Slashdot Mirror
Windows Users Ignoring LUA Security
blankify writes "eWeek is running a story about the least-privilege, no-admin option available in Windows (2000/XP/2003) that has been mostly ignored by end users. From the article: '"To the average user, the notion of non-admin is abstract and obscure," said Michael Howard, a senior security program manager in Microsoft Corp.'s security business and technology unit. "Most users just don't know they can set up least-privilege accounts in Windows today, and that's just a sad reality."'"
How about, embracing and extending good practice...
Deleted
"Most users just don't know they can set up least-privilege accounts in Windows today, and that's just a sad reality."
I wonder if this could have anything to do with the fact that the user interfaces, OS messages, and help files are not "user friendly" and written in mysterious GeekSpeak that the average user doesn't understand.
Ignorance is curable, stupid is forever.
most likely because this option breaks most applications
There's a reason why most people don't use it. Microsoft's implementation is flawed to say the least. When a user sets themselves up this way and then installs programs as an Administrator, they find that they can't run the programs completely or correctly as the lower privilege user. Some of this is due to Windows application programmers doing boneheaded things. Much of it has to do with the programming practices Microsoft has fostered - like writing to global registry keys in the Windows 95 and 98 days. Contrast this will Apple which has gotten the APIs right, put out tutorials on how to do this and most importantly made the whole process of installing as Administrator but running as a User as painless as possible.
If their software doesn't work in least priveleged mode doesn't it defeat the whole purpose of the system?
Users ignore it, because it's a horrible pain to use XP using a normal user account.
There are numerous games that cannot be installed without admin rights, and plenty who cannot even be EXECUTED without admin rights. All because the devs are lazy morons.
Same goes with numerous applications.
Not to mention the fact that in many case applications break in random ways, without actually telling why they break.
So right now if you actually want to use XP, you pretty much are stuck with admin mode (or you have way more patience than I do in using 'run as..' or switching users)
Everything you need to know http://nonadmin.editme.com/
http://www.sandstorming.com
I'm sure the default setting of creating an admin level user with no password at install time, and then having it set to automatically log them in has nothing to do with it...
I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
Could it be "the sad reality" because Windows up until XP (ignoring 2000 and NT) there was no user-priviledges differences?
Maybe MS should start educating the population and force them to create passworded least-priviledged accounts and choose a password for the administrator account when installing or booting an OEM for the first time. Maybe also the administrator should be blocked out of surfing the web and playing games so that people just don't use the admin account for everything.
As much as I'd like to use a more restrictive account on my Windows box, I find it absolutely impossible to do so with many games and various other applications.
One typical example is Dark Age of Camelot by Mythic Entertainment. The game itself is installed to a C:\Mythic\ directory usually, as well as all the profiles for every character. Even World of Warcraft is just as bad, all the profiles are stored in a subdirectory in the C:\Program Files\World of Warcraft\!
Until developers start supporting limited user accounts with their games/applications, people will just be lazy and stick to an admin account - which will always work.
One big obstacle is that too many applications I see require administrator privileges not just to install but also to run. Your end users figure that out, set themselves up as administrators, and leave it at that.
This is nothing new...
Soli Deo Gloria
Oh, I'm sorry for installing the system and using it as the default. Please continue to blame the users for paying you for a borderline operating system. It is not an education issue as much as it is a crappy software issue. You should not continue to turn a deaf ear, but I already know you will. Just send out an email that looks like a Phishing email but contains a system lockdown. That way, only the stupid people will click on it, and we can decrease the surplus population on the internet.
If so many Windows developers weren't so utterly lazy, and learned how to code an application that doesn't require administrator rights to run, things would be a lot easier. As it is, there are so many poorly-written apps out there that write to admin-only places in the registry, or dump files that need to be modified into system folders, that in a lot of large companies with a plethora of apps it's almost impossible to switch to a true LUA security model.
Of course, a lot of the blame goes to Microsoft for encouraging the idiotic "everyone's an admin!" mentality.
This is why during the set-up of Longhorn it'd be a really cool idea to create all the accounts for the welcome screen, or it's equivelent, as non-adminstrative users. In fact, it should go further than this, it shouldn't give you the option of creating an administrative account at all on this screen. The administrative user should be banned from internet access by default (with the exception of Windows Update) and if you decide to add another administrive account it should warn you profusely that this isn't a smart idea.
In .NET there are attributes that allow you to define permissions on methods. For example, if I know that my method only
ever does algebra then I can ban it from network IO, File IO etc. It'd be a good idea to make these attributes required before the source will actually compile. You could have intellisense in Visual Studio autogenerate the most restrictive settings whenever you create a new method.
Some security counter-measures can be really a pain in the ass but these couple i've mentioned here would really help bring windows security under control. Windows security is not bad, per se, it just needs more configuration than we can expect from Joe Sixpack. We need to make security easier for them and that's in everyones best interest, Microsoft included.
Simon.
"Most users just don't know they can set up least-privilege accounts in Windows today, and that's just a sad reality."
I wonder, if Michael Howard is aware, that most of windows software requires admin priviledge to be succesfully installed?
Is it somehow also users problem, not architecture problem?
Dephine URL
... I'm a true blue Windows user, but I've tried linux. Red Hat 8, to be specific. I remember the FIRST thing it told when I logged in as root, was to create a new non-power account. It even showed me how to. Whenever I wanted to change/install something, a nice prompty would come up asking for my password to give it the proper priviliges.
M$ should learn from this, and their little article there, that instead of the stupid tour that appears when you first login after a fresh install, there should be a message alerting the user to create a new account.
Let the commencement BEGINULATE!
In my experience, lots of old Windows 95/98/Me software fails to run properly without administrator rights due to nasty habits like writing lots of stuff all over the system registry and/or Windows directory. XP Home also makes the problem worse by making it very hard to set file access privileges. All in all, the problem here is that running most Windows software with lower privileges doesn't work, so nobody sets up their system with limited privileges. Also, there is too much stuff you have to do manually to switch to the right privilege level for every task that you have to understand to actually gain anything for the added complexity.
In contexts where the system administrator and user are two different people (and the system administrator is on the job), things usually work smoothly. These contexts are also those for which software is properly written; how much office software needs administrator access to run? The problem comes when you have a clueless user who is also admin for a machine; you try explaining to people why they should have to type a password (administrator password) to install something and when they should enter this password without confusing them or discouraging them from using limited privilege accounts altogether. Unfortunately, this sort of protection is almost useless if the user with the admin password is clueless.
However, I see no reason why Internet-facing software shouldn't be written to drop privileges on startup, much like a lot of suid root binaries open the files they need and then drop to normal user privilege levels. For example, preventing IE from installing or modifying stuff all over the OS would help a lot.
On Windows 2000 fresh system installation, a game title Star Wars Galactic Battlegrounds (running on Age of Empires engine), published by Microsoft executes only in administrator account, not in user. Many other games of other publishers doing cd check or strange networking too.
There you are, staring at me again.
It's a fault that non-util software also requires admin to run, but whether that's Windows' fault or the developer of the software is open to question at best. Personally I'd say that's the developer's fault. A great example of this is Quicken - I have to run from an admin account just to do my accounts? Nope, I don't blame Microsoft for that. I blame Intuit.
Cheers,
Ian
When a friend of mine got a new Windows XP (Pro, not Home) box, he asked me to help him get it set up. I told him that he should have two accounts: one admin (He has a strong password for his admin account and the username has been changed from default.) and one regular user. I explained the whole issue of how an exploited machine with the user running as admin could cause more problems than if he ran as a regular user. I cautioned him that he'd have to deal with the pain of switching between the accounts whenever he needed to do stuff that required admin rights. Since he's been trojaned before, he agreed. We also set up the Windows XP firewall for extra security since he was directonly connected to the net.
Within a month, I got a call where he said, "Dude! Can we get rid of this admin account and the goddamn firewall? Everytime I want to do anything useful, I have log into the admin account. And I'm always having to log into admin and turn the firewall off to play online games". So, I suggested that he spend the money to get an external hardware DSL/Cable router. He did, and we turned off the firewall. But he still wanted his regular user account to be admin because that's where all his data was. After arguing with him for a bit, I told him we could set it up as an admin user (he didn't want power user because we'd tried that and there were still a few programs he claimed he couldn't run even as power user. CDRWIN was one of them) but that if anything resembling the worm/trojan that hit him in Win98 happened, it would be a full reinstall. I wouldn't try to figure out what happened. He agreed. It's been a year and a half since then. He's really good about applying the latest critical updates and that hardware router has probably saved him numerous times. But I still think he's in a risky position.
Most people just don't want to have to deal with the hassle of switching between two user accounts or learning to use "runas". It will always be this way. End users need full privs on their boxes. The only way around this is to set OSes up so that each user's "desktop" is actually a full VM. Then if it gets hosed by them running as admin, the only thing that needs to be wiped is their profile and that VM's image. Much cleaner than having to do an OS reinstall or a postmortem.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
1) Windows XP has a crap default setup for user preferences; candy apple theme, "hide known file extensions", icons view, hide "my computer" etc.
Once the admin account is set, it is a PITA to do the same stuff for other accounts. XP needs a button that says "make ALL accounts use this as default" button on those settings.
2) No damn rhyme or reason behind what requires admin access and what doesn't. Sure, adding Office or Baldurs Gate should require admin, changing screen resolution? Hell no. Half the spyware normal users get uses privledge escalation holes anyway so it does not keep that crap down.
Make the stuff make sense.
Anyway, I have been told (but have not tried) that making the "temp" folder trees "Everyone" read/write explicitly, and adding each account explicitly fixes most of the "run as admin" problems. Most programs dont do much registry editing, but a lot need scratch space and if they use the temp folders, they need access to them.
DOS 3.3 was the first MS OS I understood, so much so that, when the first DOSSHELL came out, I asked why would someone need that? I jumped on the NT technology because, when it first came out, it was well documented, (vis a vis my experience) and it allowed a whole new playing field. When NT 4 came out MS moved Video and Printer drivers from User mode to kernel mode. This was, IIRC, about the time Bill Gates had his vision of the PC integrated multi media household. I believe the PC version of Windows has persued this vision of multimedia OS to the point of having become in WinXP an ugly, bloated kludge, but it does, as much as possible, deliver in an ugly way, as a backward compatible multimedia OS.
Win 2K was the last OS to maintain the promise that Win New Technology brought with it. Win XP saw the culimnation of MS' effort to integrate Win95/98/ME with some of the benefits of NT, but the end result is an all and everything everyman's stew meant to satisfy the cravings of the masses.
I run WinXP on a web box for multimedia but thanks to the lessons gleaned online (/.:) I'm moving on to a *BSD, or one of the upcoming microkernel OSes to do research.
"Academicians are more likely to share each other's toothbrush than each other's nomenclature."
Cohen
I personally use Windows (2000) for one thing and one thing only anymore: AutoCAD. You simply can NOT fully _use_ (not install) AutoCAD without admin privileges. XP or 2K. I venomously use 2000 over XP for one reason: take the _same_ hardware (P4 @ +3Ghz with 2G of memory and 256M video) and compare the two side by side: XP is noticeably slower and offers NOTHING in the way of me getting my job done, but that's of another issue.
:).
:) to Puma, Jaguar, Panther, and now Tiger.
[Yes, I do have to admit -- that for the home user all the fluff can be very useful]
"Most users just don't know they can set up least-privilege accounts in Windows today, and that's just a sad reality."
I say most users just don't know that other operating systems exist today that can easily out-perform anything Windows can offer with less setup time, daily hick-ups, and of course the BSOD still pops up every so often. That's just a sad reality.
Now imagine a world where I may _have_ to use Windows for some awful task -- a world where I have one computer (not two) with VMWare style software helping run OS.X and 2K side by side. Just image (it's coming
The sad part (with Windows bloat)? It is that I've watched old Mac hardware get FASTER with each release of OS X -- starting from the beta [Cheetah] (paid for it, disagreed, but paid
I will say -- I wish I could tell you how nicely Leopard runs on the MacTel box... Longhorn? Ha!
That site is great. It has articles on SUS/WSUS and LUA written my MVPs. They also have links to using FUS to flip between a LUA account and a DA or LA one. /If you understood what these meant, you'd stop complaining about how Windows doesn't have SU.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Close,
It's ignored because Windows was never designed with security in mind and grew to be the mess it is because that's the only way you can properly run Windows, as admin.
To come along much later and fix this, then blame the users is very poor on Microsoft's part.
I don't know the meaning of the word 'don't' - J
It's partially driven by software that won't install as a regular user (i can kinda live with that) and/or won't run as a regular user (unacceptable except for system utilities).
I can't even count right now how many clients I have running users with admin membership because of crappy software.
And the kicker is, it's not that hard a programming task to make software run in the regular user context! argh!
eric
MS - Hello intrepid user. I know I've always allowed you to run as root before but check this out! You computing experience could be filled with and endless array of confusing dialogue boxes all basically telling you you're not root.
User - That sounds like it might suck.
MS - No no no, it's great! And it's pretty hard to implement. Oh and a whole shitload of legacy apps won't even install.
User - Why would I want that?
MS - It's safer.
User - Do you still let programs run as System?
MS - Well yes.
User - Why?
MS - Symantec asked us to support the Open Source Virus Community and we are!
This
...exactly what I said in my previous post: least-priviledged admin-password-asking security systems are useless for home users. Make a user type his password n times a week and he'll type it in every single dialog window that asks for his password. Even the malicious ones.
So now you have your user enclosed inside an annoying stainless steel safe, except for the fact that it isn't safe at all, because he'll yell the door code at anyone standing outside.
Home users don't need annoying internal security. They need transparent outside access security. That's all. Give an annoying security tool to someone who is only interested in bein left alone to use his computer, and he'll break it in a minute.
Face it, people: users will always want to be in charge of their computer, to install the latest (card/3d/simulation/fishing) game, "multimedia" tutorial or whatever. So now you have two choices: 1. Give them a crippled (no admin access) computer and they'll give you the finger. 2. Give them the admin password and they'll render it useless.
And no, this is not a matter of education. Even the most experienced geek can get distracted and annoyed as hell with password prompts. Create a security system that gives you routinely security prompts and they're going to be... routine.
What we need to fix is the way computers execute applications. We need a secure list of routine applications and procedures and a secure code signing system. A system where funny-cat-game is really from a company that was previously-approved by -SOME SERVICE-. So that way we'll only have important security prompts at important situations.
No, this is not the solution for most security-related problems, but it's a rough notion of the direction we should be heading at: create a system, any system, that allows the computer to stop asking (the home user) passwords all the time.
The sad reality of the situation is it is IMPOSSIBLE to run as a non-admin and actually get anything done.
As a savvy PC user I tried to setup my XP system following best practices. Only run as admin when necessary. However, the two applications I use everyday make this impossible. Quicken and NewsBin Pro. Both of these applicatons require write access to their respective program files directories which forces you to run the application with elevated priviliges.
Until either application developers create proper software that actually obeys the security model or Microsoft enforces this policy then Windows users will always be admins.
I think you're over-simplifying this. The Windows NT kernel and core services were designed with security in mind. The real issue is that the shell, UI, and API's do a really poor job of enforcing and providing convenient access to that model. MS made a tough choice when they created they Win32 API; they kept developer compatability and convenience but made security a whole lot harder. There are too many default behaviors in Windows that are just dangerous.
Look how CreateProcess will progressively search for an executable at each space delimited chunk in an unquoted path; that makes a great trojan attack. Consider the shatter vulnerability and associated dangers that result from simple window input; that's why services have to be run on a seperate ACL'd desktop to be safe. Consider how trivially a power user can escalate to admin; look at how many apps need at least that privelege. Look how much code you have to write to set a simple multi-user DACL on an object.
The fact is that security is very hard to do properly in an MS environment, and historically MS has done a very poor job of promoting and simplifying it. I audit security software now, but when I wrote software I had a ton of homegrown libraries to handle things shouldn't have been necessary. So while I agree the tools are there, you almost have to be a security expert to use them properly.
I've had the enjoyment of learning all about LUA about two months ago. A very umm.. textbook example of a small network -- Win2k3 server, WinXP Pro clients.
.. it throws up a dialog after an admin does some changes but for a user and does not acknowledge the user's response (silently fails when writing to a system registry key). I have no idea why a user is prompted when an admin does a modification. Same thing with user defaults -- the system, even though it prompts to set a browser as default, silently fails when setting registry keys (again, not a user registry key). Apparently there is no way to adjust registry key security from a GPO or script to grant users this access (w/o going to each system manually)..
.. hehe.. that is so not even close to su/sudo -- while there appears to be lots of little workarounds (ie logging into administrative network shares of drives) its cumbersome and adds so much extra time to troubleshooting.
.. I really don't understand why users don't have their own fonts folder. I had to manually go into each computer, modify the registry to give permission to add fonts, adjust the fonts folder permissions, yada yada.. PITA. A user font folder (that follows them if roaming profiles is enabled) would have been a piece-of-cake while leaving the system font folder small and fast.
Needless to say, this was not even CLOSE to what a UNIX user account is like.
Few thoughts..
1. App compatibility - very annoying. While some apps are kind enough to out-right say they suck and are not compatible, there are LOTS of apps that fail in *silent* ways. Mostly writing to folders and registry w/o checking for access rights. There are many apps that attempt to write temporary files outside of user folders (ie the Program Files folder) or even store user prefs in the system registry.
2. Along with #1 -- there are many things INSIDE WinXP that fail. One very annoying example is msconfig
3. runas
4. Fonts
When I first installed Windows on my new system, I tried creating a seperate non-admin account that I'd use for my day-to-day computing. Shortly thereafter, I added it to the Administrators group because I just couldn't take it anymore.
Installing applications was mostly a non-issue, with Windows prompting me for my Administrator password when I tried to install something that needed Administrator permissions.
However, almost everything else was a giant pain in the ass. If I wanted to use any of the control panels, I either had to log out/log back in as Administrator, use Terminal Services to connect to localhost and log in as Administrator, create yet another shortcut to run it as Administrator, or use the runas command. None of those options are nearly as slick as Windows Installer asking me for my Administrator password. Why they couldn't use the same model is beyond me.
It's not only the control panels that I had problems with. If I wanted to use Windows Update, I had to be Administrator, and it gave me no easy way to become Administrator. If I wanted to develop and debug something in Visual Studio, I either had to be Administrator or be in the debuggers group, which essentially gives you free access to poke at the system any way you like. And of course, numerous applications and games have copy protection systems that require system drivers and services to work.
Of course, LUA doesn't do a damn thing against network-based attacks.
In the end, it's much easier to run as Administrator and drop priviledges when running certain applications.
Mod that man up.
:\
Intuit is criminal number 1 in this area (this month anyway, I have my targets change from time to time...)
Get this: The "enterprise" version of QuickBooks that will allow you to run in terminal services (gotta spend that extra cash to run the same software remotely you know!), requires that you have Power Users or Administrator priveleges.
Here's the catch however: I have a client running Small Business Server 2003, and they just went through a company restructuring where the CFO is going to be 200 miles away for the next few months, and needs to be able to hit QuickBooks from a terminal server session (yes, I know, VNC, PC Anywhere, bitmap pusher x..., work with me here though).
So, on an SBS, you can't have any trusts, no member servers (I might be wrong on that last one, apparently there'a hack that allows this, but again...), so the only server on the domain is the DC. You DC does not have "local" accounts and groups, only the AD users and groups. So a local power user doesn't exist. The only rights I can give them to be able to work is Admin.
The whole point of remote users is to.....access things remotely. You're requiring that every one of my users that wishes to use QuickBooks have Admin rights, and if they want to run in term serv, I have to allow dial in rights to that Admin account.
So I got on the phone with them. I suggested the following workaround:
"What if I just create a domain account, say ""QuickBooks User"". Set it to an obscenely secure password that no one but the admins could possibly know. Make it long, make it random, make it not-so-easy to remember. Grant that account Admin rights. Set Quickbooks to "Run As..." that user. Now Quickbooks gets the Admin privs it needs, but not the user."
After going through a supervisor, I was explained that this wouldn't work, and in fact they misconstrued it as an attempt on my part to subvert their licensing (because now I only have a single Quickbooks user, and we're supposed to pay per-seat for the license), and "Run As..." is intentionally broken to prevent this, along with the ability to run in Terminal Server if you haven't purchased the enterprise version.
Wow.
Cash more important than security.
Hey guys? What is so important at the system level that the *user* needs to make modifications to the OS? Why not store the data in the user's profile? Or in a shared directory with rights granted to the users in the "QuickBooks Users" group?
I just don't get it.
Karma: Chameleon (mostly due to the fact that you come and go).
This is how microsoft could fix this at a api level without breaking legacy code Step 1: When a non-privledged user installs a application install it the users space and create the req keys prefixed into the users area in the registry. A warning to the user when installing stating it will only be available to their account will be needed Step 2: When running a application first check the current user virtual registry then the true global registry Step 3: Add the rights necisary for accelorated video to work under the default user rights Step 4: Switch to linux/unix because they got this right 20 years ago!
"Running windows without admin rights is a nightmare."
It certainly isn't easy, unless you're willing to invest significant technical time and effort into the project -- which is, I'm sure, a big part of the reason why most people don't do it.
That being said, I'm the admin for an organization with about 60 or so Windoze stations, and I can say that it can be done for most things. It most often involves figuring out what the defective program is trying to do, and then allowing it access to just where it needs.
The two most vital tools are FileMon and RegMon, both free from SysInternals (http://www.sysinternals.com/). They monitor file system or registry accesses. In the vast majority of programs can be made to work just by applying some ACLs on program-specific registry or filesystem branches.
There's no way in hell your "typical home user" could do this, though, which is, I expect, the problem and point.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
Unfortunately, there are a bunch of applications for which this doesn't work right, including iTunes - the first piece of Apple software I've used that didn't "just work". When I installed iTunes, as root, it created an iTunes config for root, but when I logged in as myself, it created a separate iTunes config for me, and I not only had to input lots of long registration numbers again (:-), but the tunes I'd downloaded to root's account aren't accessible from my account and vice versa (or at least, it's well hidden if they are.) Very annoying.
Some things are worse about multiple users - my USB scanner gets hopelessly confused by having multiple people logged in. As far as I can tell, when I first log in as one user, its software scans the USB and finds it, and when I log in as a different user, it does the same thing, except something's locked up to the first person who logged in.
(As somebody else said about their home setup, I've got three accounts on the machine - root, my non-admin account, and my wife's account, which has admin privileges so she can install software and run picky software, and we use fast-user-switching between them.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
There's a nugget of truth to that comment, but it misses both more significant points and differences between the GNU/Linux way and the Microsoft way.
It also misses the point that you can, largely, install binary software on different GNU/Linux systems, so long as core dependencies (usually your glibc version) are satisfied. E.g.: Macromedia Flash, Opera, Oracle, Realplayer, and the like, generally under /usr/local/ or /opt/. Though honestly I have very little proprietary software on my
system.
The real reason to go within your distro's package management system for software installation is that it's easier, faster, works better, and minimizes future administration needs -- rather than managing a slew of software packages independently, you do a systemwide update. You've also got a tremendous selection of software -- 15k+ packages in the most recent Debian stable. There's rarely a compelling reason to go outside the archive, though you can and are assured the packaging system won't interfere with your locally installed selections.
The reasons this is possible are largely: sources are available for the software you're installing (most GNU/Linux software is FSF Free Software / OSI Open Source), the distro itself doesn't have a horse in the race (it's not competing with the software developers, unlike the relationship between Microsoft and its ISVs), and systemwide policies can be implemented and enforced with a very high degree of uniformity (particularly in the case of Debian-based distros). There's also three clearly independent parties involved, each with a major voice in the process: the software developer, the distro / software packager, and the users. You get the benefit of review of the application by a users (independent of both the developer and the distro/packager). Microsoft simply doesn't have this degree of remove from the system as a whole -- it's competing with both software developers and its users over features and control.
The result isn't so much that users are forced to go within their distro's package management system for software, but that they choose to do so, and that a healthy distro culture (e.g.: Debian) provides very strong incentives and feedback loops for both developers and users to gain by this.
I've explored this at somewhat greater length in an article discussing malware on Microsoft and GNU/Linux systems respectively, Spyware, Adware, Windows, GNU/Linux, and Software Culture. Manoj Srivastava has a very good Why Linux, Why Debian talk covering the issue from a few other angles (and better technical understanding of the guts of Debian).
What part of "gestalt" don't you understand?
In the UNIX world, the idea is that only the most carefully security-vetted code runs setuid, and still there are lots of local exploits that come from bugs in these programs. In the Windows world, apparently the idea is to make the least security-conscious programs setuid. Interesting philosophy. :-)
That may have been true in 1979, which, as you may be able to compute, was just a few years after UNIX was designed.
In case you aren't aware, the original UNIX HAD NO FILE SYSTEM AT ALL. It was intended to be a bunch of bytes on the system, being searching by grep and processed by tiny apps linked together with pipes!
The original UNIX was also where viruses were originally developed - because sys admins in those days didn't have to worry about them because they'd never heard of them.
None of that is true now after major redesigns - neither for security or the file system.
With Windows, it is STILL true that it was never designed for security and it STILL has little security after several major rewrites and so-called "security initiatives". And the next major rewrite will probably introduce such incredible complexity and consequently major security holes that it will be nearly unusable as anything but a standalone machine.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!