Users' Admin Logins Make Most Windows Malware Worse
nandemoari writes "A new analysis claims that over 90% of the Windows security vulnerabilities reported last year were made worse by users logged in with administrative privileges — an issue Microsoft has been hotly debating recently. According to BeyondTrust Corp., the result of the analysis of the 154 critical Microsoft vulnerabilities indicated that a full 92% could have been prevented if users were not logged into their systems with administrator status. BTC believes that restricting the number of users who can log in with these privileges will 'close the window of opportunity' for attackers. This is particularly true for users of Internet Explorer and Microsoft Office."
Would you like to install a virus? [Cancel/Allow]
From TFA:
In other words, it's a dup of the recent discussion about the Security Hole In Windows 7 UAC.
Recycle your old comments here.
Not running as a fully-privileged user reduces your security risk? Who knew!
This is not news. The question is why it hasn't been meaningfully addressed in Windows for such a long time.
To fight the war on terror, stop being afraid.
sudo apt-get with the times, microsoft!
-I only code in BASIC.-
Everyone knows from recent news that microsoft has removed the innards of windows 7 and replaced them with "gerald", a lovable computer literate field mouse.
Gerald is cheap, congenial, and zippy, but unfortunately has very poor judgment.
-my apologies to plasmacutter
Well, good thing I disabled UAC then. Now I feel safe.
If you build it, nerds will come. Soylentnews.org
Run anything internet-facing with DropMyRights.exe.
http://voices.washingtonpost.com/securityfix/2006/04/windows_users_drop_your_rights.html
The vulnerability is in Windows 7's UAC, not Vista's, so that part of the story is not only wrong but a dupe of the previous "UAC vulnerability" article. As for the rest of the story, it's just marketing copy for BeyondTrust Corp. Congratulations samzenpus, you've posted perhaps the first article that's wrong, dupe, blogspam, and slashvertisement all at the same time!
The history and culture of Windows is at least as responsible for the "run as root" problem as any shortcomings, and there were many over the years, in the OS itself. Although Windows OSes have progressively improved security over the years, there is only so much to be done, on any system, when users have been trained to run as root and click "yes" every time. Of course, malicious programs like downadup and the infamous ClickYesToContinue ActiveX certificate debacle don't help matters.
facepalm.jpg
Idiotic title aside, UAC normalizes the experience for Administrator and for Standard User. With UAC, it's easier than it has ever been before to be a standard user on a Windows platform. I'm not sure what the article is driving at.
Having no open ports.
Having a reliable software repository.
Sanitizing your inputs.
The question is why it hasn't been meaningfully addressed in Windows for such a long time.
I can agree with that if by "for such a long time" you mean since before Microsoft was a company. They've ignored security best practice for their entire history. It's been a winning strategy before now. Why change?
Help stamp out iliturcy.
Two vulnerabilities were found in the beta OS Windows 7, neither of which were present in Windows Vista. One of those vulnerabilities has been remedied in more recent builds.
Unfortunately, the ComputerWorld source for the linked article is no better than what's presented here. How does this rubbish get published?
Why don't they just add a little code to IE and Office and maybe other Microsoft products that checks for admin privileges and, if somebody is logged in with an admin-privileged account, refuses to run and pops up a little message explaining why they should not use a privileged account for day-to-day stuff?
And maybe provide some easy-to-use graphical sudo-type tool for when they have to do something admin-like. Maybe even set it up so it virus scans the file before running it as admin, and possibly even a regularly updated blacklist of programs known to be unsafe (though I don't trust Microsoft not to abuse that).
What's really annoying is that too many programs still insist on "administrator" privileges for installation. Installation needs to be a far more contained process, with limited authority. Most applications don't really need the ability to manipulate elements of the system outside their own directory subtree and their own subtree of the Registry. Installation of "normal" applications (especially games) should be contained accordingly. Most applications are, in a security sense, "leaf nodes"; nothing else depends on them. But Microsoft doesn't make that distinction. (Nor do most Linux application installers, even though Linux/UNIX doesn't have the registry issues that Windows does.)
What they need to do is limit all users to not be administrators. They should create the admin account so that it can ONLY do admin tasks. It cannot run programs like office or games. It can only run security and diagnostic apps, adding-remove apps. If they restricted admin users from using their account for daily use and only for admin use, that would significantly reduce the attack surface for crackers.
I am sure this is not news to anyone whether you love or hate Microsoft. The fact is the coding practices commonly followed under DOS and then under Windows have been rather poor. The reasons for it are many, but largely because of a thirst for performance. But in order to keep people hooked on Windows, they have to keep supporting the mistakes of others as well as their own. This is what they call "backward compatibility."
But there is a way out of it and for some reason they seem unwilling to do it. Write a new OS, virtualize old Windows for "legacy support" and eventually all the software vendors will port their code to work with the new Microsoft OS natively just as they did with Mac OS X. I can't imagine why Microsoft is unwilling to do that... got any suggestions anyone?
Lame blogs aside, The Fucking Article is damn near worthless. Highlights include:
In conclusion: Running everything with admin privileges is bad, which is why Microsoft fixed this 2 years ago with UAC. It's a lame PR piece about an equally lame study from a company that wants to sell you stuff to do things that MS did years ago. If you are here reading Slashdot, there's nothing here you didn't already know.
Am I the only one who finds it odd that the Slashdot RSS headline for this is "UAC Vulnerability Found In Windows Vista" while the actual article headline is "Users' Admin Logins Make Most Windows Malware Worse" ?
What you suggest is either impossible, extremely undesirable, or both, assuming that by "they" you mean Microsoft.
For them to prevent certain classes of applications from running, without special knowledge, would require a kind of analysis similar in nature to solving the halting problem - a problem well known to be unsolvable.
Then the course of action is to require applications requiring root privileges to be signed by Microsoft, essentially making Windows a closed platform for developers. Furthermore, any applications they sign would have to be bullet-proof, getting back to the halting problem.
Insert self-referential sig here.
if users were not allowed to log on to their computers at all. I've got a better idea, Microsoft: Why don't you fix your crappy insecure software full of C++ holes, and stop trying to tell us how to use our computers to patch over your problems.
Even admin level in Windows doesn't have the power that I need. This is why I only use Windows for taking notes (increased battery life and better tablet support) and a few CAD programs. For everything else I switched to Linux because my computer trusts me, sorta ("sudo"), but at least I don't get a million and one messages about "are you sure?" or "this option only for advanced users". I should be allowed to install a program I wrote without being hassled for an hour about safety and all that crap.
Just look at a windows system:
- Random dlls, configs, assets and exes in WINDOWS dir.
- dlls, data, configs and exes in Program Files.
- Some data and configs in Documents and Settings.
- Registry.
There's no getting past the single user heritage.
POKE 36879,8
Problem is that they assume that when the security bulletin says that successful exploitation will allow the attacker to run as the current user, this does not mean that the attacker will be able to run as admin, even though the user is an admin.
Indeed (with UAC on) IE7 runs in protected mode which is a "sandbox" where the users' security tokens have very limited rights, thus intrinsically protecting the OS.
The Vista protected mode effectively runs the process as a limited user, even though it preserves the users identity.
Even if the attacker can somehow trick the browser or user into downloading a malicious file and start it, it will still need elevation (yes, the cancel/allow thingy) to assert admin privileges.
So, another way to spin this would be "Vista UAC protects against exploitation of 92% of vulnerabilities".
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
It would require far more re-writing of the Windows OS than anyone is willing to do. But at least a thin layer of abstraction between standard users and administrators on Windows machines is essential. The people who know what they are doing can know how to turn it off, and everyone else needs to be logged in as a regular user. Typing your password in when you install something is not the worst thing in the world. The amount of things you're going to need to type in reconfiguring your computer once you have to reformat it is going to be much worse.
I swear those guys are like that guy who just installed Linux, runs it as root all the time because he "knows what (he's) doing" and enables telnet and hands out logins to all his friends. Except that guy learns after the first or second time his system gets rooted that maybe he should stop being such a goddamn jackass and run his system the right way from now on. Microsoft never got past the jackass phase. They keep implementing half-assed fixes because they think they can do it better. You'd think 30 years of failure would convince them otherwise...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Problem Exist Between Redmond And Press. Sometimes is not user fault.
They're paid off by the Anti-Virus companies. If not for administrative login, who would buy their crap?
This isn't Windows' fault. A user with root privileges on a Linux can be just as dangerous as a Windows user with the admin privileges.
Of course, the difference is that Windows is not usable for anything non-trivial without admin rights. Linux is.
A Mac fan extolling the merits of the command line.
It's going to take some time to get used to. Forgive me.
Help stamp out iliturcy.
Comment removed based on user account deletion
But Valve will go after you for trying.
My question:
Customer 06/11/2006 04:15 AM
I am not willing to play (and let other people play) HL2 using the Admin account on my computer because of the obvious security implications (I don't want my computer infested with malware).
Is there any way to run it without admin privileges? I installed it using admin privileges and went back to my unprivileged account but turns out it needs to write data to the install folder (bad programmer - no donut for you).
Which are the files STEAM tries to write to in the install folder?
If it turns out to be too complicated I'll just download the no-steam version with BitTorrent ;-).
Their response:
Response (Josh) 06/13/2006 01:34 PM
Thiago, It cannot be run without admin privileges. I know you were probably joking, but I would also encourage you to avoid any product that claims to get around Steam. We take cheating and hacking very seriously.
suits make purchase decisions.
end users make no decisions - purchase or whatever.
"Where's my Word?"
And those people keep buying without asking.
Hail the free market economy!
I sent them back to the company that develops the software to fix it.
I would do the same if I was working with Windows.
I know not everybody can do this, but tech heads working in big companies have a moral duty to force manufacturers to change their insecure ways.
IANAL but write like a drunk one.
About the position of Vice President of the US: "It's indoor work with no heavy lifting."
Help stamp out iliturcy.
"Users' Use of Windows Makes Most Windows Malware Worse"
Good thing I'm on Ubuntu, which asks for the admin password once, and then silently accepts any "sudo" command sent to it- So I'm safe!
-- 'The' Lord and Master Bitman On High, Master Of All
I second this line of thinking
of road warriors, bluetooth, pirate WAPs, Promiscuous mode, and a lot of other modern technologies. Your network is not the hallowed ground you think it is.
The only trusted host on the network is a Known Host with a secure connection. Ever and always. There is no excuse for having open ports ever, let alone by default on a desktop, unless you intend to deliver a service on that port to untrusted strangers.
This has been common knowledge and best practice for at least 15 years.
Help stamp out iliturcy.
I agree with the last part of that statement about windows.
It's a combination of ignorant users and ignorant IT people. I've never seen a single IT person use "runas" (impersonation), ACLs on the Windows file system or registry, or, and this is the damning one, a command line utility that allows you to selectively strip administrative rights on applications as you use them that's been on Microsoft's site for years (after I pointed it out to them).
There was a reason once upon a time Microsoft chose to release Windows XP in such a way as to have users running with administrative rights. A reason that is extremely weak now - many people were upgrading to Windows XP from Windows 9x/ME and Microsoft didn't want to incur the support cost (or their partners) of having lots of applications stop working. Among them is the popular WinAmp. It used ancient APIs for its configuration file, WINAMP.INI, that stored global preferential data (as opposed to per user) in C:\WINDOWS\WINAMP.INI. If you didn't have administrative rights, it would just hang when you fired it up. Google Desktop when first released would *NOT* work on a non-administrative desktop. The list of offending applications goes on and on, e.g., a friend of mine had oceanic navigation software that insisted running with admin rights.
However, it turns out there is a programmatic mechanism in place in every copy of Windows XP (and Windows 2000) that allows you to strip administrative rights when you launch a process. Microsoft never exposed users to this ability for reasons that to this day are unclear to me. The magic API in question is CreateRestrictedToken.
But what really was an eye opener to me is when I would point out a tool on Microsoft's site to strip out administrative rights when you run a program. Namely, years ago you could have made the situation tenable in the case of apps like WinAmp and Google Desktop by yes, logging onto your desktop as an administrator but launching most Internet facing application without administrative rights but here's the clincher *AND NOT CHANGING USERS*. In fact, I've been doing this for years.
Nonetheless I observed an incredible amount of laziness on IT professionals when I pointed out these capabilities. Laziness, apathy and the usual suspect of insecurity ("Don't tell me what to do, I know what I'm doing"). Yes, that's right, you manage a CISCO PIX firewall, you must be a security guru all around and follow best practices.
So given my former life as a Windows software developer I took it upon myself to create a turn key installer that at least protects Jane & Joe Average called *RemoveAdmin*:
http://www.download.com/RemoveAdmin/3000-2381_4-10824971.html?tag=lst-1&cdlPid=10835515
RemoveAdmin is a utility to strip administrative rights off apps as they're launched under Windows XP and Windows 2000 where unfortunately 99.9% of home users run with administrative rights.
The default RemoveAdmin installer creates shortcuts for IE and Firefox but if you analyze the shortcut, you see IE and Firefox are passed as an argument to the removeAdmin.exe program.
You can trivially setup another shortcut for Opera and/or any other Internet facing application... as you should since you can't trust foreign computer systems you connect to.
It's version 0.1 since I haven't created a FAQ and there's the situation that if you have multiple administrative SIDs it won't work (not the case for most people). I need to fix that, create a FAQ and also offer to adjust the ACLs on the Startup folder to tighten security such that when combined with RemoveAdmin, breaching your system on account of your browsing becomes crazy hard.
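A way to check that a launcher built on CreateRestrictedToken (DropMyRights, RemoveAdmin) really stripped the Administrators group: a SID disabled through that API shows up in the token as deny-only. This is an added example, not code from the comment above or from RemoveAdmin; the function name and the sample lines are constructed, and it assumes the English attribute text of `whoami /groups`.

```powershell
# Added example, not code from the thread or from RemoveAdmin.
# Classifies a process token from `whoami /groups /fo csv /nh` output.
# Assumption: English-language whoami attribute text.
function Get-AdminTokenState {
    param([string[]]$CsvLines)

    $rows = $CsvLines | Where-Object { $_.Trim() } |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    $admin = $rows | Where-Object { $_.Sid -eq 'S-1-5-32-544' } |
        Select-Object -First 1
    # Integrity labels (Vista and later) use the S-1-16-<level> SID family.
    $label = $rows | Where-Object { $_.Sid -like 'S-1-16-*' } |
        Select-Object -First 1

    $adminState = if (-not $admin) {
        'Absent'      # the account is not a member of Administrators
    } elseif ($admin.Attributes -match 'deny only') {
        'DenyOnly'    # stripped: the SID only matches deny ACEs
    } else {
        'Enabled'     # full administrative token
    }

    $levels = @{ '4096' = 'Low'; '8192' = 'Medium'; '12288' = 'High'; '16384' = 'System' }
    $integrity = 'None'   # no label row, e.g. on Windows XP
    if ($label) {
        $rid = $label.Sid.Split('-')[-1]
        if ($levels.ContainsKey($rid)) { $integrity = $levels[$rid] }
    }

    [pscustomobject]@{ Administrators = $adminState; Integrity = $integrity }
}

# Constructed sample: admin account, rights stripped at launch.
$stripped = @'
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192",""
'@ -split "`r?`n"

# Constructed sample: same account running with its full token.
$full = @'
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"
"Mandatory Label\High Mandatory Level","Label","S-1-16-12288",""
'@ -split "`r?`n"

Get-AdminTokenState $stripped
Get-AdminTokenState $full

# Live check, run from a shell started through the launcher under test:
# Get-AdminTokenState (whoami /groups /fo csv /nh)
```

A browser shortcut that goes through the launcher should report `DenyOnly`; `Enabled` means the process still holds the full administrative token.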
I explain to my Windows XP loving brother that if he can install software and make system wide changes without entering an admin/root password then malware can too, he just looks at me with that deer in the headlights look in his eyes...
Politics is Treachery, Religion is Brainwashing
My parents inherited one of my old PC's some years back. A 800mhz machine, with 128mb ram.
I installed Win2000 and haven't updated the operating system since. It has never been owned (At least, as far as I know) - I've checked several times.
How to:
- They do not have an admin account
- There's a router between their PC and the internet. NAT enabled, no explicit forwards.
- Antivirus software that updates itself
- FireFox and Thunderbird which update themselves.
Fortunately, they do not need Flash so that's not installed.
The app on the other side of em won't give attackers the time of day.
I have to admit I didn't see this the first time and now I have to post again. Application level security is the functional equivalent of no security at all. It's industrial grade stupid. 'Fess up: you work for Microsoft, don't you?
Help stamp out iliturcy.
As well as that, how about setting the default admin account so you have no sounds, no desktop wallpaper, no animated cursors - none of the flashy crap that users seem intent on encumbering themselves with. You want the bling == run as a limited user.
However this would require limiting the capabilities of the Admin account, and this is something I'm not entirely happy with (as, admin *should* be equivalent to god mode).
All this talk of pushing further changes in Windows to enforce best practice on a bunch of programmers who have been doing things the same way for over a decade, just to allow a demographic of users known for not being able to handle a computer intelligently to handle their computers intelligently, all to stop malware after it has already successfully started executing on the target system, is very nice and all, but personally I just tell people to use FF and install antivirus and a decent firewall.
I mean, it would be nice if Windows was Linux, but since it's not, I just choose to go with what works on Windows, rather than shoehorning in something that works on Linux.
Our user population is split about 50/50 between desktops and laptops. Most laptop users have blagged admin rights at some point because they need to add printers, sometimes change LAN settings, install applications to hide their porn surfing, that sort of thing. Our desktop users are in a fully managed environment, and do not have admin rights.
We need to spend virtually zero time with malware problems on desktop machines. Any infections are generally minor and easy to fix. Laptops.. well, they are a complete nightmare of rootkits and stuff buried so deeply that we have to nuke the machine from orbit to clean it up.
The REALLY fun part is logging onto an infected machine with DOMAIN ADMIN rights... if it's a sophisticated bit of malware.. well.. Armageddon basically..
Never email donotemail@WeAreSpammers.com
Microsoft's biggest market advantage is the amount of legacy software that supports their platform.
Microsoft's biggest problem, which I noted before Vista was even released, is that we're well invested in third party software and we've figured out how to play well with their previous platform over six long years. Our nest is well feathered. It's comfy and we don't want to leave it. Especially for a cold new future where we have to buy everything and figure everything out all over again. If we have to do that, why stick with the vendor that guarantees we'll feel this pain again in a little while?
The problem, two years later is even deeper because nobody in their right mind bought into this dog, and so they've been burrowing deeper into their XP cave this whole time.
It's probably too late now to save the Microsoft platform. It's been eight years since the 25 October 2001 release of XP. They have before them the task of creating something that's sufficiently similar to save their "Microsoft brand", sufficiently different from their "Vista debacle", and competitive against a swelling sea of free options. It's a lost cause. "If we have to change to something that radically different, and buy/engineer all our software over again, why not get Macs, or try this 'free' thing?"
Help stamp out iliturcy.
I never thought of that. Windows is such a pain to use at all without the admin access that most people just shrug, set themselves up as a Power User just so they can use the damn thing.
But when you think about it, in the *nix community running as standard users is a staple...the norm if you will of computer operation. If you're logged on as "Bob" and you need the Admin-level access (install something, access a file that is not owned by your account, etc) you fire up "sudo" or a terminal window and SU it for a while.
If it's a nice graphical interface in either usage or installation...it'll even pop up and say "I'm sorry, you need admin access. Do you have the password?" And if you do then it'll just shrug and bloody well go and do it.
This is something that needs to be put in future versions of Windows. That and stop requiring The Sims 2 to have administrator access just so you can play paper dolls.
Phoenix
-- Wiccan Army, 13th Airborne Division "We will not fly silently into the night"
DropMyRights is one of two tools you can get off Microsoft's site to remove administrative rights when launching applications.
However, the biggest problem with both is that they are command line tools and your average Windows user knows jack about the Windows command line. Yes, this is /. but think of your Aunt Alice, Uncle Joe, Cousin Bob - "command line" is a quick way to immediately lose an average user.
What's more, getting people to actually read the Washingtonpost article and implement what it is saying is like pulling teeth. My experience is, it just doesn't happen. Even with IT people.
Secondly, DropMyRights is linked to the Win32 console runtime which causes a momentary flash as an application is launched (Windows displays a console window momentarily). It's very minor given the gains (in the case of DropMyRights) but average people have creative imaginations and they might dismiss a tool for the most *trivial reason* if their experience changes.
For all these reasons I wrote a small utility RemoveAdmin that does the same thing:
http://www.download.com/RemoveAdmin/3000-2381_4-10824971.html?tag=lst-1&cdlPid=10835515
EXCEPT my installer creates shortcuts for IE & FireFox - turnkey solution is critical here, you have to break down the typical resistances with average users. The installer labels the shortcuts "SecureIE" and "SecureFirefox".
In addition removeAdmin.exe isn't linked to the Win32 console runtime so you don't see a flash as an application is launched.
-M
Congratulations samzenpus, you've posted perhaps the first article that's wrong, dupe, blogspam, and slashvertisement all at the same time!
So does he win an internet?
... users logged in with administrative privileges — an issue Microsoft has been hotly debating recently.
... but which has been a non-issue in other OSs for years.
The Unix system of logging in as two different users is just as stupid as the popup dialogs that Vista does.
The real question is, why does application security context inherit from user security context?
My user is obviously an administrator of my own PC, but does every single .EXE file I run from my harddisk (or the Internet) really need to inherit those rights?
I think not, and that's what really needs to be fixed.
"Good God! I've been sayin' it. I've been sayin' it for ten damn years. Ain't I been sayin' it, Miguel? Yeah, I've been sayin' it."
The thing that bugs me is that the software makers don't state what parts of the registry are needed so you can't apply special rights (Office can be a royal pain in the ass).
It all works well if you know what keys to grant permission to in the HKEY_LOCAL_SOFTWARE branch.
Did you setup the "MOM" account FIRST, before installing software as admin?
A last resort would be to put "mom" in power user group but that kind of defeats the security issue being discussed here.
MS is to blame to allow this for far too long.
Yup, absolutely.
Users are to blame to put up with it and accept that they're "forced" to use admin privs to run programs.
Ah, woah, hold up a bit. "Users" are to blame? Perhaps all of YOUR "users" have MCSEs, but MY users don't have a damn clue (nor do they want one) about what they're "forced" to run as on their desktops. They just want it to work. PERIOD. And if it doesn't, then IT needs to make it work. PERIOD.
And most of all, programmers are to blame that took the easy way out and ignore rights. No, they needn't be able to foresee it (even though they should have). But since the practice still prevails (run a copy protected game without admin rights, see if you succeed), the blame is squarely on third party software. Not MS this time.
I hate to say it, and I know it's unpopular on /. to "defend" them. But it's not MS that has dropped this ball.
Ah, let me just say that if 95% of other distros outside of Redmond can manage to perform common tasks (like run their own damn office software) without the use of elevated rights, then I believe we can re-focus the blame on where it starts and ends, with the "Programmers" in Redmond, who also can't manage to let go of ensuring that we have Win 9x compatibility mode here in 2009.
Of course, you would think THEY would get a clue, when the internal IT staff is running around Redmond "fixing" their "users" problems. Ever wonder what rights Ballmer's executive assistant has on their desktop/laptop? Or how about Ballmer himself? Willing to bet it's more than just "User"?
Did you setup the "MOM" account FIRST, before installing software as admin?
Eh???? Why would you have to install software second? At some point, you will want to add other users. Will they not be able to access the software?
I prefer the "u" in honour as it seems to be missing these days.
I wonder how much money they wasted on an analysis like this? Wow, I had no idea that if I log into a Windows box with full rights, that any software that runs under my account will have... full rights to the system?!
Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
I can't afford to run your candy-ass operating system in eunuch-mode. It's my goddamn machine and I refuse to ask permission to use my machine for the very purpose for which it was intended.
Bring back DOS 5, it was the last OS Windows ever made that was worth a damn.
I piss off bigots.
The reason why Windows is such a pain in the ass is because Windows was never designed for this.
Let's say I install OSX. The OSX app is self-contained, which means that it does not need anything outside of its circle.
Let's say that I install on Linux. The Linux app can either be installed locally per the user or for everybody. But it is a clear cut case.
Windows? WTF... I need to access the registry, the windows system directory, the program files directory, and the local user directory. It is a bleeding mess!
Microsoft to this day does not understand that the issue is the fact that they have not revamped the complete installation process. There is absolutely no need for Office, or any other application to need anything other than the system files if it is running in "install to user" mode.
This is the problem, and until Microsoft understands that nothing will change.
"You can't make a race horse of a pig"
"No," said Samuel, "but you can make very fast pig"
I personally think that, although the intentions were good, the result is far from optimal.
Vista doesn't virtualize, abstract and sandbox enough functions.
Thus there are still lots of programs which shouldn't need administrative privileges, but none the less still call privileged functions, Vista doesn't manage to let them think they got them by putting these programs into a sandbox, and has to ask for a full privilege escalation in a sudo-like box.
Also, Vista still carries over a lot of stupid idiosyncrasies from earlier "everyone-is-admin" OSes. Other OSes make a clear distinction between preferences (user settings) and configuration (system-wide settings). In addition, all configuration is usually concentrated in a single application: openSUSE has YaST, Mandriva Linux has drakconf, etc. (and MacOS X has a system panel, I think?). When the user has to do some administration, the user launches the configuration application, sudo-switches privilege, does the necessary administration and leaves the application.
Meanwhile in Windows, lots of administrative tasks, instead of being clustered in a single place, are scattered across several places (you often have to "right-click" -> "properties").
In addition to that, sometimes administrative tasks are intermixed with regular ones in a completely asinine way. The worst example has been the quick access to the calendar in Windows up to XP: the same dialog brings a calendar *AND* the configuration to the system clock. By locking a user-only account in XP the user suddenly can't get a calendar by clicking on the clock in the task bar.
Meanwhile, in linux, the clock in taskbars usually only bring a calendar, and the system-wide clock is set from the configuration tool.
Last but not least, sometimes several rounds of boxes show up for a single task.
Want to install an application you downloaded ?
You're going to have :
- one box saying that you're opening something you downloaded over the internet
- one box saying that the installer wasn't signed by microsoft
- one box saying that an installer needs administrative privileges.
All these things (insufficient sand-boxing, configuration tools spread all over, etc.) lead to the constant flow of "Allow or deny?" UAC boxes that power users hate and Mac ads make fun of.
And such repeated flow leads to lower efficiency, as power users tend to disable UAC and average users get used to automatically OK-click everything.
The UAC idea is good, but Microsoft should really polish the thing before releasing Windows 7 to make it more efficient.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Running as non-admin is easy, runas (which is only a right-click away) is very easy to use and works well 99% of the time. The annoying thing is remembering to right-click the msi/exe to use runas :) Do you need AV? IE is how BHOs like vundo get in to your PC, ActiveX is also a nightmare... I've been saying this for years! I have 5000+ users that we no longer install AV directly on their PCs, and we pass our PCI/DSS and SOX audits every year. There is no excuse for M$ to put users into Admin by default. Windows 7 however it does... the local admin account is disabled... but so what! It's idiotic, lock the administrator, but place a new user into admin group by default.
-rich
ClearSite
Many of MS's own products do not work properly if you are not administrator. I tried this last with Win XP and Office 2003 and had all kinds of issues. MS (!!) Office itself ended up not working properly. This was two years ago so I don't recall the specific errors I encountered. I still have to work with the same software so no further try to do this.
Stop putting a bloody silly dialog that says "Do you want to run this as an administrator? Yes/No", do what every other sensible O/S does, ALWAYS, ALWAYS make it slightly difficult to get to admin and ALWAYS, ALWAYS ask for some kind of verification.
Common sense, but when has common-sense ever been part of most company projects!
The title to this story on the front page is not the same title as the actual slasharticle when you click on the Read More? I'm not sure what title fits the story right.
That which does not kill me only postpones the inevitable.
Windows lacks a really clear separation between what is in the realm of the user and what is in the realm of the administrator. This is the real root of the problem.
Unix based systems started out as multi-user timesharing systems. From day one you owned exactly one set of filesystem resources, your home directory, and nothing else. An admin CAN create other shared directories, but there is a clear boundary between user and admin. ALL developers know this, it is very clear. Any administrator knows this, they can count on it, it is a very simple rule to understand "home directory belong to user, not home directory not belong to user".
The real problem with windows is who knows who the heck is supposed to own what? User related 'stuff' is scattered willy nilly all over the hard drive, and what and where it is varies with wild abandon between different versions of windows. There is simply no clear cut rule, and thus developers aren't really encouraged to understand the separation because it isn't simple or straightforward. Instead it is complex and you need to know different rules for different versions of windows.
Now in theory maybe this shouldn't be a problem. In theory your developers can go hunt up what the rules are in some knowledge base somewhere. In theory. In practice they are paid to get the product out the door. In practice they don't have a whole lot of extra time to waste on dealing with MS inept handling of the whole issue. In reality they just elevate the privs of their installer and get on with their real jobs.
"Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
The title is misleading - the bug they are later referring to is present in the Beta of Windows 7 and is not present in Vista - the fact that UAC came with Vista does not make this a 'UAC Vulnerability in Vista' - UAC in Vista is working as it should.
Next, I believe this bug will get fixed - because if they choose not to fix it then that means they are moving back to the Windows 95 security model, which is kinda illogical.
So unless they find a bug in Vista's UAC, this is a non-issue for Vista users as, while the admin account is still the default option, programs are started in 'Medium IL' mode with the same privileges as they would get under a non-admin account.
The Windows Security Epidemic: Don't Run as an Administrator:
http://www.codinghorror.com/blog/archives/000888.html
How to Clean Up a Windows Spyware Infestation:
http://www.codinghorror.com/blog/archives/000891.html
The real problem is that running a Windows system without admin privileges sucks really hard. Only a non-power user can stand it (i.e. your parents).
It is remarkable that not a single post in this thread has been modded below +4. Really all of them are that interesting, or is it rather that /.ers find this issue particularly Interesting, Insightful and Funny?
Do user accounts need to be Admin accounts in order to join a domain? That's the way it was done in NT, but has it changed? I always thought it was a mistake moving users into admin accounts.
Employee Of the Month - Cyberdyne Systems Corporation - September 1997
Why do I have to reboot after installing a PDF reader? Remember that this is Windows we're talking about. Each computer is an island unto itself, to be conquered and subjugated by each software package installed.
I'm a longtime software engineer, I've used UNIX and Linux professionally...and I still run Windows as an admin, all the time.
Why? For starters, vim--yes, vim, the open source editor with roots in secure operating systems--writes to its own folder in Program Files, which is a huge no-no. I can get around this by installing vim to its own special folder, like c:\vim, but it's a symptom of the overall problem. While most new commercial applications do things right, older apps don't, and there's a real issue with free software not handling things correctly. The proper way to handle this is to figure out what software works correctly and what doesn't (which isn't always easy, because some programs only do bad things in particular cases, and it may take months to realize this), and keeping the bad ones out of Program Files.
The problem with your post is your assumption that the design of Windows makes sense, versus being organically tacked-on after the initial mistakes. Don't worry, it's a common misconception.
My blog. Good stuff (when I remember to update it). Read it.
What if Microsoft made you put in an admin password on startup, but made your default account a limited user? And since, on home OEM systems, they usually log you in automatically, why not require something like F8 safe mode to log in as admin?
That way, people would still be able to log in as admin if necessary, but it would provide a decent idiot filter. When you temporarily need admin, like when you're installing a new program, just pop up a dialog and let them put in the password once. Yeah, I know, but at least Vista does the fade thing when this would happen.
Sure, this might make things more difficult for a while, before people get used to it. But anyone who's ever tried to image a Windows install knows that Microsoft has no problem making things unnecessarily difficult when they want to. I've heard this is better with Vista, but have not had to image it yet.
Billy Brown rides on. Yolanda Green bypasses Gary White.
UAC elevates a single program to root, not the user. If you allowed a grace period, what would be elevated during the allotted time? The program? A command shell? The user's shell (i.e. the desktop and everything running in it)?
Seems to me if UAC elevates any more than the single program that asked to be elevated, you'll make the system significantly less secure. I really don't understand how a grace period would work.
That there are:
1) A lot of people who've never used Vista seem to have strong opinions about its workings.
2) The very same people seem to think they know what UAC actually does.
3) They are wrong.
UAC = "sudo [program name]"
That is all it is. No more, no less. No magic heuristics--the program has to request elevation, Vista doesn't just wait for the program to write to a non-authorized area (unless it is an old-school setup program written in the dark ages, in which case Vista *does* guess about the need to elevate the installer).
If you're in the trenches, you already know that a lot of software is figuring out how to run on machines that are locked down and where the user is restricted.
For example, WebEx and GotoPC which allow for file transfer, remote control. These both work just fine behind a restrictive firewall and on a user with just "user" rights, on a PC with extra restrictive ACLs applied to it (not everyone full access to c:\ and flow down.) Users have full rights to most of HKCU and %userprofile%, so you drop the virus somewhere in there and launch it through RUN in the registry.
A few of the virus writers have figured this out. We see this type of activity on locked down KIOSKs running XP.
So while it's nice to say that if most users didn't have admin rights, these viruses would be stopped, the truth is that if most users didn't have admin rights these viruses would be written differently. They would sit there in IRC awaiting a 0 day exploit and grab "root" eventually.
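A defender's check for the pattern the comment above describes, as an added example that is not part of the original comment: it flags per-user Run entries whose command points into the user's own profile. The entries, the `alice` profile and the function names are constructed for illustration.

```python
import ntpath
import re

# Constructed environment of the account under review (assumption).
ENV = {
    "USERPROFILE": r"C:\Users\alice",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}

RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of (key, value name, command) rows exported from a host.
SAMPLE = [
    (RUN, "Updater", r'"C:\Program Files\Vendor\updater.exe" /silent'),
    (RUN, "svchost", r"%APPDATA%\svchost.exe"),
    (RUN, "Helper", r'rundll32.exe "C:\Users\Alice\AppData\Local\Temp\h.dll",Start'),
    (RUN, "Sync", r"C:\Program Files\..\Users\alice\sync.exe -q"),
    (RUN, "Other", r"C:\Users\alice2\tool.exe"),
]


def expand(cmd, env=ENV):
    """Expand %VAR% references as Windows would for an expandable value."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), cmd)


def candidate_paths(cmd):
    """Yield path-like pieces: quoted strings, bare tokens, and the whole
    line when unquoted (covers unquoted paths that contain spaces)."""
    expanded = expand(cmd)
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', expanded):
        yield quoted or bare
    if not expanded.lstrip().startswith('"'):
        yield expanded.strip()


def under(path, root):
    """Case-insensitive containment test after collapsing '..' segments."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r + "\\")


def triage(entries, profile=ENV["USERPROFILE"]):
    """Return (key, name, matching piece) for entries that launch something
    from a location the unprivileged user can write to."""
    findings = []
    for key, name, cmd in entries:
        hits = [p for p in candidate_paths(cmd) if under(p, profile)]
        if hits:
            findings.append((key, name, hits[0]))
    return findings


if __name__ == "__main__":
    for key, name, hit in triage(SAMPLE):
        print(f"REVIEW {key} [{name}] -> {hit}")
```

A hit is a prompt for review, not a verdict: per-user installers legitimately register entries under the profile as well.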
I know I'm late to the party, but I have a question about games that use admin accounts.
First of all, I haven't played Windows games for years, since I've been using a Mac as my primary system since 2005.
My question is this: Is there anything that prevents you from disconnecting from the internet while playing games that require admin rights? I heard Half-Life 2 requires you to be online for DRM authentication, but I don't know about other games.
If these admin-rights requiring games require you to be online while playing, then the tech media need to come down *hard* on these game development shops. By requiring admin rights *and* an internet connection, then they are grossly irresponsible as they're effectively encouraging the continuation of an insecure internet.
This space left intentionally blank.
I mean really. I know you all like to bash Microsoft around here, but is this comment really insightful?
The future is 2 years old! What the fuck do you think UAC is?
The point is that users may demand that proper security rules are followed, but they can only do so much.
Developers can do a lot more, but still don't have total control over the operating system itself - and obviously shouldn't either.
Microsoft on the other hand have total control over their OS and are in the best position to enforce things like this. They just seem rather reticent about doing it, and when they do they do it in an inelegant way like with UAC.
They should have had a plan like this and have been drilling better practices into developers for a very long time. Instead what they have done in the past is bend over backwards to keep old and bad apps running. And now it is biting them on the ass.
It all works well if you know what keys to grant permission to in the HKEY_LOCAL_SOFTWARE branch.
Windows is easier than all that other stuff, really it is... [/sarcasm]
A Pirate and a Puritan look the same on a balance sheet.
Let's see, if I had to choose between my OS being obliterated and my files (accessible with user level privileges) being stolen or mangled into oblivion I would pick the OS every time.
I don't give a flying rat's ass about the OS. I only care about my data which makes UAC and this whole argument pointless. UAC and non privileged accounts does *NOT* protect *YOU* it protects your computer's installation of the operating system.
Sage advice in all server environments, absolute nonsense for personal machines.
I find this interesting because I reinstalled my XP workstation only last week after several years and took the opportunity to start running in least privilege mode. It is quite apparent how much software there is that still does not function well using a non-admin account. A lot of my software I have converted to portable versions using thinapp which should prevent registry bloat, and allow me to take them with me on another device and keep all my settings.
Mod. Parent. Redundant.
I bought the DVD. I installed it and played it through fully without any hassle from UAC. Adding user mods directly to the program folder can generate some requests from UAC to elevate privileges... perhaps this is what you were referring to.
Here's a cool trick for anyone interested in editing a text file in a protected folder... right-click notepad and run it as admin, then open your document from within the notepad application, edit, and save.
"A new analysis claims that over 90% of the Windows security vulnerabilities reported last year were made worse by users logged in with administrative privileges"
Um.... duh?!? How much money was spent on that study? I've been running an XP box as a restricted user for 3 years, and haven't gotten a virus yet. Goes to show you, all those Linux and Mac guys aren't too dumb.
MS recommended people stop using admin accounts 5 years ago. And they changed their software to make accounts not admin by default several years ago.
The main problem is most people insist on running a version of Windows that is 7 years old (XP). Then they bitch that MS OSes seem frozen in time, feature-wise.
I'm not saying Vista is faultless, far from it. But if you use it, you'll see MS actually made a lot of changes in response to how much the world has changed since XP came out.
http://lkml.org/lkml/2005/8/20/95
Well duh. This is why Microsoft put the UAC into Vista.
So in other words, UAC protects the computer 90% more, yet the whiny babies of Slashdot still cry about it. Oh boo hoo, having a secure computer is SO inconvenient, wah!
Securing a Windows machine isn't hard at all... it just requires having a brain. Sadly, most Lunix/OSX advocates don't fall into that category. I wish it COULD be designed as idiot-proof, but if MS started shipping the required apps as part of the OS, all the MS-haters (like the EU) would drag them back into court.
It's a pretty warped logic which dictates MS haters get to design Microsoft's OS.
Wow... was a study really necessary to come to this conclusion?
If Windows allowed to have multiple users logged in at the same time, I would do as I do under Linux, I would login twice, once as user for routine task and once as administrator for the rest. The problem with Windows is that each account has only one set of rights and you cannot easily fall back to admin rights when you need to, and you cannot have two users logged at the same time.
There is a compromise between running as Administrator and limping along as a peon: use DropMyRights to run major internet-facing apps without full administrator access. (You patch the icons and Start Menu entries for the apps to run DropMyRights which then runs the .exe.) It's not a 100% solution, but it does help.
The main weakness of this approach is that Windows has dozens of ways to launch applications, and it's impossible to get DropMyRights to intercept all of them. There's a related tool, StripMyRights, which gives you two ways to make any .exe always run with limited rights, but I haven't tried it yet.
Four things you need with a Windows machine once you set it up.
1. Admin/Non Admin account. Set this up. Teach your user why and when to use said accounts. XP makes you log out/log back in to use these accounts. (Yes, you can elevate with the "runas" command, but this does not always work.) Vista lets you elevate your account with the right credentials without having to log out. The way Mac does and Linux does. Never turn off UAC. You are asking for it if you do. It's like running root and then surfing the web cause you TRUST every single website you go to...
2. Updates. Go get them all. If Office is on the machine, install the OS, install Office, then go get Microsoft Update, not Windows Update. Set to automatic. Unless this is a server, or a machine with a $4,000 piece of software, the updates that Microsoft puts out will very rarely (%.01) hose your machine.
3. Install some type of antivirus. Stay away from the "Complete" packages, with firewall/web protector/spyware checker. Just install the antivirus package of Norton, Symantec, Sophos, whatever floats your boat. Windows does have a firewall built in. This, in tandem with a router\firewall does the job.
4. Don't install software you didn't pay for/ or there is evidence that millions of other people using it with boards that will help fix your problem should you encounter one. Don't install file sharing software on your computer. I am all about the drm-free music and videos being shared and all, however, I am not about how your machine can be affected while having this type of software installed on your machine. You become a node/server with holes poked in your software firewall.
This is not designed to be a Pro Windows/Anti Mac/Anti Linux response. Simply an IT professional whose clients use Windows and whom I don't want to have coming back to me time and time again because they aren't educated. Explain to your users these four steps and why they need to take them.
-Aedon
Why do I have to reboot after installing a PDF reader? Remember that this is Windows we're talking about. Each computer is an island unto itself, to be conquered and subjugated by each software package installed.
Adobe applications often write to the boot sector. A co-worker of mine found this out when his full disk encryption stopped allowing the system to boot. That was with the full version of Adobe Acrobat, but it would not surprise me if they do this with their other applications.
Running as non-admin is easy, runas (which is only a right-click away) is very easy to use and works well 99% of the time. The annoying thing is remembering to right-click the msi/exe to use runas :) Do you need AV? IE is how BHOs like vundo get in to your PC, ActiveX is also a nightmare... I've been saying this for years! I have 5000+ users that we no longer install AV directly on their PCs, and we pass our PCI/DSS and SOX audits every year. There is no excuse for M$ to put users into Admin by default. Windows 7 however it does... the local admin account is disabled... but so what! It's idiotic, lock the administrator, but place a new user into admin group by default. -rich ClearSite
Are you fucking insane?
I'm not talking about the points you're making, whatever the hell they may be. It's just the way you write... that's making me wonder... if you are... genuinely psychotic? -fuck you
If you're an investor, owning shares in a company that has almost all of, but a shrinking share of a shrinking market isn't a happy place to be, especially if they have no room for growth and are trimming their failed attempts to find new markets. Add that their flagship product is running in the single digits, their Marketing efforts are not only the butt of much comedy but may cost more than the GDP of Haiti and you have the perfect storm.
It's more fun to be holding a company that's growing share, sales and profits too. A company that only holds 10% of its target markets. A company that can report record profits in a bloodbath holiday quarter in the middle of a dire recession? A company whose advertising is so enjoyable that it's viral. A company that's innovating and inventing new markets. That's more fun. That's a winner.
And that winner isn't MSFT. Their stock is where it was 10 years ago. Over the same period Apple is up 1000%. Unlike Microsoft they have 90% of the established market to get yet, and the prospect of undiscovered country.
/14 links? That's informative. Pretty sure you regret posting that now. Let's go again.
Help stamp out iliturcy.
My entire point was that Apple (and others!) can grow without really impacting Microsoft, not that Microsoft is a good investment. That Microsoft grew counters the notion that they are set up for failure, it doesn't do anything to establish that it is a better investment than some other arbitrary company, and I don't think I made that implication.
To put it another way, it isn't clear to me that there is a race, so picking winners and losers doesn't make any sense.
Nerd rage is the funniest rage.