Field Notes
Real Pros Don't Run as Normal User
Real techs think they have got to log in with the rights of a higher power on their system, even to check their e-mail or surf the Web. Ditto for developers, doctors, and everyone else who is convinced their job is important and requires full-blown Administrator privileges. These are precisely the people who ought to do their normal course of business logged in with a Limited User Access (LUA) account—as a User. I’m not saying that they should completely lose their rights to do things as an Administrator. Instead, they should be taught to make liberal use of Run As, and use Admin only as needed.
Running as Administrator, even with the latest antivirus signature updates, anti-spyware, a firewall on with few exceptions, and every single service pack and security update in place, doesn’t protect you from that rare stupid slip-up. Nor does it block nasty stealth attacks that establish nearly impossible-to-find rootkits on the system. Once the system is compromised, the systems administrator with domain rights, the developer coding that sensitive app, and the doctor with privacy laws to protect, become suddenly and often unconsciously dangerous individuals.
There is a special kind of arrogance involved in insisting that it is absolutely necessary to run all daily business with an account that has local administrator rights. It’s like riding a motorcycle down the highway, hair flowing in the wind; it feels great, except for the fact that you are at the mercy of any flying object. Running as Power User is like driving a convertible. Running as a normal user is that safe little car with the airbags—if you hit something, it might crack the windshield, but you’ll keep driving and get to your destination.
Now for a humbling confession: it took a developer (of all people) to finally convince me to run as Non-Admin. This was despite spending most of my Microsoft career doing deployments that were rabidly secured to the point of no return, and having to constantly lecture customers on all the reasons why they must run as Non-Admin. It wasn’t disbelief in the value of LUA as much as fear that too many things would break. Developers rarely bothered to run logged in with normal user privileges, and often forgot to code or test with LUA in mind.
To fix such problems, my customers use two sets of tools: the Microsoft Application Compatibility Toolkit (ACT) (often exercising the LUA mode), and the regmon and filemon tools from Sysinternals. With the first toolset, customers can attempt to construct an ACT database file containing compatibility fixes (often referred to as "shims"). If that doesn’t do the trick, they can run the Sysinternals utilities to nail down exactly where the surgical strikes must occur, creating less restrictive registry and file permissions. Changes are then applied through custom security templates, creating a veritable Swiss cheese of tiny security pinholes pricked throughout the operating system. It can be grueling, challenging work, and a monumental pain to manage, but it pales in comparison to recovering from (and sometimes even detecting) an attack that could have been prevented.
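An added example, not from the column, of what one of those "surgical strike" security templates looks like once Filemon and Regmon have shown exactly where a legacy application fails under a normal User account. The application, its registry key, and its data folder are hypothetical (a made-up "Contoso LegacyApp"); the point is that only those two locations are loosened, and only to the extent the application actually needs, rather than granting Users write access to HKLM\SOFTWARE or Program Files wholesale.

```ini
; lua-pinhole.inf - hypothetical security template (constructed example).
; Apply with:  secedit /configure /db lua-pinhole.sdb /cfg lua-pinhole.inf
; Each line is:  "path", mode, "SDDL"
;   mode 0 = set these permissions and propagate inheritable ACEs to children
; SDDL ACE fields: (type;inheritance;rights;;;trustee)
;   BA = Builtin Administrators, SY = SYSTEM, BU = Builtin Users
;   CI = container inherit (subkeys/subfolders), OI = object inherit (files)
;   KA/KR = registry all/read, KW = registry write (set values, create subkeys)
;   FA = file all, 0x1200a9 = Read & Execute, 0x1301bf = Modify

[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[Registry Keys]
; Regmon showed the app writing its settings under its own vendor key at
; startup. Give Users read+write on that key only; Administrators keep
; full control and nothing above HKLM\SOFTWARE\Contoso is touched.
"MACHINE\SOFTWARE\Contoso\LegacyApp",0,"D:AR(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KRKW;;;BU)"

[File Security]
; Filemon showed the app creating log and cache files in its Data subfolder.
; Users get Modify on that folder only; the program folder itself stays at
; Read & Execute so a compromised User account cannot replace the binaries.
"%ProgramFiles%\Contoso\LegacyApp",0,"D:AR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
"%ProgramFiles%\Contoso\LegacyApp\Data",0,"D:AR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1301bf;;;BU)"
```

Before applying a template like this in production, run it through `secedit /analyze` against a test machine and confirm in Filemon/Regmon that the application no longer throws ACCESS DENIED outside the two paths you opened; if it still does, widen the pinhole one path at a time rather than reaching for Power User.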
Not only that, but there is something degrading about willingly relinquishing that Admin power, a nagging suspicion that doing so is a sign of weakness, an inability to hold one’s IT liquor. Only hardcore security consultants run as Non-Admin, and we all know they’re kind of paranoid.
But Microsoft has made some serious advances in application compatibility. Now Office runs very well in limited user access mode, and Microsoft apps play nice in the LUA space. Third-party applications have also made healthy progress. Some apps do break, but smart use of the tools I mentioned, as well as the Run As command, and tips from Aaron Margosis’s excellent Non-Admin blog (see blogs.msdn.com/aaron_margosis) should take care of these.
We’ve finally rounded the corner. Just a year or two ago it was extremely painful to run with an LUA account, but now it is quite bearable. Vast ship containers still pass through the borders of our desktop systems without real scrutiny though, and it is time to secure those assets. So, like that self-righteous reformed smoker who speaks to the glories of discipline, restraint, and sober consideration of the consequences of your actions, I advise against running with Local Administrator rights—even if you think you are getting away with it today.
Shelly Bird is a Senior Consultant II with Microsoft Consulting Services Public Sector. For over 10 years she has assisted government, military, and state agencies in mass deployments of desktops and servers, focusing on security.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.