Non-Admin, Live!

Tech*Ed 2005 in Orlando, FL (USA) will include significant coverage of “non-admin” topics:

  • SEC350 – “Tips and Tricks to Running Windows with Least Privilege”, which I’m presenting, and
  • SEC351 – “Developing with Least Privilege”, presented by G. Andrew Duthie.

In addition, Robert Hurlbut will be leading a Birds of a Feather session, BOF034, “Developing Software as a Non-Administrator”, and Keith Brown’s BoF session, BOF033, “Writing Partially Trusted Code”, also represents a “least privilege” topic.  [2005-05-19:  added the following]  Also, for a look at the future, don’t miss DSK210, “Longhorn Client Security Advancements”.

Are customers interested in these issues?  Well, the Tech*Ed organizers surveyed registered attendees to determine which sessions would be the most popular.  So which session topped the survey?  Tips and Tricks to Running Windows with Least Privilege!  The Security track organizers are also really stoked that the top six sessions in the survey are all Security track sessions.

My session is also one of twelve to be simulcast on the Internet via LiveMeeting.  I’m on Wednesday, June 8, 2005, 8:30am – 9:45am Eastern Time (US).  You can register for it here and view the full list of other simulcasts here.  You’ll need to have installed the Microsoft LiveMeeting 2005 console – you can download the standalone installer here.  (You need admin privileges to install the console, but not to use it!)

I’m also presenting “Tips and Tricks to Running Windows with Least Privilege” at Tech*Ed Europe in Amsterdam, July 5-8.  I’ll try to post more details when I get them.


Comments (19)

  1. Josh says:

    I will be there; this is one I have been looking forward to.

    Today we run as "Power User" as "User" had way too many issues.

    One of the big problems we have had is around ActiveX and I would love to know how the Longhorn Team plans to solve this problem since no one wants to elevate IE and these are started in process to it…


    The only thing I have thought of is pushing them in SMS; this is not realistic for a corporation over 60,000 strong, and devs rev these all the time without any notice to us…

  2. Check out Aaron Margosis’ blog for tricks and tips to make it easier for you (and those around you!)…

  3. Glenn Fincher says:

    After reading the non-Admin blog for a while & slowly weaning myself off of all that power, I have become a bit of an evangelist! You will love the thread below on the:

    "How do I install programs so users with Limited status "

    The answers that an otherwise astute MVP gave were enough to make you cry! Others corrected his misguided statements & chimed in for the non-admin live. The statements in this thread just about cover all the "issues" that people bring up when non-admin running is proposed.

  4. barrkel says:

    IMHO, LUA needs to be rebranded. Perhaps "Administrator" could be renamed "Maintenance Access" or something, and somehow crippled in some annoying way to make it unusable as a desktop logon, and have some kind of escalation / RunAs strategy with ordinary users elevating to Maintenance Access when needed.

  5. Allan Wolff says:

    Aaron –

    Congratulations on the interest in your presentation. I am a bit surprised at the popularity numbers you quoted in your post. I’m sorry I can’t be there for the many sessions you mentioned on running LUA but I look forward to tuning in to the webcast of your session EARLY Wednesday morning. It may be pretty hard on West Coasters who want to tune in, but no problem for me in the Midwest.

    I have been trying to follow the gospel on developing as Non-Admin, which Keith Brown has been preaching for several years, and have been serious about it for the past year. Though I still have problems doing some Visual Studio work as Non-Admin, your blog and your utilities (MakeMeAdmin and PrivBar especially) have been an essential resource, which I mention on my blog.

    There are a few things which I never did get to work (your fix for granting privileges to install printers) and some odd behaviors (the way web-links launch unpredictably under the admin process or user process once you have one IE/Explorer process running in a RunAs Admin window) but it certainly is feasible to run LUA for most activity. In fact, I, like Glenn Fincher above, have become an evangelist on this and am promoting it by giving a couple of user group talks here in Chicago.

    I do want to mention one little tweak that I discovered and find very helpful for distinguishing Explorer and IE Windows running as Admin from other accounts. Besides Privbar and setting the toolbar backgrounds differently, I set up a custom sounds scheme for the Admin ID. I created a special DISTINCTIVE drumroll sound clip which I assign to the ‘Start Navigation’ event under Windows Explorer. Then whenever I click on a new object in an Explorer/or IE window running under the Admin ID I am alerted by the distinctive sound which reminds me of the dangers where I am. This is particularly noticeable for me since I normally run as user with no UI sounds.


  6. Allan Wolff says:

    Oops – I seem to have left off the final ‘l’ in ‘html’ in the link above to my blog post on lua-development.

  7. mls says:

    Sarbanes-Oxley and FISMA have driven customers’ interest in least privilege on the desktop. Good session. Do you have any pointers for easier management of per-user file associations? The explorer > tools > folder options > file types UI has LUA bugs. Sure, I can create/change the HKCU\Software\Classes keys in the registry directly, but I would prefer a UI.

  8. Greg Churchwell says:

    Any way I can get your PowerPoint from TechEd? I am required to do a presentation at my company about my TechEd experience and I was hoping to review your presentation and use some of your slides. They really want me to do it before I receive my DVDs. Thanks.

  9. gchurchwell, I tried to send it to you, but your server’s spam filters blocked it. You can watch the presentation again here:

  10. Greg Churchwell says:

    Actually, I got it! Thanks. Now, do you know if I could get any of the other speakers’ slide shows too? I have the list of sessions I went to, but I don’t recall who the instructors were. Anyway, thanks for your help Aaron. I really enjoyed your presentation at the conference!

  11. Greg Churchwell says:

    I’m finding what I need Aaron.

  12. Ryan Naraine has written a nice article for eWeek about non-admin security in XP. He notes that Microsoft…

  13. Aaron,

    I know that you are going to be at TechEd EMEA in Amsterdam next week. How about we meet there and chat? We could discuss some non-admin/security stuff and I can also tell/show you the new version of RunAsAdmin. Anyway, if you feel like chatting with me in Amsterdam – ping me at (or at TechEd you use e-mail or just find me at Ask the Experts on security stand).



  14. Kohn says:

    Hi Aaron,

    Your presentation was great.

    Thanks for your great work on makemeadmin and privbar!

    You made me a LUA Evangelist.. I’m an active member of an MS CLIP Board in Germany where I post about your site and tools…

    If anyone is interested on link-sharing I use as my linkdatabase on storing all I found about furl now and in the future in it:

    Best Regards and keep at it Aaron! 🙂

  15. piers7 says:

    Temporary priv. escalation’s one answer, but if you *really* want to get down and dirty, why not just fix/hack/break the offending apps:

    (warning: not for the fainthearted)

  16. Ryan Naraine has written a nice article for eWeek about non-admin security in XP. He notes that Microsoft