Users' Admin Logins Make Most Windows Malware Worse
nandemoari writes "A new analysis claims that over 90% of the Windows security vulnerabilities reported last year were made worse by users logged in with administrative privileges — an issue Microsoft has been hotly debating recently. According to BeyondTrust Corp., the result of the analysis of the 154 critical Microsoft vulnerabilities indicated that a full 92% could have been prevented if users were not logged into their systems with administrator status. BTC believes that restricting the number of users who can log in with these privileges will 'close the window of opportunity' for attackers. This is particularly true for users of Internet Explorer and Microsoft Office."
Realistically, running in a non-admin account is a pain in the ass. ...in Windows.
It's absurdly easy to do in Mac OS X - you don't even have to think about it. If you need to run as an admin, the OS figures it out and prompts you.
Actually it's so easy that it drives me nuts Apple hasn't taken the next step - something XP actually does - and have you first set up an admin account, then set up a "normal" account for day to day activities. If any single thing contributes to the first widespread Mac virus/worm/whatever, I bet it'll be the number of unnecessary admin accounts being used.
And before someone brings it up - it's not that difficult to work around the "it'll prompt you for your password" protection that supposedly will warn you if something tries to take advantage of your admin status. You just need to know a bit about the command line, since the Applications directory is writable to anyone in the admin group.
#DeleteChrome
Random dlls, configs, assets and exes in WINDOWS dir.
Do a fresh installation of Windows, don't install anything on it, take a look at the Windows directory. I recommend you sort by file type. You'll notice it's actually quite organised; the "system32" directory for instance, notorious for being a huge mess, is something like 90% just "exe" and "dll" files, and very little else. It's all surprisingly organised. As soon as you start installing programs however, many will just decide to dump stuff in the Windows directory (and subdirs) for literally no good reason. The crap Creative drivers decide to drop is unbelievable, I found out first hand. There is VERY little that _needs_ to be in the Windows directory, application devs need to realise this.
dlls, data, configs and exes in Program Files.
Yes, good thing Unix systems only install programs in users home directories, and not in system-wide accessible directories.
Some data and configs in Documents and Settings.
You might notice each user has a sub directory in "Documents and Settings" (now "Users" in Vista and later), which contains all their personal documents and user-specific configuration files for the OS and applications. Definitely very single user.
Registry.
I'm guessing the distinction between HKLM (Local Machine) and HKCU (Current User) is lost on you? Current User, by the way, is a registry hive specific to the logged on user that is unique to their user profile.
Once again, this all stems from the OS supporting a feature, and the feature not being utilised. Windows NT didn't become a multi-user OS with Windows 2000, or NT 4.0, it was a multi-user OS from the very beginning, the first release being NT 3.1. In fact, that's in part why NT was developed, Microsoft realised that 9x was completely stuffed from a security perspective, and had no hope of ever becoming a serious multi-user OS, so, they started NT (along with various other objectives).
The mass migration of 9x applications designed for a single-user environment to the multi-user NT of course resulted in many of these programs having very poor support for multi-user configurations, and they were never really updated to support it. Then, there's just simple developer laziness, not caring to develop their application with a multi-user design in mind. Or there's ignorance, resulting in poor implementation (this is one of the key reasons why so many programs "require" administrator privileges. Not because they need them, but they use APIs that are administrator-only to achieve their goals, when there are other APIs that can do what they want that have no administrator requirement.)
My point is, it's not Windows that's broken, it's several applications that run on it. It's important to lay the blame correctly, and when the OS has been a multi-user system since its original release in 1993, it's fairly clear to me that Microsoft hasn't been slow to adopt such a design principle.
So, right click on your shortcut, click "Properties", click on the "Advanced" button, pick "Run with different credentials".
Now when you double click on your shortcut, you can change your credentials (to the Administrator).
-M
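The same thing from a PowerShell console, as an added example that is not part of the original thread: check whether the current session already holds administrator rights (the situation the article is warning about), and if not, launch a single tool either under a different account (what the shortcut's "Run with different credentials" box does) or through a UAC elevation prompt for the current account. The account name `Administrator`, the function names and the `mmc.exe` target are assumptions for illustration.

```powershell
# Added example, not code from the original thread.
# Check whether this session is running with administrator rights.
function Test-IsAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Console equivalent of the shortcut's "Run with different credentials" option.
# 'Administrator' is an assumed account name; substitute the one you use.
function Start-AsOtherUser {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [string] $UserName = 'Administrator'
    )
    $cred = Get-Credential -UserName $UserName -Message "Credentials to run $FilePath"
    Start-Process -FilePath $FilePath -Credential $cred
}

# Ask UAC to elevate the *current* account instead (Vista and later).
function Start-Elevated {
    param([Parameter(Mandatory)] [string] $FilePath)
    Start-Process -FilePath $FilePath -Verb RunAs
}

if (Test-IsAdmin) {
    Write-Warning 'This session already has administrator rights; everything it launches inherits them.'
} else {
    Write-Host 'Running as a standard user. Elevate only the tool that needs it, for example:'
    Write-Host '  Start-AsOtherUser -FilePath mmc.exe'
    Write-Host '  Start-Elevated    -FilePath mmc.exe'
}

# Built-in command-line equivalent of the shortcut option:
#   runas /user:Administrator "mmc.exe"
```

Note that `-Credential` and `-Verb RunAs` cannot be combined in one `Start-Process` call: the first starts a process as another user, the second elevates the current user. Either way only the one launched tool gets the extra rights, which is the point of the shortcut trick over logging in as an administrator for the whole session.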
Actually it's so easy that it drives me nuts Apple hasn't taken the next step - something XP actually does - and have you first set up an admin account, then set up a "normal" account for day to day activities.
That'd be a step backwards. In Unix-based OSes, there's unprivileged users and root (superuser); root can do pretty much anything, ordinary users can't. The whole point of sudo (the password dialog thingy) is that the superuser access is given only when needed, and you can have perfectly ordinary user accounts that are allowed to do some administrative tasks. You can configure sudo to only allow certain programs to be run as root; this is far better than having the lazy users flip between normal accounts and administrator accounts and stay logged in as administrators because "that's where you don't need to fill in those annoying password prompts, duh".
The biggest clincher is that if you run a program as root, it will just work; run it through sudo with root privileges, it won't give you a password prompt, it will just run the program. The model is "if the user is logged in as root, we assume they know what they're doing, even when they want to do something that could damage the system; if an ordinary user runs something that could be damaging the system, we disallow it and only let it through the sudo prompt."
Our user population is split about 50/50 between desktops and laptops. Most laptop users have blagged admin rights at some point because they need to add printers, sometimes change LAN settings, install applications to hide their porn surfing, that sort of thing. Our desktop users are in a fully managed environment, and do not have admin rights.
We need to spend virtually zero time with malware problems on desktop machines. Any infections are generally minor and easy to fix. Laptops.. well, they are a complete nightmare of rootkits and stuff buried so deeply that we have to nuke the machine from orbit to clean it up.
The REALLY fun part is logging onto an infected machine with DOMAIN ADMIN rights... if it's a sophisticated bit of malware.. well.. Armageddon basically..
Never email donotemail@WeAreSpammers.com
Alright, I've read enough of your comments. The reason you won't get many (if ANY) downloads off of your cheap plugins is because as stated above it is "closed source" (really... plugging in closed source software on Slashdot?) and you're an untrusted source. Put the source code up or shut up... why do you want us to download 'YOUR' software so bad in the first place? Exactly... untrusted source with an untrusted answer. I have a hint: STOP ADVERTISING YOURSELF.
"The best way to accelerate a Macintosh is at 9.8m/sec^2" -Marcus Dolengo
Because file type associations don't have a user-level setting. They're system-wide.
Along with a whole load of similar crap.
"City hall" in German is "Rathaus" Kinda explains a few things......