I'd love to say that I was able to keep our users in Standard accounts. That hasn't been the case so far, but I have hope that can change.

The challenges in limiting access to administrative privileges can be political as well as technical. Which have been the more difficult for you to overcome?
0 Votes
Pro
As a one man IT shop for 100+ users and a wide variety of applications, I can personally attest that you can get all your users running as standard accounts in XP. Some applications are difficult, requiring a few hours of mucking around the registry and file system to see where extra rights need to be granted - I also use this time to log complaints with the application's developer/support personally about their incorrectly made software.

The time and energy saved (by not having to worry nearly as much about rouge software, spyware, etc) is worth it in my opinion.
0 Votes
Moderator
Paint the screen red?

Could you possibly mean "rogue" software?
0 Votes
Have you never made a typo??
0 Votes
Moderator
all teh tiem
NickNielsen 15th Oct 2009
but I usaully profread my wrok and edti my misteaks.
...so I admire your accomplishment.

I stopped trying to use registry edits as a workaround when I discovered that I couldn't update my custom software build one Patch Tuesday.

I decided then that it made more sense to run my systems "stock", and elevate the users' privileges where necessary. I tried to keep data secure with good backups and by being ready to re-image a system at a moment's notice.

A later commenter mentions Group Policy, which certainly makes granular rights management much easier. That was beyond our infrastructure at the time, however.

Thanks for your comments.
Many times an application needs admin rights because it regularly moves data in and out of its own Program Files folder, which is protected. When installing these programs, install them in a directory other than Program Files (Misc, OtherPrograms, etc).
0 Votes
Workaround
saghaulor@... 13th Oct 2009
Or you can change the permissions to the folder specific to the program itself.

I have a software that I had to do that to. The user is restricted, but has admin access to that one program folder.

Now registry writes are a whole nother ball game. I haven't had to go that deep, but I'm prepared to if I have to.

I'd rather scrutinize the registry and change permission on a key by key basis than give my users full access to Armageddon.

Twice, a former admin has given out full access to some users. And twice both computers were utterly compromised with malware.

A well documented procedure would make replicating the permissions waltz very easy for future dancers.

+1 That Microsoft (and other OS's) should not allow developers to code programs that rely on admin access. I've run into a few in Linux, but for the most part, stuff runs without root access; the way it should be.
0 Votes
I agree
Timbo Zimbabwe 13th Oct 2009
"I'd rather scrutinize the registry and change permission on a key by key basis"

Indeed. I've come across instances where a program not only updates data within its own directory, but also to a registry key or 2. I'd much rather give rights to a program folder and registry key or 2 than hand over the keys to the kingdom. Most users understand when I tell them that their restrictions prevent malware, etc, from doing their worst and don't question it when I open only the doors that need to be opened....
0 Votes
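The folder-and-key approach from the two posts above, as an added example that is not part of the thread. It uses PowerShell rather than the XP-era tools the posters would have had; the install path, registry key and group are hypothetical, and it must be run from an elevated session.

```powershell
# Added example. Hypothetical values: replace with the real application's paths.
$AppFolder = 'C:\Program Files\ExampleApp'
$AppKey    = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'
$Group     = 'BUILTIN\Users'

function Grant-FolderModify {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -Path $Path
    # Modify, not FullControl: users can write data but cannot change
    # permissions or take ownership of the folder.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-KeyWrite {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -Path $Path
    # Read plus write on this one key and its subkeys only.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity, 'ReadKey, WriteKey', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ExplicitGrant {
    # Lists only the non-inherited entries, i.e. the exceptions an admin added.
    param([string[]]$Path)
    foreach ($p in $Path) {
        (Get-Acl -Path $p).Access |
            Where-Object { -not $_.IsInherited } |
            Select-Object @{ n = 'Path'; e = { $p } },
                          IdentityReference, AccessControlType,
                          @{ n = 'Rights'; e = {
                              if ($_.FileSystemRights) { $_.FileSystemRights }
                              else { $_.RegistryRights } } }
    }
}

Grant-FolderModify -Path $AppFolder -Identity $Group
Grant-KeyWrite     -Path $AppKey    -Identity $Group

# Keep the result as the written record of what was opened up and for whom.
Get-ExplicitGrant -Path $AppFolder, $AppKey |
    Export-Csv -Path '.\ExampleApp-grants.csv' -NoTypeInformation
```

Anything in a folder that standard users can modify, executables included, should not afterwards be launched from an administrator session.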
The precious information your OS safeguards under lock and key is functionally useless if all applications are designed to run in 'user mode' and thus cannot access them. If these data cannot be touched, the need for the OS itself is largely obviated.

It's the catch-22 all security aspects in computing have to dance around: you need to give access to central aspects of the environment in order to do anything meaningful. You also need to restrict access to the same in order to prevent uncontrolled or unauthorised operations.

Walking the line is the challenge all software development has to meet, like it or not, to varying degrees of success.
0 Votes
I've found giving the user Admin on just the app directory works for Crystal Reports, among others I've grown too old to easily remember.
I have been looking at this product as a potential solution.

http://www.beyondtrust.com/
Developers shouldn't write apps that require elevated privs to run, be it Admin, root, or other.

MS shouldn't allow the MS or Windows names or logos on apps that require Admin privs to run.

The only users I allow Admin rights on a regular basis are our field techs. They may have to install or update our product test software. Most others get Power User; factory floor accounts or other shared accounts are not members of local Users or Domain Users.

I find many apps that appear to require Admin actually only need it the first time an individual user runs the app. After creating registry entries and setting up assorted user-specific files, they can often be chopped back to Power User with no ill effects.
0 Votes
NO! Absolutely NOT!
1bn0 9th Oct 2009
2 applications require full access rights. This is assigned using local file security. Everyone | Full Access. Everything else requires an admin account.

Disable auto updater for all products. Including Windows.

Palmetto is right. Microsoft should have enforced running programs without admin rights a LONG time ago and developers should be REQUIRED to write software that does not require admin rights.

Some mobile users get admin rights IF they have demonstrated a level of technical expertise that they understand how seriously they can screw up their machine and that they are capable of dealing with the result if they do screw it up. Usually admin access is only granted for a limited time to allow specific functions to be performed then they are removed.
0 Votes
Contributor
Microsoft would have to change some of the ways in which it writes code. Some of the applications purchased and redone by MS have an admin requirement... the steps to get around this "feature" do not work either...

So before they put the screws to third parties and force outside developers to use non-admin accounts, Microsoft software, as a rule, should run with a standard account.
Be stingy with Admin rights.


No more needs to be said....

Didn't you use the "run as:" function in Windows XP?
0 Votes
Sometimes it still results in an "Access Denied" or similar error. Also, installing HP printer software does not work using Run As - if you try, the installer will even tell you that.

That's why the article says there's no *graceful* way to elevate privileges in XP.
I've never had a problem with the "runas" command. Ever.
...and should be considered as an option for running particular tasks with admin rights when needed in WinXP, but it's not interactive. User Account Control prompts a user when a privilege check is required. This makes it more accessible for non-technical users.

That's what I meant by graceful.
0 Votes
you have to use command line
Charles@... Updated - 30th Oct 2009
If you just right click the app and hit runas, then you are using the profile of the runas user. This can be a problem with some software as it will write to the admin user profile instead of the logged in user. To get around this, use the command runas /env /user:user@domain.microsoft.com "notepad \"my file.txt\""
The env tells the software to use the currently logged on profile.
Even this solution doesn't keep the registry, only the environment. Also, passwords will be cached only until you have to log out.
For some commands, the /netonly parameter may be necessary. I ran into this yesterday trying to get my ADUC shortcut to work.
0 Votes
in the posts on this thread regarding the need for certain applications to run with admin rights. Developers should be punished for respecting the structure of the operating system? I hardly think that's fair. One might as well advocate that a doctor have his medical licence revoked because he had to operate to remove an infected appendix. After all, whatever happened to 'do no harm'? Yeesh.

In fact, rare though it is for me to defend Microsoft - it being hard to feel sorry for a company that has historically spent far more money defending itself than on genuinely innovating its products - I don't think they are even fully to blame for the situation whereby admin rights are needed by certain applications.

Anyone who has managed a fileshare knows the age-old problem: how do you grant just the right amount of access privileges to allow someone to access everything they need, and no more? How do you even structure the filesystem to draw nice thick lines between all the users or classes of user?

Now try doing that for an entire OS - one of the biggest candidates for software bloat in the entire industry, when you consider the need for a kernel, the user space, and all the inbuilt functionality that the big software houses have convinced the market ought to be in the machine right from the start.

Everything you grant access to is a potential avenue for abuse. Everything you restrict is functionality that can't be added to the software. So where did we put that line again? Even a company like Apple, which controls its hardware and a large range of its software, can't create an environment that delineates without needing to authenticate as an administrator. What chance does an OS like Windows or Linux stand?

It is what it is. Some things just don't boil down to a nice simple dichotomy.