A vendor who doesn’t get it.

On March 28, 2008, in Security, by

One of the reasons that people kick and scream about Vista is that they have been “ADMIN” for many eons on their computer. Just when I think we’re getting to the tipping point of LUA, every now and then I hear a story about a vendor who still doesn’t get it: a vendor, in fact, who is trying to convince the client that the consultant is wrong to advise the client to strive to run without administrator rights.


You only need administrator rights when you install software. Normal folks don’t do that on a daily basis. And the mere act of running without admin rights means that you are more protected, can usually patch later, and get all sorts of wonderful stuff. Don’t believe me?


Check out these links…


http://blogs.technet.com/jesper_johansson/archive/2005/11/30/415328.aspx


http://blogs.msdn.com/aaron_margosis/archive/2006/02/16/fixing-lua-bugs-part-i.aspx


Let me quote from Mr. LUA man himself… Aaron Margosis:

“If there is no legitimate business or technical reason for the app to require admin privileges, then failure of the app to work for a regular user account is a serious bug that compromises system security, stability and manageability.  (Note:  if the development team says something like “It’s mission-critical, so it has to run as admin”, or “it writes to HKEY_LOCAL_MACHINE, so it has to run as admin”, the correct response from you is, “You’re talking nonsense.  Fix the bug!”)” 

 
