While I was at Microsoft, every so often the question would arise “how can we do more to prevent users from running all the time as administrator?”
There’s something sexy and powerful about being “administrator”. Suggest taking administrator access away from someone who has it now – say, a developer, or a small business’ financial officer (thanks, Quickbooks!), or a home user (thanks, Turbotax! – by the people who brought you Quickbooks) – and you’ll get thrown the look of an alcoholic who’s just realised that you’ve figured out where he’s stashed his hooch.
Okay, so undeniably, there is power in that account – and that’s the main reason why you should spend as little time with that power as possible. “Power corrupts”, remember, and in this case, the thing most likely to get corrupted, by that power being constantly “on”, is the important data you use to run your business.
In Vista and Longhorn, this has been significantly addressed by use of UAP / UAC / LUA or whatever it’s called this morning.
For some reason, nobody ever took up my suggestion, which was brought on by the observation that my kid thinks the guy with power at his school is the janitor. He has the keys to every classroom, he knows where the secret tunnels are, and how to open up the locked cabinets with the electricity in them. To those of us beyond secondary education (high school), the janitor is somewhat less cool – without him, the school couldn’t function, but we wouldn’t like to do his job unless it was absolutely necessary that we do so.
So, I think that we should rename “administrator” to “janitor”, at least in our minds, if not in our systems.
This highlights that administrator access should only be used when you need to work on the ‘plumbing’ of the system. It’s not really the power-house, and the secret areas to which it has the keys are only the boiler-rooms and fuse-boxes of your system.
Where’s the harm in being administrator all the time? It’s like leaving all those locked cabinets open, for any old virus to abuse as it pretends to be you; it’s like spending time in the boiler room, where you could drop your bottle of cheap whisky and set off a fire that burns down the whole school.
Okay, enough with the analogy, here’s some real reasons why. If you run as administrator, a virus or trojan that you run (and you will run one, one day) will be allowed to destroy not just your immediate files, but the entire system on which you depend, or worse, install extra components that can be used to attack others, or to filch off your private information. If you run as administrator, you will accidentally type a command that deletes an important system setting or another user’s important files.
Do I run as administrator? No. In my job I run as a Restricted User. Not even “Power User” (another bad term that equates to “administrator”). I spend my day as a Security Engineer, and Developer, in Restricted User mode, because I don’t trust that I can detect every virus or trojan, or that I can control my actions sufficiently well not to do something disastrous. At times, it sucks, because there are programs I can’t run (but there are usually alternatives), and features I can’t access (but I can often open them up with appropriate tools and settings). I still can’t debug as easily in Visual Studio .NET 2003 (but the 2005 version fixes this).
There will always be “Elevation of Privilege” attacks, sure, but the answer is not to give up on separation of privilege completely. It’s tricky to right code to use least privilege, because you constantly have to think “what access do I have to this object, and what access do I need?” Again, that’s no excuse for doing the wrong thing. Any time you see a company whose software insists on unnecessarily running as administrator, think to yourself “I’m running a tool that is written by people who haven’t learned anything new since at least 1995″.