Think of it as the "janitor" account.

While I was at Microsoft, every so often the question would arise “how can we do more to prevent users from running all the time as administrator?”


There’s something sexy and powerful about being “administrator”.  Suggest taking administrator access away from someone who has it now – say, a developer, or a small business’ financial officer (thanks, Quickbooks!), or a home user (thanks, Turbotax! – by the people who brought you Quickbooks) – and you’ll get thrown the look of an alcoholic who’s just realised that you’ve figured out where he’s stashed his hooch.


Okay, so undeniably, there is power in that account – and that’s the main reason why you should spend as little time with that power as possible.  “Power corrupts”, remember, and in this case, the thing most likely to get corrupted, by that power being constantly “on”, is the important data you use to run your business.


In Vista and Longhorn, this has been significantly addressed by use of UAP / UAC / LUA or whatever it’s called this morning.


For some reason, nobody ever took up my suggestion, which was brought on by the observation that my kid thinks the guy with power at his school is the janitor.  He has the keys to every classroom, he knows where the secret tunnels are, and how to open up the locked cabinets with the electricity in them.  To those of us beyond secondary education (high school), the janitor is somewhat less cool – without him, the school couldn’t function, but we wouldn’t like to do his job unless it was absolutely necessary that we do so.


So, I think that we should rename “administrator” to “janitor”, at least in our minds, if not in our systems.


This highlights that administrator access should only be used when you need to work on the ‘plumbing’ of the system.  It’s not really the power-house, and the secret areas to which it has the keys are only the boiler-rooms and fuse-boxes of your system.


Where’s the harm in being administrator all the time?  It’s like leaving all those locked cabinets open, for any old virus to abuse as it pretends to be you; it’s like spending time in the boiler room, where you could drop your bottle of cheap whisky and set off a fire that burns down the whole school.


Okay, enough with the analogy, here’s some real reasons why.  If you run as administrator, a virus or trojan that you run (and you will run one, one day) will be allowed to destroy not just your immediate files, but the entire system on which you depend, or worse, install extra components that can be used to attack others, or to filch off your private information.  If you run as administrator, you will accidentally type a command that deletes an important system setting or another user’s important files.


Do I run as administrator?  No.  In my job I run as a Restricted User.  Not even “Power User” (another bad term that equates to “administrator”).  I spend my day as a Security Engineer, and Developer, in Restricted User mode, because I don’t trust that I can detect every virus or trojan, or that I can control my actions sufficiently well not to do something disastrous.  At times, it sucks, because there are programs I can’t run (but there are usually alternatives), and features I can’t access (but I can often open them up with appropriate tools and settings).  I still can’t debug as easily in Visual Studio .NET 2003 (but the 2005 version fixes this).


There will always be “Elevation of Privilege” attacks, sure, but the answer is not to give up on separation of privilege completely.  It’s tricky to write code to use least privilege, because you constantly have to think “what access do I have to this object, and what access do I need?”  Again, that’s no excuse for doing the wrong thing.  Any time you see a company whose software insists on unnecessarily running as administrator, think to yourself “I’m running a tool that is written by people who haven’t learned anything new since at least 1995”.
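As an added example that is not part of the original post, the PowerShell below shows the “janitor” pattern in practice on a Windows machine with UAC: find out whether the current session actually carries the administrative token, run one administrative job in a separate elevated process and drop straight back to the unprivileged session, and refuse to launch everyday programs from an elevated window. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the `Spooler` service change and `outlook.exe` in the usage lines are placeholders for whatever plumbing job or everyday program you have in mind.

```powershell
# Added example, not code from the original post. Requires Windows (UAC) and
# Windows PowerShell 5.1 or PowerShell 7. The service and program names used in
# the usage lines at the bottom are placeholders.

function Test-IsElevated {
    # $true only when the current process token carries *active* membership of
    # the built-in Administrators group. Under UAC an administrator's normal
    # (filtered) token reports $false here, which is the state you want to be
    # in while reading mail or editing documents.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-TokenSummary {
    # Who am I, is the token elevated, and which integrity level did Windows
    # assign to it (Medium = standard user, High = elevated administrator).
    # The level is taken from the "Mandatory Label" line of `whoami /groups`.
    $integrity = whoami /groups |
        Where-Object { $_ -match 'Mandatory Level' } |
        ForEach-Object { ($_ -split '\s{2,}')[0] }
    [pscustomobject]@{
        User           = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        Elevated       = Test-IsElevated
        IntegrityLevel = $integrity
    }
}

function Invoke-AsJanitor {
    # Run ONE administrative command in a separate elevated process and come
    # straight back to the unprivileged session. -Verb RunAs raises the UAC
    # consent prompt; nothing else in this window gains the extra rights.
    param([Parameter(Mandatory)][string]$Command)
    if (Test-IsElevated) {
        Write-Warning "This session is already elevated: everything you start here has the janitor's keys."
    }
    Start-Process -FilePath 'powershell.exe' -Verb RunAs -Wait `
        -ArgumentList '-NoProfile', '-Command', $Command
}

function Assert-NotElevatedFor {
    # Guard for everyday programs: refuse to launch a mail client, browser or
    # word processor from an elevated session, because every document or
    # attachment it opens would inherit the full administrative token.
    param([Parameter(Mandatory)][string]$Program)
    if (Test-IsElevated) {
        throw "Refusing to start '$Program' with administrative privilege; open a standard-user window first."
    }
    Start-Process -FilePath $Program
}

# Usage (service and program names are placeholders):
Get-TokenSummary | Format-List
# Invoke-AsJanitor -Command 'Set-Service -Name Spooler -StartupType Manual'
# Assert-NotElevatedFor -Program 'outlook.exe'
```

`Get-TokenSummary` is the quick check to run in any window before you start work: if `Elevated` is `$true` and the integrity level reads `High`, you are sitting in the boiler room, and the other two functions are how you keep that visit short.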

3 Responses to Think of it as the "janitor" account.

  • erikr says:

    Hi,

    I was smiling when I read your post since for the last 7 years I have been saying that we (IT personnel) are becoming the plumbers of the future… And to be honest I am somewhat unhappy with that (not that I have something against plumbers).

    I do agree with everything you are saying here technically, yet I have a problem with the concept of degrading system administrators even more. I mean 7 years ago this was a very respected profession; currently (since we are viewed as somewhat high-tech janitors) the profession seems to have lost most of its respect. Saying that we are janitors just gives us an additional kick in the face.

    Bye…

  • Alun Jones says:

    It’s not about degrading anyone – I was even careful in how I refer to janitors because, quite frankly, the janitor at our kid’s school seems to be one of the best people I’ve ever met.

    It’s about removing the aura of power and appeal associated with the highest privilege levels on the system. You can call yourself an administrator if you like, but don’t run with elevated privileges.

    In UAC in Vista, even the administrators aren’t administrators all the time. Just when they need to be. I think that even if your job title is to be a system administrator, you should only have those rights and privileges while you’re changing user and machine settings. Not while you’re reading your email, or scheduling meetings in your calendar, or drafting a document that describes how an administrative process should proceed.

    There’s no shame in being a plumber, either.

  • erikr says:

    Agreed. No problem with being a plumber; I just don’t like seeing this profession’s respectability degrade even more…
