First, let’s define terms. This may be oversimplifying, but for the purpose of this discussion there are only two types of users: Administrators, and Users. They are essentially distinguished by membership in the “Administrators” and “Users” local groups. “Administrators” have complete and unrestricted access to the computer/domain. “Users” are prevented from making accidental or intentional system-wide changes.
Narrowing down to two user types is not entirely arbitrary. In fact, this is exactly how Windows XP Home Edition distinguishes users. Under the hood, its Computer Administrators and Limited Users are members of Administrators and Users, respectively. And besides, membership in groups such as “Power Users” or “Backup Operators” is tantamount to being an Administrator. When I talk about running as non-admin, I am not suggesting running as Power User instead.
OK, so if you are one of those people who is allowed (or required) to administer your own computer, why wouldn’t you just want to log on as an admin all the time? Well, if you were a surgeon, would you always want to hold an unsheathed scalpel in your hand? Or would you prefer to keep it in a safe place until you actually need it? Does that metaphor work? How about “running with sharp scissors”? Well, let’s skip the metaphors, then.
The #1 reason for running as non-admin is to limit your exposure. When you are an admin, every program you run has unlimited access to your computer. If malicious or other “undesirable” code finds its way to one of those programs, it also gains unlimited access. A corporate firewall is only partial protection against the hostility of the Internet: you still browse web sites, receive email, or run one or more instant messaging clients [added 2004.06.25] or internet-connected games. Even if you keep up to date on patches and virus signatures, enable strong security settings, and are extremely careful with attachments, things happen. Let’s say you’re using your favorite search engine and click on a link that looks promising, but which turns out to be a malicious site hosting a zero-day exploit of a vulnerability in the browser you happen to be using, resulting in execution of arbitrary code. When an exploit runs with admin privileges, its ability to compromise your system is much greater, its ability to do so without detection is much greater, and its ability to attack others on your network is greater than it would be with only User privs. If the exploit happens to be written so that it requires admin privileges (as many do), just running as User stops it dead. But if you’re running as admin, an exploit can:
- install kernel-mode rootkits and/or keyloggers (which can be close to impossible to detect)
- install and start services
- install ActiveX controls, including IE and shell add-ins (common with spyware and adware)
- access data belonging to other users
- cause code to run whenever anybody else logs on (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)
- replace OS and other program files with trojan horses
- access LSA Secrets, including other sensitive account information, possibly including account info for domain accounts
- disable/uninstall anti-virus
- cover its tracks in the event log
- render your machine unbootable
- if your account is an administrator on other computers on the network, the malware gains admin control over those computers as well
- and lots more
My #2 reason for running as non-admin applies to developers. Developing software as User instead of Admin helps ensure that your software will run correctly on end-users’ systems. Please, never again give me anything like Windows Messenger 4.x! An admin had to install it, of course, but no user could use it until that user ran it at least one time with admin privileges. That’s not even “an admin has to run it once before anyone else can”. That would have been bad enough, but Messenger actually required that each user run it with admin privileges. Completely inexcusable, and certainly attributable, at least in part, to devs running as admin. Keith Brown’s upcoming book also drives this point home really well. Some will argue that you should develop as admin and test as User. I don’t believe this works as well. Maybe I’ll drill down into that point in a future post.
My #3 reason applies just to Microsoft personnel, particularly those of us in customer-facing roles. Hey, y’all! We need to lead by example. People look to us for best practices, for the right way to do things. We are trying to convince the world that we are thought leaders in software and in software security. In the Unix world, they never run as root except when necessary. They “su”, do what they need to do, and revert back. We are not leaders when we run as root all the time. Comrades: you need to run as “User”, and your customers need to see you doing it. If you run into issues, don’t add yourself back to the admins group – file a bug against the offending product. Customers: if you see any MS sales, MCS, Premier, PSS, etc., doing web or email as admin, please tell them, “You’re not setting a very good example. I am disappointed.”
Next post we’ll start talking about how to run as non-admin without driving yourself crazy.