As geeks, we’re well aware of the importance of running as a normal user instead of as root (UNIX/Linux/BSD) or administrator (Windows). However, while this should be common knowledge to anyone reading OSNews, it’s often hard to illustrate just how important it is – until now, that is. A report by BeyondTrust looked at how many security bulletins issused by Microsoft are mitigated by simply… Not running as administrator.
Despite the advances made by Microsoft on securing Windows, the fact of the matter is that the first user created on a new system is always administrator. This means that many (most?) Windows users out there are running as administrator, and as BeyondTrust’s report shows – that’s incredibly insecure.
Of the total amount of security vulnerabilities put out by Microsoft in 2009, across all versions of Windows and Office, 64% are mitigated by removing administrator rights. Microsoft published 190 security vulnerabilities last year, and 121 of them are thwarted by running without administrator rights.
Breaking it down per product, the figures become even more interesting. Microsoft reported 55 Office vulnerabilities in 2009, and all of them are mitigated by removing admin rights. Of the 33 Internet Explorer issues reported, 94% were thwarted by removing admin rights. For Internet Explorer 8, 100% would be. If we restrict the vulnerabilities to just Windows, we see that 53% can be mitigated by not running as admin.
The threat of the most severe type of vulnerability, the ones that would allow remote code execution, can be greatly educed by not running as admin: 87% of them are ineffective when you do not run as administrator.
These figures how us exactly what we already knew: running as administrator is stupid, and asking for trouble. All the more reason for Microsoft to finally abolish that quaint custom of making the first user an administrator.
Things are not as simple as it seem. Many windows programs cannot run in power user mode. In power user mode, power user do not access permission to many important system folder. Access permission cause many run time errors.
Many malwares have ability to run as administrator even if you log in as power users. My company have tried to reduce malwares by changing to power user. However, the changes cause many problems to users without reducing the the number of malwares. The anti-virus cannot delete the malware because power user don’t have permission to delete the file.
However, many malwares are autorun virus. By disable autorun and autoplay, the malwares are reduce dramatically.
that’s because they are poorly written. most programs can work just fine or regular account.
only exceptions i can think of are security related programs, like antivirus and firewall, which should run as services with different privileges.
Only problem is, many apps are very difficult or costly to fix. And this includes open source/free stuff… the largest the company, the highest the cost of any change, even minimal. And today companies are saving every penny.
I wonder how much those same companies spend on network and desktop security. I hear licenses on corporate a/v and lost productivity/stolen data expense can get pretty hefty.
Yes. But try to explain that to a CEO who doesn’t know where the ON button of his notebook is.
the problem is even worse when you have black box code built by some third party that no longer exists.
You can run as admin inside Windows 7’s XP mode if that helps at all. It’s just an integrated VM of XP.
Part of the problem is that MS wasn’t doing much to encourage multi-user aware programs in the XP days. A big part of this had to do with the central registry system. The virtual registry in Vista/7 is a major improvement in this regard.
That’s great if you can have enough horsepower to run the additional virtualized OS and if you can spare the disk space.
For most desktops, that’s not an issue but the sales and project mgm’t folks here prefer the really small laptop or near-netbook machines and those have some significant tradeoffs.
Better to run either BeyondTrust Privilege Manager or Avecto Privilege Guard if you have a domain.
… by fixing them.
Or not running Windows.
I bet the Old Order Amish don’t have any vulnerabilities in their home computers.
You can modify data on their abacus without being prompted for a password. That’s a pretty big vulnerability.
Honestly, most Linux distro’s enact the first user as the ‘root’ user too. That’s not the problem.
Instead, Microsoft should force the creation of the admin password AND a normal user during installation.
Additionally, Vista + Win7 shed light on the software requiring admin rights to run issue, and has helped to resolve software that is being updated and maintained. However, there is still a vast amount of software out there that businesses use that is not being upgraded or maintained for numerous reasons; software that still requires admin rights to run.
So as another said – it’s not so simple.
Most window users do not install heir own operating systems. OEM ship computers with windows setup with a user with administrative privileges because they do not want to get support calls asking why they are prevented from doing A or installing application B.
Windows 2000 shipped with three users,winxp shipped with two, normal and admin. Microsoft gave people options and OEM passed on a bad choice to their consumers to reduce their costs and consumers did change the bad option and the bad option stuck as default and expected option.
It is required in new york to take couple of hours of road safety lectures and workshops before a drivers license is issued. Should computers users be required to do the same?
I would point out that microsoft called their ‘normal’ user ‘limited’ which also doesn’t endear itself to people.
Honestly, most Linux distro’s enact the first user as the ‘root’ user too.
I am not aware of any such distro. I don’t use that many distros though, but atleast the one I use a lot, Mandriva, does NOT enact the first user as root. No, you always have to enter root password separately if you wish to install applications or do other similar system administration tasks, just as it should be.
Could you now then elaborate which distros actually do enact the first user as root?
Actually, I suspect what the OP meant is that all Linux and UNIX systems have the root user as the first user. It’s always there, it has uid 0. That is the first user, there’s no arguing that.
That being said, there’s a critical difference between what XP and older did for admin versus what *NIX systems do. In the case of XP, any user marked as admin has *full* access to everything just as the first user, which is administrator, does. In *NIX, while the root user is the first user, the installers typically do one of two things. First, they disable the root user and the first account created has sudo privileges (e.g. Ubuntu and Mac OS X), or they make you set a root password and create a user without sudo privileges (e.g. OpenSUSE). Both of these have their advantages and disadvantages, but they do accomplish one thing evenly. That password prompt makes you stop and consciously decide to continue, rather than just letting your user do anything root could do.
With Vista and 7 the situation is slightly better, but only slightly. Administrator accounts do get prompted by UAC but, unlike limited user accounts, they do not get asked for a password. This means that there’s no conscious decisions involved, the click-through habit takes over and most users just click continue to get the dialog out of the way. If Microsoft revised UAC to always prompt for a password, we’d probably see a drastic drop in the number of stupid infections. It won’t kill infections completely, but even just that split second is often enough to tell you that something’s wrong and that greeting card you clicked on shouldn’t be asking for your system password.
Why would he mean that? It has absolutely no bearing whatsoever on the topic at hand.
He/she probably means distros like Slackware, Gentoo and ArchLinux which require the user to make a user account manually, since by default they use is root.
I’ve always said that Windows users right from XP should have been tutored into creating passwords and one for administrator from the installation.
All OEM machines should have been set-up so that the user would need to set both passwords or some sudo equivalent, like Ubuntu has for example.
That is absolutely WRONG.
While I haven’t run ArchLinux, neither Slackware nor Gentoo require you to run as the root user by default. Anyone that does is out of their mind. Both communities suggest using su/sudo (just like every other distro) for doing admin stuff.
Well, when you’re dropped to the command line after installation, you then login as root and create a user account. Until then, it’s root access only.
BTW. I’ve seen many users come into the IRC’s distros’ channel as root, because they didn’t create a user account.
Edited 2010-03-31 17:21 UTC
While technically correct, all of the documentation and prompts strongly encourage the administrator to add a user as their first task.
Furthermore, what user without a deep knowledge of Linux is doing a manual install of a power-user distro? This is just a tangent, since Arch/Slackware/Gentoo make up a sliver of the Linux user base and are invisible to the casual audience…
The Arch Linux installer LiveCD runs as root.
The Arch Linux install howto explains how to set up and configure a system (mostly using the nano editor for system configuration text files) and how to create (a) user account(s). One then re-boots, removes the LiveCD, and runs as a normal user from then on.
All installer CD’s run as root as there are no users. Some (like Gentoo’s LiveCD’s) randomize the root password on boot for security (so you can run SSH), but still login as root.
That is the nature of installation media.
LiveCD’s typically run as root, but you can add users to them before you burn the CD/DVD so you don’t have to. But again, that’s typical because a LiveCD is usually a recovery disk or installation media where root permissions are required for the primary tasks of system maintenance.
But LiveCD’s and Installation Media are not examples of normal UNIX/Linux user configurations. (And I never said that Microsoft should make the Windows Installation programs run as a normal user, that would be very problematic for any operating system installation system.)
Being the OP…
Distro installers always ask you to enact a password for root. That is the first user enacted during the installation.
After that, you can then add a normal user to use.
Yes, but they don’t make you run as root. That’s a rather crucial difference.
Of course distros ask you to set a password for root, but I am not aware of any distro which didn’t also create a normal user account. Even Mandriva installation _mandates_ you to create a normal account, you can’t continue installation without. And in no situation is the root user the default user; it doesn’t log automatically in, it doesn’t show up in GDM/KDM and so on.
That is very different from what you at first said.
No, that is exactly what I was saying Microsoft should do as well.
In most distros, one MUST add normal users to use.
The root account is there, but it is not noramlly used. Indeed, many Linux distributions login manager will not allow root to login. Users must first login as normal users with limited priveleges, and most of the time run applications as that noraml user. Only when a system administrative change is required would one run someting as root, and the user must supply the root password to become root in order to accomplish such tasks.
On Linux, users do NOT nromally run as root.
In most distros, one MUST add normal users to use. [/q]
Yes. And Microsoft should force the same on Windows.
That’s really not as much a distro limitation as it is that root doesn’t usually have permission to run X-Windows (Xorg/etc). If you want to login as root directly, go to the console login.
Agreed; and Microsoft should force the same on Windows; and remove the ability to add anyone to the Admin group, and change the meaning of the ‘Domain Administrators’ (which typically carries all privileges of the Admin group on a local system).
With Vista and Win7, they have made a step in the right direction, but they still have a long, long ways to go.
Debian does… (at least, it does with Debian 5.0 and earlier)
During install, it first prompts you for the root password, and then prompts you for the “first” (second) user and that user’s password.
Edit: Oh, you mean that it creates only *one* user at all… nah, dunno.
Edited 2010-03-31 18:10 UTC
It is the problem though, if you give someone broad sudo priviledges, all it takes is a sudo bug and you effectively have full control. If you do not run as the user with full privileges, it takes a lot more effort. With linux its a fairly moot point though, because the people interested in hacking it are only targeting environments that would never run that way.
Exact same principal for windows. First windows user is in the “administrators” group, but they still need to go through a dialog for something to execute with admin rights. Proper way to do it is not run daily stuff under an admin account, and run things as the admin account as needed.
The problem is that people are so irritated with having to hit “Ok” to run something as admin, they would be even MORE irritated if it required a username/password.
Users must be part of the ‘wheel’ group AND be added to /etc/sudousers in order to have access to sudo. Additionally, to use sudo you have to enter your own password. It’s not specifically allowed. Once you use it successfully it will let you continue issuing additional commands via more calls to sudo without a password but only for a given amount of time between calls.
‘su’ doesn’t require any group – just that you know the password for that user, root or otherwise.
Not quite.
On Linux/Unix there is typically only one administrator user – root. Rarely do you ever add another user to the ‘root’ group. Instead, you give people the privilege to switch user to the root user using su or sudo. See above.
On Windows you actually add users to the Administrators group. To properly do it the UNIX/Linux way you would not do that, but use the ‘runas’ command instead. It can be successfully done – I’ve done it before – but it is a major PITA as Windows is not designed to work that way.
Under UNIX/Linux, this is how all software is designed to run.
However, Microsoft has historically contributed to pushing for users to need Admin rights in order to use their daily software. Until Office 2002/2003, Office required Admin rights to run. Only recently (VS2005/2008/2010?, not sure which) did Visual Studios drop the requirement for developers to need admin rights in order to debug software.
It’s not that administrators did not want to force people to not have admin rights to use their computer. It’s that the software available for Windows – even software from Microsoft – required it!
It’s only a problem so long as software is designed to require admin rights to function.
Vista and Win7 are making a big show of it. You don’t see so many issues now with it because either the vendors got smart and updated their software to not need it (which has happened), or (where that was not possible, or available yet to the user) people turned it off; and with Win7 the default level was toned down.
I don’t know which Unix you refer to (probably some weird GNU variant), but this is just plain wrong.
My own take on this is that things in Ubuntu (the most popular one, but not the single one, of course) are not that better: a single user is automatically put into the root position. The only thing she needs to do is enter her own password.
It is the same kind of click-click-click -solution than in Windows, downplaying the Unix tradition. But instead of clicking, you type the password. And since we all know how wonderful the concept of password is among the general public (“password123” works in Ubuntu as well as in Facebook and my bank!), it is trivial to exploit.
Edited 2010-04-01 04:51 UTC
OS X is the same way. It’s not quite the same as a click-through, since you do at least have to take a bit of time to enter the password and it breaks the flow of your click click clicking long enough for the action to register in your brain.
You don’t have to be part of the wheel group to use sudo; you just have to be in the sudousers file. The bulk of my experience is with FreeBSD, Fedora, and RHEL/CentOS, so this could be different, but I don’t think it is.
Sudo asking for my password has always bugged me. If it really wanted to secure the system, it should have the ability to use a third password separate from the user or root. I’ve looked into this before, and I remember this is something sudo was never designed to do. This really should be fixed.
I never thought about this, but that’s true on Linux.
On FreeBSD, the users need to be part of wheel to su to root, they can still su to other users without additional permissions, but normal users don’t have su permissions when first created.
Linux might want to tighten that up.
In all truthfulness, this could be also said about… I don’t know, Haiku.
Edited 2010-03-31 15:49 UTC
True but there are plans to implement a security model… at some point they realize this.. there are also some features that inherently need good multiuser support such as multi seat support which has come up in the past and even recently on the mailing list and forum
The current single user model was inherited from BeOS
The primary differences being that 1) the Haiku project doesn’t have thousands of developers on staff and billions of dollars in the bank to address those issues, and 2) Haiku isn’t aimed at a general, non-technical audience.
“…and nearly 100% can be avoided by removing the sure all together and never removing the computer from it’s box”
I don’t like the odds that 36% of the malware doesn’t give a rat’s ass if you’re administrator or not. I also don’t like the blind eye turned to the older OSes that Microsoft released. The reality is that Microsoft keeps dropping opportunities to fix its OSes for profit. I’ve had XP up and running in one form or another for 10 years. I would have gladly paid $50 to keep XP up to date for another 5 years, or $100 for another 10 years of support.
I don’t have a problem with them drawing a line in the sand with different iterations of their products. I don’t have a problem with Microsoft not supporting IE6, IE7, and IE8 for people that don’t want to pay to support the introduction of IE9 on XP. But I want quid quo pro; if I pay $50 you better keep IE9 alive for 5 years or give me something better over that time period. And if I pay $100 then I expect it to run everything that Win7 runs in the next 10 years. You pay more you get more.
I work as a financial applications administrator and when our desktop guys have to come in and look at a desktop it seems the primary vector for problems is Internet Explorer (6 – don’t cringe – legacy web apps).
Adobe is another example of a company that took something that worked – produced a common file format and the ability to secure documents and they have bloated it into utter oblivion and completely ignored security.
So having said all that I think for your average user giving them a more secure browser and perhaps using an adobe reader alternative might achieve the same results.
We can’t go back in time and make tens of thousands of apps run on non-admin accounts, so until everyone moves to Windows 7 you have to look at other opportunities.
Morglum
“So having said all that I think for your average user giving them a more secure browser and perhaps using an adobe reader alternative might achieve the same results.”
I can absolutely guarantee this is the case.
Since not running as admin negates 100% of the IE8 flaws in 2009, how about doing both?
… the problem is that for way too many programs, it is required to run as an administrator, despite the fact that there’s no reason to need such privileges. This is particularly the case for older programs that advertise compatibility with several Windows versions: they make privileged calls because they were originally developed without security in mind. And then there are all the sleazy home-grown DRM schemes that, again, require administrator privilege.
Microsoft has removed the admin rights since 2007 with Vista and UAC
if you are running vista, and see an “OK/Cancel” screen when you do something that needs elevation, you are running under the “Administrators” group.
If you see a “Username/Password” screen when you try to do something that needs elevation, you are running as a normal user (typically in the .\Users group)
Wrong!
I’m running Windows Server 2008 (based on Vista SP 1) and is running as normal user (restricted user). Whenever I try to perform actions for which my user do not have the required rights a window will pop up asking for the Administrator password. Very much like su (or gtksu), but actually slightly more intelligently (I cannot believe I just wrote that).
I guess what windows users must do is create a password protected admin account as well as a regular user account.
Now I am the only person who uses this pc, would the user account require a password in this scenario to mitigate these sorts of vulnerabilities?
No and even using the guest account would block them but it’s a poor practice to use an account without a password.
While the paper makes some good points, they neglect to mention a couple of things:
1. UAC in Vista and Windows 7.
2. The high probability that most companies run Windows desktops locked down/non-admin anyway, to keep the admins from tearing their hair out.
This company apparently makes a centrally-managed “sudo on steroids”, which may make things more convenient, but probably does not significantly improve the security of the average corporate PC or conscientious Vista/W7 user.
Where XP really sucks in this department is with things like power and network settings. Power settings are per-user but need elevated privileges to change; same with network settings. Things like wifi start up as services, so sudo-like/”run as” mechanisms don’t work (power settings can at least be changed with arcane control panel incantations).
You end up tweaking the registry or digging into Group Policy or some such (which, frankly, without Google would not be practical). Vista and onward mitigate this issue with UAC (for this argument I assume UAC is secure in that the privilege boundary it establishes cannot be illicitly crossed).
Unix does a better job still, as settings like these can be adjusted with command-line utilities (which are regular programs) or configuration text files, both of which utilize a relatively simple security model (the other benefits/drawbacks of which I won’t go into here).
All that said, I run my own XP installations as a limited user, and I am fairly easily able to convince/educate anyone I know who has had their XP hosed by some malware to do the same. It is not as hard as one might think, and the benefits far outweigh the inconvenience. Microsoft screwed up not enforcing this with NT (which already was a significant break from what came before).
Edited 2010-04-01 02:14 UTC
Unfortunately this is a side effect of Microsoft’s promise of ‘backwards compatibility for ever’. What Microsoft need to do is rip out all the old backwards compatibility code that exist within Windows, enforce probably user separation and to hell to the loss of compatibility. What will be the result? you will see slower sales, you will see slower upgrades but eventually people will move to the new version – Microsoft will just have to have the patience to be willing to put up with slower sales. The problem is that I don’t see it happening because Microsoft management want to make changes with zero sacrifice nor do they want to front their shareholders and explain to them the long term strategic reason they made a decision that will yield in short term sacrifices by way of lower growth or lower profits.
I’m not sure they’d legally be allowed to do this. Under US law, a publically traded company such as Microsoft’s first and foremost obligation is to the shareholders. If they did such a thing, and I agree such a move is long overdue (should have been done with the first version of NT imho), the shareholders could actually stop them via litigation if they could prove that a move would not be proffitable within a reasonable amount of time. Given the nature of removing all backward compatibility from Windows, they could probably prove this rather convincingly to your average judge who often has the tech knowledge of an insect. Couple this with the fact that the majority of MS’s shareholders likely have as much tech knowledge as your average judge, and Microsoft’s hands would likely be tied even if every employee from Balmer on down wanted to make such a move. It’s crazy and stupid, like most of our legal system, but there it is.
Yes and it would be an obligation to the shareholder, clean the code base, less developers required, cleaner and faster development schedule, and thus in the long term they would be able to produce products to market faster, of higher quality, lower cost because of less developers required and thus make more profits. Why is it so difficult for you or anyone else to see something so clearly obvious?
The problem is that Microsoft is only looking year to year instead of looking 5-10-15 years into the future. Where is their long term plan? continue to have backwards compatibility for ever – even when it results in the costs getting so high that the martins plummet to almost nothing? When competitiveness becomes non-existant because they’re having to carry around crap that should have slowly been phased out.
Edited 2010-04-01 07:39 UTC
*I* understand it perfectly fine, and I agree with you. My point was that the shareholders might not. It doesn’t depend on Microsoft’s, nor mine, nor your ability to see something sensible. It is whether the shareholders would, and most investors want returns *now* not in five years. Most of the shareholders, like Microsoft themselves, only see the short view.
Because you aren’t providing any specifics as to what should be removed and how it would improve user separation. The big problem in XP with account separation was the shared registry and they already fixed that in Vista/7 with the virtual registry.
and destroy billions in wealth.
The account separation in NT works fine. Removing Win32 compatibility would cause more destruction than any security threat. The real problem is with companies that wait as long as possible to upgrade.
Tell me where I stated that I wanted to remove win32 compatibility – that is, the removal of the win32 subsystem.
Edited 2010-04-01 07:35 UTC
Well, you stated you think Microsoft needs to remove all backward compatibility. The win32 subsystem, parts of it anyway, have long been deprecated by Microsoft. You don’t think, if Microsoft were to remove backwards compatibility, they’d take the opportunity to push WPF and .NET exclusively? Of course, in typical MS fashion, they’d leave some undocumented and obscure hooks in to give their products an advantage over anyone else’s, but I guarantee you if they started a brand new Windows, with brand new subsystems, public access to Win32 would be axed in a hurry.
I don’t know. What I’ve personally learned from software engineering is that most things can (and should) be done in backwards compatible manner. At the other extreme you have Linux, where, well, the side effects of not giving a damn about any kind of compatibility are equally well known…
Well, you see, using non-root account does NOT protect you from ANYTHING (except for root-kits). Let me explain. If some software (IE, Acrobat, whatever) has a remote-code execution vulnerability, then attacker can run his code on your system. If you are sitting under non-root then this code executed with your user rights.
Basically, this means that malware can:
* make itself starting on system start-up;
* scan your traffic for passwords;
* record key and mouse presses;
* inject any code into other processes running under the same user;
* write itself on the disk in home folder;
* use your traffic visiting pron sites;
* send spam;
* hack CAPTCHAs;
* make your PC a part of botnet;
* steal your data;
* destroy your data;
* scan LAN and send itself to others;
* use 100% CPU power slowing down everything;
* polymorph its code;
* hide from anti-viruses (a bit harder, yet still pretty much possible);
* etc.
It may not harm data of other users using your PC, but it can do ANYTHING with yours. There are two very common use cases for PCs: only one user and two-three users with some docs shared. In both scenarios malware in “user” mode is AS DESTRUCTIVE AS in root/admin.
Situation is a bit brighter currently, but this is because most of malware tries to store itself in system folders. The next step will be storing inside home folder (documents and settings\user\Application Data. Hey! There’s a hidden Microsoft folder with tons of binaries! And we can infect most of them! And Windows does NOT protect them as zealously as Windows\System32!). And this step is nearing since less and less users use XP.
The same is true for UNIX world – any malware piece may write itself to autorun (.initrc/whatever), store binary in /usr/ or /home/username/ and do whatever it wants!
If you see using non-root user as a security measure, then shame on you and ololo on you. You can’t be serious talking such things.
P.S. Please remember, that corruption of system files and drivers is not really important – you can always restore them or reinstall. Loosing YOUR documents – that is what hurts!
The advantage of malware being forced into user mode is that it is detectable.
Something opening a network connection? root can see it. Something added to the startup items? root can see it. Want an audit listing of what files were modified, when and by what program? root can do that.
Now, if the malware is running as root, it can insert its code into the OS driver level where it has the power to do anything. Detecting rootkits is very difficult and is a race between the latest rootkit and the latest detector.
Did you know you can just lock down the workstations and then use an app like Viewfinity’s Privilege Management app to manage permissions?
http://www.viewfinity.com/Products/PrivilegeManagement/Default.aspx
Security experts have discovered the 99% of Windows 7s flaws can be mitigated by unplugging the network cable.
More at 11.
Use Runnas.exe
http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=15…
Use this to run almost any app in a limited account.
Simply create a new “token user” account on the network dc.
Add it to the local admin group of the machine.
Generate all security tokens using this user account.
Run all apps needing admin rights using runnas.exe and its associated TOK file.
For additional security lock the user account down by putting in its own restricted user organizational unit (restricted by gpo)
If you need to hide the dos box that pops up use “console tool.exe” or “runh.exe” located here.
Both great for hiding startup scripts at user boot and completely hiding a dos box in general.
http://www.virtualizationadmin.com/terminal-services/download.htm