Not running as admin…


The security principle of “least privilege” is well understood: software should run with the smallest set of privileges needed to perform its tasks. Low-privileged processes can do a lot less damage when they are compromised (or just buggy) than processes running at high privilege levels. Windows has made great strides toward running services with lower privilege than in the past. However, Windows users who are allowed to administer their own machines (including most Microsoft employees) usually run with Administrator privileges all the time. That is, the account they normally log on with is a member of the local Administrators group (or worse, Domain Admins). Everything they do, including reading email, browsing the internet, instant messaging, writing documents and writing software, is performed with full (and unnecessary) administrative control over the entire computer. Email, web browsing and instant messaging do not require administrative privileges, yet they are the most common avenues by which malicious code reaches end users’ systems: when the user is an administrator, a compromise of any of them is a compromise of the whole machine. To be more secure, users should log on with a Limited (or “least-privileged”) User account (LUA) and use elevated privileges only for the specific tasks that require them. Linux/Unix users have understood this for a long time, so this remains an area where Microsoft is perceived to lag in thought leadership. Unfortunately, Windows does not yet make running as non-admin as straightforward as it needs to be. Hopefully Longhorn will address these shortcomings. In the meantime, though, there are some neat workarounds that greatly mitigate the inconveniences.

In subsequent posts, my plan is first to try to convince you that running as non-admin is the right thing to do, so that you want to run as a normal User instead of as admin. Next, I’ll offer up a collection of valuable tips, tricks and tools to make living as a Limited User as easy as possible.

In the meantime, let me know what your pain points are. Have you tried running as User? What were the biggest problems?

Comments (43)

  1. BillT says:

    >"running as non-admin is the right thing to do"

    I have known this to be true for a long time, yet …

    "get you to want to run as a normal User "

    I think this is the hard part of your admirable quest. But I’m game. Give it a try!

    Perhaps you could enumerate items in the downside. How will running as Admin definitely hurt me? How will it potentially hurt me? If there’s no actual pain, only potential (and unrealized) pain, why change?

    It’s been so long since I ran as a regular user, I’ve forgotten what most of the problems and pains were … but here’s one.

    Situation: I’m logged in as a non-admin. I need to do some simple admin task. What’s the quickest way to just get it done? Are there options besides logging out and logging in as admin?

  2. ray says:

    I think the biggest negative for Windows users to run as a non-admin is applications that simply will not work or install if you are not logged in as an administrator.

    This should gradually change as app vendors start to realise security affects them too, but MS should create the framework to allow this to happen. The Windows installer should know that if an application tries to write to privileged keys, it should prompt the user for admin credentials.

    Instead of just having the run-as command, each application should be allowed to specify that it wants to run as a specific user, even if you are logged in as another user. This includes explorer, internet explorer, etc.

    Allow fast user switching to work in the corp domain environment.

    During a new Windows client install, do not create admin users with blank passwords – duh.

    For every single Windows admin tool, if the tool requires admin privileges and is being run from non-admin account, prompt for admin password. For example, device manager, manage computer, services, etc.

    Look at how MacOSX and Linux do it and then do it better.

  3. anonymous says:

    Yes, just right click the application and choose Run As…

  4. James says:

    I used to run a high school graphics lab, and we always tossed and turned on some of these things, admin versus user for the high end graphics PCs, and we always decided to go on to admin, and give the users the trust.

    Some applications / abilities we have had trouble with doing without administrator privileges are:

    – CD burning with nero burning rom

    – video capture into adobe premiere, and using real-time video effects cards

    – scanning on some of our SCSI scanners (USB tended to work all right)

    – using some graphics applications (such as lightwave 3D) which require interface with external hardware dongles to verify each PC have a licensed copy.

    At the time we were doing this on Windows 2000, probably before SP1 even; it’s possible that since then things have changed, either due to Win2K SP1 or due to newer versions of software / drivers, but at the time we had trouble, and I think that ever since then people there have been giving users local admin rights.

  5. Yawar Amin says:

    I agree with ray on all points.

    I use the `cmd’ prompt to open a new `cmd’ prompt as `Administrator’ to do stuff I need to do:

    `> runas /user:administrator cmd

    Enter the password for administrator:

    Attempting to start cmd as user "THANGORODRIM\administrator" …

    >’

    But even with `cmd (running as THANGORODRIM\ADMINISTRATOR)’ it’s impossible to:

    * Run Windows installer (*.msi) packages

    * Install fonts into %windir%\Fonts (copying with `xcopy’ does not seem to install)

    * Open a file manager (Windows Explorer) window

    And it’s pretty hard to open the Control Panel applets. For instance, to run `Add/Remove Programs’ I have to (with `cmd’ running as Administrator as described above):

    `> c:

    > cd \windows\system32

    > control appwiz.cpl’

    The Control panel applets don’t have `Run as…’ in their context menus! Arrrrgh! 🙂

  6. Good points, Yawar, and I will address each of them in upcoming posts. (Well, I haven’t looked into the fonts issue, but I can definitely get you through all the others.) Stay tuned!

  7. James, please contact me directly re Nero, Adobe, etc. Do you have exact repro steps? Any chance they’ve upgraded to XP yet and could try as User again?

    Thanks.

  8. HopeICanHelp says:

    By the way, you should be able to run msiexec.exe without any problems. According to http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dv_vstechart/html/tchDevelopingSoftwareInVisualStudioNETWithNon-AdministrativePrivileges.asp , you can run "msiexec /I msifile.msi" after you’ve "runas /user:administrator "cmd.exe"" It claims that "Note This is exactly what Windows does when you double-click an .MSI file." so it should work without any problems. On the page, you’ll also find out how to run things such as the 802.11 monitor, add new hardware wizard, power options, ups, and many other commands. For programs that you use often as administrator, you can make a shortcut to the application. To run the application as root, you would then right-click on the shortcut, select "Properties", choose "Run As" and then enter the username and password. Simple enough…

    Also, according to http://www.petri.co.il/run_windows_explorer_as_another_user.htm you can run "explorer.exe" as admin by either: C:\>runas /user:pro1\Administrator "explorer.exe" or by navigating to your windows folder and shift-right clicking explorer.exe and telling it to run as Administrator.

    PS. I’m not 100% sure of the above since I just came across the information right now and I’m currently running Linux + I’m too lazy to boot Windows. 😀

  9. "HopeICanHelp" – thanks for posting. As a lot of frustrated people will tell you, runas with Explorer does not work – at least not in the default configuration. I’ll post more on that very soon – stay tuned!

  10. Richard Adams says:

    Another key non-admin aware app is PGP (personal edition). While every component except for PGPdisk (which requires admin rights because it mounts a pseudo disk) will work for a non-admin user, if you try and run it under more than one user it says that it is not licenced and suggests you look at PGP corporate (far more $$). PGP don’t seem to be able to distinguish between a corporate site that has multiple actual users and a home installation that only uses different user ids to separate the kids’ games from the home office. Pity they can’t licence per machine rather than per user for the personal edition! The point of this rant is that if you want to use PGPdisk to encrypt personal financial info, for example, then you must run both the app and PGP in the same, admin-privileged user.

  11. Marco says:

    Here is an alternative, similar to PA, for Windows 2000/XP/2003. We have developed a solution (and are giving it away for free to home users) that adds/removes privileges on the fly to the end user token — that is — no need for a second user account like all RunAs-derived solutions require.

    Give it a go .. http://www.neovalens.com

    Cheers,

    Marco Peretti

    NeoValens

  12. Marco, that looks really interesting. When was 1.0 released?

  13. ch. says:

    I would add to what James has said that also many other applications require admin rights to run – also some of Microsoft’s own products (for example Age of Empires II – Age of Kings).

    how can I let my kids play it without giving them the admin password?

  14. Aaron Margosis has a blog dedicated to running as a non-admin. This is surprisingly difficult to do in Windows but Aaron gives us some compeling reasons to do so and gives lots of good information about some of the techniques and tricks that are required.

  15. Complete list of Aaron Margosis’ non-admin / least privilege posts, for easy lookup.

  16. rogern says:

    Hello All, I have run my XP Pro SP2 workstations at work and home as limited user accounts for several months. It’s a pain but hardly any spyware is picked up by Spybot S&D, Adware, viruses, etc.

    I set up my clients as limited users and don’t have any issues of them tweaking the system that they are not supposed to do.

    I would like to see Windows like Linux that just asks for the root password to execute the action requested. No need to right click run as.

    Windows Explorer for me opens run as from the program menu. Not always though.

    Best regards,

    rogern

  17. Helm says:

    Using your desktop without admin rights is the only way to use your system. At home every system I have had since Windows NT 4.0 Workstation came out has two accounts, one admin for installations and troubleshooting, one for every day use. In my corporation I forced 200 users not to have admin rights. They all complained, but when our support team guarantees them their systems are up and running without issues, they are okay with it.

  18. tonyso says:

    Get your friends and family, all those folks that come to you for computer help once their machines have…

  19. Chris Quirke says:

    Instead of having to decide which level of corporate employee I’m going to pretend to be as I log on, and staying that way all day, I’d rather set limits on what various apps can do – and it’s not as simple as a scale of "0 to 10".

    For example, in a particular hour I may:

    – look up a financial account in a database

    – browse a web site or two

    – read mail and "open" email attachments

    – play a quick game or two

    I’d want Internet-facing apps to have zero access to either system or user data, the game to have zero access to anything outside of its own subtree, and my accounting app to have zero access (in either direction) beyond the local PC. I don’t see user session rights as delivering this – after all, even the most limited user has the right to edit their own data, so any malware with those rights can trash that data simply by overwriting it.

  20. Serge says:

    The main limitation of ‘run as’ is that it truly assumes that identity. Any changes made to the HKLM tree do so for the assumed ID, not the logged in one. When running an install under ‘run as’, read/write rights should be given to the logged in user to any folder and registry key subtree created. Does me no good to install as administrator if the user can’t use the app.

  21. Aaron Margosis says:

    Serge —

    1. Addressed – see the posts about MakeMeAdmin.

    2. Changes made to HKLM are system-wide – did you mean changes to HKCU?

    3. No, you don’t want to grant Write access to the program’s install folder or HKLM settings. Those should be Read-only to users. Per-user data should go into the user’s profile, not the app install folder.

  22. Will Kaiser says:

    Excellent topic. I just stumbled upon this by accident and will be following it closely.

    I’m an application packager and SMS admin in a corporate environment, and I face problems with installing and running applications in a locked down environment on a daily basis. I’m also leading a project to move to a more locked down environment. Our current spread is around 50%/25%/25% distribution in user/power user/administrator respectively. We’re looking to move to a spread of around 85%/10%/5%.

    Probably the single biggest problem that I face when running apps as a user is with applications that write temp files to unusual locations when running. I’ve had apps drop temp files into program files, %windows%, the root of c, even the root of documents & settings. I can sometimes get around this by adding the temp file to the installation, but this only works about half of the time.

    I’ll be interested to see what you can uncover in an everyone-wants-admin-rights world.

  23. John Huber says:

    Running as a non-admin for the most part is living in a dream world. Microsoft’s own apps do not work fully when run as a normal user, not to mention a wide variety of non-Microsoft apps. I have talked to a number of people who are in the same boat. You have to give users local admin rights just to get most apps to run right.

  24. Jeff Mayrand says:

    Let me just say I think the effort to run as non-admin is commendable. I really think there needs to be a way to allow a user to elevate privilege to execute a particular command but also allow administrators to limit which commands they can leverage. Even better would be to allow execution of certain commands with privilege and not require opening up the administrative account to the user. (Hmmmm sounds a lot like capabilities in Unix…)

    Microsoft could learn an awful lot from how the Unix environment works. It’s the inability to do these types of tasks and others that is why Microsoft is never considered an Enterprise Platform. It’s simple difficulties like these that should be the focus of new releases…

    Instead we are getting a new graphics subsystem! It’s crap like that which in a server OS is the least of my concerns… If Microsoft is serious about getting into the enterprise and given their push at TechEd with SQL Server and wanting to play with the big boys they better seriously get their chit together….

  25. John Galt says:

    I am glad I stumbled upon this topic today.

    I have recently started making the push on securing my XP box and running it more like my Gentoo box. The power of *nix and the ability to run apps with elevated privileges or to ‘su’ on the fly makes it 10 times as desirable as XP – unfortunately, Windows is prevalent, and in the support game, you have to stay abreast.

    The hardest, I think, is for home users to get used to such an environment – it is a completely new way of looking at things to someone who has not dealt with system administration before, and a very good example of this is the default installation of XP – OOB it creates the administrator account, which you supply the password for, and forces you to create another account – which is also a computer administrator.

    For so long I have run my XP box like that that it is staggering to believe – but it is 100% true. Everything I do in XP is as a computer admin, and it is starting to take its toll, as more and more 0-day exploits have started showing up in recent months (I have had 4 infections thus far in the last 3 months, as opposed to 5 the entire 3 years previous, when I started running XP).

    Once I get this running as a limited user thing going correctly (and that is going to take a lot of time, I can tell) I think my next project will be to develop a way to automate the clean install process so that it always sets it up this way.

  26. Yawar, if you open Control Panel, hold the Shift button and then right-click the applets there is an option for "Run as…"

    Also, if you open the Start menu and locate Windows Explorer there, right-clicking the item on the menu will also give you the option for "Run as…" – no need to hold shift in this case.

    – Chris

  27. pam says:

    Hi, whenever I try running "runas /user:administrator cmd" or "runas /user:computername\administrator cmd" it opens the command prompt and asks for a password but it seems like the keyboard becomes disabled only at this point. I’m wondering how to do it properly. I hope you can help me out on this one. Thanks!

  28. Aaron Margosis says:

    Pam –

    It’s working. RunAs.exe just doesn’t echo any characters (not even asterisks) while you’re typing the password.

    HTH

  29. shawkster says:

    Good notes in this forum. This debate is really hard to establish, considering laptop users and desktop users. I am working in this non-admin direction and the debate is still on-going with some proprietary apps used by only certain people. I will follow this forum and share my opinion on what is happening in the real world vs. lab testing and what a developer proposes. It is always best to look into the user world before you implement, or code your application as a regular user in the first place.

  30. Anthony says:

    I’ve started using WinXP Pro since SP1a. From day 0 the everyday work is done in a non-admin account. I log on as an admin only to do some maintenance.

    What I miss in windows is the "sudo" – I am very unhappy about "runas" asking me for the admin’s password. The *nix’s "sudo" is – on contrary – asking for the user’s own password and then decides on the contents of the special configuration file (namely – "/etc/sudoers") if the current user’s requested action was pre-approved by an administrator.

    With the current "runas"’s behaviour – winXP is still a single-user OS for me…

  31. tom324 says:

    Nero works perfectly under Limited user account. All it takes is to download and install "Nero BurnRights" from

    http://www.nero.com/nero7/eng/Support_Tools.html

    Tom

  32. jdm says:

    What I’d like to know is how to work around games that REQUIRE admin level access: getting them to run in normal user accounts, or at least how to make a “demi-admin” (which I assume is higher than a power user) that would grant just enough rights to run the game but not enough rights to compromise the system.

    This is driving me nuts since we lock the kids out of the admin accounts only to pick up games, most not clearly marked “need admin account to run”, that require they be run from admin accounts.

    Truly don’t understand what admin rights a game could possibly need.

    jdm – see the “Fixing LUA Bugs” posts linked from this Table of Contents.

    HTH

    — Aaron

  33. TMOF says:

    I am currently running as an Admin with no other users.

    I tried to set up an LUA but it wouldn’t let me until I had set up an Admin Account (even though I already have one).

    I set one up and then an LUA and ended up with 2 Admins and 1 LUA.

    Of course all my settings are on the first Admin (e-mail, IE favourites etc.)

    I tried to change the first Admin to an LUA but couldn’t and when I deleted the LUA my first Admin disappeared too leaving me with the 2nd Admin without any of my settings.

    So…

    How do I set up just 1 new account (LUA) and transfer all my settings to it from the Admin one?

    I also then need the e-mail and internet settings to be a mirror on both accounts. Is this possible?

    TMOF:

    The built-in Administrator account is hidden from the logon UI unless it is the only admin account left.  XP generally wants to keep that account around in case your “regular day-to-day” (admin) account has a problem.  A bit unfortunate.  Anyway, to transfer Favorites, etc., from your admin account to your new LUA account, I would suggest logging on as the admin, finding the Favorites folder, and copying (not moving) the items to the corresponding Favorites folder of your LUA account.  (If you move the items, they will retain the permissions from the source folder, and the LUA account will not be able to see them.)

    For email – that will depend on what email program you use.  Outlook Express includes various Export features to simplify transfer of settings, messages, address books, etc.  To transfer email account settings, it’s Tools / Accounts / Export…  Put the exported data in a shared location where your LUA account can read them.

    HTH

    — Aaron
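    Why Aaron says to copy rather than move the Favorites, shown with the file system ACLs themselves. This is an added example, not code from the original post or from Aaron: within one NTFS volume a move is a rename, so the file keeps the DACL it already has (including the ACEs it inherited from the admin profile) and the Limited User gets no access, while a copy creates a new file that inherits from its new parent, the LUA profile. The account name LUAUser, the profile layout and the sample shortcut are assumptions; run it from the admin account after the new account has logged on once so that its profile folder exists.

```powershell
# Added example (not from the original post): compare the DACL a file ends up
# with after Copy-Item versus Move-Item inside one NTFS volume. Names below are
# assumptions for the demo.
$adminProfile = $env:USERPROFILE                                # the admin account you are logged on as
$luaUser      = 'LUAUser'                                       # assumed name of the new Limited User
$luaProfile   = Join-Path (Split-Path $adminProfile -Parent) $luaUser

$srcFolder = Join-Path $adminProfile 'Favorites'
$dstFolder = Join-Path $luaProfile   'Favorites'
$copiedSrc = Join-Path $srcFolder 'Copied.url'
$movedSrc  = Join-Path $srcFolder 'Moved.url'
$shortcut  = '[InternetShortcut]', 'URL=http://blogs.msdn.com/aaron_margosis/'
Set-Content -Path $copiedSrc, $movedSrc -Value $shortcut

Copy-Item -Path $copiedSrc -Destination $dstFolder   # new file: inherits $dstFolder's ACEs
Move-Item -Path $movedSrc  -Destination $dstFolder   # same volume: a rename, DACL travels unchanged

function Test-AccountCanRead {
    # $true if an Allow ACE for $Account grants ReadData, explicit or inherited.
    # Deny ACEs and group membership are ignored (assumption: XP profile DACLs
    # contain neither, which is the default).
    param([string]$Path, [string]$Account)
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -like "*\$Account" -and
            (([int]$ace.FileSystemRights -band $readData) -ne 0)) {
            return $true
        }
    }
    return $false
}

foreach ($name in 'Copied.url', 'Moved.url') {
    $file = Join-Path $dstFolder $name
    $acl  = Get-Acl -Path $file
    '{0}: readable by {1} = {2}; ACEs: {3}' -f $name, $luaUser,
        (Test-AccountCanRead -Path $file -Account $luaUser),
        (($acl.Access | ForEach-Object { $_.IdentityReference.Value }) -join ', ')
}
```

    The copied file lists the Limited User among its ACEs; the moved file still lists only the admin account, SYSTEM and Administrators. A move across volumes is a copy followed by a delete, so it does not show the problem. To repair files that were already moved, re-apply inheritance from the new parent: on Vista and later `icacls <file> /reset`; on XP the simplest fix is to copy the file once more and delete the original.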

  34. Table of Contents – blog posts on Aaron Margosis’ Non-Admin WebLog

  35. Nina says:

    I actually have a question.  I have two computers, both running Windows XP.  One has a deskjet printer directly connected that has been set up for sharing. On the 2nd I am able to install the printer when logged in as admin; however, my limited user account can not see the printer.  Any suggestions?

    [Aaron Margosis]  You should be able to browse for and install the printer while logged on as the non-admin account in the same way.

  36. Mike Marcum says:

    Let me start by saying, I’m one of only 2 techs for a small city of around 250-300 computers and our policies don’t allow Admin rights to the end-user.  Not granting Admin rights has consistently been one of the biggest thorns in my side, not viruses, adware or spyware.  If you lock down your network you can keep all that stuff out, but I always have to spend time with the end user to make stuff work as Admin.  An example of that would be our Police Department. They have new video footage they just got from Joe’s Mini Mart and now they have to view this video at their PC, but of course the video is proprietary and they have to have software loaded that only Joe or his vendor can provide.  Guess who has to load it? ADMIN!  Doing a RUNAS works only if you’re the Admin and if you’re not you’ll have to call someone.  This is only one example of many.  I ran across this blog when I had to set up our GIS user and they couldn’t run a program in Corel called Bit Stream Font Navigator that they use to manage their Fonts; XP only allows Admins that right.  After looking around I found this great utility that allows an end user to run any program as ADMIN and it’s freeware, but the Admin still has to do the initial setup.

    http://www.steelsonic.com/steelrunas.htm

    The ultimate goal for all techs In my opinion is to be as efficient as possible by addressing all the needs of the end user in a timely fashion, LUAs aren’t the way to do that.  The overhead that LUAs cause for techs is HUGE.  I have my opinions on how to make that happen, but I’ll refrain 🙂

  37. Frank Hutt says:

    I have been running Windows XP SP2 and now SP3 for some time in limited user mode. I managed to get most things to work.

    There is one thing that I cannot implement. That is to do a custom windows update. The only message I get is during shutdown, when there is the option of either do an auto update during shutdown or no update. There is no custom update option given. Is there some work around for this?

    Thanks

  38. Pahan says:

    @ Yawar Amin

    you can try this to Install fonts without admin.

    go to fonts folder.

    follow these links, you will understand 🙂

    http://4.bp.blogspot.com/_qGrwehdbHLY/SXoB84VwiLI/AAAAAAAAALU/1KRIN3EHyEA/s1600-h/untitled2.JPG

    http://1.bp.blogspot.com/_qGrwehdbHLY/SXoAZS-3t-I/AAAAAAAAALM/jZm1SnQIMmA/s1600-h/untitled.JPG

    [Aaron Margosis]  I don’t suppose you actually tried that before you went to the trouble of posting it, did you? 🙂  Try it.  You get a weird error message about the font being in use.  Run Process Monitor and you’ll see the “access denied” errors causing the CopyFile operation to fail.
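    The Process Monitor approach Aaron points to here is also the fastest way to find the apps Will Kaiser describes in comment 22 (temp files dropped into Program Files, %windir% or the root of C:) and to apply the rule from comment 21 (per-user data belongs in the profile or HKCU, not the install folder or HKLM). The script below is an added example, not code from the original post or from Aaron’s tools: it reads a Procmon CSV export, keeps the ACCESS DENIED events, and labels each one by the protected area the app was trying to write to. The column names are those of Procmon’s default CSV export, the path patterns assume default install locations, and the five log lines are constructed for the demo; it needs PowerShell 3 or later.

```powershell
# Added example (not from the original post): triage a Process Monitor CSV
# export for the ACCESS DENIED events that reveal an app assuming admin rights.
# Column names match Procmon's default CSV export (assumption); the log lines
# below are constructed for the demo, not captured from a real machine.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0012345 AM","fontnav.exe","1840","CreateFile","C:\WINDOWS\Fonts\newfont.ttf","ACCESS DENIED","Desired Access: Generic Write"
"10:02:11.0023456 AM","fontnav.exe","1840","RegSetValue","HKLM\SOFTWARE\Vendor\FontNavigator\LastScan","ACCESS DENIED","Type: REG_SZ, Length: 40"
"10:02:12.0001111 AM","game.exe","2204","CreateFile","C:\Program Files\Game\save\slot1.dat","ACCESS DENIED","Desired Access: Generic Write"
"10:02:12.0002222 AM","game.exe","2204","CreateFile","C:\Documents and Settings\kid\Application Data\Game\config.ini","SUCCESS","Desired Access: Generic Write"
"10:02:13.0003333 AM","game.exe","2204","CreateFile","C:\gametemp.log","ACCESS DENIED","Desired Access: Generic Write"
'@

# Machine-wide locations a Limited User can read but must not write. An app
# denied here keeps per-user data in the wrong place: it belongs under the
# profile (%APPDATA%) or HKCU (Aaron's point 3 in comment 21). The patterns
# assume default install paths; adjust for a D:\ install or a localized
# "Program Files" folder.
$machineWide = @(
    @{ Name = 'Program Files'; Pattern = '^[A-Za-z]:\\Program Files( \(x86\))?\\' }
    @{ Name = 'Windows';       Pattern = '^[A-Za-z]:\\WINDOWS\\' }
    @{ Name = 'HKLM';          Pattern = '^HKLM\\' }
    @{ Name = 'Drive root';    Pattern = '^[A-Za-z]:\\[^\\]+$' }
)

function Get-LuaDenials {
    param([Parameter(Mandatory = $true)][string]$CsvText)
    foreach ($e in ($CsvText | ConvertFrom-Csv)) {
        if ($e.Result -ne 'ACCESS DENIED') { continue }
        # Denials outside the protected areas usually mean a bad ACL, e.g. a
        # file created under the admin account during install (comment 20).
        $where = 'Other (check the ACL on the object)'
        foreach ($loc in $machineWide) {
            if ($e.Path -match $loc.Pattern) { $where = $loc.Name; break }
        }
        [pscustomobject]@{
            Process   = $e.'Process Name'
            PID       = [int]$e.PID
            Operation = $e.Operation
            Path      = $e.Path
            Location  = $where
            Detail    = $e.Detail
        }
    }
}

$denials = Get-LuaDenials -CsvText $sampleCsv
$denials | Format-Table Process, Location, Operation, Path -AutoSize

# One line per process: the protected areas it insists on writing to.
$denials | Group-Object Process | ForEach-Object {
    $areas = $_.Group | Select-Object -ExpandProperty Location | Sort-Object -Unique
    '{0}: {1}' -f $_.Name, ($areas -join ', ')
}

# For a real capture: start Procmon from the admin account (it loads a kernel
# driver), reproduce the failure as the Limited User, then File > Save as CSV:
# Get-LuaDenials -CsvText ([IO.File]::ReadAllText('C:\Logfile.CSV'))
```

    In the constructed sample, the font tool is denied on %windir%\Fonts and an HKLM key, and the game is denied on its own install folder and the root of C: while its write to the user’s Application Data succeeds, which is exactly the split between machine-wide and per-user locations the app should have been respecting. Filtering on Result is ACCESS DENIED inside Procmon before exporting keeps the CSV small.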