The Windows Security Epidemic: Don't Run as an Administrator

In How to Clean Up a Windows Spyware Infestation, I documented how spyware can do a drive-by infection of your machine through your web browser. To be absolutely clear, I never clicked on any advertisements, or downloaded and executed any files. All I did was open a GameCopyWorld web page in an unpatched, original circa-2001 version of Internet Explorer 6.0.
This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2007/06/the-windows-security-epidemic-dont-run-as-an-administrator.html

A new personal computer is needed – one for parents and grandparents, etc. It surfs the web with little danger; it can do more than Wordpad but less than Word; spreadsheets would be good to have, and picture and sound utilities.

I tried to install Ubuntu on an old PC. It failed. Plus it still has too many versions and such with silly names. More simplification is needed I think before people will move towards Linux derivatives.

I cannot speak to Apple, but a Vista PC is wayyyy too much for most users. How about a streamlined OS that just works? One that doesn’t have too many “flavors”, or wondering if I need Kermit or Gnome or neither?

A very useful program when running as a limited user, is SudoWin.
(http://sourceforge.net/projects/sudowin)

As the name says, it behaves the same as Sudo on Linux.
Main benefit is that settings/data/… of a program running with SudoWin is stored in the user’s directory. When using the RunAs… command, you can have many problems in that area, which make life difficult, which leads to users running as Admin.

Administrator w/ UAC == User; Vista with UAC is the best decision at this time.

Roger, if you turn UAC off and log in as standard user, the file and registry virtualization is turned off too. You might want to leave UAC on so you get the benefit of this for legacy programs that write to restricted locations.

Well, minus the performance penalties of all that virtualization. Security, particularly fake Administrator security, isn’t free:

http://www.codinghorror.com/blog/archives/000803.html

The problem is that the “basic” (restricted) user account is painful for the user, especially when he’s not tech savvy and a 3h drive from you. I set up my mother’s new computer that way and she complains endlessly about it, as she cannot install anything she needs and I have to do it for her.

I’ve been running as non-Admin for well over a year now, with very few problems (I’m a C++/C# developer). This is on both my Windows 2003 box at work, and on my Windows XP (now Vista) box at home.

Being able to use Remote Desktop to log into the same PC with different credentials makes this relatively painless on 2003, if I really need admin credentials. At home, I use Fast User Switching. My administrator account is deliberately set to use colours that burn the eyes, so I’m not tempted to spend too long there :-)

I’ve since replaced XP with Vista at home. I turned UAC off and log in with a non-Admin account.

Most things work fine like this. If something needs admin privileges to run, it gets uninstalled, unless I really need it. So far, the only two problem programs I’ve cared enough about are Exact Audio Copy and Steam. I tweaked the permissions slightly in their respective program directories to get them to work.

This is all just a sign that the terrorists are winning.

As for the problem of having non tech savvy parents a considerable drive away, I use VNC and a free domain from a dynamic DNS service. That allows me to remotely help my relatives with computer problems, even though they are a day’s drive away.

Have to say, I have been running as a normal user for well over a year, and only need to run as admin when doing installs. I started to do this after reading Aaron Margosis’ blog (and applying a lot of the suggested hints and tips as well).
Occasionally I have to “tweak” directory permissions after an install, but that is the fault of the software manufacturers.

Also, using VMWare machines has made this much simpler, as I find I don’t get as much cruft building up in my host OS (Windows XP).

I run as a limited user at home, but only because I rate my online safety far above my convenience. It’s obvious that no one at Microsoft ever tests their software outside of an admin account. Random crashes occur everywhere, sometimes with a cryptic error message, sometimes without. Other vendors are even worse.

My pet hate: the “Run As…” menu option does not appear on the right-click menu of all objects consistently. It’s stupid that the only way I can run certain things is to bring up an admin copy of Explorer and manually navigate the entire file system to run the link I wanted.

Thanks for the eye opener… It never dawned on me NOT to run as admin on Windows. In the Linux world, I hardly, if ever, ran as root. It’s pretty much the same thing. If you want to trash your PC, why not log in as SYSTEM? Get the job done quicker, I say!

Now to run home, boot up, log in as Administrator, and create me a new login. Then comes copying settings over. But that’s not too big of an issue.

Thanks again, Jeff!

And Chris VB, gonna try that SuDoWin, even if I don’t really have to!

If you leave UAC turned on, programs that state ‘requireAdministrator’ in their manifests will pop up a credentials dialog in place of the ‘Confirm’ used for an administrative account. You have to supply an administrative account’s credentials here - using your standard account password won’t work. Those programs that state that they need ‘highestAvailable’ won’t produce a credentials dialog - they will run under the limited token.

Jeff: the default for new users is indeed Standard User. The first user created on the machine by Setup is an administrator by default, true, but you need at least one administrator account in order to start setting the system up.
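To make the manifest discussion above concrete, here is an added PowerShell example (not code from the thread or from any of the commenters). It pulls the `requestedExecutionLevel` out of an executable’s embedded manifest, which is where `requireAdministrator`, `highestAvailable` or `asInvoker` is declared, and reports whether the current session actually holds an elevated token, which is what decides whether a standard user will see a credentials prompt or simply run under the limited token. The byte-level regex approach and the two file paths in the usage section are assumptions for illustration; the manifest is plain XML in the PE resource section, so a text search is enough for a quick check.

```powershell
# Added example (not from the original thread): inspect an executable's embedded
# manifest for its requestedExecutionLevel, and report whether the current
# PowerShell session holds an elevated (full administrator) token.

function Get-RequestedExecutionLevel {
    param([Parameter(Mandatory)][string]$Path)

    # The RT_MANIFEST resource is stored as plain XML inside the PE file, so a
    # regex over the raw bytes is enough to pull out the level attribute.
    # Possible values: asInvoker, highestAvailable, requireAdministrator.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    $m = [regex]::Match($text, 'requestedExecutionLevel\s+level\s*=\s*["''](?<level>[^"'']+)["'']')
    if ($m.Success) { return $m.Groups['level'].Value }

    # No manifest entry means the loader treats the program as asInvoker:
    # it runs with whatever token launched it, and UAC never prompts.
    return 'asInvoker (no manifest entry found)'
}

function Test-IsElevated {
    # IsInRole(Administrator) is true only for a full administrator token.
    # A standard user, or an administrator running under the UAC-filtered
    # token, gets $false here, which is why requireAdministrator programs
    # trigger a prompt for them.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Usage (constructed): the paths below are just illustrative system binaries.
foreach ($exe in @("$env:SystemRoot\System32\regedit.exe",
                   "$env:SystemRoot\System32\notepad.exe")) {
    if (Test-Path $exe) {
        "{0}: {1}" -f $exe, (Get-RequestedExecutionLevel -Path $exe)
    }
}
"Current token elevated: {0}" -f (Test-IsElevated)
```

Run it from a standard user account and then from an elevated prompt to see the difference the comment describes: the manifest value never changes, but `Test-IsElevated` flips, and that is the condition UAC uses to decide between running under the limited token and asking for an administrator’s credentials.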

Mike is right that you do need one administrator account and that in Vista accounts created after that are by default normal users. Perhaps Microsoft could have made one minor change to drive the point home better: Force (or strongly suggest) the administrator account be named “Administrator” and THEN prompt the user to create their everyday account under their own name.

On the other hand, I personally don’t mind the UAC thing at all. I actually think it’s a nice compromise between backward compatibility and safety. You’d hope people would have at least a little common sense and would be able to disallow obviously bogus attempts to gain admin access. OK, stop laughing. But for power users, it’s a convenient way to run. Maybe Microsoft should have made UAC a one-year stopgap solution that will be turned off in the first service pack so everyone could get their house in order before then.

One more comment: What’s with this idiot PhD in computer science in the NYT that THREW HIS COMPUTER AWAY rather than clearing off the spyware? That’s about the stupidest thing I’ve heard. If he didn’t want to clean it, he could have wiped it clean. If he didn’t want to bother reinstalling, after wiping it he could have at least donated it to a charity or something. And doesn’t he have any self-respect anyway? Seems like a classic case of the academic type who can’t deal with the simplest real-world situation…

What I find terrifying about this, is that you just don’t know things are bad until they really are bad.

I use a mac and kinda keep my head in the sand as to what is out there waiting to pounce, because everyone (every mac user I know) assumes that this can’t happen to them because they have a mac.

Don’t run with scissors. LOL

I would have loved to have run as a limited user in my XP days. But, the most used program on my system (besides my browser) is Quicken and it won’t run properly under a limited account. I imagine an awful lot of personal machines are similarly stuck. Since no one thought of security back when XP came out, I don’t blame Microsoft. I blame the application writers. People like me have been complaining to them for years to stop requiring Administrator privileges to run their applications. With the introduction of Vista, Microsoft took the first true opportunity they had to force the issue. To me, UAC is a decent compromise. However, I do agree with Bob, above: Microsoft should have forced some kind of Administrator name on the first account created and then forced the user to create a standard User account of their own. That way, UAC would lock the system down tighter.

Office 97 did not run on NT4 for users without Admin access. It wanted write access to the registry, System32, etc, especially for the first few runs.

“I’m trying to imagine what my mother or father would do if this happened to them. They’d probably have to buy a new computer.”

You mean to say that you did not persuade your parents to buy an Apple Mac ?

I am surprised your unpatched PC didn’t get totally hosed even with the Limited account, because of privilege escalation vulnerabilities. In other words it is possible to get admin account access and bypass any limitations.

I have a question. It is weird, but it must be asked. We know the companies that produce spyware. At least some of them we do. We know them, and we could track them down if we really put some effort into it, so why has no one done it yet? Why has no one sued them, had them closed and their owners arrested? They certainly broke enough laws to give us justification for doing so. Is it THAT hard to track them down and shut them down?