Using Vista (or plan to use it)? Then try your hardest to run it as a non-administrative user first

Summary: In response to yesterday's blog about whether or not Vista's tightened security could mean additional friction in the Web experience that Vista users will encounter, my fellow blogger George Ou first responded that the average user doesn't default to a non-administrative user or "limited user account" (LUA) but also took the opportunity to say: And if you're trying to install all this stuff as a non-admin, you're just asking for trouble.

TOPICS: Windows

In response to yesterday's blog about whether or not Vista's tightened security could mean additional friction in the Web experience that Vista users will encounter, my fellow blogger George Ou first responded that the average user doesn't default to a non-administrative user or "limited user account" (LUA) but also took the opportunity to say:

And if you're trying to install all this stuff as a non-admin, you're just asking for trouble. Sticking a bunch of crapware such as Yahoo IE bars and Lenovo junk is a good way to slow your machine to a crawl. Why go out of your way to make your PC run like junk?

George's comment covers a significant amount of ground that's worth breaking into smaller chunks and addressing. In this blog entry, I want to address George's comment about how the average user doesn't default to a non-administrative user. In another, I'll deal with the "junk" bit, particularly as it relates to Lenovo.

With Vista barely out of the gate, it's hard to say how true George's statement will be of Vista users. It was and still is very true of Windows XP users. If Vista usage turns out to be anything like XP usage, George will be right, but with one caveat: In Vista, when you establish the first user -- always an administrative user to start -- that user by default is, for all intents and purposes, already a lesser privileged user (LPU) running under an LUA. In other words, in Vista, there's basically an administrative LPU and a standard LPU. According to a Microsoft spokesperson:

When you sign into any machine as an administrator on Windows Vista, you receive two authentication tokens; one for a standard user and one for an administrative user. You run [Windows Vista] using the standard user token until you do something that requires administrative rights. At that point you are asked to elevate to the administrative token. So while running as a standard user is the better way to go, running as an administrative user no longer carries some of the risks it used to because of [Windows Vista's User Account Control (UAC)] and this "split token" arrangement.

Furthermore, based on what I've seen so far, Microsoft's Vista team has gone out of its way to make sure that running under an LUA (administrative or standard) isn't the "asking for trouble" that George makes it out to be. Quite frankly, while there's no perfect solution, I think they've done a very good job.
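The split-token arrangement the spokesperson describes can be seen from inside a session. The PowerShell below is an added example, not code from the original post or from Microsoft: it asks the current token whether it is in the Administrators role (which is false on the filtered half of an administrator's token) and then looks at the raw group list, where the Administrators SID is still present but marked "used for deny only". It assumes a Vista-or-later machine with UAC enabled and the built-in whoami.exe; the function name and the output strings are mine.

```powershell
# Added example, not part of the original post.
# Classifies the token the current PowerShell session is running on. Assumes UAC is
# enabled and whoami.exe is present (it ships with Windows from Vista onward).
function Get-TokenKind {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # On the filtered ("standard user") half of an administrator's split token this
    # returns $false: the Administrators SID is on the token but only for deny checks.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups lists every group SID on the token with its attributes, plus the
    # integrity label (S-1-16-8192 = Medium, S-1-16-12288 = High).
    $groups   = whoami /groups /fo csv | ConvertFrom-Csv
    $adminRow = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $label    = ($groups | Where-Object { $_.SID -like 'S-1-16-*' }).'Group Name'

    if ($elevated) {
        "Full administrative token ($label): admin tasks run without a prompt."
    } elseif ($adminRow -and $adminRow.Attributes -match 'deny only') {
        "Administrator account on its filtered token ($label): elevation is a consent click."
    } else {
        "Standard user ($label): elevation requires an administrator's credentials."
    }
}

Get-TokenKind
```

Run it once in a normal console and once in a console started with "Run as administrator" on the same account; the two answers differ only in which half of the token the process was given. The "deny only" attribute is the detail worth remembering: membership checks against Administrators fail on the filtered token, but explicit deny ACEs for that group still apply.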

When running under an LUA, the likelihood that a system can be victimized by what Microsoft often refers to as "drive-by malware" is significantly reduced. There's no silver bullet to securing systems and networks against the many threats that loom. Instead, securing systems and networks involves a layered approach where the whole is greater than the sum of its parts. In other words, whereas each layer of security (for example, running antivirus software) offers some modicum of protection by itself, that protection is greatly enhanced when it's combined with other security layers (eg: running a system under an LUA).

Adequately securing PCs (the practice of which is itself a layer in securing local area networks and the Internet) involves many layers. The more layers, the more complex things get. One challenge to an operating system developer like Microsoft is how to introduce those layers and encourage users to take advantage of them without introducing a commensurate amount of user-experience friction: friction that might otherwise discourage people from using those layers in the first place. As one such layer, running XP as a lesser privileged user (LPU) was a good example of this friction because of how many popular software titles required administrative access to the operating system in order to work. Those applications simply broke. It was friction of the worst kind and a serious disincentive to run XP in a more secure mode.

Additionally, LPUs in XP were restricted from changing settings they should reasonably have had access to like notebook power settings and time zone (some of this is corrected in Vista, but not all). The affected software titles covered a range of use cases from business to gaming to Internet communications. I heeded Microsoft's advice and tried very hard to secure the XP PC in my house that my 16 year old son used for gaming by establishing him as an LPU. The PC became unusable until I gave his user ID administrative rights.

While software developers haven't completely caught up to the LPU way of doing things in Windows, the situation has improved. Not only have developers figured out how to respect the standard-user/administrator boundary, Microsoft has also applied some technical measures to handle situations where third-party software expects administrative access even though the PC is being run in LPU mode. Whereas before, an LPU's attempt to write to administrator-only disk space (or registry keys) stopped certain applications from working, Vista redirects such writes to a safe per-user area (what Microsoft calls file and registry virtualization) in a way that lets the application's subsequent reads of that data succeed. Another measure involves an escalation function that was demonstrated in the screen gallery I published yesterday.
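The redirection just described leaves a trail that is easy to inspect. The following PowerShell is an added example, not code from the original post or from Microsoft: it walks the per-user VirtualStore that Vista uses for redirected file writes (under %LOCALAPPDATA%) and the matching registry store (under HKCU\Software\Classes\VirtualStore\MACHINE), and maps each virtualized copy back to the protected path the application believed it was writing to. It assumes UAC virtualization is enabled, which is the Vista default for 32-bit applications without a manifest; the function and property names are mine.

```powershell
# Added example, not part of the original post.
# Shows where Vista's file and registry virtualization put the writes a legacy
# application thought it made under Program Files or HKLM\SOFTWARE.
# Assumes UAC virtualization is on (the Vista default for 32-bit apps without a manifest).
function Get-VirtualizedWrites {
    $fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    $regStore  = 'HKCU:\Software\Classes\VirtualStore\MACHINE'

    if (Test-Path $fileStore) {
        # The store mirrors the protected tree: ...\VirtualStore\Program Files\App\x.ini
        # stands in for C:\Program Files\App\x.ini. The app's later reads are served from
        # the copy here, which shadows whatever sits in the real location.
        Get-ChildItem -Path $fileStore -Recurse |
            Where-Object { -not $_.PSIsContainer } |   # PowerShell 2.0 has no -File switch
            ForEach-Object {
                $relative = $_.FullName.Substring($fileStore.Length).TrimStart('\')
                $intended = "$env:SystemDrive\$relative"
                New-Object PSObject -Property @{
                    Kind         = 'File'
                    VirtualCopy  = $_.FullName
                    IntendedPath = $intended
                    RealExists   = (Test-Path $intended)
                }
            }
    }

    if (Test-Path $regStore) {
        # HKCU\...\VirtualStore\MACHINE\SOFTWARE\X mirrors HKLM\SOFTWARE\X.
        Get-ChildItem -Path $regStore -Recurse | ForEach-Object {
            $relative = $_.Name -replace '^HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\MACHINE\\', ''
            New-Object PSObject -Property @{
                Kind         = 'Registry'
                VirtualCopy  = $_.Name
                IntendedPath = "HKEY_LOCAL_MACHINE\$relative"
                RealExists   = (Test-Path ('HKLM:\' + $relative))
            }
        }
    }
}

Get-VirtualizedWrites | Format-Table Kind, IntendedPath, RealExists, VirtualCopy -AutoSize
```

A row with RealExists set to True is the interesting case: the application is reading a per-user copy that differs from, and silently overrides, the machine-wide file or key. That is the place to look when a "fixed" configuration under Program Files keeps being ignored for one user, and it is a location worth including in any forensic sweep of a Vista-era machine, since it is per-user and rarely audited.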

Vista includes an escalation function for certain tasks like installing software. If you're running as an LPU and you need to install software -- an ActiveX control to support some Web site's experience for example -- the installation's attempt at gaining administrative access won't bring the user experience to a grinding halt. Instead, in an effort to temporarily grant an LPU the necessary administrative rights in order to complete the software's installation, standard LPUs are prompted for an administrative password (see below).

In contrast, all that's required of the dual-token administrative LPU is a mouse-click (in other words, no password). So in either case (administrative or standard LPU), an attempt to install new software is greeted with an escalation dialog. The only difference in an administrative LPU context is that the user isn't asked for a password.
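The consent-click versus password-prompt difference in the two preceding paragraphs is a policy setting, not a fixed property of the account type. The PowerShell below is an added example, not code from the original post or from Microsoft: it reads the UAC values under the local security policy key and decodes them into the prompt styles described above, and shows the single change that puts administrators on the password-required path as well. The key path and value names are the documented ones; the function names and the description strings are mine.

```powershell
# Added example, not part of the original post.
# Decodes the UAC policy values behind the two prompt styles described in the text and
# shows the one-line change that makes administrators type a password too.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin: what an administrator sees when a task needs elevation.
$adminModes = @{
    0 = 'Elevate without prompting (UAC is effectively off for administrators)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (Vista default)'
    3 = 'Prompt for credentials (normal desktop)'
    4 = 'Prompt for consent (normal desktop)'
}
# ConsentPromptBehaviorUser: what a standard user sees.
$userModes = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop (Vista default)'
    3 = 'Prompt for credentials (normal desktop)'
}

function ConvertTo-ModeText($table, $value) {
    if ($null -eq $value) { return 'not set (built-in default applies)' }
    if ($table.ContainsKey([int]$value)) { return $table[[int]$value] }
    return "unrecognised value $value"
}

function Get-UacPromptPolicy {
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        UacEnabled         = ($p.EnableLUA -eq 1)
        SecureDesktop      = ($p.PromptOnSecureDesktop -eq 1)
        Virtualization     = ($p.EnableVirtualization -eq 1)
        InstallerDetection = ($p.EnableInstallerDetection -eq 1)
        AdminPrompt        = ConvertTo-ModeText $adminModes $p.ConsentPromptBehaviorAdmin
        StandardUserPrompt = ConvertTo-ModeText $userModes  $p.ConsentPromptBehaviorUser
    }
}

Get-UacPromptPolicy | Format-List

# To put administrators on the password-required path as well, run this from an
# elevated prompt. Prompt-behaviour values apply to subsequent elevation requests;
# only EnableLUA itself needs a reboot to change.
# Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value 1 -Type DWord
```

Two of the reported flags matter for the rest of this post. InstallerDetection is the heuristic that decides a freshly launched executable looks like an installer and must go through the elevation dialog; an ordinary unmanifested executable simply runs on the caller's token with no prompt at all. Virtualization is the redirection of protected writes into the per-user VirtualStore discussed earlier.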

Nevertheless, the Vista user experience I just described constitutes friction when compared to how things worked on XP. When running with administrative rights, as most users did with XP, nothing like this ever happened. The result was what security experts refer to as "attack surface": areas of exposure that malware developers look to exploit.

Microsoft could have taken any number of approaches to dealing with that surface area in Vista. For example, it could have left things the way they were in XP. Or, Microsoft could have swung the pendulum in the complete opposite direction by forcing non-administrative users to logout and then log back in as an administrator. But we as users have to be honest with ourselves. Working as most of us did with XP was living dangerously. From a user experience point of view, application installation involved no friction. But the same was true for certain classes of malware (again, what Microsoft often refers to as "drive-by malware"). And the whole point of the functionality embodied in Vista's User Account Control feature is to maximize friction to malware while minimizing friction to end users.

Should we as users be allowed to live dangerously, or is Microsoft right to toss some friction into the user experience in order to keep us from being our own worst enemies? Part of the answer is that, in tossing in some friction, Microsoft isn't just keeping each user from being his or her own worst enemy. Historically, the worst exploits have deputized unsecured systems in the process of spreading themselves across the Internet and doing their damage. So, provided any friction Microsoft introduces is effective, it will also keep us from being the enemies of other Internet users.

Will Microsoft's chosen path prove effective? On one hand, my answer is yes. On the other, perhaps Microsoft could have done more. Critics of Microsoft say that repeated escalations will desensitize users to the point that they'll just click through them anyway without really paying attention to what they're doing (one reason I actually favor the password-required path). Where I used to live in New York, there was an intersection that was notorious for fatal, head-on collisions. Nobody could put their finger on the reason why and there were no obvious answers on what to do about it. In every single case, the accidents were caused by incredibly reckless driving. For whatever reasons, this particular intersection was a magnet to reckless drivers whose turn had come to cause a fatal accident.

The local authorities took action. They posted signs that said things like "SLOW" and "DANGEROUS INTERSECTION AHEAD." Even though the accidents almost never had to do with intersecting traffic, they put a traffic light in the intersection (friction). Some people were smart enough to heed the warnings and slow down knowing that they might have to stop for a traffic light. If they're dead now, they probably didn't die in that intersection. Other people didn't heed the warnings. They didn't slow down. Some of them are dead or permanently maimed. Were the authorities wrong to add the friction they did? Not in my mind.

Likewise, I think Microsoft found the right balance in its approach. Yes, the escalation dialogs constitute additional friction. And it's just a wee bit more (a password) if you're logged in as a standard LPU than if you're logged in as an administrative one. But it's not sufficiently different from how other operating systems (the Mac, Linux, Unix, etc.) handle the same problem to warrant criticism of Microsoft's approach in Vista. And, if you ask me, the standard LPU/password-required route doesn't add enough friction to discourage users from heeding the advice of running as a standard LPU. In either case (the standard or administrative LPU), there's enough friction to stop drive-by malware provided that end-users heed the warnings. Drive-by malware shouldn't be able to install itself without the end-user's consent.

<sidebar>As a side note, and perhaps as fodder for another blog, defining "install" is worth some attention. There are certain Windows applications that can be copied to and run from a standard LPU's My Documents area or even a USB key. In an effort to keep rogue code from running, Vista seems to focus on applications that use Windows' formal installation APIs to load themselves onto a PC. But what about executable code that doesn't go through those APIs? Should Windows Vista equally pass attempts to run unknown applications through its User Account Control feature?</sidebar>

Will some users become desensitized? Perhaps. But like the reckless drivers who are dead now, if they're not smart enough to pay a very small price in order to let others help keep them out of harm's way, the cards will fall where they will. Oftentimes, not in their favor.

Going back to the question of whether Microsoft's approach will prove effective, I wrote, "On the other [hand], perhaps Microsoft could have done more." Right now, I'm running Vista on a Lenovo X60 Tablet as a standard LPU and so far, that choice has not interfered with my user experience enough to warrant usage as an administrative LPU, where a password isn't required for certain administrative operations. Fellow blogger Ed Bott pointed out to me how running as a standard LPU in Vista will block access to some other functions, like Vista's device manager, without a request for escalation. In other words, gaining access to the device manager requires logging out of the standard LPU and logging in as an administrator. That's pretty significant friction. For this and other reasons, Bott thinks it's OK to run Vista as an "administrative LPU" as long as the PC isn't shared with someone else.

Going back to yesterday's blog, running as an LPU made no difference between the two different paths I took to get Adobe's Flash plug-in installed on my computer. By the time I got to the escalation dialog, the user experience was exactly the same. It was what came before that dialog -- an experience that's largely in the hands of Web site developers -- that was the gating factor. But to run Vista under a standard LUA, I had to deliberately choose to do so. I don't know about other PC manufacturers, but neither the Lenovo X60 nor Vista arrived in a way that encouraged me to run that way. To run as a standard LPU, I had to go out of my way to do it, and I did.

Here is where the lion's share of the responsibility to educate users about the differences between a standard user and an administrative user rests on the shoulders of Microsoft and system manufacturers. During Vista's installation routines where the initial user IDs are created, there exists a perfect opportunity to educate users on the benefits of LUAs and the differences between the dual-token administrator and a standard Vista user. The same goes for the out-of-box experience that most system manufacturers are in control of. But those and other opportunities to educate users are being missed.

Talkback

30 comments
  • This should go a long way

    This should go a long way towards clarifying some of the confusion behind the new LUA/UAC initiative being introduced with Vista. Whether this implementation remains a half baked solution or not no doubt lies in the eye of the beholder (as always I suppose). At a minimum it can be seen as a step in the right direction on the part of the gang from Redmond. Finding a suitable and satisfactory "middle ground" cannot be an easy task, considering all the 'puter types they're responsible for who depend on Windows as their computing platform.

    Being realistic, not everyone has sufficient "geek" power to deal effectively with more sweeping system-wide UI changes or user restrictions. Just think of how many have difficulty as it is with controlling or directing something as simple as an outbound firewall! This obviously weighed heavily in the thinking and compromised approach MS chose to take in the end.

    Well explained as usual DB. Thanks.
    klumper
  • Clarification on the "asking for trouble" part

    "Furthermore, based on what I've seen so far, Microsoft's Vista team has gone out of its way to make sure that running under an LUA (administrative or standard) isn't the "asking for trouble" that George makes it out to be and quite frankly, while there's no perfect solution, I think they've done a very good job."

    I should clarify that "asking for trouble" refers to installing software in Standard User mode, especially when you're first setting up the computer. I run my family as standard users so they absolutely CAN'T install software or accidentally delete files. I myself run as admin because I know how to avoid trouble to begin with and I've always avoided trouble even under older OSes. I do have extra protection now because admin tasks still need my explicit OK even if it's just a quick click away. My point is that if you're going to be installing software, clicking to elevate versus typing in a password to elevate is just about the same thing. Only the former is easier.
    georgeou
    • my family

      I run my family as standard users so [b]they absolutely CAN'T install software or accidentally delete files[/b]

      Last time I tried that one my son was 10 years old; he found money here and there, bought a used Mac, and so long...

      Hope you can keep them for long in Gulag
      theo_durcan
      • It will be easier with Vista ...

        I've always kept my 'non-geek' family in Standard User mode and so far, I have found it MUCH EASIER to do with Vista than it was with XP.
        M Wagner
    • King and Castle

      Are you suggesting that every computer should come with a security dad to
      administer it?
      Harry Bardal
      • Nope, just 1 person with half common sense

        Nope, just 1 person with half common sense is all that's needed. Someone who would not try to load one of those special "codecs" that allow you to play this pr0n file. Someone who doesn't surf warez or pr0n sites and clicks on everything and says yes to everything under the sun or at least have the sense to know to click no if the screen dims and they're presented with a danger warning when they weren't planning on installing software. That usually happens to be the first user on the PC and all subsequent users aren't admins by default.

        So you just need enough common sense to avoid taking a gun and shooting yourself in the face with it. Vista will handle most of the drive-by shootings and the very few that might get through will give you a warning to stop it.
        georgeou
        • Although good advice...

          Mark my words the majority of users will just either put simple passwords (something easy to remember) for user administration or give the password to everyone in their family just "incase" they need to install something.

          Want to bet?
          ju1ce
    • So you WON'T eat your own dog food

      If you don't run AS a limited user, then you can't understand the problems they run into. Many (most) games need escalated privileges, and the M$ recommendation is to go in as admin user, and change the launch icon to prompt for what privs to run at. This means that the limited user STILL has to enter an admin password to run the program.

      Limited user privs are just too frustrating for "normal" people to put up with. They need to lean heavily on their "Admin" Daddy to get anything done.
      Roger Ramjet
      • In this case, it's not precisely Microsoft's fault.

        [i]Many (most) games need escalated privileges, and the M$ recommendation is to go in as admin user, and change the launch icon to prompt for what privs to run at. This means that the limited user STILL has to enter an admin password to run the program.[/i]
        Even worse, at least on XP (and the root problem is the game coders, not the OS, as mentioned in the blog entry) if a game does need admin and doesn't get it, it can do some weird things. Even stranger, some older games (TreadMarks comes to mind; last updated in 2001) work beautifully in non-admin mode. Perhaps it's time for the developers to actually educate themselves in how to allow their programs to run under LUAs without borking the OS when they're not running as admin.
        Raymond Danner
      • Even with XP ...

        ... 'admin dad' can set up "run as" parameters to allow games to run without the user knowledge of admin passwords. Vista makes this MUCH easier though.
        M Wagner
      • True

        At work, where I am a domain admin I run my computer as a regular old user, just like the plebians.

        Eating my own dogfood has led to me discovering several annoyances with XP that our users should not have to put up with.

        Not being able to manage power management settings in XP/2000 as a limited user is an example. It was fixed easily by changing a few ACL values in the registry.
        toadlife
      • Hasn't been my experience

        [i]Many (most) games need escalated privaleges[/i]

        I can't remember the last time I played a game that wouldn't run under a restricted rights account. I've been eating that dog food for years now and every single game I've purchased within the last couple years has worked just fine. I won't say there aren't any programs out there but I [b]never[/b] have to escalate my privileges to run [b]any[/b] program I use on my XP desktop. Again, I'm not saying they don't exist (2 of the programs my wife uses require admin to run) but my experience has been that those apps are by far in the minority. Maybe most of the apps you are running have been infected with a virus that is demanding admin?
        NonZealot
  • Very good advice!!!

    I really wish you wrote this a day earlier! I set up Vista yesterday afternoon and it took forever! That's not due to bad computer specs either: Athlon 64 X2 4200, 2 gigs of RAM, and an Nvidia 7900 GT. It was caused by all the answering "allow" to all the install prompts.
    Oh, and for anyone who reads this who hasn't bought Vista yet: install all the security updates and drivers before you do anything. I thought I was done after my first "set" of updates, which caused me to get the dreaded blue screen 3 times! After I installed every update and driver available, Vista is running smooth. But I HIGHLY RECOMMEND 2 GIGS OF RAM!!! At parts of my setup I was using more than a gig. And the rumors that Vista is a resource hog are true. My computer runs 400 MB of RAM on idle. XP used 200, which I guess isn't too bad in comparison, but if I had 1 gig of RAM I would be getting major slowdown. I ran 1 gig until yesterday when I bought Vista.
    saint9121@...
    • VISTA is not really a resource hog ...

      1GB RAM truly is sufficient for most needs. Vista uses up a lot of RAM on IDLE because VISTA has been designed to allocate unused RAM to disk cache. For instance, on a 512MB system, the RAM 'footprint' is about 380MB with 0MB of 'FREE' physical RAM available, yet the system will run Outlook, IE and Word concurrently. On the 1GB system I am using to write this, the RAM 'footprint' is at 504MB yet the 'FREE' RAM is at 31MB. Again, the rest of the RAM is being used as a disk cache, and the system is not noticeably sluggish.

      VISTA does a very nice job of utilizing whatever hardware resources are available for disk cache to improve overall performance.
      M Wagner
      • Although in context...

        I would agree with your statement..

        If you would have said to us, 5 years ago, that an O/S needed 1 Gig of RAM to function we definitely would have called it a hog.
        ju1ce
  • Good Advice!

    I agree, you should always use Vista in non administrative mode. Maybe if more
    people do this we won't see as much malware.
    IAHawkeye
  • What the...

    Maybe that was your first draft.
    Get back to us with your final and cut it down to 25 words or less please.
    D T Schmitz
  • That lasted a bout a week ...

    On my personal machine where I am the ONLY user, with a NEW VISTA install it was just too much. As I have about 100-150 apps to reinstall, being asked permission every 5 minutes to repeatedly run the same trusted programs became too much.

    Maybe in a Corporate environment with limited apps this will fly but a HOME user with a ton of utilities and small freeware programs will quickly turn this off....
    JackPastor
    • Think twice before...

      ...you upgrade to Vista.

      This article presents a long, confusing, rambling rationale for why Vista UAC is the way it is.

      Not a typical David Berlind article.

      Jack Pastor's response should raise a red flag for anyone considering the move to Vista.

      Take it from where it comes.
      D T Schmitz
      • That's no reason not to upgrade to VISTA

        If one needs to disable UAC long enough to install a large number of applications, do it, but this is no reason not to upgrade to Vista -- and, in truth, this becomes a very good reason FOR upgrading to Vista.
        M Wagner