Misconceptions about Least Privilege

I found a trackback to my recent post wishing for 2005 to be the Year of Least Privilege, and unfortunately the response repeats one of the major misconceptions about Least Privilege user accounts:

G. Andrew Duthie asks: "Will 2005 be the year of Least Privilege" (via Robert Scoble).

Not a chance. Why not? Scoble sums it up pretty well (unintentionally):

For those who don't know what Least Privilege is, it means turning off a bunch of administrator rights so that no software can install without logging off and logging back in as administrator.

People don't want to have to log off and log back on to get stuff installed! That's awful. People want to use their computer and have it get out of the way. What should happen is that they are prompted for an administrator login when admin privileges are needed and it should all just work seamlessly once such a login has been provided. Similarly, if they are logged in as Administrator, they should have to provide their password to install software anyway so that they know it's happening.

Essentially, don't let software install and run unsafe code without first confirming the user trusts it.  Check out sudo for how to do it on the command line and OS X for how to put a GUI on it.  Then while you're at it - disable the administrator account and just use this system instead (see sudo for how to handle permissions when there is no administrator/root account).

Unfortunately, the author of this post is incorrect in the assertion (also made by Scoble) that one has to log off and log back on to change from a low-privilege user to admin. You can switch between accounts using Fast User Switching in Windows XP (Home, or Pro if the machine is not joined to a domain); FUS is fast, easy, and provides isolation between applications, while still allowing you to keep your apps running when you switch back and forth. And if you can't use FUS, you still don't have to log out and log back in: you can use RunAs to run apps, MMC utilities, etc. with your admin account, or you can use Aaron Margosis' MakeMeAdmin utility (a simple batch file that creates an admin command prompt using your existing user profile) to run apps from the command line.
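To make the RunAs and "admin prompt with your own profile" options concrete, here is a small batch script I'm adding as an illustration. It is not code from the original post and it is not Aaron's MakeMeAdmin; it only shows the same idea using tools built into Windows XP/2003 (runas.exe and net.exe). It assumes a local account named Administrator exists, that the account you are logged in with is a limited local or domain account, and that the script's own path can be expressed as a short (8.3) name, which is why it uses %~fs0.

```batch
@echo off
rem adminprompt-example.cmd
rem Added example for this post; NOT Aaron Margosis' MakeMeAdmin, just an
rem illustration of the same technique with built-in Windows XP/2003 tools.
rem Assumptions (not from the post): a local "Administrator" account exists,
rem the current user is a limited account, and runas.exe/net.exe are present.
setlocal

if "%1"=="/helper" goto :helper

rem ---- Phase 1: runs as the limited user ------------------------------------
rem Simplest case: run one tool under the admin account (admin's own profile).
rem runas prompts for the Administrator password and returns once the program
rem has been started, so nothing is logged off or switched.
rem   runas /user:%COMPUTERNAME%\Administrator "mmc compmgmt.msc"

rem MakeMeAdmin-style case: re-launch this script under the admin account so
rem the :helper section below runs with admin rights in the SAME desktop
rem session. %~fs0 is this script's full short path (avoids quoting issues).
runas /user:%COMPUTERNAME%\Administrator "%~fs0 /helper %USERDOMAIN%\%USERNAME%"
goto :eof

rem ---- Phase 2: runs as Administrator; %2 is DOMAIN\user of the limited account
:helper
set _USER=%2
echo Adding %_USER% to the local Administrators group...
net localgroup Administrators %_USER% /add
if errorlevel 1 (
    echo Could not add %_USER% to Administrators; nothing changed.
    goto :eof
)

rem Start a NEW cmd.exe as the limited user. runas prompts for THAT user's
rem password and returns as soon as the process starts. The new process is
rem given a fresh access token, which now includes Administrators; every
rem other window keeps the token it was created with, so it stays limited.
runas /user:%_USER% "cmd /k title *** ADMIN PROMPT - %_USER% - close when done ***"

rem Remove the membership again immediately. The already-started prompt keeps
rem its token (group membership is fixed at token creation), so admin rights
rem exist only in that one window and only until it is closed.
net localgroup Administrators %_USER% /delete
echo %_USER% removed from Administrators; only the new prompt is elevated.
goto :eof
```

Run it from your normal limited account; you will be asked twice, once for the Administrator password (to add and remove the group membership) and once for your own (to start the new prompt), and afterwards only that one window runs with admin rights while your existing applications, and your profile, are untouched.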

Additionally, I've used OS X (I bought an iMac for my wife specifically for the purpose of better understanding how least privilege works in OS X), and while I would tend to agree that the user experience is good in this area of OS X, what the comments don't take into account is that with that kind of interface the danger is that someone will attempt (probably successfully) to spoof the UI, so that an unsuspecting user enters their admin credentials without realizing that it's not actually the OS prompting them. The more often a user's work is interrupted by this type of prompt, the greater the likelihood that they will become accustomed to simply entering the credentials without thought so they can get on with what they really want to accomplish. (Interestingly enough, the post above notes this, "want to use their computer and have it get out of the way", but then goes on to suggest interrupting them with dialogs that they won't care about, apart from getting past them as quickly as possible.) This isn't meant as a criticism of OS X by any means, but as an observation on what users want to do, which is get to the functionality they want, not spend time filling out credential dialogs.

I'm certainly eager to see what the LUA user experience will be in Longhorn, and I'm hopeful that it will be improved over what exists in Windows XP. But it's not only possible but relatively easy to run as a low-privileged user in XP and Windows Server 2003 (and Windows 2000, for that matter), and it doesn't require a great deal of expertise (see Aaron's blog for his experiences setting up non-tech-savvy relatives with LUA accounts).

What do you think? Have you tried running as a non-admin? Did you find challenges? Did you give up? Let me know in the comments...