"Least Privilege" Please!

  • Thread starter Thread starter Chuck Flink
  • Start date Start date
C

Chuck Flink

I note a LOT of answers of this sort:

"At present, Microsoft AntiSpyware Beta 1 will only
operate correctly in accounts with Administrator rights.
This is a known restriction and will probably change in
future, but do not hold your breath."

For DECADES now, UNIX users have know that it is a very
foolish practice to login as "root" (superuser,
admniistrator, etc.) for ANYTHING other than strict
administrative functions. There is no greater
security "sin" in the UNIX, Linux and mainframe worlds
than to fail to strictly restrict and respect
administrator rights.

With Windows NT 3.1 (13 years ago!) Microsoft entered the
modern era by FINALLY separating administrator rights from
ordinary user rights....

Yet we still have this "only works for accounts with
administrator rights" crap!

If you STILL have not set up a separate "limited" account
for your day-to-day ordinary computing... if you STILL do
everything as a member of the administrators group...

Understand you are handing over your system to every fool
who ever had write permission on any executable you
blithly execute.... and realize that administrators have
write permission (at least indirectly) on virtually
everything.... not just their own files!

Learn what "least privilege" means and operate that way!

No programmer worth his salt should read mail, browse the
web, and edit documents while logged in with
administrative rights.

Now programmer worth his salt should develop software
executable by non-admin users AND TEST IT ONLY AS AN
ADMINISTRATOR!

If MS Spyware only runs correctly as an administrator, it
should NOT run in be running in the tray of an ordinary
user. ...it should be running as a service to provide
the real-time protection, not as a task running in the
tray of an unpriviledge user!
 
Chuck Flink said:
Yet we still have this "only works for accounts with
administrator rights" crap!
Click to expand...

We know this. Microsoft know this.

But the product was not coded by Microsoft. Microsoft bought in a
pre-existing product, and turned it round as a beta release in only a few
weeks. The precursor product flouted many of the developer guidelines for
Windows, including some of the issues that make it impossible for the time
being to run MSAS as a limited user.

My guess is that you will see all these issues addressed in a second beta
release.
 
I've been complaining about this issue ever since they
first release MSAS beta 1. Eventually this will be fix by
the next refresh version or beta 2.
 
Thanks for your reply. It does clarify the situation. I
understand you feel the frustration too.

My angst was not aimed just at Microsoft, but at the
broader user and developer communities who continue to
ignore this most fundamental of security rules.

I'm glad you guys in Microsoft are sensitive about this.
That is a sign of real progress. But PLEASE educate your
customers and LEAN on your development partners to get
serious about this.

I'll download the beta of Vista and see if it comes up by
default with the user configured as a "limited user" (bad
choice of words... should be "protected user"). If as in
XP, the users all default to administrators, you will have
let me down again.

Much of the serious harm viruses, worms and Trojans have
done to your reputation (and customers!) could have been
avoided (or certainly limited in scope) if proper
discipline had been maintained re user/admin separation.

In fact, administrators should be prevented from executing
any program that is not required for admin functions.

How many parents have had their computers trashed by their
kids downloading some game and installing it, AND PLAYING
IT! ...giving full control of the computer to some
teenage hacker in Russia, China or Timbuktu????

In the "limited user" environment, only that user would be
screwed.... not the system, not the other users.

It is so obvious I hate wasting bits on this rant.

Sorry. ...for all of us.
-----Original Message-----
Chuck Flink said:
Yet we still have this "only works for accounts with
administrator rights" crap!
Click to expand...

We know this. Microsoft know this.

But the product was not coded by Microsoft. Microsoft bought in a
pre-existing product, and turned it round as a beta release in only a few
weeks. The precursor product flouted many of the developer guidelines for
Windows, including some of the issues that make it impossible for the time
being to run MSAS as a limited user.

My guess is that you will see all these issues addressed in a second beta
release.

--
Robin Walker [MVP Networking]
(e-mail address removed)


.
Click to expand...
 
Vista will have a number of improvements on exactly the lines you are
thinking of. They mean to do this better than Unix.

--

Chuck Flink said:
Thanks for your reply. It does clarify the situation. I
understand you feel the frustration too.

My angst was not aimed just at Microsoft, but at the
broader user and developer communities who continue to
ignore this most fundamental of security rules.

I'm glad you guys in Microsoft are sensitive about this.
That is a sign of real progress. But PLEASE educate your
customers and LEAN on your development partners to get
serious about this.

I'll download the beta of Vista and see if it comes up by
default with the user configured as a "limited user" (bad
choice of words... should be "protected user"). If as in
XP, the users all default to administrators, you will have
let me down again.

Much of the serious harm viruses, worms and Trojans have
done to your reputation (and customers!) could have been
avoided (or certainly limited in scope) if proper
discipline had been maintained re user/admin separation.

In fact, administrators should be prevented from executing
any program that is not required for admin functions.

How many parents have had their computers trashed by their
kids downloading some game and installing it, AND PLAYING
IT! ...giving full control of the computer to some
teenage hacker in Russia, China or Timbuktu????

In the "limited user" environment, only that user would be
screwed.... not the system, not the other users.

It is so obvious I hate wasting bits on this rant.

Sorry. ...for all of us.
-----Original Message-----
Chuck Flink said:
Yet we still have this "only works for accounts with
administrator rights" crap!
Click to expand...

We know this. Microsoft know this.

But the product was not coded by Microsoft. Microsoft bought in a
pre-existing product, and turned it round as a beta release in only a few
weeks. The precursor product flouted many of the developer guidelines for
Windows, including some of the issues that make it impossible for the time
being to run MSAS as a limited user.

My guess is that you will see all these issues addressed in a second beta
release.

--
Robin Walker [MVP Networking]
(e-mail address removed)


.
Click to expand...
Click to expand...
 
Thanks as home softs are often running only under admin rights. Hope there
will be a good "compatibility mode" in order to run old progs. It's hard to
maintain a computer under 3.11 only for an old game which have no equiv in
modern programming.

Bill Sanderson said:
Vista will have a number of improvements on exactly the lines you are
thinking of. They mean to do this better than Unix.

--

Chuck Flink said:
Thanks for your reply. It does clarify the situation. I
understand you feel the frustration too.

My angst was not aimed just at Microsoft, but at the
broader user and developer communities who continue to
ignore this most fundamental of security rules.

I'm glad you guys in Microsoft are sensitive about this.
That is a sign of real progress. But PLEASE educate your
customers and LEAN on your development partners to get
serious about this.

I'll download the beta of Vista and see if it comes up by
default with the user configured as a "limited user" (bad
choice of words... should be "protected user"). If as in
XP, the users all default to administrators, you will have
let me down again.

Much of the serious harm viruses, worms and Trojans have
done to your reputation (and customers!) could have been
avoided (or certainly limited in scope) if proper
discipline had been maintained re user/admin separation.

In fact, administrators should be prevented from executing
any program that is not required for admin functions.

How many parents have had their computers trashed by their
kids downloading some game and installing it, AND PLAYING
IT! ...giving full control of the computer to some
teenage hacker in Russia, China or Timbuktu????

In the "limited user" environment, only that user would be
screwed.... not the system, not the other users.

It is so obvious I hate wasting bits on this rant.

Sorry. ...for all of us.
-----Original Message-----

Yet we still have this "only works for accounts with
administrator rights" crap!

We know this. Microsoft know this.

But the product was not coded by Microsoft. Microsoft bought in a
pre-existing product, and turned it round as a beta release in only a few
weeks. The precursor product flouted many of the developer guidelines for
Windows, including some of the issues that make it impossible for the time
being to run MSAS as a limited user.

My guess is that you will see all these issues addressed in a second beta
release.

--
Robin Walker [MVP Networking]
(e-mail address removed)


.
Click to expand...
Click to expand...
Click to expand...
 
That's what Virtual PC is for! I'm not sure I've seen folks using it for
3.11, but I think it would work. Not sure about game play, but I would
think that a modern PC and video combo would have way more than enough
processor cycles to maintain the speed necessary for any 3.11 game to
function, even in full emulation.

--

Jacques said:
Thanks as home softs are often running only under admin rights. Hope there
will be a good "compatibility mode" in order to run old progs. It's hard
to maintain a computer under 3.11 only for an old game which have no equiv
in modern programming.

"Bill Sanderson" <[email protected]> a écrit dans le
message de (e-mail address removed)...
Vista will have a number of improvements on exactly the lines you are
thinking of. They mean to do this better than Unix.

--

Chuck Flink said:
Thanks for your reply. It does clarify the situation. I
understand you feel the frustration too.

My angst was not aimed just at Microsoft, but at the
broader user and developer communities who continue to
ignore this most fundamental of security rules.

I'm glad you guys in Microsoft are sensitive about this.
That is a sign of real progress. But PLEASE educate your
customers and LEAN on your development partners to get
serious about this.

I'll download the beta of Vista and see if it comes up by
default with the user configured as a "limited user" (bad
choice of words... should be "protected user"). If as in
XP, the users all default to administrators, you will have
let me down again.

Much of the serious harm viruses, worms and Trojans have
done to your reputation (and customers!) could have been
avoided (or certainly limited in scope) if proper
discipline had been maintained re user/admin separation.

In fact, administrators should be prevented from executing
any program that is not required for admin functions.

How many parents have had their computers trashed by their
kids downloading some game and installing it, AND PLAYING
IT! ...giving full control of the computer to some
teenage hacker in Russia, China or Timbuktu????

In the "limited user" environment, only that user would be
screwed.... not the system, not the other users.

It is so obvious I hate wasting bits on this rant.

Sorry. ...for all of us.

-----Original Message-----

Yet we still have this "only works for accounts with
administrator rights" crap!

We know this. Microsoft know this.

But the product was not coded by Microsoft. Microsoft
bought in a
pre-existing product, and turned it round as a beta
release in only a few
weeks. The precursor product flouted many of the
developer guidelines for
Windows, including some of the issues that make it
impossible for the time
being to run MSAS as a limited user.

My guess is that you will see all these issues addressed
in a second beta
release.

--
Robin Walker [MVP Networking]
(e-mail address removed)


.
Click to expand...
Click to expand...
Click to expand...
 
Chuck,
I completely agree with you.
Anyway, poking around with Filemon and Regmon I was able to
find out that I had to give write access (to my non admin
user) to the Antispyware install dir (in my system
c:\program files\Microsoft AntiSpyware) and to the
HKLM\Software\GIANTCompany registry tree.
Antispyware now seems to work ok.
BYE
Stefano

-----Original Message-----
That's what Virtual PC is for! I'm not sure I've seen folks using it for
3.11, but I think it would work. Not sure about game play, but I would
think that a modern PC and video combo would have way more than enough
processor cycles to maintain the speed necessary for any 3.11 game to
function, even in full emulation.

--

Thanks as home softs are often running only under admin rights. Hope there
will be a good "compatibility mode" in order to run old progs. It's hard
to maintain a computer under 3.11 only for an old game which have no equiv
in modern programming.

"Bill Sanderson" <[email protected]> a écrit dans le
message de
(e-mail address removed)...
Vista will have a number of improvements on exactly the lines you are
thinking of. They mean to do this better than Unix.

--

Thanks for your reply. It does clarify the situation. I
understand you feel the frustration too.

My angst was not aimed just at Microsoft, but at the
broader user and developer communities who continue to
ignore this most fundamental of security rules.

I'm glad you guys in Microsoft are sensitive about this.
That is a sign of real progress. But PLEASE educate your
customers and LEAN on your development partners to get
serious about this.

I'll download the beta of Vista and see if it comes up by
default with the user configured as a "limited user" (bad
choice of words... should be "protected user"). If as in
XP, the users all default to administrators, you will have
let me down again.

Much of the serious harm viruses, worms and Trojans have
done to your reputation (and customers!) could have been
avoided (or certainly limited in scope) if proper
discipline had been maintained re user/admin separation.

In fact, administrators should be prevented from executing
any program that is not required for admin functions.

How many parents have had their computers trashed by their
kids downloading some game and installing it, AND PLAYING
IT! ...giving full control of the computer to some
teenage hacker in Russia, China or Timbuktu????

In the "limited user" environment, only that user would be
screwed.... not the system, not the other users.

It is so obvious I hate wasting bits on this rant.

Sorry. ...for all of us.

-----Original Message-----

Yet we still have this "only works for accounts with
administrator rights" crap!

We know this. Microsoft know this.

But the product was not coded by Microsoft. Microsoft
bought in a
pre-existing product, and turned it round as a beta
release in only a few
weeks. The precursor product flouted many of the
developer guidelines for
Windows, including some of the issues that make it
impossible for the time
being to run MSAS as a limited user.

My guess is that you will see all these issues addressed
in a second beta
release.

--
Robin Walker [MVP Networking]
(e-mail address removed)


.
Click to expand...
Click to expand...


.
Click to expand...
 
Nice work--there's a tool to make that easier somewhere....

--

Chuck,
I completely agree with you.
Anyway, poking around with Filemon and Regmon I was able to
find out that I had to give write access (to my non admin
user) to the Antispyware install dir (in my system
c:\program files\Microsoft AntiSpyware) and to the
HKLM\Software\GIANTCompany registry tree.
Antispyware now seems to work ok.
BYE
Stefano

-----Original Message-----
That's what Virtual PC is for! I'm not sure I've seen folks using it for
3.11, but I think it would work. Not sure about game play, but I would
think that a modern PC and video combo would have way more than enough
processor cycles to maintain the speed necessary for any 3.11 game to
function, even in full emulation.

--

Thanks as home softs are often running only under admin rights. Hope there
will be a good "compatibility mode" in order to run old progs. It's hard
to maintain a computer under 3.11 only for an old game which have no equiv
in modern programming.

"Bill Sanderson" <[email protected]> a écrit dans le
message de (e-mail address removed)...
Vista will have a number of improvements on exactly the lines you are
thinking of. They mean to do this better than Unix.

--

Thanks for your reply. It does clarify the situation. I
understand you feel the frustration too.

My angst was not aimed just at Microsoft, but at the
broader user and developer communities who continue to
ignore this most fundamental of security rules.

I'm glad you guys in Microsoft are sensitive about this.
That is a sign of real progress. But PLEASE educate your
customers and LEAN on your development partners to get
serious about this.

I'll download the beta of Vista and see if it comes up by
default with the user configured as a "limited user" (bad
choice of words... should be "protected user"). If as in
XP, the users all default to administrators, you will have
let me down again.

Much of the serious harm viruses, worms and Trojans have
done to your reputation (and customers!) could have been
avoided (or certainly limited in scope) if proper
discipline had been maintained re user/admin separation.

In fact, administrators should be prevented from executing
any program that is not required for admin functions.

How many parents have had their computers trashed by their
kids downloading some game and installing it, AND PLAYING
IT! ...giving full control of the computer to some
teenage hacker in Russia, China or Timbuktu????

In the "limited user" environment, only that user would be
screwed.... not the system, not the other users.

It is so obvious I hate wasting bits on this rant.

Sorry. ...for all of us.

-----Original Message-----

Yet we still have this "only works for accounts with
administrator rights" crap!

We know this. Microsoft know this.

But the product was not coded by Microsoft. Microsoft
bought in a
pre-existing product, and turned it round as a beta
release in only a few
weeks. The precursor product flouted many of the
developer guidelines for
Windows, including some of the issues that make it
impossible for the time
being to run MSAS as a limited user.

My guess is that you will see all these issues addressed
in a second beta
release.

--
Robin Walker [MVP Networking]
(e-mail address removed)


.
Click to expand...
Click to expand...


.
Click to expand...
 
Back
Top