
Be stingy with Administrator privileges in Windows 7

If you've been too liberal in giving admin rights to XP users, the improved User Access Controls in Windows 7 should help break the habit.

I have been far too liberal in giving admin rights to my XP users. The improved User Access Controls in Windows 7 should help me break this habit.

----------------------------------------------------------------------------------------------------

I've been running across a lot of great Windows 7 ramp-up material lately. With the public release of the new operating system just over the horizon, there are a lot of tips around. It's ironic that there are so many "before you install" pieces coming out, since lots of IT pros have already been working with the release candidate of the OS for months. I'm never one to look the proverbial horse in the mouth, though, especially since I never really implemented Vista in my office. It's helpful for me to have an informed voice to let me know how improvements in Windows 7 might make my life easier.

One of the developments I'll appreciate most is touched on in Bill Boswell's recent "The 10 Things to Do First for Windows 7," published on Microsoft's TechNet site. Bill's piece is a larger discussion about transition and deployment considerations, but item number ten on his list skewered me in the vitals: "Remove your users' local-admin rights."

I'm guilty of giving out local administrator accounts too freely. It was Windows XP that forced me into that position, though. Certain tasks couldn't be accomplished in that operating system unless one was using an account with administrative rights. Because there wasn't a graceful means to interactively escalate privileges, I ended up giving out accounts with more access than I should have. I had no choice. I tried to be a hard case for a while, but our staff couldn't get work done and all my time was spent running around temporarily elevating users' privileges to facilitate trivial tasks. Loosening my security standards let my users become more self-sufficient, but I then saw problems increase as people gained the power to break things.

Windows 7 is designed to be smarter about account privileges and make it more viable for users to run Standard accounts. Applications that try to make changes to protected areas will be redirected, and rights to perform certain low-risk system chores have been granted to non-Admin accounts. It sounds like Microsoft has listened to users' Vista feedback by making the interactive User Access Control feature less annoying. (Having to authorize even minute tasks made people inclined to turn off UAC entirely, putting efforts to limit user rights back to square one.)

I'm still evaluating how Windows 7's UAC implementation will work for mobile users. They were the first folks I had to give out Admin accounts to under Windows XP. I'm also going to be sampling the applications we use to make sure they'll run properly under Standard accounts. Thankfully, Microsoft has made a tool to help me do that. I'll be leaning pretty heavily on the Standard User Analyzer Wizard and the Windows 7 Application Compatibility Toolkit in the weeks to come. I'm not certain yet that I'll be able to hold to a Standard Account in every use case. I have high hopes, though, that I'll be able to stop giving out elevated privileges simply to make the office go.

23 comments
darpoke

in the posts on this thread regarding the need for certain applications to run with admin rights. Developers should be punished for respecting the structure of the operating system? I hardly think that's fair. One might as well advocate that a doctor have his medical licence revoked because he had to operate to remove an infected appendix. After all, whatever happened to 'do no harm'? Yeesh. In fact, rare though it is for me to defend Microsoft - it being hard to feel sorry for a company that has historically spent far more money defending itself than on genuinely innovating its products - I don't think they are even fully to blame for the situation whereby admin rights are needed by certain applications. Anyone who has managed a fileshare knows the age-old problem: how do you grant just the right amount of access privileges to allow someone to access everything they need, and no more? How do you even structure the filesystem to draw nice thick lines between all the users or classes of user? Now try doing that for an entire OS - one of the biggest candidates for software bloat in the entire industry, when you consider the need for a kernel, the user space, and all the inbuilt functionality that the big software houses have convinced the market ought to be in the machine right from the start. Everything you grant access to is a potential avenue for abuse. Everything you restrict is functionality that can't be added to the software. So where did we put that line again? Even a company like Apple, which controls its hardware and a large range of its software, can't create an environment that delineates without needing to authenticate as an administrator. What chance does an OS like Windows or Linux stand? It is what it is. Some things just don't boil down to a nice simple dichotomy.

Tony Hopkinson

Be stingy with Admin rights. No more needs to be said....

1bn0

2 applications require full access rights. This is assigned using local file security. Everyone | Full Access. Everything else requires an admin account. Disable auto updater for all products. Including Windows. Palmetto is right. Microsoft should have enforced running programs without admin rights a LONG time ago and developers should be REQUIRED to write software that does not require admin rights. Some mobile users get admin rights IF they have demonstrated a level of technical expertise that they understand how seriously they can screw up their machine and that they are capable of dealing with the result if they do screw it up. Usually admin access is only granted for a limited time to allow specific functions to be performed then they are removed.

CharlieSpencer

Developers shouldn't write apps that require elevated privs to run, be it Admin, root, or other. MS shouldn't allow the MS or Windows names or logos on apps that require Admin privs to run. The only users I allow Admin rights on a regular basis are our field techs. They may have to install or update our product test software. Most others get Power User; factory floor accounts or other shared accounts are not members of local Users or Domain Users. I find many apps that appear to require Admin actually only need it the first time an individual user runs the app. After creating registry entries and setting up assorted user-specific files, they can often be chopped back to Power User with no ill effects.

williamjones

I'd love to say that I was able to keep our users in Standard accounts. That hasn't been the case so far, but I have hope that can change. The challenges in limiting access to administrative privileges can be political as well as technical. Which have been the more difficult for you to overcome?

dwaldo

Sometimes it still results in an "Access Denied" or similar error. Also, installing HP printer software does not work using Run As - if you try, the installer will even tell you that. That's why the article says there's no *graceful* way to elevate privileges in XP.

Derek Schauland

Microsoft would have to change some of the ways in which it writes code. Some of the applications purchased and redone by MS have an admin requirement... the steps to get around this "feature" do not work either... so before they put the screws to third parties and force outside developers to use non-admin accounts, Microsoft software, as a rule should run with a standard account

pruett2

Many times an application needs admin rights because it regularly moves data in and out of its own Program Files folder, which is protected. When installing these programs, install them in a directory other than Program Files (Misc, OtherPrograms, etc).

Levi Miller

As a one man IT shop for 100+ users and a wide variety of applications, I can personally attest that you can get all your users running as standard accounts in XP. Some applications are difficult, requiring a few hours of mucking around the registry and file system to see where extra rights need to be granted - I also use this time to log complaints with the applications developer/support personally about their incorrectly made software. The time and energy saved (by not having to worry nearly as much about rouge software, spyware, etc) is worth it in my opinion.

Timbo Zimbabwe

I've never had a problem with the "runas" command. Ever.

saghaulor

Or you can change the permissions to the folder specific to the program itself. I have a software that I had to do that to. The user is restricted, but has admin access to that one program folder. Now registry writes are a whole nother ball game. I haven't had to go that deep, but I'm prepared to if I have to. I'd rather scrutinize the registry and change permission on a key by key basis than give my users full access to Armageddon. Twice, a former admin has given out full access to some users. And twice both computers were utterly compromised with malware. A well documented procedure would make replicating the permissions waltz very easy for future dancers. +1 That Microsoft (and other OS's) should not allow developers to code programs that rely on admin access. I've run into a few in Linux, but for the most part, stuff runs without root access; the way it should be.
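
The scoped grant described in this thread (rights on one program folder and one registry key instead of a local admin account), written out as an added example that is not part of the original comments. The folder path, registry key and group are hypothetical placeholders, and the script assumes an elevated PowerShell session on the target machine.

```powershell
# Added example. Run elevated. The folder, key and group below are hypothetical.
$AppFolder = 'C:\Program Files\ExampleApp'
$AppRegKey = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'
$Group     = 'BUILTIN\Users'   # a dedicated group for the app's users is narrower

function Grant-ScopedAccess {
    param(
        [string]$Path,      # file system or registry provider path
        [string]$RuleType,  # .NET access rule class matching the provider
        [string]$Rights,    # rights to allow, as enum names
        [string]$Inherit,   # inheritance flags for child objects
        [string]$Identity   # account or group receiving the rights
    )
    if (-not (Test-Path -Path $Path)) { throw "Not found: $Path" }

    $acl = Get-Acl -Path $Path
    # Record the original descriptor so the change is documented and reversible.
    Write-Output ("BEFORE {0}: {1}" -f $Path, $acl.Sddl)

    $rule = New-Object -TypeName $RuleType `
        -ArgumentList $Identity, $Rights, $Inherit, 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Show the explicit (non-inherited) entries now held by the identity.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited } |
        Format-List
}

# Folder: Modify rather than FullControl, so users cannot rewrite the ACL
# or take ownership of the application's files.
Grant-ScopedAccess -Path $AppFolder -Identity $Group `
    -RuleType 'System.Security.AccessControl.FileSystemAccessRule' `
    -Rights 'Modify' -Inherit 'ContainerInherit, ObjectInherit'

# Registry key: read plus value and subkey writes only; no Delete,
# ChangePermissions or TakeOwnership.
Grant-ScopedAccess -Path $AppRegKey -Identity $Group `
    -RuleType 'System.Security.AccessControl.RegistryAccessRule' `
    -Rights 'ReadKey, SetValue, CreateSubKey' -Inherit 'ContainerInherit'
```

Write access to a folder that holds executables lets any member of the group replace them, so where the application allows it, point the folder grant at its data subfolder instead of the whole program directory.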

williamjones

...so I admire your accomplishment. I stopped trying to use registry edits as a workaround when I discovered that I couldn't update my custom software build one Patch Tuesday. I decided then that it made more sense to run my systems "stock", and elevate the users' privileges where necessary. I tried to keep data secure with good back ups and by being ready to re-image a system at a moment's notice. A later commenter mentions Group Policy, which certainly makes granular rights management much easier. That was beyond our infrastructure at the time, however. Thanks for your comments.

NickNielsen

Paint the screen red? Could you possibly mean "rogue" software?

CharlieSpencer

for some commands, the /netonly parameter may be necessary. I ran into this yesterday trying to get my ADUC shortcut to work.

Charles

If you just right click the app and hit runas, then you are using the profile of the runas user. This can be a problem with some software as it will write to the admin user profile instead of the logged in user. To get around this use command runas /env /user:user@domain.microsoft.com "notepad \"my file.txt\"" The env tells the software to use the currently logged on profile. Even this solution doesn't keep the registry only the environment. Also, passwords will be cached only until you have to log out.

williamjones

...and should be considered as an option for running particular tasks with admin rights when needed in WinXP, but it's not interactive. User Account Control prompts a user when a privilege check is required. This makes it more accessible for non-technical users. That's what I meant by graceful.

CharlieSpencer

I've found giving the user Admin on just the app directory works for Crystal Reports, among others I've grown too old to easily remember.

darpoke

The precious information your OS safeguards under lock and key is functionally useless if all applications are designed to run in 'user mode' and thus cannot access them. If these data cannot be touched, the need for the OS itself is largely obviated. It's the catch-22 all security aspects in computing have to dance around: you need to give access to central aspects of the environment in order to do anything meaningful. You also need to restrict access to the same in order to prevent uncontrolled or unauthorised operations. Walking the line is the challenge all software development has to meet, like it or not, to varying degrees of success.

Timbo Zimbabwe

"I'd rather scrutinize the registry and change permission on a key by key basis" Indeed. I've come across instances where a program not only updates data within its own directory, but also to a registry key or 2. I'd much rather give rights to a program folder and registry key or 2 than hand over the keys to the kingdom. Most users understand when I tell them that their restrictions prevent malware, etc, from doing their worst and don't question it when I open only the doors that need to be opened....

NickNielsen

but I usaully profread my wrok and edti my misteaks.

mbrello

Have you never made a typo??
