be wiped is their profile and that VM's image. Much cleaner than having to do an OS reinstall or a postmortem.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
1) Windows XP has a crap default setup for user preferences; candy apple theme, "hide known file extensions", icons view, hide "my computer" etc.
Once the admin account is set, it is a PITA to do the same stuff for other accounts. XP needs a button that says "make ALL accounts use this as default" button on those settings.
2) No damn rhyme or reason behind what requires admin access and what doesn't. Sure, adding Office or Baldur's Gate should require admin; changing screen resolution? Hell no. Half the spyware normal users get uses privilege escalation holes anyway so it does not keep that crap down.
Make the stuff make sense.
Anyway, I have been told (but have not tried) that making the "temp" folder trees "Everyone" read/write explicitly, and adding each account explicitly, fixes most of the "run as admin" problems. Most programs don't do much registry editing, but a lot need scratch space and if they use the temp folders, they need access to them.
DOS 3.3 was the first MS OS I understood, so much so that, when the first DOSSHELL came out, I asked why would someone need that? I jumped on the NT technology because, when it first came out, it was well documented (vis-a-vis my experience) and it allowed a whole new playing field. When NT 4 came out MS moved video and printer drivers from user mode to kernel mode. This was, IIRC, about the time Bill Gates had his vision of the PC-integrated multimedia household. I believe the PC version of Windows has pursued this vision of a multimedia OS to the point of having become in WinXP an ugly, bloated kludge, but it does, as much as possible, deliver in an ugly way, as a backward-compatible multimedia OS.
Win 2K was the last OS to maintain the promise that Win New Technology brought with it. Win XP saw the culmination of MS' effort to integrate Win95/98/ME with some of the benefits of NT, but the end result is an all-and-everything everyman's stew meant to satisfy the cravings of the masses.
I run WinXP on a web box for multimedia but thanks to the lessons gleaned online (/.:) I'm moving on to a *BSD, or one of the upcoming microkernel OSes to do research.
"Academicians are more likely to share each other's toothbrush than each other's nomenclature."
Cohen
I tried to do that for my son's computer. 98% of games will not install without "root". And if you install them as Admin, 90% will not run from a different user :((((
They have this joke, called "run as", but I wish they had "chmod +s" as well (or maybe they do? couldn't find it in 15 sec)
No, but you shouldn't be allowed to drive without taking a driving test.
So, how many people really have machines that have multiple users, anyway? I don't see why I should set up a non-admin account on a Windows XP box that only I use.
By the way, I'm constantly frustrated by my new Windows XP machine that won't let me do what would be normal tasks under Windows 98, even as the administrator (running legacy programs that need access to the parallel port, for example).
It is not a fault that software requires administrator rights to install into the default location (c:\Program Files on Windows, or /usr/bin on Linux), but it is a problem when you cannot even install and run it from your own home directory without entering the administrator password. This makes it impossible to run software without giving it full control of your machine.
I'll probably be modded down for this...
Well, I still have WinXP on my box for social reasons (LAN party). When I set up the system I created 2 users: root and non-admin. The thing is it's a lot of trouble for almost nothing. Personally, I prefer the Unix way of doing tasks as admin (su in a console and exit when it's over) rather than the "run as admin" way. That way was painful and not comfortable, so the non-admin user was dropped.
This "opt" out feature made millions to some ppl. It is well known thing for PC security ppl.
That site is great. It has articles on SUS/WSUS and LUA written by MVPs. They also have links to using FUS to flip between a LUA account and a DA or LA one. /If you understood what these meant, you'd stop complaining about how Windows doesn't have SU.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Seems they dont have a problem, as it *defaults* to secure.
Apple also tries to speak to the *user*, not 'yet another IT support person'.
---- Booth was a patriot ----
Most users don't know, understand or care about user accounts. They just want to use the machine to surf the web, check their e-mail, maybe play some games, dink with their photo albums and the like.
They don't understand the need for user accounts and privileges and how that relates to their machines not being breeding grounds for all of the malicious annoyances so prevalent on the web today.
The Windows account management interface is irrelevant until the majority of users know why they need to use it and then want to.
I had to make the 4 yr old a power user to run the educational programs she uses from such manufacturers as Jumpstart, Knowledge Adventure, and others.
On the other hand, my 17 year old is a limited user and everything he plays will work OK with that setup. Sometimes I have had to grant permissions to the program directory or on a couple even the registry key in the hive, but I don't know of a single game we haven't been able to get working that way, and he plays most of the current ones such as World of Warcraft, HL2, Doom 3, and many others. WoW required granting him access to the program directory and the registry key so he could apply the updates but he still runs it under his basic user account.
I thought it funny that the 4 year old has more rights than the 17 year old, but that is the only way I could get her programs to run.
It's partially driven by software that won't install as a regular user (i can kinda live with that) and/or won't run as a regular user (unacceptable except for system utilities).
I can't even count right now how many clients I have running users with admin membership because of crappy software.
And the kicker is, it's not that hard a programming task to make software run in the regular user context! argh!
eric
MS - Hello intrepid user. I know I've always allowed you to run as root before but check this out! Your computing experience could be filled with an endless array of confusing dialogue boxes all basically telling you you're not root.
User - That sounds like it might suck.
MS - No no no, it's great! And it's pretty hard to implement. Oh and a whole shitload of legacy apps won't even install.
User - Why would I want that?
MS - It's safer.
User - Do you still let programs run as System?
MS - Well yes.
User - Why?
MS - Symantec asked us to support the Open Source Virus Community and we are!
This
But IIRC when I installed Windows XP Pro on my PC, the installer only created one (visible) account by default. An administrator / superuser account, for my personal use. Very secure Microsoft. (I'm stupid enough to be using it of course, although I'd like to think I'm geeky enough to be safe).
The Mac OS X approach is better IMO. You can't actually create a true Super User account (and the UNIX root account is disabled), at least not without *nix hackery. Instead the default account created is an Administrator account, which can only do SU type things if the user inputs their password (in the GUI) or uses the sudo command in the Terminal. (AFAIK you can also do SU type things from normal accounts, if you enter an admin account username / password in the appropriate dialogs). Of course that doesn't really add much security; I'm sure if a malicious program wanted SU powers, most people would happily enter their password, it's a pretty standard thing to do if you're installing software or running Software Update.
Of course as other people have noted, quite a lot of Windows programmes aren't multi-user safe, whereas Mac OS X ones are, seeing as they had to be partly rewritten anyway for OS X. Perhaps what Microsoft really need to do is set Longhorn up so it doesn't install with a Superuser account as the default, and implement some sort of Mac OS X style ability for programmes to easily get SU powers when needed (during installation and that's it for most stuff). Of course programmes would break, but Microsoft now seem a bit less shy at breaking programs in the name of security, and they could add some sort of extra compatibility option to run as SU for older programmes.
10 PRINT "LOOK AROUND YOU ";
20 GOTO 10
I work for a major company in the test engineer group. We have to install/uninstall/modify software on a regular basis, and because of this we each have our normal domain login (which is locked down) but we're also assigned an admin account to do these tasks under. This is completely understandable because of the type of work we do. But on a machine (not on a domain), at home, with one primary user, there's little incentive for the average user to have two accounts. I doubt most Windows users even know about the RunAs feature. I guess the question is will the average user trade convenience for security? The majority of those I've met haven't and I doubt they ever will.
Man, their systems are (kind of) locked down with the lower-privileged Win accounts. This article really doesn't make a lot of sense because I seem to notice quite quickly when I'm working on a WIN box under an other-than-admin account - how about you??
... if music be fruit of love, play on
Compare the ease of use of a standard Linux logon in, say, KDE and the way that interacts with root level with the mess that you get with a low privilege account under Windows and it doesn't surprise me nobody uses it.
You can let your granny loose on KDE with little instruction, to set her up as LUE under Windows would invoke such a barrage of support calls it would be a simply insane choice.
I guess it's another one for the "Gut the facts" campaign..
Insert
In a 1979 document titled On the Security of UNIX, Dennis Ritchie wrote:
"The first fact to face is that UNIX was not developed with security, in any realistic sense, in mind; this fact alone guarantees a vast number of holes."
It's my computer, I can do whatever I want with it. Interactive confirmation is not really "less privilege". What is needed these days is "least privilege software", where each process runs in the most restricted sandbox that allows it to do its job and permissions can be granted interactively when needed. Ideally, each program will by default only have access to its own document directory, no network connections, no dangerous UI capabilities and so on.
By the way, I know full well that's not how existing operating systems work. But perhaps they should.
Until Microsoft makes it more uncomfortable to run in Admin than it does in User, everyone will run as Admin.
Currently, run as user, even power-user, and you've got a mess of logouts, logging in, ensuring you tick the right boxes in install dialogs, and sometimes things won't even install for all users whatever options you give, so you're stuck with only icons in admin's start menu and not for users...
I run as Admin under Windows, because it's such a pain in the arse not to.
Tons of software is so poorly written that you can't use it without admin rights. Many software installers don't handle rights correctly and shell to the right user to install during the install process.
LUA is useful in the corporate world, but my dad doesn't want to log in as admin for some things and himself for others.
Whatever Windows' equivalent to su or sudo is sucks so badly it's borderline useless, and on top of that... one would think you could right click and "run as user..." on an application like say the installer for the new version of Quicken...
Windows is so 1990s...
-- $G
For a while after we rolled out NT where I work, we debated if we should give users admin rights or not. Our decision was that it was easier just to give them admin rights to their workstations than to have them call in every time they want to install a piece of software. It was basic cost-benefit analysis - the time we would spend reimaging the machines that users screwed up was less than the time we would spend logging in as admin and installing software for users.
There are other reasons as well, like software "pushes" that we do via Novell ZENworks which need admin rights to install.
I have a blog like everyone else
I was trying to set up somethng that another user could log on to my machine with their account and run a simple program to reset something they access on the company network, as my machine is the host of that dongle- we are on a network.
After much of my time trying to figure out why he couldn't run the program - access denied...even after going thru all the security properties of the programs involved in this reset task I gave it to the company IT guy to try and solve...
After he basically went thru all the same motions I did, he finally figured that my co-worker didn't have a local account on my system regardless of being able to log on to his account on the network from my machine.
I find this rather confusing. My question at this point is: is this local account the same as or tied to the network account? And does it mean that any system I want to log on to and have the ability to run programs on requires me to have another local account... (i.e., there are three machines I use; do I need 4 accounts and the need to maintain all four separately on some things - though named the same and all????)
as things get smaller:
All I really need is a flash drive that carries my system on it, with tools I personally purchased, where I plug it into any system I may use in the company. Where company purchased programs are made available on those systems for me to use at those stations specific for such work, and if the network administrator has given me clearance to use them. Of course company owned files I may create would be on storage somewhere in the company network.
This is plain common sense, it's not novel or innovative and certainly not patentable in any sort of way, for it is no different than what I can expect of a company as a bench carpenter having my own personal tool set that I use along with company owned tools for which either the department leads or shop manager determine my access to. And of course any jigging I create for the company becomes company property in a location of their choice.
What really pisses me off is the difficulty of being able to use my own tools without having to install them on company systems...And nobody made this a problem except for those with power tripping control freak problems...... FUCK, on the Amiga a program wasn't really "installed" in such a wide integration of the system and its file structure, but rather installed into its own directory (where ever that may be) and runnable from there.... like today it might be a usb stick...
Security in computing today is really overcomplicated BS... when it should be more like car keys where you take them with you.
with a home user (1 or a few people) windows box, there's usually no *need* to secure the box with different level user accounts...apps and the os can be reloaded, but if the user's data gets hosed, it's gone no matter who they were logged in as. (and data matters far more to the average user than anything else --- and they **more than likely** don't have backups).
with a *nix box, it's probably multi-user, meaning that application / system integrity is as important as any user's home directory. hence the need for limited accounts...to ensure no one can fuck up anything beyond their home directory.
"Evil will always triumph because good is dumb." -- Dark Helmet
Like many of the slashdot readers, the last sentence of this post caught my eye: "Most users just don't know they can set up least-privilege accounts in Windows today, and that's just a sad reality." What a very strange perspective to think of this as a sad reality. For two reasons really. First, for someone to be distraught that someone feels this is what is wrong in the world of administration, computer security, or the world as a whole is a bit distorted. The second reason I found this strange is that the fault lies with the user and other administrators for not knowing this aspect of a software package. Seems that there is a problem with disseminating the information, or as many previous readers have mentioned, there is a problem with the functionality itself. "Sad reality" - not so much. Overlooked tidbit, maybe. Another action item for Microsoft's training center - most likely.
...exactly what I said in my previous post: least-privileged admin-password-asking security systems are useless for home users. Make a user type his password n times a week and he'll type it in every single dialog window that asks for his password. Even the malicious ones.
So now you have your user enclosed inside an annoying stainless steel safe, except for the fact that it isn't safe at all, because he'll yell the door code at anyone standing outside.
Home users don't need annoying internal security. They need transparent outside access security. That's all. Give an annoying security tool to someone who is only interested in being left alone to use his computer, and he'll break it in a minute.
Face it, people: users will always want to be in charge of their computer, to install the latest (card/3d/simulation/fishing) game, "multimedia" tutorial or whatever. So now you have two choices: 1. Give them a crippled (no admin access) computer and they'll give you the finger. 2. Give them the admin password and they'll render it useless.
And no, this is not a matter of education. Even the most experienced geek can get distracted and annoyed as hell with password prompts. Create a security system that gives you routinely security prompts and they're going to be... routine.
What we need to fix is the way computers execute applications. We need a secure list of routine applications and procedures and a secure code signing system. A system where funny-cat-game is really from a company that was previously-approved by -SOME SERVICE-. So that way we'll only have important security prompts at important situations.
No, this is not the solution for most security-related problems, but it's a rough notion of the direction we should be heading at: create a system, any system, that allows the computer to stop asking (the home user) passwords all the time.
The problem here might be Microsoft NOT abusing their monopoly enough. If they were forcing a single installation system for all software (a la Gentoo's Portage), they could transparently modify privileges for all software. "Remember, in order to play games you have to be a member of the 'games' group". And furthermore, make admin not being able to play games or surf the web by default and the users will understand.
The sad reality of the situation is it is IMPOSSIBLE to run as a non-admin and actually get anything done.
As a savvy PC user I tried to set up my XP system following best practices. Only run as admin when necessary. However, the two applications I use every day make this impossible. Quicken and NewsBin Pro. Both of these applications require write access to their respective program files directories, which forces you to run the application with elevated privileges.
Until either application developers create proper software that actually obeys the security model or Microsoft enforces this policy then Windows users will always be admins.
The fact of the matter is that this simply is not the fault of the users. Windows XP just really isn't designed around the idea of running in a Limited User Account.
To begin with, during install, WinXP will create an Administrator account with no password and then have that account automatically log in when you start up the computer. For many users there's never even a realization that you can have more than one account.
Then there's the fact that you're not allowed to create Limited accounts unless you've already created an Administrator account - the built-in "Administrator" account doesn't count. You need to create another account yourself and give it admin access before WinXP will allow you to create limited accounts.
Finally, a lot of things simply do not work when you're in a Limited User Account. Many programs (mostly games) still don't save their files to a user-specific directory, meaning that all users need full administrator access to wherever that program decides to save things. A lot of software likes to write to the registry, when other solutions are definitely possible. Web page plug-ins...ActiveX controls...passing video streams off to a player...lots of things just plain don't work when you're in a Limited User Account.
Is it any wonder that people don't run in Limited mode? Most folks like to actually be able to use the software they've got installed...
Security is an afterthought with Microsoft's stuff. Yes the security capabilities are in place but they're a major hurdle to operability, so for the average user they seem hardly worth using (if the user is even made aware of the capabilities). Microsoft's legacy of offering no security at all (until about five years ago) now requires them to retrain thousands of developers and millions of users who have grown quite accustomed to the way things are. Microsoft has to overcome an enormous(!) momentum of un-security consciousness.
Unix and its offspring, on the other hand, were built with security in mind from day one (more or less). As a result Unix requires a bit more thought from the user but (as mentioned earlier) Redhat and others have demonstrated quite effectively, IMO, that the machine can ask for elevated privileges when necessary at which point things magically "just work."
The question now is whether Microsoft gets enough of it right in their next major release to finally bridge that hurdle, and whether they do it in a new and different way from Unix that doesn't help users jump from one O/S to the other.
--Udo.
"Most users just don't know they can set up least-privilege accounts in Windows today, and that's just a sad reality."
I know pretty damn well how to set up this thing. It's easy. A sad reality is, if you are not an admin on a windows machine, you can't do shit except surfing the web and checking mail. Problems installing software, software installed by admin won't run on your account, etc.
Mod me bitter.
When you don't know how to do something that the computer can do, it's "hacking" to figure it out and do it anyway. Practically no one wants to hack - that's what makes geeks special. And especially since the Bubble, all the normals think "hacking" is scary - especially when it's in any way related to security. Microsoft, the greatest social engineering corporation ever, must have some awareness of those realities. They also must therefore have other priorities, like just being able to say they have a "secure mode", even if no one uses it.
What do we call the opposite of "vaporware": real features that no one ever uses? "Cellarware"?
--
make install -not war
Go into a Linux IRC chat session as root and you'll be kicked and receive a message that says, "Don't IRC as root!"
Go into a Windows IRC chat session as administrator and someone might gain root access.
I did a lot of research on this subject while working on a college campus migration to windows xp a few years ago. The non-admin accounts simply broke too many pieces of functionality (particularly in the realm of peripheral access). Power User accounts and "run as" scripts are (like most kludges) just too much for the average user. We ended up giving everyone administrative accounts. Everyone runs as administrator because it works. I don't want to be a windows troll (I happen to like windows), but os x and most linux distros have much better facilities in place to provide administrative access without running as a fully-privileged account. On windows you really have to run as admin or experience a lot of hassle.
One big problem with Windows is that there are too many local exploits that allow for privilege escalation. These turn remote exploits into remote, rootable exploits.
This has its roots in Windows's history (e.g. Shatter attack). Microsoft has made some effort to patch up local exploits (e.g. the shatter attacks are fixed -- supposedly), but to the extent that they are there, if people do start using LUA, that's going to get banged on like crazy, and there will be a further slew of exploits.
Given the problems of running LUA, this will really make people feel like they're morons: they'll be wearing the hair-shirt of a LUA experience, and then getting bukkake'd(*) with malware anyway.
Billy's going to have to try it again, with feeling.
* Bukkake: a Japanese word meaning, "to splash".
http://www.thebricktestament.com/the_law/when_to_
OS X will prompt the user with a login prompt when attempting to do something that needs an Admin account. In OS X root is disabled by default and Admin accounts are used instead. You can sudo only if you are an admin. But everything else prompts with a GUI authentication prompt.
OS X even provides a more limited account that can be locked down even further which is ideal for KIOSK setups and young children.
Because software installation is an administrative function, moron [...] (Installation implies system-wide access.)
Then why should software need to be installed at all in order to run?
Perhaps if companies like HP weren't releasing printer and scanner software that only works as an admin user, things would be better. Ditto if MS didn't make new computer accounts admin by default!
...is not that windows users don't know you can do it, it's that most users wouldn't understand why you would want to do it. and neither does most windows software.
"Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
last I checked you can't even tie an executable to launch at startup (basic requirement for always on software) using LUA.
Why not? Doesn't Windows automatically run all programs listed in the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run or in the ...\Start Menu\Programs\Startup folder? Or is a limited user not granted permission to modify her own HKCU and her own Start Menu?
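As an added example (not part of the thread, and not from any of the posters), the following PowerShell inventories the per-user autostart locations the reply names (the HKCU Run key and the user's own Startup folder) alongside their machine-wide counterparts. The split matters for both sides of the argument above: a limited account can register its own startup items without touching HKLM, and an administrator auditing a box for unwanted persistence needs to look in both scopes. The RunOnce keys are included as an assumption about what a practitioner would also want listed; they are not mentioned in the post.

```powershell
# Added example: list autostart entries by scope. "User" entries live in the
# current user's own hive and Startup folder and need no administrative
# rights; "Machine" entries require admin access to change.
function Get-AutostartEntries {
    [CmdletBinding()]
    param()

    $locations = @(
        @{ Scope = 'User';    Kind = 'Registry'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' },
        @{ Scope = 'User';    Kind = 'Registry'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' },
        @{ Scope = 'User';    Kind = 'Folder';   Path = [Environment]::GetFolderPath('Startup') },
        @{ Scope = 'Machine'; Kind = 'Registry'; Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' },
        @{ Scope = 'Machine'; Kind = 'Registry'; Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce' },
        @{ Scope = 'Machine'; Kind = 'Folder';   Path = [Environment]::GetFolderPath('CommonStartup') }
    )

    foreach ($loc in $locations) {
        if (-not (Test-Path -LiteralPath $loc.Path)) { continue }

        if ($loc.Kind -eq 'Registry') {
            # Get-ItemProperty returns the key's values plus PS* metadata
            # properties (PSPath, PSParentPath, ...); skip the metadata.
            $props = Get-ItemProperty -LiteralPath $loc.Path
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }
                [pscustomobject]@{
                    Scope    = $loc.Scope
                    Location = $loc.Path
                    Name     = $p.Name
                    Command  = [string]$p.Value
                }
            }
        } else {
            # Every file (shortcut or executable) in a Startup folder is run at logon.
            foreach ($f in Get-ChildItem -LiteralPath $loc.Path -File -ErrorAction SilentlyContinue) {
                [pscustomobject]@{
                    Scope    = $loc.Scope
                    Location = $loc.Path
                    Name     = $f.Name
                    Command  = $f.FullName
                }
            }
        }
    }
}

# Usage: run from a limited account to see what that account can manage
# itself; run elevated to review the machine-wide entries as well.
Get-AutostartEntries | Sort-Object Scope, Location, Name | Format-Table -AutoSize
```

Entries under the "User" scope are exactly the ones a limited user can add or remove; anything that needs to start for every account, or before logon as a service, is the part that genuinely requires an administrator.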
The core issue is, that windows is not a multi user OS, and while it is developing into one, on the other hand it fails so many ways.
The reason programs do not work in restricted mode is that restricted mode did not exist by the time they were written! Most Windows programs are written assuming they will run on a single user OS. On XP you can log on as a different user while the other user's tasks are running: too bad ICQ can only be run in one instance. And so on.
vajk
The place where they chose to draw the line between user and admin restrictions in the API is so asinine that it's virtually impossible to write any sort of complex app that *doesn't* require some admin functionality to run.
Other than the restriction on writing to HKEY_LOCAL_MACHINE and HKEY_CLASSES_ROOT, which restrictions are you talking about? And aren't there equivalents in HKEY_CURRENT_USER for most of the HKLM keys that a typical app's installer needs?
I've had the enjoyment of learning all about LUA about two months ago. A very umm.. textbook example of a small network -- Win2k3 server, WinXP Pro clients.
.. it throws up a dialog after an admin does some changes but for a user and does not acknowledge the user's response (silently fails when writing to a system registry key). I have no idea why a user is prompted when an admin does a modification. Same thing with user defaults -- the system, even though it prompts to set a browser as default, silently fails when setting registry keys (again, not a user registry key). Apparently there is no way to adjust registry key security from a GPO or script to grant users this access (w/o going to each system manually)..
.. hehe.. that is so not even close to su/sudo -- while there appears to be lots of little workarounds (ie logging into administrative network shares of drives) its cumbersome and adds so much extra time to troubleshooting.
.. I really don't understand why users don't have their own fonts folder. I had to manually go into each computer, modify the registry to give permission to add fonts, adjust the fonts folder permissions, yada yada.. PITA. A user font folder (that follows them if roaming profiles are enabled) would have been a piece-of-cake while leaving the system font folder small and fast.
Needless to say, this was not even CLOSE to what a UNIX user account is like.
Few thoughts..
1. App compatibility - very annoying. While some apps are kind enough to out-right say they suck and are not compatible, there are LOTS of apps that fail in *silent* ways. Mostly writing to folders and registry w/o checking for access rights. There are many apps that attempt to write temporary files outside of user folders (ie the Program Files folder) or even store user prefs in the system registry.
2. Along with #1 -- there are many things INSIDE WinXP that fail. One very annoying example is msconfig
3. runas
4. Fonts
Also, a way to boot the system in admin mode from the beginning with for example the Longhorn CD in your drive would allow to save some situations, and would NOT be a breach of security (it is possible to read an NTFS partition when booting with a Linux CD anyway, and when you own the hardware, you own the data, unless properly encrypted, which is unaffected by the fact you can log in as admin then)
Physical access to a computer and to a CD that contains the same OS that the computer is running do not imply rightful ownership of the computer. For instance, under your scenario (unless I deeply misunderstand it), you could have a Windows CD from your home computer, bring it to work, and use it on a work computer owned by your employer.
[If you let other people use a computer that you own,] do you want unprivileged users to be able to install software, except for in their own accounts' space?
Problem is that too many commercial programs do not have the option to install to a single user's account. Why is there no folder with a name like C:\Documents and Settings\tepples\My Program Files?
When I first installed Windows on my new system, I tried creating a separate non-admin account that I'd use for my day-to-day computing. Shortly thereafter, I added it to the Administrators group because I just couldn't take it anymore.
Installing applications was mostly a non-issue, with Windows prompting me for my Administrator password when I tried to install something that needed Administrator permissions.
However, almost everything else was a giant pain in the ass. If I wanted to use any of the control panels, I either had to log out/log back in as Administrator, use Terminal Services to connect to localhost and log in as Administrator, create yet another shortcut to run it as Administrator, or use the runas command. None of those options are nearly as slick as Windows Installer asking me for my Administrator password. Why they couldn't use the same model is beyond me.
It's not only the control panels that I had problems with. If I wanted to use Windows Update, I had to be Administrator, and it gave me no easy way to become Administrator. If I wanted to develop and debug something in Visual Studio, I either had to be Administrator or be in the debuggers group, which essentially gives you free access to poke at the system any way you like. And of course, numerous applications and games have copy protection systems that require system drivers and services to work.
Of course, LUA doesn't do a damn thing against network-based attacks.
In the end, it's much easier to run as Administrator and drop privileges when running certain applications.
except that it was impossible to view anything on the Internet because the DSL dialer _REQUIRES ADMINISTRATOR PRIVILEGES TO CONNECT_.
DSL dialer? I thought one of the benefits of DSL over dial-up networking was that DSL is always on. If the dialer does require a proprietary method to get an IP address, then can't the dialer be set up to run as a service?
OS X will prompt the user with a login prompt when attempting to do something that needs an Admin account.
What prevents a program from spoofing this login prompt and phishing an admin password?
A lot of programs (even some that come with Windows), are not multi-user aware. The sad reality is, it's just not practical with Windows (without a lot of post install admin setup).
Try this.
Create a limited account with Windows 2000, or even XP. Log into this limited account, and open up the calculator program that comes with Windows. If it's on standard, change it to scientific, or vice versa. Close the program and reopen it. Voila! Your setting was not changed. This is because calc.exe uses HKLM to store it's settings, when it should be a per user setting. This is just a small example.
Now, you (as the administrator), could setup permissions in the registry to allow others to change the setting. But anyone who changes their calc will do it for ALL users. Now imagine having to set up these sorts of permissions for other programs you may have installed. This is a LOT of potential administration that may need to be done.
This is even less practical on Home editions of XP, because, by default, it severely limits what permissions you can set.
I think that the least privileged account would be used far more often if it did not break programs installed by administrators. It would also help if the method of setting users to this level were much easier, not requiring any sort of programming knowledge to accomplish.
INACTIVE ACCOUNT
Mod that man up.
:\
Intuit is criminal number 1 in this area (this month anyway, I have my targets change from time to time...)
Get this: The "enterprise" version of QuickBooks that will allow you to run in terminal services (gotta spend that extra cash to run the same software remotely you know!), requires that you have Power Users or Administrator privileges.
Here's the catch however: I have a client running Small Business Server 2003, and they just went through a company restructuring where the CFO is going to be 200 miles away for the next few months, and needs to be able to hit QuickBooks from a terminal server session (yes, I know, VNC, PC Anywhere, bitmap pusher x..., work with me here though).
So, on an SBS, you can't have any trusts, no member servers (I might be wrong on that last one, apparently there's a hack that allows this, but again...), so the only server on the domain is the DC. Your DC does not have "local" accounts and groups, only the AD users and groups. So a local power user doesn't exist. The only rights I can give them to be able to work is Admin.
The whole point of remote users is to.....access things remotely. You're requiring that every one of my users that wishes to use QuickBooks have Admin rights, and if they want to run in term serv, I have to allow dial in rights to that Admin account.
So I got on the phone with them. I suggested the following workaround:
"What if I just create a domain account, say 'QuickBooks User'. Set it to an obscenely secure password that no one but the admins could possibly know. Make it long, make it random, make it not-so-easy to remember. Grant that account Admin rights. Set Quickbooks to "Run As..." that user. Now Quickbooks gets the Admin privs it needs, but not the user."
After going through a supervisor, it was explained to me that this wouldn't work, and in fact they misconstrued it as an attempt on my part to subvert their licensing (because now I only have a single Quickbooks user, and we're supposed to pay per-seat for the license), and "Run As..." is intentionally broken to prevent this, along with the ability to run in Terminal Server if you haven't purchased the enterprise version.
Wow.
Cash more important than security.
Hey guys? What is so important at the system level that the *user* needs to make modifications to the OS? Why not store the data in the user's profile? Or in a shared directory with rights granted to the users in the "QuickBooks Users" group?
I just don't get it.
Karma: Chameleon (mostly due to the fact that you come and go).
Michael Howard wears a t-shirt with this inscription when he gives training on Windows. I saw him at some freebie M$ seminar. He's a good speaker, and overcomes the technical flaws in his presentations with glibness and flair. He spoke about not running as admin, but ignored the issue that many if not most Windows software doesn't work if you are not admin.
I don't think it's that they "don't know" about the non-admin account, it's probably that they don't want to mess with it.
:)
Running a non-admin account in Linux is easy. When you need to do some admin work from the non-admin account, you simply type "su" or "sudo" and you are given the opportunity to enter the admin password so you can do the admin work. This keeps you from having to log out of the non-admin account and into the admin account to get the work done.
In Windows, when you want to do some admin work, you have to log out of the non-admin account and into the admin account to do the work. Then you have to log out of the admin account when the work is done and back into the non-admin account. It's too much trouble because Windows does not give you the opportunity to enter the admin account password when you need to do admin work from a non-admin account.
Windows doesn't have true accounts anyway. I can log into any account and view/edit/delete the files and folders in other user accounts and Windows doesn't separate the Start menu across accounts - the "All Users" account is a bad idea and shouldn't be there at all. I logged into a non-admin account yesterday and deleted enough files (fonts, Start menu, etc.) as to make the OS unusable to all users, even the admin.. then I installed Linux
Microsoft has a lot yet to learn and do before the Windows OS is anywhere near being similar (or a threat for that matter) to Linux.
I can tell you how many Macs running OS X I've seen with people logged in as essentially "root". Sure OS X prompts you for an admin password when critical things happen, but everyone I've seen blindly enters the root password. Most times, the user does not even read the dialog box.
The "least privileges" problem happens on all operating systems....most users of personal computers want to be "root". Until users become more security savvy, this will be a problem on all systems.
-ted
You don't need to install programs or change system settings so often on Linux.
Only because there are so few commercial games on Linux compared to Windows. Most commercial games for PC require installation before they can be used (unlike console games), and too many of those do not support installation to a limited user's home directory.
Sorry, had to get attention somehow. :)
:\
Seriously, I'm sitting here, sipping my coffee, and had this bad, gut-wrenching feeling sneak up on me.
Here's the deal: very soon a large portion of my business model is going to hinge on making Windows software run on *nix platforms. Be that through wine, compiling with winelib, or porting the software wholesale.
In the case of wine, and I think even moreso with winelib, I suddenly have this fear that all of this software that demands admin rights on Windows is also going to demand it on Unix. I don't think that's totally correct because we're providing a "fake windows" for the software to beat up on, and c:\ isn't really / on the filesystem. That said, if it is all owned by the user, then the user can effectively have admin rights on that wine app, but still have no rights to harm the system overall.
Sound right?
I hope so. If not I'm going to have to work around this somehow.
Karma: Chameleon (mostly due to the fact that you come and go).
This is how Microsoft could fix this at an API level without breaking legacy code:
Step 1: When a non-privileged user installs an application, install it in the user's space and create the required keys prefixed into the user's area in the registry. A warning to the user when installing stating it will only be available to their account will be needed.
Step 2: When running an application, first check the current user's virtual registry, then the true global registry.
Step 3: Add the rights necessary for accelerated video to work under the default user rights.
Step 4: Switch to Linux/Unix because they got this right 20 years ago!
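The per-user-first lookup this post proposes (and the HKLM-versus-HKCU question raised earlier in the thread, along with the calc.exe Standard/Scientific example) can be shown from the application side. The following PowerShell is an added example, not code from any poster or from Microsoft: reads consult the user's own hive first and fall back to the machine-wide key, and writes always go to HKCU, so a limited user never needs access to HKLM. The vendor and application key names are placeholders.

```powershell
# Added example: a setting store that prefers HKCU and falls back to HKLM.
# 'ExampleVendor\ExampleApp' is a placeholder key path, not a real product.
$script:AppSubKey = 'Software\ExampleVendor\ExampleApp'

function Get-AppSetting {
    param(
        [Parameter(Mandatory)][string]$Name,
        $Default = $null
    )
    # Step 2 of the post: the user's hive is consulted before the global one,
    # so a per-user override beats an administrator-installed default.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key = Join-Path $hive $script:AppSubKey
        if (Test-Path -LiteralPath $key) {
            $item = Get-ItemProperty -LiteralPath $key -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { return $item.$Name }
        }
    }
    return $Default
}

function Set-AppSetting {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)]$Value
    )
    # Writes always land in the current user's hive. Every interactive user
    # can write there, which is what makes this work from a Limited account.
    $key = Join-Path 'HKCU:' $script:AppSubKey
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    Set-ItemProperty -LiteralPath $key -Name $Name -Value $Value
}

function Test-IsAdmin {
    # True when the current token holds the Administrators role.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Demonstration: the same 'Mode' setting the thread's calc.exe example loses
# when stored under HKLM survives here because it is written per user.
"Running elevated: $(Test-IsAdmin)"
Set-AppSetting -Name 'Mode' -Value 'Scientific'
"Mode resolves to: $(Get-AppSetting -Name 'Mode' -Default 'Standard')"
```

Run it from a Limited account and the write still succeeds; an administrator can seed a machine-wide default under the HKLM copy of the same subkey, and each user's own choice overrides it without any ACL changes.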
"Running windows without admin rights is a nightmare."
It certainly isn't easy, unless you're willing to invest significant technical time and effort into the project -- which is, I'm sure, a big part of the reason why most people don't do it.
That being said, I'm the admin for an organization with about 60 or so Windoze stations, and I can say that it can be done for most things. It most often involves figuring out what the defective program is trying to do, and then allowing it access to just where it needs.
The two most vital tools are FileMon and RegMon, both free from SysInternals (http://www.sysinternals.com/). They monitor file system or registry accesses. The vast majority of programs can be made to work just by applying some ACLs on program-specific registry or filesystem branches.
There's no way in hell your "typical home user" could do this, though, which is, I expect, the problem and point.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
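Once FileMon or RegMon has shown which folder or key a misbehaving program insists on writing to, the fix the post describes is a narrow ACL grant on that branch rather than admin rights for the user. The PowerShell below is an added example (not the poster's script) of that grant for a folder and for a registry key, plus an audit that lists top-level Program Files directories already writable by broad groups, which is what the scoped grant is meant to avoid. Paths are placeholders.

```powershell
# Added example: scoped ACL grants for a "defective" program, and an audit of
# over-broad grants. Paths below are placeholders for what FileMon/RegMon showed.
using namespace System.Security.AccessControl

function Grant-UsersModifyOnFolder {
    param([Parameter(Mandatory)][string]$Path)
    # Modify on just this folder tree; the rest of Program Files stays read-only.
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object FileSystemAccessRule(
        'BUILTIN\Users',
        [FileSystemRights]::Modify,
        [InheritanceFlags]'ContainerInherit, ObjectInherit',
        [PropagationFlags]::None,
        [AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Grant-UsersWriteOnRegistryKey {
    param([Parameter(Mandatory)][string]$Path)   # e.g. 'HKLM:\Software\ExampleVendor\ExampleApp' (placeholder)
    # Enough to read, set values and create subkeys under this one branch only.
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object RegistryAccessRule(
        'BUILTIN\Users',
        [RegistryRights]'ReadKey, SetValue, CreateSubKey, Delete',
        [InheritanceFlags]::ContainerInherit,
        [PropagationFlags]::None,
        [AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Find-BroadlyWritableProgramDirs {
    param([string]$Root = $env:ProgramFiles)
    # Report program directories where a broad group can already write.
    # Such grants are the blanket alternative the scoped functions above avoid,
    # and they also let any user replace binaries other users run.
    $broad = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if ($null -eq $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [AccessControlType]::Allow) { continue }
            if ($broad -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band [FileSystemRights]::Write) -eq 0) { continue }
            [pscustomobject]@{
                Directory = $dir.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

# Usage (elevated): audit first, then grant only what the monitors showed.
Find-BroadlyWritableProgramDirs | Format-Table -AutoSize
# Grant-UsersModifyOnFolder       -Path 'C:\Program Files\ExampleApp\Data'          # placeholder
# Grant-UsersWriteOnRegistryKey   -Path 'HKLM:\Software\ExampleVendor\ExampleApp'   # placeholder
```

The grant calls are commented out so the script is safe to run as an audit; uncomment them with the real paths once the monitor output shows exactly where the program writes. Keeping the grant to a data subfolder rather than the whole install directory also avoids letting users overwrite the executables everyone else runs.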
The difference is that you're setting things up so one badly-written application can run as Admin when the user wants it, but most of your other programs are running as non-privileged-user, vs. setting the user to be Admin for everything they run. Sure, when you're running that one program, you're still exposed, but at least for most of your applications, they're less dangerous.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I bet ordinary (meaning non-us-type people) Apple OSX users fail to understand LUA principles at least as much as Windows users. The difference is that Apple sets up your user account to run with least privileges by default and prompts you for the root password when you try to overstep your bounds.
Why doesn't Windows do it that way? Microsoft made a choice.
"Lawyers are for sucks."
- Doug McKenzie
I'm not sure if that's always true, but it's certainly true for the VPN software version I use to access the network at work. Very, Very Annoying! It means that I can no longer set up my home PC to access the VPN the way I did when the home machine ran Win98/WinME, since I use XP's fast user switching between root, my non-priv account, and my wife's account.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I tried using it for myself but gave up because both of the games I play under XP require admin privs to run (and that's pretty much the only reason I have an XP box).
I tried using it for the kids accounts, but I ended up turning it off; seems every kids game in the world can't run without admin privs.
If I can't even turn it on for a kids account what bloody use is it? And why is it my fault for not using it?
Actually, the good old 'power user' from Win2k is still available in Windows XP. Unfortunately, you can't assign users to that group through the graphical 'User Accounts' in control panel, but you have to use the 'Local Users and Groups' section of the 'Computer Management' panel. Once you create a power user, they'll show up as 'Unknown account type' in the 'User Accounts' panel.
Considering that 'power user' was a reasonable (read: not horrible) compromise between convenience and security in Win2k, I was surprised that MS hid it so deeply in Windows XP. It must've been an aesthetic decision to match the new default "dog" search in explorer and the candy themed UI (thankfully, both of which can still be reverted back to Win2k styles!)
Imposing Libertarian views on everyone online since 1992.
http://www.unix.org.ua/orelly/networking/puis/ch01_04.htm
"It was not designed from the start to be secure. It was designed with the necessary characteristics to make security serviceable."
no idea who is right
Unfortunately, there are a bunch of applications for which this doesn't work right, including iTunes - the first piece of Apple software I've used that didn't "just work". When I installed iTunes, as root, it created an iTunes config for root, but when I logged in as myself, it created a separate iTunes config for me, and I not only had to input lots of long registration numbers again (:-), but the tunes I'd downloaded to root's account aren't accessible from my account and vice versa (or at least, it's well hidden if they are.) Very annoying.
Some things are worse about multiple users - my USB scanner gets hopelessly confused by having multiple people logged in. As far as I can tell, when I first log in as one user, its software scans the USB and finds it, and when I log in as a different user, it does the same thing, except something's locked up to the first person who logged in.
(As somebody else said about their home setup, I've got three accounts on the machine - root, my non-admin account, and my wife's account, which has admin privileges so she can install software and run picky software, and we use fast-user-switching between them.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
What is the difference between root and admin?
This is just one more example of why software binaries should be installed via drag and drop a la OS X. Also, given OS X's extensive permissions settings (access control lists, which go above and beyond any other unix by far), I can really control which folders people are allowed to access with ease.
extra, extra, "Windows Users Are Braindead Morons!"..
big surprise.
Ubuntu disables root by default too. Anything that needs to be run as root can be run using sudo. The GUI admin tools ask for the password just like in OS X.
There's a nugget of truth to that comment, but it misses both more significant points and differences between the GNU/Linux way and the Microsoft way.
It also misses the point that you can, largely, install binary software on different GNU/Linux systems, so long as core dependencies (usually your glibc version) are satisfied. E.g.: Macromedia Flash, Opera, Oracle, Realplayer, and the like, generally under /usr/local/ or /opt/. Though honestly I have very little proprietary software on my system.
The real reason to go within your distro's package management system for software installation is that it's easier, faster, works better, and minimizes future administration needs -- rather than managing a slew of software packages independently, you do a systemwide update. You've also got a tremendous selection of software -- 15k+ packages in the most recent Debian stable. There's rarely a compelling reason to go outside the archive, though you can and are assured the packaging system won't interfere with your locally installed selections.
The reasons this is possible are largely: sources are available for the software you're installing (most GNU/Linux software is FSF Free Software / OSI Open Source), the distro itself doesn't have a horse in the race (it's not competing with the software developers, unlike the relationship between Microsoft and its ISVs), and systemwide policies can be implemented and enforced with a very high degree of uniformity (particularly in the case of Debian-based distros). There's also three clearly independent parties involved, each with a major voice in the process: the software developer, the distro / software packager, and the users. You get the benefit of review of the application by users (independent of both the developer and the distro/packager). Microsoft simply doesn't have this degree of remove from the system as a whole -- it's competing with both software developers and its users over features and control.
The result isn't so much that users are forced to go within their distro's package management system for software, but that they choose to do so, and that a healthy distro culture (e.g.: Debian) provides very strong incentives and feedback loops for both developers and users to gain by this.
I've explored this at somewhat greater length in an article discussing malware on Microsoft and GNU/Linux systems respectively, Spyware, Adware, Windows, GNU/Linux, and Software Culture. Manoj Srivastava has a very good Why Linux, Why Debian talk covering the issue from a few other angles (and better technical understanding of the guts of Debian).
What part of "gestalt" don't you understand?
The reason people constantly run as admin is because of all the terribly programmed pieces of software that refuse to run without admin rights or lose function without admin rights (including almost all games, and half the time it's actually caused by the cd checking crap). And Windows' system for running a specific application as admin is a pain in the ass to use. I don't blame the users.
NT has had robust per user rights management for a long time. I think most of the arguments in this thread apply to home users only. You have to keep in mind that the Windows (1-3, 95, 98, Me) line and NT line (3-4, 2000, XP, 2003) are completely different code bases. The original Windows died with ME and the IBM/MS derived NT is the only line now.
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
it was a bandaid just to fix a deeper structural problem - like the whole windows architecture.
As a solution you can put the files in /home/shared and you shouldn't have any problems with them. But I do like how Apple handles a multi-user system. Each person has one config for the application and they are not shared (or should not be) between other users. If you need to install a program it will ask for your password, even if you are set up as an administrative account. In order to delete a file in /System or /Library it will again ask you for the password. To me that is a lot better security than how Microsoft (or Linux distros) handle things. When you log in as admin you can do everything; as a normal user you have no rights and you have to right click and runas. With Linux it does ask you for the root password with most distros when you try to install an application, but it might not be the same password.
Microsoft needs to think about real user security because currently they don't even think about it. If you are the only user on the system you have no choice but to be the administrator. Besides, every place I have worked with Windows I have in time been given local admin rights, due to one or two applications that would not run without it.
Am I asking too much of Microsoft?
It doesn't run well when running with the root account; imagine what happens if you run it as a regular user ;-)
nobody:*:-2:-2:MojoJojo:/:/usr/bin/false
I love burekas in the morning
...see how fast they reach for Ctrl-Alt-Del when you know it may be unnecessary.
The corporate user can call help desk and have professionally trained IT people take care of PC needs that require administrator-level privileges. The home user does not have the luxury unless they know someone who is willing to serve them in this role. The corporate user does not have to be an administrator to use their computer. The home user has to be one or, at least, has to run software occasionally with administrator privileges to do things like install device drivers for hardware, install new systems-level software (patches), etc. LUA is important, but sometimes LUA for the average home user *is* administrator, because home users are called upon to perform tasks that corporate users would never have to do themselves.
LP
all your bases are dumb!
... .. sad sad sad and "have you check your car trunk today yet?(tm)". ...
p.s. i don't want to elaborate but it's sad that terabytes of inter-network capacity are wasted because of one radio button
p.p.s it the option of making a new account in the so called "config panel" and you have the option of making it a "admin" account or a "limited user" account. good thing even this LSU thing mentioned in the article gives you a hint on this
p.p.p.s I'm really starting to get a hang of this "white trash" thing everybody keeps mentioning
People miss this right off the bat in an attempt at ignoring their lack of skills and admitting their need to beef up same in favor of bashing Microsoft.
Who cares what game requires admin? That's not the point.
The point is that dangerous portals to unknown code content should not be run as admin. If it is possible to run IE as anything but admin, it should be, no code should execute that the user does not agree to. IE should check by default the content and see what it does and tell the user flat out, "hey, this stuff says it is needed to display the page properly but it is also trying to install this other stuff...".
The point is that users and Microsoft are lax in their security mindset. Games won't install or run without admin? Who cares. Anything that will have inheritance to code started by it should not be bequeathing admin status.
But even then, LUA still doesn't eliminate the fact that the MS model is bad and doesn't truly have a cleavage between root and everyone else. It is easy for background system processes to be the progenitors of the inheritance and off go running the viruses as system level processes.
And if you want a look at how inane WinXP Home is set up for security, consider you have to log in using Safe Mode to get to the folder ACLs. Changing them by the command prompt is the only other way and that's a crap shoot. I find Windows ignores command line permissions changes about half the time. Not good when you're trying to run *nix-style apps like SSH.
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
And whose fault is that? Really, who made it hard to use Windows built in security? Why is it I can run GTA: San Andreas as a normal user in Linux emulating windows but I have to be Administrator to run the same damn thing on a Windows box? Games and any other user program should not EVER require root access. When everybody else got it right, why does Microsoft dare to be wrong?
Help us build a better map!
I never understood why home users should not run as admin. All files of any value will be in the user's document folder anyway.
I use a non-root account on my Linux box because everyone else does so. But I really don't care if my root account gets compromised or just my user account. Both are equally bad.
"It's because MS has never enforced the concept on developers or users that this has been an option."
Enforced? No. Encouraged? Yes. Any program with the 'Designed for Windows' logo must pass third-party testing which ensures the program will run properly (after installation) without Admin privs. The guidelines are clear and concise.
So if you want to know whether it runs LUA, look for the logo. All programs with that logo MUST run LUA.
I saw some people posting that you can run another account with admin rights from the command line; it's also as easy as right clicking on the program you're about to run and clicking "run as". You are then prompted to run the program as (in this case) admin, you enter the password and you're good to go, while all other programs and processes continue to run with limited rights. I think someone mentioned something about not being able to use fast user switching on a domain, but it has nothing to do with that. Server 2003 doesn't even offer fast user switching and you can do this "run as" without a hassle. In fact most books you read on Server 2003 tell you this is a good idea!
Am I the only one who thought of the Lua programming language when I first saw the article headline?
File under 'M' for 'Manic ranting'
The whole idea of defense-in-depth is that you design your system so that each layer is a complete sandbox. That is, you design the browser so there's no way to break its security model, then you assume someone will break it anyway so you design the multiuser security so there's no way out, then you add a firewall, then (though this isn't normally done it can be easily implemented) you assume that someone will break that so you build a jail that can only be opened from the outside... so for someone to break out they need to launch three or four separate independent attacks, one after the other, each of which requires different techniques and each of which can be fixed in turn. You limit your services to listen to local connection only, then you firewall them anyway.
In Windows, you can't configure your services to only listen locally, so the firewall is not an extra layer of security. You can't disable Active Content and close down all the "security zones" because then local stuff like the control panel breaks, so you use multiuser security as part of the sandbox.
Instead of having all these layers as redundant defenses that need to be attacked in serial, they're parallel efforts each shoring up a different part of the system. Which is why Windows users don't much care, running as an untrusted user still leaves all your local files subject to attack, running IE with reduced security will still leave an exploit able to attack your online assets, your paypal and email. And it's really inconvenient to do things this way, because too many applications expect to run with privileges...
1) A lot of Windows programs refuse to run as anything but Admin. This is caused by architectural baggage in Windows, baggage in the programs themselves, and idiot programmers who continue to write bad code. Since some of these programs are essential if you use them (eg AutoCAD), you have to run as admin: Thank you idiot programmers.
2) It seems that even some MS internal programs won't work under LUA: The corporate left hand doesn't know what right hand is doing. What else is new...
3) There is an enormous amount of inertia behind doing things the insecure way with Windows. Thank you MS.
4) There are a couple of posts asking why they should care about security even though they know about it. These jackasses are why the 'september that never ended' never ended. I hope they all choke on olives.
5) There are some people who want to use their computer for nothing more than e-mail, surfing the 'Net, music and the occasional text document. Linux + Evolution + Firefox + XMMS + StarOffice (to guarantee winword compatibility) = all they need.
A program running with user privileges must be able to read the shortcut, and the admin passwd is in there as plaintext.
Runas is a pain in the ass since it's nowhere near as usable AND secure as unix sudo, which requires misconfiguration to be insecure.
'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack
For those who are working on making poorly written applications run in LUAs, rather than giving write permissions to specific directories or registry keys, you may want to look into using the redirect function of the Application Compatibility Toolkit. In a multi-user environment where you want each user to have their own config files, etc, ACT can redirect the application's file writing to each user's profile directory.
This is the biggest challenge our community faces. I run a small website for a Home Tech Support business in which I publish the odd tech tip. I get around fifty hits a day in the articles section and try hard to enforce best practices on users who do not know better. Education is the key, otherwise there will always be zombie nets DDoSing those of us who take precautions.
This article has more information on the pitfalls of running as admin, and information on how users can rectify this.
First they admit that end users don't comprehend NOT running as root.
THEN they introduce a dozen tools to "help" the end user not run as root, thereby introducing MORE COMPLEXITY into the concept.
What's wrong with this picture?
The bottom line is quite simple: DON'T CREATE USER ACCOUNTS AS ROOT BY DEFAULT! Every Linux distro can do that and Windows needs to do it, too. And the system needs to TELL users up front AS it's being installed WHY it's being done that way.
Introducing reduced-admin tools after the fact is just CYA horseshit.
That goddamn simple.
Stop treating the end users as dumb sheep to be spoon-fed pablum and fleeced of every dime they possess and security will improve.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Oh, really?
And Grandma, who isn't supposed to be able to even comprehend Linux or understand why running root is not desirable, is supposed to figure out Runas?
What's wrong with THIS picture?
Here's the bottom line: NO application which is not a SYSTEM application should need root privilege. Meaning an application that does not directly affect the kernel should not need root privilege.
I don't even like setuid and passwd - if the user needs to change his password on HIS machine, let him log in as root. If he needs to change his password on a multiuser machine or on a network, let the sys admin do it - corporate users shouldn't be using passwords anyway, they should be using PKI certificates and one-time password generators and tokens and be ASSIGNED security rather than letting the user handle his own security.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Is to come out with a common update system that is easy for games and other apps to use and make free for developers to use. Then you can at least get rid of having to deal with games and other apps having their own built in updaters and needing admin just to run them, as some force you to get the updates to use them. This system can also make it easy to keep your whole system up to date. You will just need admin to run that common update system, or even let it be set up to auto run in the background at system level.
....but we don't use them because absolutely fuck-all works as it should.
eWeek is being unfair toward users.
The fact is, very little software actually runs without administrator privileges.
If you have ever had to sys admin Windows desktops, you know the headaches that this involves. Many programs run up to a point and then fail, often mysteriously, sometimes giving incorrect error messages.
Even Microsoft does not get it right. Take this screenshot, for example, of Word 97 running on top of Windows 2000, which is not an uncommon experience where I work. Every time a non-admin account tries to open an existing file, this is the stupid, incorrect error message that pops up. It's madness.
Obey me you stupid computer! I bought you! I own you!
It strikes me that Microsoft are pursuing a lower rights model in order to allow users to have Administrator privileges in their interactive session but restrict the privileges of specific processes (for example, Internet Explorer) within that session.
This approach is also evident in the unofficial, free tools being created by Microsoft developers.
This approach seems to be a "have my cake and eat it too" solution, and unfortunately seems to be making the same mistakes of attempting to identify and quarantine bad behaviour as those we have made in the past regarding the design of firewalls, antivirus tools and the like.
Remember when it was common practice to only firewall the "bad" ports, and let the "good" ports have free rein? Over time (and in no short measure due to certain worms utilising flaws in Microsoft, and occasionally other, software) we have realised that the only sane approach is to deny all and then selectively allow that which we want.
Likewise, the traditional approach of antivirus software, intrusion detection/prevention systems and the like in recognising "bad" phenomena has been shown incapable of keeping up with new threats. We are slowly realising that we (somehow!) need to define what is "normal" behaviour in our systems/networks and then quarantine that which does not meet the norm.
Unfortunately it strikes me that Microsoft's current direction in terms of Least User Privilege seems to be to give up on it as an overriding principle, and instead "allow everything" as a default, and then selectively deny those processes which are seen as high-risk. I would have thought the parallels to my previously mentioned examples of firewalls, antivirus and IDS/IPS are clear.
Yeah, really, folks, as one who has dealt with many releases of Windows, Macintosh, OS/2, and Linux, I'm telling you Windows is just as hard to install, configure, and use as any other operating system. Difficulty in operation doesn't depend on whether or not there's a "Windows" sticker on the outside of the case; it depends on the fact that computers themselves are inherently complicated machines.
No developer sits there saying "I really need to come up with a more complicated interface for this design; it's too easy to figure out!" And making a system hide all the details so that it appears easier doesn't make it so, any more than removing the red warning lights from the dashboard of your car would negate the necessity of having to put oil and transmission fluid and coolant in it to keep it running!
The default policies on a Windows 2000/XP box give Power Users the ability to schedule tasks. Try this as a Power User:
at 00:00 /interactive cmd.exe
Where "00:00" is a 24-hour time at which you'd like to escalate privileges; one minute in the future works well.
Wait a minute and up pops a command prompt on the console (may not be visible via TS/RDC), which is now running as Local System (NT_AUTHORITY\SYSTEM), which has full administrator permissions and more.
You can use this to kill errant services, among other things, however a malicious user can use this trick to then do pretty much whatever they want. This works *great* when you need to do things like recover from a corrupt Active Directory domain security policy.
Note that regular users cannot schedule tasks by default.
A better question might be "Why is non admin totally F&%$^$% broken in windows?"
Seriously. Most of ms's "security patches" are to break the legs of the admin account so it's harder to do stuff in the UI. FFS. Leave my damn UI alone. Set your gooey crappy XP shite ONLY on the standard user, and allow them to DO stuff like add hardware. Leave the admin account bare bones and unfriendly so that teh noob DOESN'T WANT IT.
I'm not sure exactly why I'm bothering to write this. MS won't read this and won't care if they do. Also, no one at slashdot will read it since it's posted AC. Ahhh the joy of letting your account lapse. Awesome.
toodles kids
bren
I tried using it, but it seems half the games out there won't work in this mode. What am I supposed to do?
(8-DCS)
Sorry, but you're going to have one or two lines of code that won't even begin to tell you an eighth of what the .exe is doing with dependencies or what those depend upon.
.exe, .dll, .ocx, and .sys file name extensions.
Must be some good reason why Dependency Walker is in every resource kit.
Dependency Walker
Dependency Walker (Depends.exe) is a support tool that enables you to examine a selected application or component to determine what other components are required for the application to start. The tool lists the dependencies in a tree format.
For every component selected, Dependency Walker lists the programming functions of each primary and secondary module. Typically, the system modules have
Dependency Walker can also help you identify problems related to missing or corrupt modules, circular dependency errors, and mismatched module types.
For more information about Dependency Walker, click Tools in Help and Support Center, and then click Windows Support Tools. For more information about service dependencies, see "Troubleshooting Startup" in this book.
It's a hell of a lot easier than the convoluted crap you're spouting.
Interesting for Microsoft to bring this up since the default XP install asks for a username and then gives that user administrator rights.
And yes, I know there's the "run as different user," which can and does work fine for me in most circumstances, but a regular joe-user needs help double-clicking an icon, let alone right-click, run as... etc.
I believe further upthread, someone was bitching about how non-trivial Windows apps won't run unless you're running as a user with admin rights.
Someone responded that filemon and regmon were quick and dirty tools to see what access an app was trying to use.
Someone else bitched that those tools are too raw to be useful.
I responded saying they were useful for the purpose they serve.
Method of processing duck feet
"No way in hell can anyone use RegMon from my experience with it... The windows registry is constantly being written to so fast..."
RegMon has filters. You tell it to filter on only the one application you're having trouble with. You start the RegMon capture, start the problem program, wait for the trouble, stop the capture. Then you use filters and search to find the problem. You only need to show the errors -- successful accesses are not problems and can be ignored.
"What you need is Dependency Walker."
How, exactly, does that help me find out what registry and filesystem locations a poorly-written program is trying to access? For that matter, how does it help me fix a program that doesn't want to run unless it has admin rights?
(No, I don't really expect a reply from an AC, but I wanted to make these points in case anyone else is reading this forum for good info.)
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
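As an added example (not code from any poster in this thread), the following Python script applies the RegMon triage described above to a saved capture: filter on one application, keep only the failed accesses, and group them by path. It also flags the write failures against machine-wide locations, which are the cases the Application Compatibility Toolkit redirection mentioned earlier would send into the user's profile instead of granting write permissions. The capture lines are constructed, and the tab-separated column layout is an assumption rather than RegMon's real export format.

```python
"""Triage a RegMon/FileMon-style capture for one application, keeping only
the failed accesses so the few locations that block least-privilege use
stand out. Added example: the capture below is constructed, not a real
RegMon export, and its tab-separated column layout is an assumption."""
from collections import defaultdict

# Constructed sample capture: process, operation, path, result.
SAMPLE_CAPTURE = """\
explorer.exe\tOpenKey\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\tSUCCESS
oldgame.exe\tCreateFile\tC:\\Program Files\\OldGame\\settings.ini\tACCESS DENIED
oldgame.exe\tQueryValue\tHKCU\\Software\\OldGame\\Volume\tNOT FOUND
oldgame.exe\tSetValue\tHKLM\\Software\\OldGame\\LastUser\tACCESS DENIED
oldgame.exe\tCreateFile\tC:\\Program Files\\OldGame\\settings.ini\tACCESS DENIED
oldgame.exe\tCreateFile\tC:\\Program Files\\OldGame\\scores.dat\tACCESS DENIED
oldgame.exe\tOpenKey\tHKLM\\Software\\OldGame\tSUCCESS
svchost.exe\tSetValue\tHKLM\\System\\CurrentControlSet\\Services\\Foo\tSUCCESS
"""

# A successful access is not a problem, and NOT FOUND usually means the
# program probed for an optional setting; neither stops it from running.
IGNORABLE = {"SUCCESS", "NOT FOUND"}
WRITE_OPS = {"CreateFile", "WriteFile", "SetValue", "CreateKey",
             "DeleteValue", "DeleteKey"}


def parse_capture(text):
    """Parse tab-separated lines into records; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        process, operation, path, result = parts
        records.append({"process": process, "operation": operation,
                        "path": path, "result": result})
    return records


def failed_accesses(records, process):
    """Keep only the named process's entries whose result is a real failure:
    the RegMon advice of filtering on one application and showing only errors."""
    return [r for r in records
            if r["process"].lower() == process.lower()
            and r["result"].upper() not in IGNORABLE]


def summarize(failures):
    """Group failures by path: {path: {"operations": set, "count": int}}."""
    summary = defaultdict(lambda: {"operations": set(), "count": 0})
    for r in failures:
        entry = summary[r["path"]]
        entry["operations"].add(r["operation"])
        entry["count"] += 1
    return dict(summary)


def is_machine_wide(path):
    """True for locations shared by all users, which a non-admin cannot write."""
    p = path.lower()
    return p.startswith(("hklm\\", "c:\\program files", "c:\\windows"))


def redirect_candidates(summary):
    """Paths that failed on a write to a machine-wide location: the cases where
    redirecting the write into the user's profile (one config per user) fixes
    the program without loosening permissions on the shared location."""
    return sorted(path for path, entry in summary.items()
                  if is_machine_wide(path) and entry["operations"] & WRITE_OPS)


def report(capture_text, process):
    """Return (report lines, redirect candidates) for one process."""
    summary = summarize(failed_accesses(parse_capture(capture_text), process))
    lines = []
    for path in sorted(summary):
        ops = ",".join(sorted(summary[path]["operations"]))
        lines.append(f"{summary[path]['count']:3d}  {ops:<12} {path}")
    return lines, redirect_candidates(summary)


if __name__ == "__main__":
    lines, candidates = report(SAMPLE_CAPTURE, "oldgame.exe")
    print("Failed accesses by path:")
    print("\n".join(lines))
    print("Candidates for per-user redirection:")
    print("\n".join(candidates))
```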
It appears we have someone trying to use this subthread as an advertising opportunity for "Dependency Walker". Aside from the parent post, look here and here. I don't know if this guy is a paid shill or just an over-enthusiastic fan-boy, but clearly, there is a pattern here. People would be well advised to be aware of this, and perhaps moderators should act.
This has been a public service message of the Listmaster General.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
Anti-informative. Windows NT/2K/XP is not based on the Windows 3.1 codebase.