Windows Users Ignoring LUA Security
blankify writes "eWeek is running a story about the least-privilege, no-admin option available in Windows (2000/XP/2003) that has been mostly ignored by end users. From the article: '"To the average user, the notion of non-admin is abstract and obscure," said Michael Howard, a senior security program manager in Microsoft Corp.'s security business and technology unit. "Most users just don't know they can set up least-privilege accounts in Windows today, and that's just a sad reality."'"
"Most users just don't know they can set up least-privilege accounts in Windows today, and that's just a sad reality."
I wonder if this could have anything to do with the fact that the user interfaces, OS messages, and help files are not "user friendly" and written in mysterious GeekSpeak that the average user doesn't understand.
Ignorance is curable, stupid is forever.
If their software doesn't work in least-privileged mode, doesn't it defeat the whole purpose of the system?
Users ignore it, because it's a horrible pain to use XP using a normal user account.
There are numerous games that cannot be installed without admin rights, and plenty that cannot even be EXECUTED without admin rights. All because the devs are lazy morons.
Same goes with numerous applications.
Not to mention the fact that in many cases applications break in random ways, without actually telling you why they break.
So right now if you actually want to use XP, you pretty much are stuck with admin mode (or you have way more patience than I do in using 'run as..' or switching users)
your programs will still function when you run on an account without administrator privileges. Wake me up when Microsoft's own programs work properly under a user account.
Administrator accounts should only be used for administering the OS; unfortunately, much Windows software doesn't play ball, forcing Windows users to run under admin accounts. If the tech-savvy didn't need to do this, maybe they might start advocating the general masses to do the same. Until MS lifts its act, this isn't going to change any time soon.
~Kalinga
I'm sure the default setting of creating an admin level user with no password at install time, and then having it set to automatically log them in has nothing to do with it...
I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
Oh, I'm sorry for installing the system and using it as the default. Please continue to blame the users for paying you for a borderline operating system. It is not an education issue as much as it is a crappy software issue. You should not continue to turn a deaf ear, but I already know you will. Just send out an email that looks like a Phishing email but contains a system lockdown. That way, only the stupid people will click on it, and we can decrease the surplus population on the internet.
Too bad you posted as AC because that's exactly why I don't use it.
A limited account in linux still allows you to do most things without a hitch. Plus, when you need root access, you can do that within the logged on account without logging off.
I also tried setting up my SO's account as limited but she ran into problems all the time. It is hard to explain (excuse?) something as a feature when it is such a pain in the ass.
Hopefully, they will get this one thing right in Longhorn.
The preceding message was based on actual events. Only the names, locations and events have been changed.
When a friend of mine got a new Windows XP (Pro, not Home) box, he asked me to help him get it set up. I told him that he should have two accounts: one admin (He has a strong password for his admin account and the username has been changed from default.) and one regular user. I explained the whole issue of how an exploited machine with the user running as admin could cause more problems than if he ran as a regular user. I cautioned him that he'd have to deal with the pain of switching between the accounts whenever he needed to do stuff that required admin rights. Since he's been trojaned before, he agreed. We also set up the Windows XP firewall for extra security since he was directly connected to the net.
Within a month, I got a call where he said, "Dude! Can we get rid of this admin account and the goddamn firewall? Every time I want to do anything useful, I have to log into the admin account. And I'm always having to log into admin and turn the firewall off to play online games". So, I suggested that he spend the money to get an external hardware DSL/Cable router. He did, and we turned off the firewall. But he still wanted his regular user account to be admin because that's where all his data was. After arguing with him for a bit, I told him we could set it up as an admin user (he didn't want power user because we'd tried that and there were still a few programs he claimed he couldn't run even as power user. CDRWIN was one of them) but that if anything resembling the worm/trojan that hit him in Win98 happened, it would be a full reinstall. I wouldn't try to figure out what happened. He agreed. It's been a year and a half since then. He's really good about applying the latest critical updates and that hardware router has probably saved him numerous times. But I still think he's in a risky position.
Most people just don't want to have to deal with the hassle of switching between two user accounts or learning to use "runas". It will always be this way. End users need full privs on their boxes. The only way around this is to set OSes up so that each user's "desktop" is actually a full VM. Then if it gets hosed by them running as admin, the only thing that needs to be wiped is their profile and that VM's image. Much cleaner than having to do an OS reinstall or a postmortem.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
Close,
It's ignored because Windows was never designed with security in mind and grew to be the mess it is because that's the only way you can properly run Windows, as admin.
To come along much later and fix this, then blame the users is very poor on Microsoft's part.
I don't know the meaning of the word 'don't' - J
It's partially driven by software that won't install as a regular user (I can kinda live with that) and/or won't run as a regular user (unacceptable except for system utilities).
I can't even count right now how many clients I have running users with admin membership because of crappy software.
And the kicker is, it's not that hard a programming task to make software run in the regular user context! argh!
eric
So now you have your user enclosed inside an annoying stainless steel safe, except for the fact that it isn't safe at all, because he'll yell the door code at anyone standing outside.
Home users don't need annoying internal security. They need transparent outside access security. That's all. Give an annoying security tool to someone who is only interested in being left alone to use his computer, and he'll break it in a minute.
Face it, people: users will always want to be in charge of their computer, to install the latest (card/3d/simulation/fishing) game, "multimedia" tutorial or whatever. So now you have two choices: 1. Give them a crippled (no admin access) computer and they'll give you the finger. 2. Give them the admin password and they'll render it useless.
Changing the screen resolution in Windows does not require admin privileges.
Half the spyware normal users get uses privilege escalation holes anyway, so it does not keep that crap down.
Which ones? Privilege escalation bugs aren't exactly common.
Anyway, I have been told (but have not tried) that making the "temp" folder trees "Everyone" read/write explicitly, and adding each account explicitly fixes most of the "run as admin" problems.
You've been told wrong. For starters, every user on the machine can create new files and modify existing files that belong to them in C:\Windows\Temp. Secondly, almost all apps (even the badly written ones) use the per-user TMP variables that point to directories within the user's profile (that they have "Full Control" over).
Most programs don't do much registry editing, but a lot need scratch space, and if they use the temp folders, they need access to them.
No, in fact the most common problem is applications that try to store things that *should* go in HKEY_CURRENT_USER in HKEY_LOCAL_MACHINE. Bugs like this are actually a good indicator of the developer's lack of interest in updating their product, because per-user registry hives were introduced to Windows 9x back with Windows 98 (they've always been in NT AFAIK).
The second most common problem is stupid developers trying to write to files (often user or application preferences) in either their program's directory or the Windows directory (DOOM 3 has this problem).
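The two failure modes named above (machine-wide registry keys under HKLM, and files written into the program's own directory or the Windows directory) can be checked for before an application is handed to a non-admin user. The PowerShell below is an added example, not code from the original thread: it reads the DACL on each location an application touches and reports whether any of the identities a standard user holds (Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE) has an Allow rule that grants write-type rights. The vendor and application names and their paths are assumptions standing in for a real product. The check looks only at Allow rules, so a Deny rule that would override them is not accounted for.

```powershell
# Added example (not from the original thread): report which of an application's
# locations a standard, non-admin user could write to. ExampleVendor/ExampleApp
# and their paths are assumptions standing in for a real application.
Set-StrictMode -Version Latest

# Identities that every ordinary interactive user holds.
$standardUserSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-32-545', # BUILTIN\Users
    'S-1-5-4'       # INTERACTIVE
)

# Rights that allow creating or changing data; file-system and registry enum names differ.
# \b keeps 'Write' from matching 'WriteAttributes'.
$writePattern = '\b(FullControl|Modify|Write|CreateFiles|AppendData|SetValue|CreateSubKey)\b'

function Test-StandardUserCanWrite {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { return $null }   # nothing to check
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }    # Deny rules are not evaluated here
        try {
            $sid = $rule.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }                                      # orphaned / unresolvable SID
        if ($standardUserSids -notcontains $sid) { continue }
        # FileSystemAccessRule carries FileSystemRights, RegistryAccessRule carries RegistryRights.
        $rights = if ($rule -is [System.Security.AccessControl.FileSystemAccessRule]) {
            $rule.FileSystemRights
        } else {
            $rule.RegistryRights
        }
        if ("$rights" -match $writePattern) { return $true }
    }
    return $false
}

# Where a well-behaved app keeps per-user state (writable by design)...
$perUser = @(
    $env:APPDATA,
    $env:TEMP,
    'HKCU:\Software\ExampleVendor\ExampleApp'       # assumed key
)
# ...and where a badly behaved one tries to write instead.
$machineWide = @(
    "$env:ProgramFiles\ExampleVendor\ExampleApp",   # assumed install directory
    $env:SystemRoot,
    'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'       # assumed key
)

foreach ($p in $perUser + $machineWide) {
    $result = Test-StandardUserCanWrite -Path $p
    if ($null -eq $result) {
        $verdict = 'not present'
    } elseif ($result) {
        $verdict = 'writable by standard users'
    } else {
        $verdict = 'NOT writable by standard users: an app writing here needs admin or an ACL change'
    }
    '{0,-60} {1}' -f $p, $verdict
}
```

Run it as the standard user, or as an administrator against the paths the installer created; on a default install the per-user locations come back writable and the Program Files, Windows and HKLM entries do not, which is exactly the split a correctly written application respects. Anything an application insists on writing to from the second list is what forces the account into Administrators.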
Try it yourself some time. Running Windows without admin rights is a nightmare. About 2/3 of my programs won't operate (I'm a software developer) at all. I've fixed almost everyone's computers who knows me (I hate being free tech support but anything for a friend), and stupid programs like a damn cat breeding program this one girl had wouldn't run without admin rights (after fixing her computer 3-4 times I tried the No Admin route to no avail).
Until programs run without being admin, this whole argument is pointless.
OS X does it perfectly.
...exactly what I said in my previous post: least-privileged admin-password-asking security systems are useless for home users. Make a user type his password n times a week and he'll type it in every single dialog window that asks for his password. Even the malicious ones.
So now you have your user enclosed inside an annoying stainless steel safe, except for the fact that it isn't safe at all, because he'll yell the door code at anyone standing outside.
Home users don't need annoying internal security. They need transparent outside access security. That's all. Give an annoying security tool to someone who is only interested in being left alone to use his computer, and he'll break it in a minute.
Face it, people: users will always want to be in charge of their computer, to install the latest (card/3d/simulation/fishing) game, "multimedia" tutorial or whatever. So now you have two choices: 1. Give them a crippled (no admin access) computer and they'll give you the finger. 2. Give them the admin password and they'll render it useless.
And no, this is not a matter of education. Even the most experienced geek can get distracted and annoyed as hell with password prompts. Create a security system that gives you routinely security prompts and they're going to be... routine.
What we need to fix is the way computers execute applications. We need a secure list of routine applications and procedures and a secure code signing system. A system where funny-cat-game is really from a company that was previously-approved by -SOME SERVICE-. So that way we'll only have important security prompts at important situations.
No, this is not the solution for most security-related problems, but it's a rough notion of the direction we should be heading at: create a system, any system, that allows the computer to stop asking (the home user) passwords all the time.
I think most of the problems come from the effort for backwards compatibility. They have such a large base of older apps (written when security was not an issue) that they try to maintain for the user, that it hoses the security model needed today.
I think if a user installed a fresh OS with limited user rights, then installed their five to eight year old application, and it did not work, there would be lots of pissing and moaning.
I have set up many XPs with limited access and it works OK until someone installs some older Windows 95/98 type program or some poorly written VB program. For those types of programs the registry is a central place to hold settings. That's it, security was and is not the issue.
Maybe they should take the Apple approach and just forget about the older applications people have and move on to the newer strategies. Want your old app to run? Keep your old machine.
As for games, that's what (IMHO) game consoles are for.
Maybe the era of the all around machine is over, we will have machines for Entertainment, another for Business etc. etc.
Just saying....
The sad reality of the situation is it is IMPOSSIBLE to run as a non-admin and actually get anything done.
As a savvy PC user I tried to set up my XP system following best practices. Only run as admin when necessary. However, the two applications I use every day make this impossible: Quicken and NewsBin Pro. Both of these applications require write access to their respective Program Files directories, which forces you to run the application with elevated privileges.
Until either application developers create proper software that actually obeys the security model or Microsoft enforces this policy then Windows users will always be admins.
The main problem MS has with breaking backwards compatibility is that too many users use Windows only because their software won't run properly on other OSes. The new system would need a heavy push to get enough app support to work. It'd be on even footing with Linux then.
Justice is the sheep getting arrested while an impartial judge declares the vote void.
Well, the average user could just right-click on a shortcut to cmd.exe and choose "Run as..." from the menu.
You're forgetting, though, that the average user will only ever use a command prompt under strict instruction of someone else who is walking them through the process. The same is true of an "average user" that runs Linux. (That's "average user", not "average Linux user" - the two are very different)
It's official. Most of you are morons.
Thereby defeating the purpose of having a least-rights account, when you have to run everything with elevated privileges.
When I first installed Windows on my new system, I tried creating a separate non-admin account that I'd use for my day-to-day computing. Shortly thereafter, I added it to the Administrators group because I just couldn't take it anymore.
Installing applications was mostly a non-issue, with Windows prompting me for my Administrator password when I tried to install something that needed Administrator permissions.
However, almost everything else was a giant pain in the ass. If I wanted to use any of the control panels, I either had to log out/log back in as Administrator, use Terminal Services to connect to localhost and log in as Administrator, create yet another shortcut to run it as Administrator, or use the runas command. None of those options are nearly as slick as Windows Installer asking me for my Administrator password. Why they couldn't use the same model is beyond me.
It's not only the control panels that I had problems with. If I wanted to use Windows Update, I had to be Administrator, and it gave me no easy way to become Administrator. If I wanted to develop and debug something in Visual Studio, I either had to be Administrator or be in the debuggers group, which essentially gives you free access to poke at the system any way you like. And of course, numerous applications and games have copy protection systems that require system drivers and services to work.
Of course, LUA doesn't do a damn thing against network-based attacks.
In the end, it's much easier to run as Administrator and drop privileges when running certain applications.
The whole installation model is broken...
You can't install anything without being an administrator, however most programs install to the current user not the global user settings...
So, user installs program as admin, logs back into user - program gone!!!
That's damned stupid..
I disagree. Having the password prompt gives the user the power to decide when elevated privileges are required. If a user disregards this power, then that is their fault. On OSX, I get prompted about once a month for the admin password, and it's usually when I run Software Update. If I were simply browsing the web and a trojan sheet came down, asking for the administrator password to continue, it would obviously be a phishing attack. I've trained my users to not check the "remember my password" in email/web applications -- people aren't stupid. People don't "always want to be in charge of their computer", including myself.
Just because a security tool can be defeated doesn't mean it's worthless. Redhat/GNOME's approach may not be perfect, but I'll take that over code signing any day (which is the "ultimate solution" to your quandary).
The wheel is turning, but the hamster is dead.
I can tell you how many Macs running OS X I've seen with people logged in as essentially "root". Sure, OS X prompts you for an admin password when critical things happen, but everyone I've seen blindly enters the root password. Most times, the user does not even read the dialog box.
The "least privileges" problem happens on all operating systems....most users of personal computers want to be "root". Until users become more security savvy, this will be a problem on all systems.
-ted
When a user sets themselves up this way and then installs programs as an Administrator, they find that they can't run the programs completely or correctly as the lower privilege user.
Try installing some of Microsoft's software in Windows, as Administrator, and then log in as a user and see if you can use it.
You'll be able to use it just fine. Perfectly well. Exactly as if you were logged in as an Admin, save you'll have a few files you can't update or change.
The problem with Windows isn't Microsoft, it's everybody else. The folks who wrote that cat care program didn't bother to read up on the software-side changes, and so they do things like storing user-editable information in the registry, keeping documents in the program's subfolder, or just generally writing horrible software.
An easy fix for crappy software, btw, is to install it into a folder such as c:\insecure\ or somesuch, and allow everyone to have full access to that folder. Usually fixes the problem with running as guest, and is less likely to bork Windows itself.
FWIW, though, yes, MS messed up on the fix for these things. There SHOULD be a log kept of programs that didn't run, including the files they accessed and who tried to run them. A small administrator program that can set permissions for all of those would be a boon, too.
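The two ideas in the post above, a dedicated folder that ordinary users can write into for software that insists on writing next to its binaries, and a record of the accesses that were refused, can both be set up with the NTFS DACL and SACL. The PowerShell below is an added example, not code from the original thread, and has to run elevated (changing a SACL needs SeSecurityPrivilege). The folder name C:\LegacyApps and the ExampleVendor\ExampleApp install directory are assumptions. In this example the folder grants BUILTIN\Users Modify, which covers create, change and delete but not changing permissions or taking ownership; the audit rule logs failed write and delete attempts under the real Program Files directory of the application so the "what did it try to touch" question can be answered from the Security log. auditpol and Get-WinEvent exist on Windows Vista / Server 2008 and later, so the example assumes a current Windows rather than XP.

```powershell
# Added example (not from the original thread): a user-writable folder for a legacy
# application, plus an audit rule that logs denied writes where the app would otherwise
# try to go. Run elevated. C:\LegacyApps and ExampleVendor\ExampleApp are assumptions.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest

$legacyRoot  = 'C:\LegacyApps'                                       # assumed (poster used c:\insecure)
$legacyApp   = "$env:ProgramFiles\ExampleVendor\ExampleApp"          # assumed install directory
$usersSid    = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'   # BUILTIN\Users
$everyoneSid = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'        # Everyone
$inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noPropagate = [System.Security.AccessControl.PropagationFlags]::None

function New-LegacyAppFolder {
    # Create the folder and give Users Modify (not FullControl), inherited by everything below it.
    param([Parameter(Mandatory)][string]$Path)
    $null = New-Item -ItemType Directory -Path $Path -Force
    $acl  = Get-Acl -LiteralPath $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $usersSid, 'Modify', $inherit, $noPropagate, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Add-FailedWriteAudit {
    # SACL entry: record every refused write or delete under $Path, by any identity.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $acl  = Get-Acl -LiteralPath $Path -Audit
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        $everyoneSid, 'Write, Delete', $inherit, $noPropagate, 'Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-RecentDeniedAccess {
    # Event 4656 (handle request) with the Audit Failure keyword is what the SACL produces.
    param([int]$Count = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } -MaxEvents ($Count * 5) -ErrorAction SilentlyContinue |
        Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' } |
        Select-Object -First $Count TimeCreated,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

New-LegacyAppFolder  -Path $legacyRoot
Add-FailedWriteAudit -Path $legacyApp

# SACL entries only generate events once the File System subcategory is audited for failures.
auditpol /set /subcategory:"File System" /failure:enable | Out-Null

Get-RecentDeniedAccess
```

Reinstall the offending application under $legacyRoot (or point its shortcut there) and run it as a standard user; its preference file and scratch writes now succeed without the account being in Administrators. Leaving the audit rule in place on the original Program Files location gives you the list of files the application kept trying to touch, which is the information the poster wishes Windows logged by itself.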
There's a nugget of truth to that comment, but it misses both more significant points and differences between the GNU/Linux way and the Microsoft way.
It also misses the point that you can, largely, install binary software on different GNU/Linux systems, so long as core dependencies (usually your glibc version) are satisfied. E.g.: Macromedia Flash, Opera, Oracle, Realplayer, and the like, generally under /usr/local/ or /opt/. Though honestly I have very little proprietary software on my system.
The real reason to go within your distro's package management system for software installation is that it's easier, faster, works better, and minimizes future administration needs -- rather than managing a slew of software packages independently, you do a systemwide update. You've also got a tremendous selection of software -- 15k+ packages in the most recent Debian stable. There's rarely a compelling reason to go outside the archive, though you can and are assured the packaging system won't interfere with your locally installed selections.
The reasons this is possible are largely: sources are available for the software you're installing (most GNU/Linux software is FSF Free Software / OSI Open Source), the distro itself doesn't have a horse in the race (it's not competing with the software developers, unlike the relationship between Microsoft and its ISVs), and systemwide policies can be implemented and enforced with a very high degree of uniformity (particularly in the case of Debian-based distros). There are also three clearly independent parties involved, each with a major voice in the process: the software developer, the distro / software packager, and the users. You get the benefit of review of the application by users (independent of both the developer and the distro/packager). Microsoft simply doesn't have this degree of remove from the system as a whole -- it's competing with both software developers and its users over features and control.
The result isn't so much that users are forced to go within their distro's package management system for software, but that they choose to do so, and that a healthy distro culture (e.g.: Debian) provides very strong incentives and feedback loops for both developers and users to gain by this.
I've explored this at somewhat greater length in an article discussing malware on Microsoft and GNU/Linux systems respectively, Spyware, Adware, Windows, GNU/Linux, and Software Culture. Manoj Srivastava has a very good Why Linux, Why Debian talk covering the issue from a few other angles (and better technical understanding of the guts of Debian).
What part of "gestalt" don't you understand?
Please explain how "the OS itself is built around you being an admin"? This is an application, not OS, problem. The OS provides the mechanisms for LUP
Try running mainstream apps and see for yourself. Stuff like Peachtree, or any other business app, breaks like hell if you don't have admin privileges. The problem IS in the OS, as the permissions in Windows are incredibly stupid (which is why Longhorn is changing to a Unix style permissions setup...)
Even XP is based upon the old premise that one person uses a computer. The default is no login, no password needed. Adding a domain server after you already have the box installed is a pain too, since Windows wants to rename the login, and considers "bob on the local machine" different than "bob when he is on the network". It's a total pain in the ass compared to Unix.
Tequila: It's not just for breakfast anymore!
In the UNIX world, the idea is that only the most carefully security-vetted code runs setuid, and still there are lots of local exploits that come from bugs in these programs. In the Windows world, apparently the idea is to make the least security-conscious programs setuid. Interesting philosophy. :-)
That may have been true in 1979, which, as you may be able to compute, was just a few years after UNIX was designed.
In case you aren't aware, the original UNIX HAD NO FILE SYSTEM AT ALL. It was intended to be a bunch of bytes on the system, being searching by grep and processed by tiny apps linked together with pipes!
The original UNIX was also where viruses were originally developed - because sys admins in those days didn't have to worry about them because they'd never heard of them.
None of that is true now after major redesigns - neither for security or the file system.
With Windows, it is STILL true that it was never designed for security and it STILL has little security after several major rewrites and so-called "security initiatives". And the next major rewrite will probably introduce such incredible complexity and consequently major security holes that it will be nearly unusable as anything but a standalone machine.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Not to overdo the "sympathy for the devil" thing here, but I've been thinking about how screwed poor Microsoft is. Think about this; they've managed to paint themselves into a corner on security and stability issues, and they may not have any way to get out of it. Consider:
;)
1. They carried the same codebase forward from Windows 3.1, never completely scrapping it, always just bolting new parts on. This has caused Windows to end up like a Rube Goldberg machine, so complicated on the inside that "they" say nobody at Microsoft really knows what everything in there actually DOES.
2. They really pounded the nails in the coffin when they deliberately bound IE into the O/S to frustrate the DOJ during the browser wars. By binding so many things right into the O/S, they glued themselves to their codebase. Can they even separate their GUI from the underlying O/S anymore?
3. Given that this monstrous, mammoth codebase is a hideous nightmare to try and "fix", obviously the smart thing is to pull a Steve Jobs: scrap the whole beast and glue a beautiful, stable frontend onto a FreeBSD backend with a Mach Microkernel. This would turn Windows into a thing of beauty and stability, like the Mac O/S. But, CAN they? Is it even possible?
4. And, if they did that, they might face a revolt as virtually every software company, corporate IT department, and end user went completely ballistic. It could be suicide.
So, think this over: Microsoft is pretty much screwed, locked utterly into the codebase they've got. If they stick with it, eventually they'll be replaced by more secure, stable alternatives. If they try to save themselves the Apple way, the end could come sooner instead of later.
If YOU were Gates and Ballmer, what would YOU do?
Aside from spending the weekend on the yacht, I mean...
Farewell! It's been a fine buncha years!
Uh huh. Clean? Here's a fun article for your perusal about that "programming talent" you mentioned:
:)
http://www.kuro5hin.org/story/2004/2/15/71552/779
They curse like sailors, they don't even like their OWN codebase, they code around errors... Yeah, sounds pretty clean to me.
I guess we'll see what happens. I give 'em five years, tops. I don't think the company's going out of business entirely, I just think they'll end up abandoning the PC OS business for other markets.
But, we can agree to disagree.
Farewell! It's been a fine buncha years!