Upcoming posts in my LUA/non-admin track:
- Using secondary logon (RunAs)
- Running control panel applets as admin
- Using RunAs with Explorer
- Temporarily elevating your current account to admin without logging out
- Running with a restricted token (what does “protect my computer and data from unauthorized program activity” actually mean)
But first, the low-hanging fruit: how to help your non-techie friends and relatives run with least privilege. Interestingly, the problem of running as admin only when needed is best solved today in Windows XP Home Edition (and XP Pro, when not joined to a domain). From KB article 279765, HOW TO: Use the Fast User Switching Feature in Windows XP:
“In Microsoft Windows XP, if you enable the Fast User Switching feature, multiple user accounts can log on to a computer simultaneously…. [U]sers can switch sessions without closing Windows, programs, and so forth. For example, User A is logged on and is browsing the Internet, User B wants to log on to their user account and check their e-mail account. User A can leave their programs running while User B logs on and checks their e-mail account. User A can then return to their session where their programs would still be running.”
With FUS, you can be logged on as a Limited User, switch to a Computer Administrator session without having to close your apps, do your admin stuff, and switch back to your LUA session. FUS is easier to use than RunAs, and lets you run any app (unlike RunAs). It’s also more secure, since logon sessions are isolated from each other and do not share a common desktop. To switch from one session to another, click the Start button, Log Off, Switch User. Or more quickly, just press Win+L (Windows key + L).
Here’s how I set up home computers for friends and relatives:
- Create a Computer Administrator account called “Admin”. No password. (Read on before you flame.)
- Create a Limited User account for each person who will be using the computer. No passwords.
- Enable the Guest account if it is anticipated that visitors may need to go online.
I instruct all concerned that the Admin account is to be used only for installing software, and to use their individual accounts for all day-to-day use, including web, email, IM, etc. This has worked quite well for everyone I’ve done this for, and I don’t get calls anymore about home pages being hijacked, etc. Users generally don't even have to log out. My 7-year-old walks away, the screen saver kicks in, my 3-year-old moves the mouse and clicks on his picture (or the frog or whatever it is now) and has his own settings.
[added 2004.06.22]: I also like to make the admin desktop noticeably different from normal user desktops, to help prevent accidental use. For example, use the Windows Classic theme instead of the XP default, set a red background, or a wallpaper that says “For admin use only. Are you sure you need to be here?”
OK, I know you’re bursting already: “No password?!?! Are you insane?!?!” Cool down, now. Starting with Windows XP, a blank password is actually more secure for certain scenarios than a weak password. By default, an account with a blank password can be used only for logging on at the console. It cannot be used for network access, and it cannot be used with RunAs. The user experience of just clicking on your name to log on can’t be beat for simplicity. If you can trust everyone who has physical access to the computer not to log on as someone else or abuse the admin account, this is a great way to go. If not, you can always enable passwords.
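The blank-password argument above holds only while that default is still in effect, so it is worth checking on each machine set up this way. The batch script below is an added example, not part of the original post. It assumes the restriction is stored in the `LimitBlankPasswordUse` value under the Lsa key (the "Accounts: Limit local account use of blank passwords to console logon only" policy), which the post does not name, and that the local administrators group has its English name.

```bat
@echo off
rem Added example (not from the original post): audit the defaults that the
rem "blank password" setup depends on. Run it from the Admin session.
setlocal

rem Assumption: this registry value backs the console-only restriction.
set KEY=HKLM\SYSTEM\CurrentControlSet\Control\Lsa
set VAL=LimitBlankPasswordUse

rem reg query prints a line such as:  LimitBlankPasswordUse  REG_DWORD  0x1
rem findstr keeps only that line; the third token is the data.
set DATA=
for /f "tokens=3" %%A in ('reg query "%KEY%" /v %VAL% 2^>nul ^| findstr /i "%VAL%"') do set DATA=%%A

if not defined DATA (
    echo [WARN] %VAL% not found; cannot confirm the blank-password restriction.
    exit /b 2
)

if /i "%DATA%"=="0x1" (
    echo [OK] Blank-password accounts are limited to console logon.
) else (
    echo [FAIL] %VAL%=%DATA%: blank-password accounts are usable off the console.
    echo        Set passwords on every account or restore the default.
    exit /b 1
)

rem Only the dedicated admin account should be listed here besides the
rem built-in Administrator; every day-to-day account should be absent.
echo.
echo Members of the Administrators group:
net localgroup Administrators

endlocal
```

A non-zero exit code means the restriction is missing or disabled, in which case the no-password accounts should be given passwords.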
What about applications – perhaps games originally designed for Win9x (“Wintendo”, as David Solomon calls it) – that unnecessarily require admin privileges? To be honest, I haven’t had to support gamers, so hopefully someone with more direct experience can chime in here. I’d start with KB 285909, How to Troubleshoot Program Compatibility Issues in Windows XP. I do admit to punting on TurboTax and just running it as admin. I weigh the risk of running TurboTax as admin vs. screwing up my taxes, and I’m just more afraid of the IRS. (I saw a discussion somewhere on the Internet about TurboTax requiring admin – I’m not the only one who was forced to punt.)
A valid question that often comes up (and came up in a reply to one of my earlier posts) is, “why isn’t LUA part of the out-of-the-box-experience for Home Edition?” I’m not on the Windows team and wasn’t party to those decisions. But as I understand it, there simply wasn’t time in the XP timeframe to address all the issues to make Limited-User-by-default satisfy user expectations and provide a good user experience out of the box. There is always a balance between security and usability, and at that time, usability would have suffered too much for too many people. Remember that the vast majority of home users were using Windows 98 and Windows ME (“the last version of MS-DOS,” I call it), and apps designed for that platform. I think we can expect that it will be a lot better in Longhorn.
One last caveat: Fast User Switching and RunAs do not play well together. Use one or the other, but not both at the same time. You could end up having to hit the reset button. [Added 20 June 2005:] This caveat applies only to XP RTM and XP SP1. The underlying bug was fixed in SP2, so now you can use FUS and RunAs together with no problem.