It seems like everybody is recommending that users not be given admin rights on their computer. This has become such a part of the conventional wisdom that no one even questions if we should do this anymore.
Well I disagree.
Let's take a look at how we use our cars. Do they refuse to drive if our seat-belts are not fastened? After all, it's dangerous to drive unbuckled. Are most cars designed to carry a load of lumber? Yet we all, at one time or another, have to bring some stuff home from Home Depot sticking out of the trunk. We use our cars in ways they were not intended - we have admin rights.
Now why do users need admin rights? Well, reason one is so they can install software. Yes, they will sometimes install something that is a problem or mucks up the machine. But other times they will install something that makes them a lot more efficient. Yet the approval process to install something at many companies is, in practice, so onerous that people will not even try to get approval to install software.
Second is program capability. Restricted rights stop programs from performing certain tasks, communicating with other programs, etc. Again, the user with restricted rights finds that they cannot use the full functionality of a program.
This restricted approach has reached its nadir with Vista, where the default security makes it impossible to do anything, and the new IE security, which makes it impossible to visit any website. Guys, if I turn the computer off, encase it in a block of cement, and bury it, then yes, it's secure. It's also unusable.
A lot of this, in my opinion, is due to the laziness of the programmers involved. It is much easier to say "no setup programs" than to come up with a reasonable list of allowable actions for a setup program. For example, if I am running setuproadrunner.exe from Acme Software, then HKLM\Software\Acme Software should be writable. And it is very legitimate to require that a setup program be digitally signed to allow this activity.
And in many cases, we should ask the user a different question. Don't say "wrtzyx.exe is accessing port 43 - allow?" Instead it should be "the program RoadRunner is trying to read from the database coyote - is this expected?"
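As an added illustration of the policy sketched above (my example, not code from the post or from Windward), here is a Python model of the rule: a signed installer may write only beneath the HKLM\Software key named after its verified publisher, and the prompt names the publisher rather than a bare executable name. The signature lookup is a constructed placeholder for the operating system's signature check; the installer names and the "Acme Software" publisher are the post's own example values.

```python
from __future__ import annotations

# Constructed stand-in for signature verification: maps an installer file
# name to its verified publisher, or None when unsigned or untrusted.
# A real implementation would call the OS trust APIs instead of a table.
SIGNED_INSTALLERS: dict[str, str | None] = {
    "setuproadrunner.exe": "Acme Software",
    "wrtzyx.exe": None,
}

def normalize_key(key: str) -> list[str]:
    """Split a registry key into lower-cased components, resolving '.' and
    '..' so a path such as 'HKLM\\Software\\Acme Software\\..\\Microsoft'
    cannot escape the publisher's own subtree."""
    parts: list[str] = []
    for part in key.replace("/", "\\").split("\\"):
        if part in ("", "."):
            continue
        if part == "..":
            if parts:
                parts.pop()
            continue
        parts.append(part.lower())
    return parts

def installer_may_write(installer: str, key: str) -> bool:
    """Allow the write only if the installer is signed and the target key
    lies at or below HKLM\\Software\\<verified publisher>."""
    publisher = SIGNED_INSTALLERS.get(installer)
    if publisher is None:
        return False
    allowed = normalize_key(f"HKLM\\Software\\{publisher}")
    target = normalize_key(key)
    # Component-wise prefix check, so "Acme Software2" does not match
    # "Acme Software" the way a plain string prefix test would.
    return target[:len(allowed)] == allowed

def describe_request(installer: str, key: str) -> str:
    """Phrase the decision the way the post asks for: name the publisher
    and what it is touching, not an opaque executable name."""
    publisher = SIGNED_INSTALLERS.get(installer)
    if publisher is None:
        return f"{installer} is not signed by a known publisher; the write to {key} was blocked."
    if installer_may_write(installer, key):
        return f"The {publisher} installer is writing its own settings under HKLM\\Software\\{publisher}; allowed."
    return f"The {publisher} installer is trying to write outside its own area ({key}) - is this expected?"
```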
Yes, it's much harder to implement the above. But the computer is supposed to help us. It's not supposed to be that we change our activity to make the programmer's life easier.
And with that said, yes, all programs should be written to run with least privilege. We went to a lot of effort to get the Windward programs to run with Vista in its totally locked-down mode.