Video: Why administrative accounts are actually Limited User Accounts in Vista

Summary: For years, Microsoft and its customers have been battling the problem of drive-by malware. What is drive-by malware?

For years, Microsoft and its customers have been battling the problem of drive-by malware. What is drive-by malware? For the most part, it's the sort of malware that takes advantage of systems where the user is logged in with administrative privileges. Until Vista came along, being logged into Windows as an administrative user afforded some forms of malware the same unimpeded rights to the entire system that the user himself (or herself) had. This made it easier for malware to drive by and install itself.

At first, the answer was thought to be simple: get the word out not to run Windows as an administrative user. In other words, run it under a Limited User Account (or LUA). LUAs can't install software. That way, when some piece of drive-by malware tries to install itself while a system is running under an LUA, it can't inherit the rights it needs to complete the installation. Only there was a problem: running Windows (including XP) under an LUA broke a lot of software. I witnessed this myself with the gaming software that my son uses.

Enter Windows Vista. Vista has a security feature that attempts to offer the best of both worlds. If your software runs fine under a non-administrative account, you have nothing to worry about (as was the case with Windows XP). If it doesn't (in other words, if the application needs administrative access for some reason), Vista accommodates that in two ways: first, it allows a normal LUA or standard user to supply the administrator's credentials when the application installs itself. Second, it does a neat trick with any files the application tries to install in sensitive areas by virtualizing them so they don't really install there. When the application tries to use or open those files as though they were in the sensitive area, it thinks they're there. But in reality, they're not. Vista is smart enough to put them on your hard drive in a place where they can't cause the harm they might have caused if they were loaded into certain sensitive areas.

Finally, but just as importantly, what if, rather than being logged in as a standard user, you're logged in as one with administrative privileges? This is where one of the key security improvements of Vista over Windows XP comes in. Even if you're logged in as an administrative user, attempts at installing software (be it legitimate or drive-by malware) are still treated as though you're running under an LUA. It doesn't ask for administrative credentials. But it does double-check with you before it allows the software to install itself. Recently, I wrote a detailed post that included an image gallery showing what this process looks like in action. In my most recent video, I take to the whiteboard with some stinky magic markers to explain how this all works.
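As an added example (not code from the original post), the PowerShell script below shows what the three mechanisms described above look like from inside a session: whether an administrator is currently running on the filtered, LUA-equivalent token or the full elevated one, how the credential and consent prompts are configured, and where virtualized writes to sensitive areas actually land. It assumes Windows PowerShell 3.0 or later on Vista or newer with an English locale; the function name Get-UacSessionState is chosen here, while the registry value names are the documented UAC policy values.

```powershell
# Added example, not code from the original post. Inspects how UAC treats the
# current session: filtered vs. full admin token, prompt policy, virtualization.
# Assumes Windows PowerShell 3.0+ on Vista or later and an English locale (the
# whoami attribute text is localized). Get-UacSessionState is a name chosen here.
function Get-UacSessionState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # True only when the process holds the full (elevated) administrator token.
    $isElevated = $principal.IsInRole($adminRole)

    # In Admin Approval Mode the Administrators group (S-1-5-32-544) stays in
    # the token but is marked "used for deny only": the account is an admin,
    # yet the process runs with standard-user rights, exactly as an LUA would.
    $groupRow = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $isFilteredAdmin = ($null -ne $groupRow) -and
                       ($groupRow.Attributes -match 'deny only')

    # Documented UAC policy values live under this key on every Vista+ system.
    $policy = Get-ItemProperty -Path `
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    [pscustomobject]@{
        User              = $identity.Name
        Elevated          = $isElevated
        AdminRunningAsLUA = $isFilteredAdmin -and -not $isElevated
        UacEnabled        = ($policy.EnableLUA -eq 1)
        # Admin prompt: 0 = elevate silently, 2 = consent on the secure desktop
        # (Vista default), 5 = consent only for non-Windows binaries.
        AdminPromptMode   = $policy.ConsentPromptBehaviorAdmin
        # Standard user: 0 = deny outright, 1 = ask for an administrator's
        # credentials on the secure desktop (the "supply the administrator's
        # credentials" path described in the post).
        UserPromptMode    = $policy.ConsentPromptBehaviorUser
        # File/registry virtualization redirects legacy writes aimed at Program
        # Files, Windows or HKLM\Software into per-user stores; the registry
        # side lands under HKCU\Software\Classes\VirtualStore.
        Virtualization    = ($policy.EnableVirtualization -eq 1)
        FileVirtualStore  = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    }
}

$state = Get-UacSessionState
$state | Format-List

# Anything a legacy application believed it wrote into a protected folder
# actually landed here, where it cannot replace the real system files.
if ($state.Virtualization -and (Test-Path $state.FileVirtualStore)) {
    Get-ChildItem -Path $state.FileVirtualStore -Recurse -File |
        Select-Object -ExpandProperty FullName
}
```

Run it once from a normal console and once from a console started with "Run as administrator": the same account reports AdminRunningAsLUA as true in the first and Elevated as true in the second, which is the split described in the post.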

Talkback

9 comments
  • I love that function of Windows Vista

    I love the function of Windows Vista where it asks for permission before it runs any Administrator program or lets something install in an administrator account.

    It's wonderfully designed, because it only comes up once for each program (I can turn it off for each program) each time I run it.
    Leria
  • Admin Privileges

    I tried to run chkdsk /f from the command prompt after a reboot problem and was told I did not have Administrative privileges. Screw Microsoft, I want to be able to control my computer without them telling me what I can or cannot do.
    yagijd
  • This is still a band-aid

    We are encouraging people to set up their accounts as Admins and not really changing that. The focus should be the LUA, but many users feel that they know what they are doing when using a computer and install as Admin anyway. That type of mentality needs to be brutally beaten into the heads of those who use it.

    Besides, how soon before we have malware that clicks itself on the drive-by install?
    nucrash
  • What the presence of UAC implies

    The existence, intrusiveness, and on-by-default nature of UAC is *the* conclusive proof that the architecture of NTish Windows is security and app-run-privileges Swiss cheese. Step *back* and look at the picture so the individual dots don't hypnotize you:

    1) If the user must so often be asked to okay processes at runtime, the potential, if not the reality, of malicious processes running anytime must be ongoing and great.

    2) If we need UAC to stop "drive by malware," the system architecture must therefore itself be largely incapable of preventing drive-by malware from getting into the system and running. *Drive-by malware ingress should be next to impossible in a well-architected, well-maintained system.*

    3) That so many Win apps require their users to have admin privileges to run--not install; that's acceptable--means badly-architected apps. That apps must be, or tend to be, so architected means that *the OS architecture is flawed* in that it allows, if not encourages, such faulty app architecture.

    That Vista is so in the user's face about managing process security from moment to moment is smoking-gun-class evidence of the system's insecurity. Yes, MS, if we uneducated users don't go to bad web sites and open bad files and only interact with nice people, nothing bad will happen (unless the systems of those nice people have already been compromised and happen to be sending us drive-by malware that looks like a friendly file from a nice person...). But that's what good OS and good app design and implementation are for. An OS and its apps should not be so badly- and over-integrated that it should be possible to hose the hard drive via a received email or rootkit the system via a browsed web page or a listened-to CD. If an OS has to ask its users so often how to keep it safe, *its designers and implementors must not know how to make it safe.*

    I see commenters comparing UAC to the way some Linux distributions are set up to prompt for a password whenever you need to do something rootish (same as needing to be Admin-ish on Windows); isn't UAC doing the same? No, because those Linux systems are (a) configured expressly to disallow the user routinely running as root (a 0th-order security must) and (b) to ask the user to supply root-quasi-equivalent credentials *only when the user has launched a system configuration process that requires quasi-root privileges to run*. *Routinely running* user applications on such systems does not require root-class privileges because (a) the OS is designed so users do not need root-class privileges to fully and successfully use user applications, and therefore (b) the user applications on such systems can be, and are, generally designed to *not* require root-class privileges to run fully and successfully. In most cases, under Linux and UNIX we can install the apps we want to run *entirely within our user space* without becoming root or rootlike during app installation *and* app use.

    Windows could do this, too, closed source and all. All it takes is the right code.
    dpnewkirk
    • You are off by a mile

      There is nothing wrong with the design of NT. Writing applications that work as a regular user in NT based OSs is not any harder than in any other OS.

      The issues are caused by legacy support in Windows.

      UAC is [b]designed to annoy people[/b], so that they will complain to ISVs who write software incorrectly, and those ISVs will fix their software.
      toadlife
    • Point by point crushing

      [i]1) If the user must so often be asked to okay processes at runtime, the potential, if not the reality, of malicious processes running anytime must be ongoing and great.[/i]

      Okay, I'm with you so far however this isn't any different than any other OS. Every time you view a picture, you invoke code that could potentially be [url=http://news.com.com/Flaw+leaves+Linux+computers+vulnerable/2100-1001_3-857265.html] exploited by data inside the picture file [/url]. [b]Any[/b] OS that [b]ever[/b] parses [b]any[/b] data that comes from a remote source is constantly at risk.

      [i]2) If we need UAC to stop "drive by malware," the system architecture must therefore itself be largely incapable of preventing drive-by malware from getting into the system and running. *Drive-by malware ingress should be next to impossible in a well-architected, well-maintained system.*[/i]

      So you seem to be advocating a defense strategy that requires 1 layer of perfect security. That's a nice dream but no one has done it yet. If you accept that no single layer of security can ever be perfect (as everyone but you does), multiple layers of imperfect security are necessary.

      You also completely ignore the fact that people install OSs in order to run applications and, even if you have a [b]perfect[/b] OS, you will not always run perfect applications. As I linked to above, opening a PNG file was enough to allow a remote exploit. Similar types of exploits have targeted [url=http://www.securityfocus.com/bid/13271] mplayer. [/url] An OS has to restrict the permissions of an application while giving the user some method of bypassing the security restrictions. Linux does it with su, sudo, kdesu, etc., OSX does it with whatever they call their permission augmentation dialog boxes, and Windows does it with RunAs and UAC.

      [i]3) That so many Win apps require their users to have admin privileges to run--not install; that's acceptable--means badly-architected apps. That apps must be, or tend to be, so architected means that *the OS architecture is flawed* in that it allows, if not encourages, such faulty app architecture.[/i]

      Huh? Are you saying it is impossible to write a Linux application that requires root permissions? Sorry but Linux allows "faulty" app architecture just as readily as Windows does.

      You also seem to be woefully uneducated when it comes to Windows architecture. Windows has had the concept of restricted rights since 1993 in its workstation/server products and since 2001 in its home desktop products. The registry has always had user sections (writable by the current user) and system sections (not writable by anyone but admin). Since XP, all home users had their own folders on the file system (writable by the current user) and the system/applications had different sections (not writable by anyone but admin). If app developers wanted to store data in the system section of the registry or the application section of the file system, that was their laziness and not something dictated to them by the OS architecture. And you know what? Almost every single application I've run in the last few years has worked just fine under a restricted rights user so developers [b]have[/b] been getting the message.

      [i]An OS and its apps should not be so badly- and over-integrated that it should be possible to hose the hard drive via a received email or rootkit the system via a browsed web page or a listened-to CD. If an OS has to ask its users so often how to keep it safe, *its designers and implementors must not know how to make it safe.*[/i]

      So I suppose you use the root account as your day-to-day Linux account? After all, since Linux and all of the apps that run on it are architected such that it is impossible to remotely exploit Linux (or any of its apps), there is no danger in running as root, right? Don't let the remotely exploitable vulnerabilities that [b]have[/b] been discovered in Linux (and its apps) spoil your little fantasy.

      Also, do you even know anything about UAC? I never get prompted by UAC when I open an email or surf the web. If I ever did then guess what, it would mean that UAC was doing its job! Actually, I had this protection before Vista since I've been running XP as a restricted rights user for years now. UAC isn't any better at preventing malware than what I had with XP but UAC [b]is[/b] better at letting me perform "good" administrative work without having to use RunAs or switching users. UAC doesn't give you better security than XP, it just makes the security that was always in XP a little more convenient.

      [i]In most cases, under Linux and UNIX we can install the apps we want to run *entirely within our user space* without become root or rootlike during app installation *and* app use.[/i]

      In most cases? Pull the other one!! Every single package manager I've ever used has required root permissions just to run. In the few cases that I've needed to install an application from its source code, compiling could be done as the user but the "make install" step has almost always required root.

      However, you are right that some Linux apps would install and run just fine in the user's home dir. Hmm, kind of like some Windows apps! I use putty to ssh into my Linux boxes and putty.exe runs [b]just[/b] fine from my Windows user's home directory. Firefox is another application that I've installed and run on Windows without ever requiring admin permissions.

      [i]Windows could do this, too, closed source and all. All it takes is the right code.[/i]

      Hmm, not according to you. After all, according to you, the problem isn't in the code, the problem is in the architecture of Windows itself. Want to reconsider?
      NonZealot
      • Point by Point Un-Crushing

        [B]Any OS that ever parses any data that comes from a remote source is constantly at risk.[/B]

        You speak the truth; however, one OS in particular HAS been exploited in THOUSANDS of different ways by this action, while others have rarely.

        [B]So you seem to be advocating a defense strategy that requires 1 layer of perfect security. [/B]

        Again, you speak the truth, but running as non-admin (for real, with file permissions and a true separation of userspace/OS space) is pretty darn close. Take BSD as one of the best, Linux as pretty close behind. This is enforced by various distros (such as Mandriva) making it extremely difficult to ever actually run as default root. You have to take EXTRA steps to make it happen. If I boot to level 3 (console login), log in as root, and try to startx, you get a big RED desktop, a bomb and a warning stating that "RUNNING AS ROOT IS A TERRIBLE IDEA" and then the desktop exits.

        Is this level of security perfect? No, it can never be, but the principle is absolutely perfect, and all Linuxes and BSDs, etc. are striving for the unattainable perfect goal based on a sound foundation.

        [B]Huh? Are you saying it is impossible to write a Linux application that requires root permissions? [/B]

        Again, you take the EXCEPTION and compare it to the rule of certain other OSes. Some programs TEMPORARILY need root's privileges to run (VPN connection is a good example), but it passes the process off to the OS and the remaining userspace application is in no way running as root.

        Skip the next point, I can't see the causality between what he said and what you are talking about. He stated the OS should not be integrated and you say he should run as root, don't see the connection.

        [B]In most cases? Pull the other one!! Every single package manager I've ever used has required root permissions just to run. [/B]

        He stated that in Linux he CAN install completely in the userspace, not that it was the default. That is almost unheard of in any MS OS, Vista included, since the userspace and functions and OS space are not yet completely isolated.

        [B]Hmm, not according to you. After all, according to you, the problem isn't in the code, the problem is in the architecture of Windows itself. Want to reconsider?[/B]

        I'm not sure why he would. Linux (and BSD and Unix) is architected with userspace and operating system isolated from each other; *nixes have immutable filesystem permissions controlling what a user can and can't do instead of an arbitrary set of rules (with potential to be wrong), and the absolute ability for its complete history to run as non-admin in a fully functional system.

        TripleII
        • Yet another linux zealot without a clue

          [i]You speak the truth, however, one OS in particular HAS been exploited in THOUSANDSof different ways by this action, while others have rarely. [/i]

          Wake me up when Linux has 90% desktop market share and then we'll make comparisons. Until then to make a comparison is idiotic.

          [i]"but running as non admin (for real, with file permissions and a true separation of userspace/os space) is pretty darn close. "[/i]

          No it's not. Running as a non-admin protects users from other users and the system from users, [b]but it doesn't protect users from malware.[/b]

          [i]"That is almost unheard of in any MS os, Vista included, since the userspace and functions and OS space are not yet completely isolated."[/i]

          Complete and utter nonsense.

          [i]"*nixes have immutable filesystem permission controlling what a user can and can't do instead of an arbitrary set of rules (with potential to be wrong) and the absolute ability for it's complete history to run as non admin in a fully functional system."[/i]

          I'm having trouble deciphering this gibberish. What the hell are you talking about? Windows has had ACLs, and security policies for over a decade and Vista has MIC for processes now, which can jail processes into specific locations of the filesystem and registry.

          NonZealot may be a little "zealous" in his posting here, but at least he knows a thing about how different operating systems work. You linux fanatics are pathetic.
          toadlife
          • Oh clueless one

            I believe the whole discussion thread [B]is drive-by installs[/B]. Not a user deliberately installing malware, and if I wanted to dig I could point to multiple posts where I state that NO OS is immune from a user determined or tricked into installing malware.

            To actually refute my post that Windows (I deliberately did not reference Windows, I said other OSes) has not been victim to thousands of exploits where malware installed in a drive-by manner (i.e. no interaction with the user) is beyond stupid. Sorry to call a spade a spade, but even MS touts one of the perks of I.E. 7 as no more drive-by malware installs.

            How about I wake you up when Linux has a market share equal to or greater than OS-X and owns what, about 35% of all the world's servers? Time to get up.

            Finally, USER components are STILL being embedded in the Operating Space; they have worked TOWARDS separation, but even the most ardent Windows supporter who knows what they are talking about knows this to be true.

            File permissions, immutable in the filesystem, whereby what can be done with the file is controlled by the filesystem, have to my knowledge, in 17 years of NIX, NEVER, EVER had an exploit where a file permission was bypassed. (I am not talking about a program becoming root and changing the file, I am talking about a direct exploit). ACLs and security policies are great, but have had flaws, leaving the underlying filesystem open (not just a single file).

            When Vista embeds true user permissions, read, write, execute (and share and time share and whatever they want) instead of relying on rules and a protection layer, they will be much more secure. UAC is rule based; a Root Prompt is due to the OS stating that This Process Needs Root. No matter what the exploit, what the conditions, the FILESYSTEM decides who can do what. That's why UAC is not as seamless as OS-X/NIX root prompts, where you only get asked when you really need it.

            You can believe Vista is much more secure, and you would be right because they are moving to and doing what NIX has always done. They are not there yet.

            TripleII