The Windows Security Epidemic: Don't Run as an Administrator

Regarding a Vista “Administrator” account, try creating a new account named “Administrator” in Vista. Surprise… it’s already there, because Vista does create a hidden “Administrator” account.

At least, that’s what Home Premium does.

:)

Any solution that requires users to be educated so they change behavior is seriously doomed.

Software needs to be designed with security in mind from the beginning and Windows clearly wasn’t. I suspect that the backwards compatibility issue is the millstone around Microsoft’s neck. They just can’t afford to upset anyone by breaking aging software, breaking badly written Active X intranet applications, or by breaking any of the crapware that comes pre-installed from PC makers.

I would have thought Microsoft needs to do two things:

1. Make sure everything they write that’s intended for an ordinary (non-system-admin) user works under a limited user account. Nothing the user does short of software installation should need an admin account. There needs to be a way for the user to run a program as admin, with an admin account username and password; there should be no way for a program to do this behind the scenes, short of popping a request box up (for admin accounts just ask for the password; OS X has this almost right, but it forgets to tell you what’s requiring the info, and what it’s doing).

2. Make the normal everyday programs refuse to run under an admin account. Thus if you want to use Office you will be using a standard account, and thus finally software may be tested to run this way.

Personally I’d restrict the ability to use the Windows logo or trademarks anywhere on a program or its packaging unless it can run as a standard user, and have a different logo for things that can only be run as an admin.

Oh, and as an add-on I’d disable various bits of the admin account, e.g. follow the KDE route of having fixed wallpaper, and turning some of the eye candy off…

With a bit of thought this should not be hard.

And to cope with legacy programs, a ‘sandbox’ inside a limited user account, in effect a virtual machine, making it obvious which programs don’t work, probably with a dialog saying the program requires an admin account, prompting for a username and password, or offering the choice to run in the sandbox in one go.

The only other way I can see is to make standard users always run in virtual machines; thus spyware etc. can trash the user’s account, but no more. A boot menu allowing ‘root’ access.

I use OS X; it’s better than Windows at this, but not perfect, nor is Linux. All current operating systems seem to have been built with the assumption that the nasty spyware people etc. are not really there, hence the ability to write a BHO for Internet Explorer that can do undesirable things in the background.

It is possible to get the galloping crud (worms, viruses, spyware, rootkits, etc…) on your system without having admin privs. (It is harder, but it is possible even with the current patches and all the protection software.) It is getting to the point where we are going to have to create a Chernobyl OS image (a protected VMWare image of the OS that is “encased in concrete”) and restore it to a working image that can be used to “go online”.

Great Post!

I’m a little confused by some of the comments though.

On Windows Vista, does Administrator w/ UAC == User w/ UAC? What are the differences from a risk perspective? Won’t UAC trump the current permissions be they Admin or not?

Administrator w/ UAC == User

Vista with UAC is the best decision at this time. Anyway, there is much margin for improvement, like securing the Win32 API and partially trusted unmanaged code.

I bought my parents an Apple Mac (Mini). The persuasion consisted of “I will buy /this/ for you, okay?”

It’s up to the kids to take care of the parents.

I’ve made a few initial attempts at running as a standard user and always come up against a brick wall in that, as part of my stability measures, I have Documents and Settings junctioned to a folder on another drive. It works fine when running as an Administrator, but when I try to run as a standard user the junction seems not to work. I guess I could try and set up the user profile to map to a drive, but it’s such a pain.

I see a lot of people around the internet moaning that Vista should require a password to elevate. The truth is that you can do this by setting yourself up as a standard user with UAC (or something like that). The argument is more about defaults.

I am completely aligned with this post. I’m not so sure I would be as kind to Microsoft as you are. It’s not just the admin default install account (although that is really poisonous), it is the fan-out from that which taints many applications, including ones from other Microsoft business units. I have some ranting about that on my kyte.tv channel as the “Clueless #1” episode: http://kyte.tv/orcmids_flying_kyte.
It is an 18 minute video and I am embarrassed about how self-indulgently I wander all over the place, repeat myself, and so on, but I think you can get the point if you skip ahead to where I hold up the box of my Microsoft LifeCam and discuss my experience with it.

I’m curious as to why SiteAdvisor doesn’t flag GameCopyWorld.com as a dangerous site…

I agree with the limited user account by default.

Last year I bought a new laptop, and reformatted the drive on my old one and installed Windows XP, and gave the laptop to a friend of mine (a single mother who didn’t have a PC at home). I just did the default XP installation.

A few months later, she mentioned that the computer was taking a long time to start up and seemed to be running slower than usual. She also mentioned a couple of “messages” that kept showing up.

I had her bring the machine in to my office so I could check it out. Wow! It was so loaded with spyware and adware that, after three hours of working on it, I decided to copy off the limited data that she’d accumulated and reformat the drive again.

I then created the default admin account with my name and password, and created a limited-privilege account for her, and installed Avast. It’s been about a year now, and with two exceptions (a problem with wireless networking and a software installation that required admin for install only) the admin account has never been needed. I just took care of the wireless problem a couple weeks ago, and took a look at the machine while I had it; it was clean as a whistle.

I’m behind several layers of firewall protection here (working for a state government as a programmer) and run with an admin account (policy here for developers), but I test all applications I develop using a limited-privilege account before it goes to our testers.

I’m always an admin, using Firefox for the web. I have Ad-Aware, Spybot, CWShredder and AVG (which, btw, scans by itself by default every day, nice, but slow, so I do it manually).

I’ve never gotten an infection I couldn’t clean up, I rarely get one, and I must say, for me constantly using the SVN builds of various programs I would be a little tortured to use a limited account.

On Linux of course, I know I can mess up the machine easily with root. On Windows, it doesn’t let you. I would once in a while LIKE to be able to fool around with the innards of Windows. Alas, I cannot, even with the highest privileges it gives you…

I wish people responsible for intruding on our PCs would be made responsible for their actions.
I have not heard of any case where that happened.

In real life, you cannot just use other people’s things without authorization, on the net you can.

It shows one thing to me: many people are mentally sick in our society, and that is tolerated because we cannot handle them.
Why? Because they outnumber us by far.

One word on anti-spyware:
An example of incompetence and persistent, evil nagging even after uninstallation is McAfee.

Talking with many others has frequently pointed to SpySweeper as the best protection you can get.

Thanks for reading this.

Fantastic blog you have here. :) I’ve read a few posts and I really enjoy it.

Keep up the good work,
Peter

Nowadays there are many security risks that may cause data loss. When I run my computer with Administrator rights there is a lot of internet-related stuff that needs to be patched to close various security holes. But even if I download all patches over the Internet and install them, there will be one program I forget to patch, or I’ll have no information about security risks related to this program. And this program will be my security hole. There are many cases where I can lose my data if I have only one security hole, and using or not using Administrator rights is not the matter. 10 years ago there were other risks of losing data by using computers and computer software; the army of spyware, trojans and rootkits was not so big. But I lost my data, accidentally or not, once every 1-2 years, and that was very important data for me. The only thing that helped me guard myself from data loss was the company that I owned (http://www.munsoft.com/). When I worked several years with data recovery I found out many things that I must do to feel guarded from several spywares, trojans and so on. Now when I accidentally or not lose my data I know exactly what I need to do to get my data back. And no antivirus software, backup software or anti-spyware can help me guard or get my data back. I believe that everyone first needs to be confident that he knows the steps he needs to perform to recover lost data, and then spend his time installing various types of software to close security holes.

Well… all complaints about software ‘not running on user/limited account’ sort of prove the point - Windows has not been designed with security in mind. Had it been - this crappy software that needs admin rights would never run and no one would buy it - so it would have been re-designed to run on unprivileged account.

I want to tell something about Webroot software…
I submitted an *.exe file to VirusTotal and the results are here: http://www.virustotal.com/analisis/eaa2611583f6b1a50424ebda80525644. This software contains malware/virus. You’d better spend an additional $20 and buy History Killer Pro ( http://www.historykillerpro.com ). It is more professional, user-friendly, and contains no malware. I’ve even found the educational 40% off coupon for HKP: EMER-G91X-RMEN.

“If you leave UAC turned on, programs that state ‘requireAdministrator’ in their manifests will pop up a credentials dialog in place of the ‘Confirm’ used for an administrative account. You have to supply an administrative account’s credentials here - using your standard account password won’t work.”

Sooo… What on earth am I supposed to do with a computer that had the admin account set up for me? I don’t know what these “credentials” are or where to find them, unless it’s just that account’s username and password. I don’t know what programs (besides Steam, which someone mentioned, and I like Audiosurf and Portal too much to uninstall Steam) require admin privileges, but I’d bet they’re ones I still want to use.

At any rate, I never thought about that and yet I’ve managed to avoid infections. Computer runs great for two years old, Avast+Malwarebytes find nothing when I scan, and judging by the amount of normal things my firewall requests confirmation for I doubt it’d let something malicious through. XP

“Hold Shift and right-click the exe. Should show “Run as…” as the second menu item.”

But not on .msi files which is a real annoyance!

It needs to be a community effort. While MS can do better, and really they have been, there is a lot the third-party software community needs to do as well. A lot of desktop apps will not run properly unless the user is part of the Administrators group, because they assumed certain rights to local folders and registry keys.
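As an added example (not from the thread or any commenter), a PowerShell script a developer can run once from a standard user account and once from an elevated prompt to see which of the locations applications commonly assume they can write to are actually admin-only. The probe key and file names are constructed; the paths are the usual per-machine and per-user locations.

```powershell
# Added example: probe write access to the folders and registry keys that
# desktop apps often assume they may write to. Run as a standard user, then
# elevated, and compare the two reports.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Running as: $($identity.Name)   elevated: $isAdmin"

function Test-WriteAccess {
    # Returns $true if a file (or registry key) can be created and removed at $Path.
    param([string]$Path, [switch]$Registry)
    try {
        if ($Registry) {
            New-Item -Path $Path -ErrorAction Stop | Out-Null
            Remove-Item -Path $Path -ErrorAction SilentlyContinue
        } else {
            $file = Join-Path $Path ('probe-' + [guid]::NewGuid().ToString('N') + '.tmp')
            [IO.File]::WriteAllText($file, 'probe')   # throws UnauthorizedAccessException if denied
            Remove-Item -Path $file -ErrorAction SilentlyContinue
        }
        return $true
    } catch {
        return $false
    }
}

$probeKey = 'WriteProbe-' + [guid]::NewGuid().ToString('N')   # constructed, removed after the test
$targets = @(
    @{ Kind = 'folder';   Path = $env:ProgramFiles;          Note = 'per-machine: admin-only' },
    @{ Kind = 'folder';   Path = "$env:SystemRoot\System32"; Note = 'per-machine: admin-only' },
    @{ Kind = 'folder';   Path = $env:LOCALAPPDATA;          Note = 'per-user: right place for app data' },
    @{ Kind = 'registry'; Path = "HKLM:\SOFTWARE\$probeKey"; Note = 'per-machine: admin-only' },
    @{ Kind = 'registry'; Path = "HKCU:\SOFTWARE\$probeKey"; Note = 'per-user: right place for settings' }
)

foreach ($t in $targets) {
    $ok = Test-WriteAccess -Path $t.Path -Registry:($t.Kind -eq 'registry')
    '{0,-8} {1,-40} writable={2,-5} ({3})' -f $t.Kind, $t.Path, $ok, $t.Note
}
```

From a standard account the two per-machine folders and the HKLM key report `writable=False`; an app that writes there only works because its users are administrators.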

The poor admin is stuck: implement restricted users and have lots of stuff broken, or make everyone an admin and move along in a semi-productive way.