Sometimes, I wonder and worry about the vast majority of Windows users who run with administrative privileges. Most of them probably do this blindly because it is the default auto-login account for Windows XP and they do not know any better. This says a lot about the power of having secure defaults...

However, such unnecessary privilege comes at a great price: spyware, malware, viruses, trojans, and worms freely misuse those privileges to infect and proliferate. And in knee-jerk response, a whole security industry dedicated to corralling these miscreants springs up, and some of it even enters the Microsoft product line and Windows Update.

But, no one seems to be tackling the fundamental security problems:

  • Users running with more privileges than necessary
  • Social Engineering and poor computing habits

As I discussed earlier, the effective security of a computer system is simply the weakest link amongst Software, Configuration, and Policy. Simply focusing on using Software to compensate for a lack of secure computing practices (Policy) does not improve security. I mean, we can come up with perfectly written Software with no bugs or security vulnerabilities and Configure the system securely yet functionally, but if the user runs as administrator because "things work better" or blindly follows instructions to get themselves rooted, all the effort is for nothing. This is why I think that such actions do wonders for PR and user perception (and sometimes, changing perceptions is "the goal"), but it really does not raise the bar.

I do not know about you, but I like making real progress, not perceived progress. So, I am going to show one approach that I use to compute safely on Windows without running as administrator - both at home and at work.

I mean, I really hate personal security software from McAfee, Symantec, etc. because they assume how you want to work (so many people fail to install IIS on Windows XP because these software packages "break" IIS in subtle ways that prevent installation/functionality), and they do not do much more than common sense... so I consider them unnecessary bloatware that gets in my way. Yes, I do not run security software on any of my machines; no virus scan, no email scanner, nada. I just run as a normal User with Windows Firewall sealing off all ports, plus common sense against social engineering. :-)

Securing the Computing Environment

No, I am not going to wait for Windows Vista, LUA, and various other security advancements to help run as non-administrator and secure my computing environment... not when I can do it all right now from Windows 2000 on up.

What I do is basically:

  1. Run as the normal User, with no privilege changes from the default
  2. Run a special "root" console window (that is a different color) as a user with administrative privilege
  3. Leave the Firewall on and do my job as the normal User, and on the special occasions where I need elevated privileges, I launch commands out of the special "root" console window

That is it. It is functionally similar to how LUA will work in Windows Vista, except that Vista uses GUI dialog boxes instead of console commands. And this is how I create the desktop shortcut to launch my special "root" console window (I actually just copy the same shortcut to %ALLUSERSPROFILE%\Desktop on all my machines):

  1. Right Click on the desktop and create a shortcut
  2. Paste in the following as target for the shortcut (in my case, I rename the Administrator to "root"):
    %windir%\system32\runas.exe /u:%COMPUTERNAME%\root "cmd /T:3E /k @title root && start /min %windir%\system32\taskmgr.exe"
  3. Choose your shortcut title - I use "root"
  4. Change the icon to something obvious. I use the icon in SHELL32.dll that contains a key with two people.
  5. I change the screen buffer size to 50 Width and 2 Height - so that the shortcut just shows a small window containing:
    Enter the password for %COMPUTERNAME%\root:
  6. I also change the shortcut's text and background color to Yellow on Cyan so that it matches the color scheme of the root console window - just so that the window is very obviously different from the white on black of normal console windows.
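The same shortcut can be created from script instead of by hand. This is an added example and not part of the original post; it assumes the Administrator account is renamed "root" as above, the Windows 2000/XP all-users desktop path, and that you run it from an administrative console (writing to the all-users desktop needs admin rights).

```powershell
# Added example, not from the original post: build the "root" console shortcut
# with the WScript.Shell COM object.
# Assumptions: Administrator is renamed "root" (as in the post) and the all-users
# desktop lives under %ALLUSERSPROFILE%\Desktop (Windows 2000/XP layout).

$desktop = Join-Path $env:ALLUSERSPROFILE 'Desktop'
$lnkPath = Join-Path $desktop 'root.lnk'

# Environment variables in the arguments are left unexpanded on purpose so the
# same .lnk can be copied to other machines; Explorer expands them at launch.
# /T:3E = cyan background, yellow text; /k keeps cmd open after the title is
# set and a minimized Task Manager is started.
$arguments = '/u:%COMPUTERNAME%\root "cmd /T:3E /k @title root && start /min %windir%\system32\taskmgr.exe"'

# Placeholder: look up the index of the key-with-two-people icon in the
# Change Icon dialog and put it here; the index differs between Windows versions.
$iconIndex = 0

$shell = New-Object -ComObject WScript.Shell
$lnk = $shell.CreateShortcut($lnkPath)
$lnk.TargetPath = Join-Path $env:windir 'system32\runas.exe'
$lnk.Arguments = $arguments
$lnk.WorkingDirectory = $env:windir
$lnk.IconLocation = "$env:windir\system32\shell32.dll,$iconIndex"
$lnk.Description = 'Administrative console via runas (root)'
$lnk.Save()

"Created $lnkPath"
```

WScript.Shell does not expose the console buffer size or the shortcut's own text/background colors (steps 5 and 6), so set those afterwards in the shortcut's Properties dialog.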

Now, what are some of the "inconveniences" that I incur by doing this? Well:

  • I lose the ability to install/uninstall programs as myself. But, I just run "appwiz.cpl" or the program's setup EXE from the root console window and things usually work. If they do not, I consider it a product bug.
  • I lose the ability to run Windows Update for patches. This is something that I cannot do from the root console window, so I have to login as an administrator and let Windows Update client run every six months or so. Yes, I do this infrequently because I run my computers securely, and I only login once every six months or so, so this is no bother.
  • I cannot kill any process that I want. But, that is what the TASKMGR.EXE run as root (from my shortcut), or TASKKILL.EXE in the root console window is for.
  • I cannot Remote Desktop into that machine by default. On Windows XP and later, I just add my User to the "Remote Desktop Users" group. On Windows 2000, I have to use the root console window to launch MMC with the "Terminal Services Configuration" snap-in, select Properties on the RDP-TCP connection, and add my user on the "Permissions" tab of that connection (Windows XP and later pre-create the "Remote Desktop Users" group and populate it into this Permissions list).
  • I cannot configure networking or Windows Firewall. But, NETSH.EXE on Windows XP/Windows Server 2003 works wonders inside a root console window.
  • I lose the ability to change the system date/time. But, I just use the DATE or TIME commands in the root console window as necessary.
  • I can no longer start/stop services. Well, that is what NET START, NET STOP, and SC QUERY commands in the root console window are for...
  • I cannot change file ACLs to grant myself privileges. But CACLS does that nicely from the root console window.

Overall, I find that the "inconveniences" happen very rarely in my day-to-day activities. You rarely install programs, patch, reconfigure networking, stop/start services, or change the system date/time and file ACLs on a daily basis... so it makes sense not to run with administrative privileges.

Now, I know that there are cases where you may want to run a program that only works when run as administrator... such as games or other older software... but I tend to leave them alone. The way I think about it, until the users revolt with their pocketbooks, application providers have ZERO incentive to fix/improve their code. So, I do not buy such software, and if I do, I bug the heck out of their support staff and complain that their product is insecure because it requires me to run with administrative privileges. Hey, some have listened and changed. :-)

Well, I know that this does not solve all your problems on Windows, but hopefully it can help you solve a good chunk of your security concerns. I am interested in hearing some of your stories regarding this topic...

//David