Running scared

So here's something really silly.

As you probably know, I run my machine pretty well locked down. Then I
get nervous whenever I do one of these things:

1) Lower my IE security settings to the default level ("Medium" for the
Internet Zone) so that I can view a web site or download something

2) Run something as Administrator

3) Disable Software Restriction Policies

4) Run as Administrator AND set the IE settings to the default level AND without SRP

The silly thing is that #4 is what most people do all day,
every day. They run as Administrator, they have IE set to the default settings,
and they've never even heard of SRP. And this is actually a supported
environment, and provided you are up to date with all your Windows Update patches,
etc. it should be pretty safe.

It's not wrong to work like that, and you get the most
functionality out of Windows in this mode. But for some reason I always get a
bad feeling whenever I do that...

Comments (9)

  1. Dan Smith says:

    Can you do C++ and .NET development in that environment? Last time I checked, there was a long list of things that needed to be tweaked to do ASP.NET development in VS2002. Maybe things are better in 2003?

    Also, if the XP "switch user" feature were available in a networked XP environment, it would be a lot easier not to run as Administrator. Whenever I needed to install something, I could quickly switch to the Administrator account to do so, and then just as quickly switch back.

    I’d sure love *not* to run as Administrator, but since we’re a development shop, that’s how everybody’s machine is configured. There have to be very few roadblocks, otherwise nobody’s going to make the switch (too many other things – like writing code – to worry about).

  2. Peter Torr says:

    Hey Dan,

    You can do development of client .NET applications (if you add yourself to the "Debugger Users" group), but not of ASP .NET applications by default. If you make the ASP .NET service run under your user account (instead of the default IUSR account) then you will be able to debug no problems — check the VS readme.

    I agree — it would be great if XP Pro had Fast User Switching.

  3. Dan Smith says:

    It seems to be the only way this is going to really work is if it’s the default setup for a Visual Studio install (or at least an option that is checked by default).

    If MS really wants to get people to stop running with Administrator privs, they’ve got to make it easier than it is right now. And it’s got to start with developers: if we run with Administrator privs, then it increases the chances that the software we develop will require Administrator privs.

    An alternative to Fast User Switching would be to install & enable Terminal Services; perhaps limiting connections to just "localhost" in some way.

  4. Tristan says:

    I do all my development with diminished rights–I don’t even have debugger rights. I configured the VS.NET shortcut to do "runas" and I have a local user with debugger rights (I did this based on some paranoid, possibly errant notion that I don’t want code running under my normal credentials to be able to attach to other processes). All other times, I’m just a normal user. In fact, I’m able to work normally 99% of the time by configuring shortcuts to use runas (such as installs and Computer Management). Admittedly, the other 1% is a real pain, doing the Great Login Swap just to change settings, but I feel it’s worth it. I gave it a week and haven’t looked back. Thinking about it now, the biggest barrier for moving to diminished rights for development, by far, was my incorrect thinking that it was either impossible or just too difficult.

  5. Peter Torr says:


    There’s a big difference between the debugger right (SeDebugPrivilege) and adding yourself to Debugger Users. You are correct in that normal users should not have SeDebug (and indeed they don’t) because that lets you attach to processes owned by other users (ie, very dangerous). By default all users can debug their own processes, because they "own" them.

    Adding yourself to Debugger Users simply lets you use the VS Debugger. It does not grant you any OS rights, and you can still only debug your own apps. If you use a different debugger (like cordbg) then you don’t even need to be in Debugger Users. It’s basically just an extra layer of protection in case there’s a problem with MDM (the debug service which runs as SYSTEM), although "by design" it should be safe.

    You are right though — running as normal user, day to day, is not a problem at all (as long as you’re not developing ASP .NET apps 😉 ).

  6. Siew Moi Khor says:

    There is a great article on "Developing Software in Visual Studio .NET with Non-Administrative Privileges"

  7. Peter Torr says:

    Thanks Siew Moi — I was looking for that article the other day but neither MSDN search nor Google (shock! horror!) could find it. Living proof that humans are more useful than computers! 🙂

  8. Siew Moi Khor says:

    Actually this particular human being used MSDN search to retrieve the link to that article 😉

    Trick is to know what keywords to search under. You see, writers/editors of MSDN articles have to submit keywords for MSDN search to hit. That article has a few "Runas" examples. So, if you type "Runas" in MSDN Library search, you’ll find currently it’s the 2nd on the search results list. If you don’t want to get too many hits, and you remember the author’s name, searching under that name sometimes is the best way to go.

  9. Anil John says:

    Here is some info on how I extended the above mentioned MSDN Article to work with VS.NET 2003 and ASP.NET (Including debugging).
