Linked by Thom Holwerda on Wed 31st Mar 2010 14:41 UTC
Windows As geeks, we're well aware of the importance of running as a normal user instead of as root (UNIX/Linux/BSD) or administrator (Windows). However, while this should be common knowledge to anyone reading OSNews, it's often hard to illustrate just how important it is - until now, that is. A report by BeyondTrust looked at how many security bulletins issused by Microsoft are mitigated by simply... Not running as administrator.
Thread beginning with comment 416323
To read all comments associated with this story, please click here.
Consider the source
by coreyography on Thu 1st Apr 2010 01:59 UTC
Member since:

While the paper makes some good points, they neglect to mention a couple of things:

1. UAC in Vista and Windows 7.

2. The high probability that most companies run Windows desktops locked down/non-admin anyway, to keep the admins from tearing their hair out.

This company apparently makes a centrally-managed "sudo on steroids", which may make things more convenient, but probably does not significantly improve the security of the average corporate PC or conscientious Vista/W7 user.

Where XP really sucks in this department is with things like power and network settings. Power settings are per-user but need elevated privileges to change; same with network settings. Things like wifi start up as services, so sudo-like/"run as" mechanisms don't work (power settings can at least be changed with arcane control panel incantations).

You end up tweaking the registry or digging into Group Policy or some such (which, frankly, without Google would not be practical). Vista and onward mitigate this issue with UAC (for this argument I assume UAC is secure in that the privilege boundary it establishes cannot be illicitly crossed).

Unix does a better job still, as settings like these can be adjusted with command-line utilities (which are regular programs) or configuration text files, both of which utilize a relatively simple security model (the other benefits/drawbacks of which I won't go into here).

All that said, I run my own XP installations as a limited user, and I am fairly easily able to convince/educate anyone I know who has had their XP hosed by some malware to do the same. It is not as hard as one might think, and the benefits far outweigh the inconvenience. Microsoft screwed up not enforcing this with NT (which already was a significant break from what came before).

Edited 2010-04-01 02:14 UTC

Reply Score: 1