I have a question for the Longhorn crew that relates to user accounts. I am fully in support of the aspect that we should take a stance of least privilege, and run as a normal user whenever we can. Actually, I have been preaching this for a long time (especially for developers), and welcomed the approach taken in XP, hold that to some personal gripes on failures in the way runas works. (Which I have blogged about enough at http://silverstr.ufies.org/blog/)
In Longhorn I would have thought things would be different. Yet over the weekend during a fresh install of Longhorn I came across something that surprised me. Why is it after a fresh install, while logged on as "Administrator", do we feel compelled to make the first user in the system a member of the Administrator group as well? You have no choice... you MUST make the first normal user an admin. In a client-based desktop, do we REALLY need to have a second "Administrator" account? If we apply the Pareto Principle (80/20 rule) here, in environments where there may only be one main user, they will be FORCED to be an Admin, and chances are they will run with those privileges unaltered. In other words, they will be forced to higher privileges than they need right off the first install, and chances are they will not make a second account to log in as. Why? Because they haven't been trained otherwise. They won't know any better. And that exposes the computing environment to more risk than is needed.
Might I suggest we rethink this? Why not use secure defaults and make ANY user being added be set to a limited user by default? When we use runas it defaults to "Administrator" anyways, so we have the right exposure to elevate privileges when we need to. I can't quite understand what the reasoning is to have another account.
In unix environments we don't have "root" and then "userroot" and then "user". Why do we feel compelled to do this on Windows?
Nobody at home ... or ... nobody really cares
While I am not sure of the details of what you are experiencing and if those are a temporary situation brought on by the fact that we are years away from shipping this product, I do know that the plan is to change the model from every user running as Admin to a limited user rights access model for everyone who doesn't need to actually be an admin. This would enable you to install hardware and software and tweak some system settings but would not leave your admin account vulnerable to hijacking. The feedback we have received from customers on this plan has been good.
That said, I am not sure that what you are experiencing represents the planned implementation. It is an Alpha after all so it is not feature or code complete. I will see if I can drag a real Longhorner over here to give more insight.
The real problem is that most users fail to use a password on their Admin account in Windows XP, which gives a hacker a huge open backdoor into your computer. It's OK that the "first" user also has Admin privileges (it's my machine); you will need them when installing updates, new programs and when networking. We just need to be aware of how to configure our PCs for optimal security; installing SP2 will add a good firewall and help keep the adware/spyware out.
In my job, we actually do build XP to that extremely high security level. As I may have mentioned before, we have a Pre-Installation Environment and it creates the prep files. And in that file it sets the Administrator password. And what do we set it to? We don't know! It's a randomly generated 128-character list! (Actually it might be 256 characters; anyway, it's very long and impossible to remember!)
In an enterprise-style deployment, the idea of the local Administrator password is an issue. It raises more questions than answers. Who sets the local Administrator password, who "owns" that account (for auditability's sake) and what are the security ramifications of that password?
The way we have done it eliminates this to some extent (and we have other policies which push towards a Least Privileged Environment). The only way that an account should be an administrator of a workstation is to be part of the Administrators or Power Users group assigned via group policy or some other enterprise-controllable and ultimately auditable functionality. I believe that with Longhorn they should move to, as is suggested, local user accounts being extremely limited if, for instance, a machine joins a domain/Active Directory.
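The post above argues that the only acceptable route to local admin rights on a workstation is group-policy (domain) assigned membership, and that the local Administrator account itself is an ownership and auditability problem. The following script is an added example, not code from the thread or from any of its posters, showing how an administrator could audit a workstation against that policy: it lists who holds Administrators membership, flags local (non-domain) user accounts in the group, and reports whether the built-in Administrator account is enabled. It assumes Windows 10 / PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (which did not exist in the Longhorn era) and an elevated prompt.

```powershell
# Added example (not from the thread): audit local Administrators membership
# on a workstation against a "domain-assigned membership only" policy.
# Assumes Windows 10 / PowerShell 5.1+ with Microsoft.PowerShell.LocalAccounts,
# run from an elevated prompt.

$group   = 'Administrators'
$members = Get-LocalGroupMember -Group $group

$findings = foreach ($m in $members) {
    [pscustomobject]@{
        Name            = $m.Name
        ObjectClass     = $m.ObjectClass
        PrincipalSource = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
        # Only domain-assigned membership is expected under the policy described
        # in the post; a local user account holding admin rights is worth reviewing.
        Unexpected      = ($m.PrincipalSource -eq 'Local' -and $m.ObjectClass -eq 'User')
    }
}

$findings | Format-Table -AutoSize

# Identify the built-in Administrator by its well-known RID (SID suffix -500),
# not by name, because the account may have been renamed.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if ($builtin.Enabled) {
    Write-Warning "Built-in Administrator '$($builtin.Name)' is enabled."
} else {
    Write-Output "Built-in Administrator '$($builtin.Name)' is disabled."
}

$localAdmins = $findings | Where-Object Unexpected
if ($localAdmins) {
    Write-Warning ("{0} local user account(s) hold '{1}' membership: {2}" -f `
        $localAdmins.Count, $group, ($localAdmins.Name -join ', '))
} else {
    Write-Output "No local user accounts hold '$group' membership."
}
```

On a domain-joined machine that follows the policy from the post, the only rows without a warning should be domain groups (PrincipalSource ActiveDirectory) and the built-in Administrator, which should report as disabled; anything flagged Unexpected is a local account that was granted admin rights outside the auditable group-policy path.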
The problem is that you don't understand the versatility of Windows XP Pro (Longhorn too). One machine can stand alone, in a peer2peer network or in a domain with thousands of PCs.