Windows Users Ignoring LUA Security

blankify writes "eWeek is running a story about the least-privilege, no-admin option available in Windows (2000/XP/2003) that has been mostly ignored by end users. From the article: '"To the average user, the notion of non-admin is abstract and obscure," said Michael Howard, a senior security program manager in Microsoft Corp.'s security business and technology unit. "Most users just don't know they can set up least-privilege accounts in Windows today, and that's just a sad reality."'"

doh

most likely because this option breaks most applications

Re:doh

[blackpaw]

You can start a Administrator cmd prompt in windows without logging off:

runas /profile /user:Administrator cmd.exe

Or any other program can be launched.

Re:doh

[Curien]

Fast user switching doesn't work when your system is connected to a Windows domain.

Cluelessness at Microsoft

[ts0003]

There's a reason why most people don't use it. Microsoft's implementation is flawed to say the least. When a user sets themselves up this way and then installs programs as an Administrator, they find that they can't run the programs completely or correctly as the lower privilege user. Some of this is due to Windows application programmers doing boneheaded things. Much of it has to do with the programming practices Microsoft has fostered - like writing to global registry keys in the Windows 95 and 98 days. Contrast this will Apple which has gotten the APIs right, put out tutorials on how to do this and most importantly made the whole process of installing as Administrator but running as a User as painless as possible.

Non-admin Wiki!

[sandstorming]

Everything you need to know http://nonadmin.editme.com/

Too many apps won't run without Administrator Priv

[freeio]

One big obstacle is that too many applications I see require administrator privileges not just to install but also to run. Your end users figure that out, set themselves up as administrators, and leave it at that.

This is nothing new...

Re:It's also ignored by developers

[Cyberax]

It's not just developers, unfortunately. Some important things just can't be done under normal account. For example: COM-server registration (and consequently ActiveX controls) requires admin access , because permission to access HKCR and HKLM is neccesary.

Reminds me of Red Hat...

[Mister+Impressive]

... I'm a true blue Windows user, but I've tried linux. Red Hat 8, to be specific. I remember the FIRST thing it told when I logged in as root, was to create a new non-power account. It even showed me how to. Whenever I wanted to change/install something, a nice prompty would come up asking for my password to give it the proper priviliges.

M$ should learn from this, and their little article there, that instead of the stupid tour that appears when you first login after a fresh install, there should be a message alerting the user to create a new account.

Re:I wonder why

[jd142]

It isn't the unfriendliness of the UI or the help file.

By default, new accounts created during a windows install/first use interface are administrator accounts. As are new accounts created through the generic, task view Control Panel interface for account management.

It's one of the reasons that Windows is unsecure out of the box.

If MS merely made accounts user only be default, that would take care of it.

Of course, then you'd have to fix all of the crappy software out there that can only run as admin. And there's a lot of it. Major software packages like WordPerfect still don't handle user accounts and preferences correctly and it's a very simple thing to do.

Re:Tell that to the developers

[value_added]

Hell, tell that to Microsoft.

Certain Programs Do Not Work Correctly If You Log On Using a Limited User Account

Microsoft Flight Simulator 98
Microsoft Flight Simulator 2000
Microsoft Flight Simulator 2002 Professional
Microsoft Flight Simulator 2004 Century of Flight
Microsoft Train Simulator 1.x
Microsoft Money 2000
Microsoft Money 2001
Microsoft Money 2002
Microsoft Money 2003
MSN Messenger Service

Microsoft seems to have discovered the command-line, so maybe they'll discover the root account? Maybe they can fix their broken 'runas' soon thereafter.

Re:I wonder why

[Transcendent]

Even a lot of MICROSOFT games (Age of Mythology, for example) don't work unless you have admin rights...

bah, I just ran out of mod points. :(

[numbski]

Mod that man up.

Intuit is criminal number 1 in this area (this month anyway, I have my targets change from time to time...)

Get this: The "enterprise" version of QuickBooks that will allow you to run in terminal services (gotta spend that extra cash to run the same software remotely you know!), requires that you have Power Users or Administrator priveleges.

Here's the catch however: I have a client running Small Business Server 2003, and they just went through a company restructuring where the CFO is going to be 200 miles away for the next few months, and needs to be able to hit QuickBooks from a terminal server session (yes, I know, VNC, PC Anywhere, bitmap pusher x..., work with me here though).

So, on an SBS, you can't have any trusts, no member servers (I might be wrong on that last one, apparently there'a hack that allows this, but again...), so the only server on the domain is the DC. You DC does not have "local" accounts and groups, only the AD users and groups. So a local power user doesn't exist. The only rights I can give them to be able to work is Admin.

The whole point of remote users is to.....access things remotely. You're requiring that every one of my users that wishes to use QuickBooks have Admin rights, and if they want to run in term serv, I have to allow dial in rights to that Admin account.

So I got on the phone with them. I suggested the following workaround:

"What if I just create a domain account, say ""QuickBooks User"". Set it to an obscenely secure password that no one but the admins could possibly know. Make it long, make it random, make it not-so-easy to remember. Grant that account Admin rights. Set Quickbooks to "Run As..." that user. Now Quickbooks gets the Admin privs it needs, but not the user."

After going through a supervisor, I was explained that this wouldn't work, and in fact they misconstrued it as an attempt on my part to subvert their licensing (because now I only have a single Quickbooks user, and we're supposed to pay per-seat for the license), and "Run As..." is intentionally broken to prevent this, along with the ability to run in Terminal Server if you haven't purchased the enterprise version.

Wow.

Cash more important than security.

Hey guys? What is so important at the system level that the *user* needs to make modifications to the OS? Why not store the data in the user's profile? Or in a shared directory with rights granted to the users in the "QuickBooks Users" group?

I just don't get it. :\

It certainly isn't easy

[DragonHawk]

"Running windows without admin rights is a nightmare."

It certainly isn't easy, unless you're willing to invest significant technical time and effort into the project -- which is, I'm sure, a big part of the reason why most people don't do it.

That being said, I'm the admin for an organization with about 60 or so Windoze stations, and I can say that it can be done for most things. It most often involves figuring out what the defective program is trying to do, and then allowing it access to just where it needs.

The two most vital tools are FileMon and RegMon, both free from SysInternals (http://www.sysinternals.com/). They monitor file system or registry accesses. In the vast majority of programs can be made to work just by applying some ACLs on program-specific registry or filesystem branches.

There's no way in hell your "typical home user" could do this, though, which is, I expect, the problem and point.