Security best practice would suggest you should not use an account with admin rights for day-to-day work. This would apply to home machines as well as business.
As for business networks, software installation should be done via GP, SMS or suchlike and use elevated installation rights. An end user should not be installing software on a company network anyway.
If an end user requires "certain" rights then they should be delegated in Active Directory for that user or group. No user, including administrators, should be using accounts with full admin rights. Full admin accounts should only be used when required for
I remember reading in FYI mag a while back about some gent being so pleased that his account was a member of the schema admins. He was told he should only be in that group whilst performing the task required (I think he was domain prepping for Exchange or something).
That's my $0.05
I do (but I'm a developer). I would guess it's going to become more common for users to run this way after XP SP2 since you can't open the firewall ports without being an Admin.
Being a developer, you don't really have a choice not to run as admin. You would spend most of your time logging in as admin, fixing things and then logging back in as a user. Since Windows doesn't have the SU commands like any *nix OSes, you're kinda stuck running as an admin, at least when developing software.
At work our accounts are non-administrator... at home, since nobody has access to my terminals, I run as admin. I know it's a security issue... but when I'm at home I don't wanna deal with user switching, and not having an -su option really makes it a hassle.
I would love to be an admin. I use a Dell 9100 at work and on the road, a Media Center 2004 desktop at home (networked to 4 rooms).
I can do admin functions while on the road and at work so checking the board would not be a problem.
Are your home terminals connected to the web? If you read e-mail on them, you might consider trying to run as non-Admin.
I'd love to hear more suggestions from people who run as admin as to what they think MS should change to make it easier to run as a "safe" user account.
I run admin at home for two main reasons. First, since I do VB6, Web, and .NET development on my main system here, I need to have that level of access. Secondly, many games I like won't run under a non-admin user (they were apparently designed for Win9x).
At work, I have local admin access for development purposes on my desktop. I have a custom 'power user' level access on the network and to our Citrix boxes. I have admin access on some servers since I'm also an admin of some of our Intranet sites.
I do not run as admin at home or at work. As a developer, I have been living Keith Brown's developer lifestyle for quite a while. I only switch to admin when I need to be an admin. I think this is very important for developers to do as it exposes security issues early in the dev cycle. I'm currently developing on Windows 2003 as a non-admin and have stumbled across a few issues that some of my admin-running colleagues would have never found.
A previous poster said a well designed network will make this easier for you and that is true. Even here at Microsoft, some of our IT applications require administrative privileges to run (Try submitting your annual review without being an admin). The cool thing though is that when you bring it up to the IT staff they are very receptive to it and willing to try to resolve the issue.
My biggest issue with the non-admin thing is that you need to have a fairly high degree of technical sophistication in order to accomplish this. While the security enhancements for Windows XP SP2 are great for notifying the user about certain unsafe actions, a lot of the actions require you to be an administrator (installing ActiveX controls for example).
In my example of our annual review tool problem, I had to run Internet Explorer as an administrator then provide my network credentials to access the tool. That worked fine for me, but good thing my grandma wasn't trying to do the same thing!
The problem, as I see it, is with conflicting agendas. We want people to be admins to perform admin tasks (install programs, update the registry etc.) but we don't want to require our users to be administrators to read their email. ClickOnce deployment should help somewhat in this area, but you still have the issue of deploying CAS policies. I would love to see Longhorn nail this issue down so that it is easier for users to not run as admin.
The following is a post from my blog. While it is not targeted at strictly developers the lesson is universal:
Last fall I got an email from the IT department at my school informing me that I was sharing files in an XDCC chatroom. I mailed them back and told them I wasn't and that I don't use XDCC. They sent me back a message with the server that I was connected to as well as the ports and other relevant information. I immediately went to work to diagnose the problem. A virus scan turned up nothing, as did Ad-Aware. I proceeded to download a copy of TCPView from Sysinternals. Sure enough there was a copy of netsvc running on the port that they emailed me. As I dug into the issue I discovered a file called cfgmgmt.dll that had been added into system32. This did indeed turn out to be the culprit.
I wasted a day tracking down this issue. It wasted a huge amount of my time that I did not have to waste. The trojan had come with something that I had downloaded that was less than legit. Even so I wanted to make sure that it never happened again. Sometime before I had bookmarked an article to read later about developing applications as a non-administrator. After this incident I sat down and read it, and implemented everything that it said.
Why did I do that? The answer is simple: if my user had not been in the administrator group nothing would have happened. As a regular user you don't have permission to add files to system32 and settings to the registry. I would have saved a lot of time that I spent trying to hunt it down. Many viruses that exist require the user to be an administrator to be effective. If the user is not an administrator then there are insufficient privileges for the virus to do what it wants. Obviously this does not protect against viruses that exploit a security flaw to gain elevated privileges, so a virus scanner is still needed.
Is all this security a pain? I have not found it to be. You can easily run an application or an installer as an administrator through the runas option in the Windows shell. There are plenty of guides out there on how to use your computer effectively as a non-administrator. So I implore you, DON'T RUN AS AN ADMINISTRATOR.
And if you do? I never want to hear you cry about any company's security flaws, you are just as culpable as they are.
I run as admin at work. I tried doing web development with ASP.NET as a power user, and frankly, it sucked. I had to "runas" far too many times.
That, and my Palm software / USB sync pretty much refused to work unless as Admin. It's "old" enough that it doesn't get along well with XP Pro.
Actually when I did some COM+ development I ran as admin just so VS could automatically unregister and reregister the component. But that's the only time.
No, I log in as Administrator... seriously though, at home I have my son's login as an admin with highly modified privileges due to gaming issues. For myself at home, I use a Mac, and no. At work, I log in as a member of the Administrators group, so technically
I had been to a couple of events where Developmentor guys would work as regular (power) users and do admin thingies via Run As ... on a command shell or some other application. I thought, wow, I have to upgrade to XP and be able to do that!
So I did. But I can't figure out why I don't get Run As ... options. I end up having to set the Run With Different Credentials on the Properties for programs, and then that makes me do too much work. First to set it up, secondly to go through the dialog that comes up every time I want to run that particular program. (Sometimes I don't want to run as Administrator). I will still go through all of that, because it is easier than switching to my admin account.
I like that kind of advice, I like keeping as much as possible locked-down and opening up only where necessary. I would like the system better if it made such safe habits easier and more natural.
HOW TO: Enable and Use the "Run As" Command When Running Programs in Windows
Doing development work as an Administrator is an excellent way to facilitate making mistakes in your programming that will prevent your application from working properly as a Standard User.
HOW TO DEVELOP AS A STANDARD USER:
- If you need write access to certain areas of the registry, grant yourself access to those areas using the 'Permissions' dialog in Regedit (you'll need to run Regedit as an administrator, of course, but that's easy)
- The same logic applies to the filesystem, but you really should try to avoid making changes to filesystem permissions.
- Keep track of the latest Windows Updates by using the Automatic Updates feature.
- VS.NET facilitates non-administrator developing and debugging; there are user groups created on your machine when you install Visual Studio that you can add yourself to: "Debugger Users" and "VS Developers". You only need the latter if you are working on
- If you need write access to Windows system directories for your application to work, YOU ARE DOING SOMETHING WRONG. Windows Installer should be the only avenue by which you add, update or remove system components.
- Your entire application should be written with security considerations in mind; never assume that you have write access to any given location, and always provide useful error messages in the event that the user doesn't have access. Developing in a standard user context will force you to be aware of these issues.
- If your application needs to do things that a standard user doesn't have the capability of doing, then ensure that your application supports elevating privilege (by way of a "user/password dialog") for those actions.
I'm sure others can add more to this list, but if you are a developer working with an admin account, try this out -- you may be surprised at how much will still work.
I don't run as admin, except I call it "root".
I run as an Admin at home.
Why? Because all my games need it.
The problem is that a lot of applications (or games) tend to put the configuration files in the same map as the executable in the program files folder.
When you run as a normal user, changing something in the program files folder is not allowed -> that's probably the main cause of all problems.
The recent games from EA: Simcity 4 and Command & Conquer: Generals are now using the My documents folder to store user only stuff in it, but those folders are getting too big in my opinion (186 MB) and you still need to login as an administrator.
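Two posts above (the standard-user development list and the note about games keeping configuration next to the executable) come down to where an application writes its settings and what it does when the write is refused. The following is an added example, not code from any poster: it stores settings under the user profile and converts a failed write into a message the user can act on. `ExampleApp`, `settings.ini` and the function names are hypothetical.

```python
import os
import sys
import tempfile
from pathlib import Path

APP_NAME = "ExampleApp"  # hypothetical application name


class SettingsWriteError(Exception):
    """Carries a message the user can act on."""


def per_user_settings_dir(env=os.environ, platform=sys.platform):
    """Pick a per-user location; never the install folder under Program Files."""
    if platform.startswith("win"):
        base = env.get("APPDATA")  # writable by a standard user
        if not base:
            raise SettingsWriteError("APPDATA is not set; cannot find the user profile.")
    else:
        home = env.get("HOME") or os.path.expanduser("~")
        base = env.get("XDG_CONFIG_HOME") or os.path.join(home, ".config")
    return Path(base) / APP_NAME


def save_settings(text, directory):
    """Write settings.ini atomically; turn OS errors into a readable message."""
    directory = Path(directory)
    tmp = None
    try:
        directory.mkdir(parents=True, exist_ok=True)
        fd, tmp = tempfile.mkstemp(dir=directory, suffix=".tmp")
        with os.fdopen(fd, "w", encoding="utf-8") as handle:
            handle.write(text)
        target = directory / "settings.ini"
        os.replace(tmp, target)  # readers never see a half-written file
        return target
    except OSError as exc:
        if tmp and os.path.exists(tmp):
            os.remove(tmp)  # do not leave a stray temp file behind
        raise SettingsWriteError(
            f"Cannot save settings in {directory}: {exc.strerror}. "
            "Check that the current user may write there; no administrator "
            "rights should be needed for per-user settings."
        ) from exc


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed sample location
        print(save_settings("volume=7\n", Path(root) / APP_NAME))
```
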