Slashdot Mirror
Users' Admin Logins Make Most Windows Malware Worse
nandemoari writes "A new analysis claims that over 90% of the Windows security vulnerabilities reported last year were made worse by users logged in with administrative privileges — an issue Microsoft has been hotly debating recently. According to BeyondTrust Corp., the result of the analysis of the 154 critical Microsoft vulnerabilities indicated that a full 92% could have been prevented if users were not logged into their systems with administrator status. BTC believes that restricting the number of users who can log in with these privileges will 'close the window of opportunity' for attackers. This is particularly true for users of Internet Explorer and Microsoft Office."
What they need to do is limit all users to not be administrators. They should create the admin account so that it can ONLY do admin tasks. It cannot run programs like office or games. It can only run security and diagnostic apps, adding-remove apps. If they restricted admin users from using their account for daily use and only for admin use, that would significantly reduce the attack surface for crackers.
I am sure this is not news to anyone whether you love or hate Microsoft. The fact is the coding practices commonly followed under DOS and then under Windows have been rather poor. The reasons for it are many, but largely because of a thirst for performance. But in order to keep people hooked on Windows, they have to keep supporting the mistakes of others as well as their own. This is what they call "backward compatibility."
But there is a way out of it and for some reason they seem unwilling to do it. Write a new OS, virtualize old Windows for "legacy support" and eventually all the software vendors will port their code to work with the new Microsoft OS natively just as they did with Mac OS X. I can't imagine why Microsoft is unwilling to do that... got any suggestions anyone?
The question is why it hasn't been meaningfully addressed in Windows for such a long time.
Because it would break compatibility. Actually, and I hate to say it, it ain't MS's fault. Or at least not only theirs.
A simple example: In the good (bad) old days of 95 and 98 and the lack of sensible rights management, it didn't matter whether you use the HKLM or the HKCU registry branch. Both were equally unprotected, and since your software worked with every user (and you needn't care about such trivialities as watching out for a lack of reg keys), software vendors simply dumped their registry junk into the HKLM tree.
The same applies to access to sensible system areas, like drivers (copy protection crapware) or code injection. Programmers simply assumed it is possible because hey, the system didn't really care about it!
In comes Win2k and suddenly, when you are not logged in as admin, your games don't work. Now why the hell does a friggin' game need admin rights, you ask? Because it wants to load a copycripple driver, because it wants to write in the HKLM (or similar sensible) hives or because of other things that didn't matter earlier due to a lack of rights management and due to being the easy way out of a programming problem.
MS is to blame to allow this for far too long. Users are to blame to put up with it and accept that they're "forced" to use admin privs to run programs. And most of all, programmers are to blame that took the easy way out and ignore rights. No, they needn't be able to forsee it (even though they should have). But since the practice still prevails (run a copy protected game without admin rights, see if you succeed), the blame is squarely on third party software. Not MS this time.
I hate to say it, and I know it's unpopular on /. to "defend" them. But it's not MS that has dropped this ball.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Uhm... Microsoft has had Windows setup to not require administrative privileges for many, many, many years. I blame software developers who abused the fact that people did.
You are right and some companies do actually force this on all their corporate desktops. In the majority of cases this is not done and most people especially home computer owners don't do this. As for blaming developers well you could lay some of the blame at them but that is really unfair since it was Microsoft who made it so easy for people to give themselves administer privileges.
Looking at Linux/Unix security. Basically from inception a normal user only had limited privileges and to do anything as a system admin required knowing the root password or being a member of a sudo (1980's) group that had particular privileges. This was instilled in Unix and now Linux users from the time they started using the system. This is not to say that some users are stupid enough to work as root, however those that do this, especially in the corporate world are usually brought to task very quickly. The same has never been true with Microsoft OS's.
When a vendor writes software for Unix/Linux they should know and if not are usually told in no uncertain terms that requiring root access for their particular product requires a "please explain" because most applications don't require root privilege although there are exceptions. Even installation especially if the software is being tested is normally set up in what is called a "sand-box". Again Microsoft fails on enforcing this (Vista was an attempt).
There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
It would be a hell of alot easier of software developers didn't require administrative privileges when they really don't need them. I tried to run in a "user" usergroup when I replaces win2k pro with win xp pro but nothing ran correctly. I tried using the "run as" menu and a program called sudo-win which would elevate my privs temporarily then reduce them again. Nothing would install correctly, nothing would run correctly. Even programs that don't use any administrator functions or zones wouldn't work correctly. Realistically, running in a non-admin account is a pain in the ass.
For all the flak that it (mostly rightly) gets, Vista did change that for good. Since its release, the percentage of apps that require admin privileges to run dropped very significantly - so much so that the only one I still have installed on my desktop is Acronis True Image, and that one actually needs it, as it does disk-level backup (though it should really rather pop up the UAC prompt when it actually starts backing up, and not on startup).
"Polite", a virus for Microsoft Word, already did this back in the mid 90's! When you try to save a file the virus macro asks "Shall I infect the file?", and kindly refrains from doing so if you click say no.
But Valve will go after you for trying.
My question:
Customer 06/11/2006 04:15 AM
I am not willing to play (and let other people play) HL2 using the Admin account on my computer because of the obvious security implications (I don't want my computer infested with malware).
Is there any way to run it without admin privileges? I installed it using admin privileges and went back to my unprivileged account but turns out it needs to write data to the install folder (bad programmer - no donut for you).
Which are the files STEAM tries to write to in the install folder?
If it turns out to be too complicated I'll just download the no-steam version with BitTorrent ;-).
Their response:
Response (Josh) 06/13/2006 01:34 PM
Thiago, It cannot be run without admin privileges. I know you were probably joking, but I would also encourage you to avoid any product that claims to get around Steam. We take cheating and hacking very seriously.
It's a combination of ignorant users and ignorant IT people. I've never seen a single IT person use "runas" (impersonation), ACLs on the Windows file system or registry or and this is the damning one, a command line utility that allows you to selectively strip administrative rights on applications as you use them thatâ(TM)s been on Microsoftâ(TM)s site for years (after I pointed it out to them).
There was a reason once upon a time Microsoft chose to release Windows XP in such a way as to have users running with administrative rights. A reason that is extremely weak now - many people were upgrading to Windows XP from Windows 9x/ME and Microsoft didn't want to incur the support cost (or their partners) of having lots of applications stop working. Among them is the popular WinAmp. It used ancient APIs for its configuration file, WINAMP.INI, that stored global preferential data (as opposed to per user) in C:\WINDOWS\WINAMP.INI. If you didn't have administrative rights, it would just hang when you fired it up. Google Desktop when first released would *NOT* work on a non-administrative desktop. The list of offending applications goes on and on, e.g., a friend of mine had oceanic navigation software that insisted running with admin rights.
However, it turns out there is a programmatic mechanism in place in every copy of Windows XP (and Windows 2000) that allows you to strip administrative rights when you launch a process. Microsoft never exposed users to this ability for reasons that to this day are unclear to me. The magic API in question is CreateRestrictedToken.
But what really was an eye opener to me is when I would point out a tool on Microsoft's site to strip out administrative rights when you run a program. Namely, years ago you could have made the situation tenable in the case of apps like WinAmp and Google Desktop by yes, logging onto your desktop as an administrator but launching most Internet facing application without administrative rights but hereâ(TM)s the clincher *AND NOT CHANGING USERS* . In fact, I've been doing this for years.
Nonetheless I observed an incredible amount of laziness on IT professionals when I pointed out these capabilities. Laziness, apathy and the usual suspect of insecurity ("Don't tell me what to do, I know what I'm doing"). Yes, that's right, you manage a CISCO PIX firewall, you must be a security guru all around and follow best practices.
So given my former life as a Windows software developer I took it upon myself to create a turn key installer that at least protects Jane & Joe Average called *RemoveAdmin*:
http://www.download.com/RemoveAdmin/3000-2381_4-10824971.html?tag=lst-1&cdlPid=10835515
RemoveAdmin is a utility to strip administrative rights off apps as they're launched under Windows XP and Windows 2000 where unfortunately 99.9% of home users run with administrative rights.
The default RemoveAdmin installer creates shortcuts for IE and Firefox but if you analyze the shortcut, you see IE and Firefox are passed as an argument to the removeAdmin.exe program.
You can trivially setup another shortcut for Opera and/or any other Internet facing application... as you should since you can't trust foreign computer systems you connect to.
Itâ(TM)s version 0.1 since I havenâ(TM)t created a FAQ and thereâ(TM)s the situation that if you have multiple administrative SIDs it wonâ(TM)t work (not the case for most people). I need to fix that, create a FAQ and also offer to adjust the ACLs on the Startup folder to tighten security such that when combined with RemoveAdmin, breaching your system on account of your browsing becomes because crazy hard.
>>which is hard to figure out because Windows won't tell you because you don't need to know.
Yep. In Linux you get the rather common sense "permission denied" message when you try installing something and it tries to write to a directory you don't have rights to. In Windows, it fails silently most of the time. Drove me up the wall when a program I'd installed was working on a computer I set up for my mother, when it turns out even though she could see the program with her "mom" account, something or other needed admin privs, and it was dying silently.
A Mac fan extolling the merits of the command line.
It's going to take some time to get used to. Forgive me.
Why? Quite a few current OS X users switched to OS X from various other *NIX'es and Linux. It really isn't so surprising that many OS X users are command line freaks.
Only to idiots, are orders laws.
-- Henning von Tresckow
Obviously, you've never run a business
Vendor Locking is Great! for the bottom line.
Ask yourself, how can I configure something that only allows my products ?
Also, How can I support my stuff from way back ?
And you'll end up where Microsoft is today.