Slashdot Mirror


Windows Users Ignoring LUA Security

blankify writes "eWeek is running a story about the least-privilege, no-admin option available in Windows (2000/XP/2003) that has been mostly ignored by end users. From the article: '"To the average user, the notion of non-admin is abstract and obscure," said Michael Howard, a senior security program manager in Microsoft Corp.'s security business and technology unit. "Most users just don't know they can set up least-privilege accounts in Windows today, and that's just a sad reality."'"

13 of 522 comments

  1. It could be the default option during install by Colin+Smith · · Score: 5, Interesting

    How about, embracing and extending good practice...

    --
    Deleted
    1. Re:It could be the default option during install by BoomerSooner · · Score: 5, Insightful

      Try it yourself some time. Running Windows without admin rights is a nightmare. About 2/3 of my programs won't operate (I'm a software developer) at all. I've fixed the computers of almost everyone who knows me (I hate being free tech support but anything for a friend) and stupid programs like a damn cat breeding program this one girl had wouldn't run without admin rights (after fixing her computer 3-4 times I tried the No Admin route to no avail).

      Until programs run without being admin this whole argument is pointless.

      OS X does it perfectly.

  2. doh by Anonymous Coward · · Score: 5, Informative

    Most likely because this option breaks most applications.

    1. Re:doh by deutschemonte · · Score: 5, Insightful

      Too bad you posted as AC because that's exactly why I don't use it.

      A limited account in Linux still allows you to do most things without a hitch. Plus, when you need root access, you can do that within the logged-on account without logging off.

      I also tried setting up my SO's account as limited but she ran into problems all the time. It is hard to explain (excuse?) something as a feature when it is such a pain in the ass.

      Hopefully, they will get this one thing right in Longhorn.

      --
      The preceding message was based on actual events. Only the names, locations and events have been changed.
    2. Re:doh by blackpaw · · Score: 5, Informative

      You can start an Administrator cmd prompt in Windows without logging off:

      runas /profile /user:Administrator cmd.exe

      Or any other program can be launched.

  3. Cluelessness at Microsoft by ts0003 · · Score: 5, Informative

    There's a reason why most people don't use it. Microsoft's implementation is flawed to say the least. When a user sets themselves up this way and then installs programs as an Administrator, they find that they can't run the programs completely or correctly as the lower privilege user. Some of this is due to Windows application programmers doing boneheaded things. Much of it has to do with the programming practices Microsoft has fostered - like writing to global registry keys in the Windows 95 and 98 days. Contrast this with Apple which has gotten the APIs right, put out tutorials on how to do this and most importantly made the whole process of installing as Administrator but running as a User as painless as possible.

  4. Tell that to the developers by dduardo · · Score: 5, Insightful

    If their software doesn't work in least-privileged mode, doesn't it defeat the whole purpose of the system?

    1. Re:Tell that to the developers by value_added · · Score: 5, Informative

      Hell, tell that to Microsoft.

      Certain Programs Do Not Work Correctly If You Log On Using a Limited User Account

      Microsoft Flight Simulator 98
      Microsoft Flight Simulator 2000
      Microsoft Flight Simulator 2002 Professional
      Microsoft Flight Simulator 2004 Century of Flight
      Microsoft Train Simulator 1.x
      Microsoft Money 2000
      Microsoft Money 2001
      Microsoft Money 2002
      Microsoft Money 2003
      MSN Messenger Service

      Microsoft seems to have discovered the command-line, so maybe they'll discover the root account? Maybe they can fix their broken 'runas' soon thereafter.

  5. Non-admin Wiki! by sandstorming · · Score: 5, Informative

    Everything you need to know http://nonadmin.editme.com/

  6. Windows' fault by Dacmot · · Score: 5, Interesting

    Could it be "the sad reality" because in Windows up until XP (ignoring 2000 and NT) there were no user-privilege differences?

    Maybe MS should start educating the population and force them to create passworded least-privileged accounts and choose a password for the administrator account when installing or booting an OEM for the first time. Maybe also the administrator should be blocked out of surfing the web and playing games so that people just don't use the admin account for everything.

  7. Reminds me of Red Hat... by Mister+Impressive · · Score: 5, Informative

    ... I'm a true blue Windows user, but I've tried Linux. Red Hat 8, to be specific. I remember the FIRST thing it told me when I logged in as root was to create a new non-power account. It even showed me how to. Whenever I wanted to change/install something, a nice prompt would come up asking for my password to give it the proper privileges.

    M$ should learn from this, and their little article there, that instead of the stupid tour that appears when you first log in after a fresh install, there should be a message alerting the user to create a new account.

    --
    Let the commencement BEGINULATE!
  8. Re:I wonder why by dnoyeb · · Score: 5, Insightful

    Or the fact that 1/2 the programs only work with Admin rights.

  9. Re:I wonder why by n0-0p · · Score: 5, Insightful

    Let's not forget software just failing to work. Most third party applications simply will not run correctly in an LUA environment. Honestly, most MS software couldn't run this way before 2000. I run LUA and I have to use runas admin on far too many applications; how is that really LUA? And let's not forget that running IE with reduced rights will also cause many IE plugins and any IStream handoffs (like Media Player) to fail without explanation.

    Of course, I totally agree that they claim a lack of user awareness when it is really a lack of MS support. Microsoft has also done nothing to simplify this issue for developers. There are no simple "test and prompt for elevation" routines. It's not a general Windows logo requirement; in fact it's buried in one paragraph in the enterprise logo. And to top it all off, aside from a few proactive devs making blog entries, there's been no attempt to educate users.

    Way to go MS, blame user apathy for your own poor performance.
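
The failure mode ts0003 and n0-0p describe above (applications writing to machine-wide registry keys, and no simple test for elevation), as an added PowerShell example that is not code from the thread or from Microsoft. It reports whether the current token is an administrator, probes write access to the machine-wide and per-user hives, and stores a preference under HKCU, which a limited user can write. The `ExampleVendor\ExampleApp` key, the setting name and the sample path are hypothetical.

```powershell
# Added example, not from the thread. Key, value and path names are hypothetical.
Set-StrictMode -Version 2

function Test-IsAdministrator {
    # True when the current process token carries the built-in Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-RegistryWritable {
    param([Microsoft.Win32.RegistryKey]$Hive, [string]$SubKey)
    # Opening a key with writable = $true throws when the token lacks write
    # access; that is the error a limited user hits in apps that store
    # their settings machine-wide.
    try {
        $key = $Hive.OpenSubKey($SubKey, $true)
        if ($null -eq $key) { return $false }   # key does not exist
        $key.Close()
        return $true
    } catch [System.Security.SecurityException] {
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $false
    }
}

function Save-Setting {
    param([string]$Name, [string]$Value)
    # Per-user pattern: the user's own hive (HKCU) is writable without
    # elevation, so preferences belong here rather than under HKLM.
    $path = 'Software\ExampleVendor\ExampleApp'   # hypothetical key
    $key  = [Microsoft.Win32.Registry]::CurrentUser.CreateSubKey($path)
    try { $key.SetValue($Name, $Value) } finally { $key.Close() }
}

$hklm = [Microsoft.Win32.Registry]::LocalMachine
$hkcu = [Microsoft.Win32.Registry]::CurrentUser
"Administrator token : $(Test-IsAdministrator)"
"HKLM\SOFTWARE write : $(Test-RegistryWritable $hklm 'SOFTWARE')"
"HKCU\Software write : $(Test-RegistryWritable $hkcu 'Software')"

# Constructed sample value; succeeds for a limited user.
Save-Setting -Name 'LastOpenedFile' -Value 'C:\Users\Public\sample.txt'
```

Run from a limited account, the HKLM probe reports False while the HKCU probe and the save succeed.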