Should "Standard User" be the default in Windows 7?

Summary: It seems clear to me that combining an Admin account with Windows 7's "low nag" User Account Control (UAC) setting is a bad idea. Problem is, Admin accounts and "low nag" UAC settings will be the default for millions of people buying Windows 7-based PCs.

The problem with systems running with these two settings is that it's possible to use a code-injection vulnerability to silently run code or other applications with administrative privileges behind the user's back. Even Windows super-guru Mark Russinovich acknowledges that a problem exists:

Several people have observed that it's possible for third-party software running in a PA account with standard user rights to take advantage of auto-elevation to gain administrative rights. For example, the software can use the WriteProcessMemory API to inject code into Explorer and the CreateRemoteThread API to execute that code, a technique called DLL injection. Since the code is executing in Explorer, which is a Windows executable, it can leverage the COM objects that auto-elevate, like the Copy/Move/Rename/Delete/Link Object, to modify system registry keys or directories and give the software administrative rights. While true, these steps require deliberate intent, aren't trivial, and therefore are not something we believe legitimate developers would opt for versus fixing their software to run with standard user rights. In fact, we recommend against any application developer taking a dependency on the elevation behavior in the system and that application developers test their software running in standard user mode.

The follow-up observation is that malware could gain administrative rights using the same techniques. Again, this is true, but as I pointed out earlier, malware can compromise the system via prompted elevations as well. From the perspective of malware, Windows 7's default mode is no more or less secure than the Always Notify mode ("Vista mode"), and malware that assumes administrative rights will still break when run in Windows 7's default mode.

So, a problem exists, and not only is it something that malware authors could use but we could even see software developers using the trick to make their product less naggy than the competition. The solution is to change default settings, something that most people out there in Computer Land won't even know is possible.

Another flaw is to assume that just because someone is running an Admin account, they would accept all prompts thrown their way anyway. The problem with this is that the current settings allow a behind-the-scenes code injection to stealthily mess around with a system.

It seems to me that Microsoft has backed itself into a corner. It tried to make UAC less naggy, but by doing so introduced some serious vulnerabilities. The only advice it can offer to counter these vulnerabilities is that users should change default settings. Why not just make these more secure settings the default? Because it would break stuff. Like I said, Microsoft is backed into a corner.

My view is that Microsoft should make Standard user the default user on systems. Sure, it would break some stuff, but eventually something has to change because the current situation can't last forever. It's clear that Admin accounts are a security vulnerability in the hands of those who don't understand what it means to be running Admin accounts.
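To see whether a given PC is actually in the configuration discussed here (an Admin account combined with the Windows 7 default UAC level, under which Windows binaries auto-elevate), the following PowerShell check is an added example, not part of the original post. It reads the real UAC policy values under HKLM, uses whoami to tell a filtered Protected Administrator token from a true standard user, and assumes Windows 7 or later with PowerShell 3.0+.

```powershell
# Added example (not from the original post): report whether this machine combines an
# Admin account with the Windows 7 default "notify me only when programs try to make
# changes" UAC level. Assumes Windows 7+ and PowerShell 3.0+ (for [ordered]).
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey

# ConsentPromptBehaviorAdmin for a Protected Administrator account:
#   0 = elevate silently (UAC effectively off for admins)
#   2 = prompt for consent on the secure desktop for every elevation ("Always Notify", Vista behaviour)
#   5 = prompt only for non-Windows binaries; Windows binaries auto-elevate (Windows 7 default)
#   1, 3, 4 = other prompting variants (credentials / consent, with or without secure desktop)
$level         = [int]$uac.ConsentPromptBehaviorAdmin
$secureDesktop = [int]$uac.PromptOnSecureDesktop
$uacEnabled    = ([int]$uac.EnableLUA -eq 1)

# Is the logged-on user a member of Administrators? In a non-elevated shell the Administrators
# SID (S-1-5-32-544) is still present in the token but flagged "Group used for deny only", so
# inspect whoami's attributes instead of IsInRole(), which returns $false for the filtered token.
$adminGroup     = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -eq 'S-1-5-32-544' }
$isAdminAccount = ($null -ne $adminGroup)
$isElevated     = $isAdminAccount -and ($adminGroup.Attributes -notmatch 'deny only')

[ordered]@{
    UacEnabled       = $uacEnabled
    AdminPromptLevel = $level
    SecureDesktop    = ($secureDesktop -eq 1)
    AdminAccount     = $isAdminAccount
    ShellIsElevated  = $isElevated
}

if (-not $isAdminAccount) {
    'Standard user account: auto-elevation does not apply to this token.'
} elseif (-not $uacEnabled -or $level -eq 0) {
    'RISK: UAC is disabled or elevates administrators silently.'
} elseif ($level -eq 5) {
    'RISK: Admin account at the Windows 7 default level; Windows binaries auto-elevate.'
    'Fix (run elevated): restore the Vista "Always Notify" behaviour with'
    "  Set-ItemProperty -Path '$uacKey' -Name ConsentPromptBehaviorAdmin -Value 2"
    "  Set-ItemProperty -Path '$uacKey' -Name PromptOnSecureDesktop -Value 1"
} else {
    'Admin account, but every elevation prompts (Vista-style): auto-elevation is not in effect.'
}
```

The same slider setting can be changed from the User Account Control Settings control panel; the registry writes above are the equivalent for scripted or Group Policy rollout.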

[UPDATE: Here's a video of the code-injection vulnerability in action:

Bottom line is that this tweaking of UAC makes Windows 7 less safe than Vista. If you think anything else, you are wrong.]

Talkback

162 comments
  • You'll always need the Admin account

    Yes, in theory having the default as "Standard User" is ideal. However, the "millions of users" who have no idea of what an admin account is will now be saddled with the requirement to have two accounts on their PC - one they use every day and one they have to use whenever they have to install a new app or do something privileged. Won't that be even more confusing? And I bet you those users will eventually stay in the Admin account all the time so they don't have to flip back and forth.

    I think that the Win7 system is a necessary evil and a decent compromise. Users will be _generally_ safer, but can still do admin tasks inline without logging into a second account.
    Zathros
    • You're thinking in XP terms

      In Vista and Win 7 you can elevate simply by entering the admin account name/password, the admin password, or clicking OK (depending on various setup conditions of your system).

      There's no need to log out before installing something; I can't remember the last time I did that in Vista or Win 7.
      wolf_z
      • Actually

        You can use the runas command in the right click context menu to install apps, and even drivers most of the time.
        jdbukis
      • Yes, you're right

        Good point! It still means a second account (username/password). But, having to enter a username and password explicitly will help thwart silent automatic elevations and the user may wonder "why do I need to give the password" in unexpected situations (where malware is trying to trick the user into something).
        Zathros
        • Unfortunately this is another example of convenience trumping...

          ...security. Microsoft focus groups found people were bothered with having to enter their password so they changed the default to a button click instead.
          ye
          • Not only that

            I tried running in a standard account and found I had to enter my password a LOT, and on top of that, the silly thing prompts you if you want to change the authorization so you always have access WITHOUT needing to enter a password. I could see a lot of people doing this and still compromising their systems.

            So the standard account won't necessarily save a person. It still comes down to users educating themselves.
            Drakaran
          • You bet. Something I've advocated.

            [i]So the standard account won't necessarily save a person. It still comes down to users educating themselves.[/i]

            At least the user education part. I don't expect them to do it themselves. Unfortunately there are a lot of people who don't want to learn. They're perfectly happy being ignorant.
            ye
          • Why do they offer these options?

            Everyone has seen what affects the lack of security can have. Why go through all the effort of UAC if you give a dozen ways to bypass it all?

            Explorer shouldn't be elevated to begin with. You should be able to elevate it for perhaps a series of operations but normally it should run with user rights.

            Sadly convenience is worth more money. MS has proven you don't need security to be the top dog.
            SamCPP
          • RE: Why do they offer these options?

            *Correction* "affects" -> "effects".
            We return you now to normal programming.
            SamCPP
          • impact

            Having to remember RAVEN is why most people use impact instead of affect; it's nearly as annoying as OhMyGod.
            daduk
          • That's the million dollar question.

            And it's the gist behind the Ars Technica article Dietrich linked to.

            For all those people who want to know why Microsoft didn't take security seriously, convenience is the answer. Despite all the demand that Microsoft secure their OS, we see people really don't want security if it comes at the expense of convenience.
            ye
          • That's right

            [i]Despite all the demand Microsoft secure their OS we see people really don't want security if it comes at the expense of convenience.[/i]

            That's what happens when you have 10+ years of running things in your admin account. They should've introduced something like this way back in the 90s.

            And you're going to tell people to change their habits at this late date?
            Wintel BSOD
          • Not buying it

            OS X prompts for passwords on a number of actions. I suspect the real story is that users were annoyed that they had to enter a password for everything, including putting a shortcut on the desktop. It wasn't a user problem, like most things Microsoft, it was a usability problem.
            frgough
          • LOL! Wasn't that a problem in the BETA version?

            [i]I suspect the real story is that users were annoyed that they had to enter a password for everything, including putting a shortcut on the desktop.[/i]

            I don't receive any UAC prompt for placing a shortcut on the desktop. Perhaps if you actually used Vista you would come to learn most of these "issues" are nothing more than FUD.
            ye
          • all users vs specific user desktop

            Making changes to the "all users" desktop requires elevation; changing the current user's desktop does not.

            As it should be really.
            rtk
          • @rtk: That is correct.

            However I'm not aware of a way to create a shortcut on the All Users Desktop through the normal means of creating shortcuts (right click, drag and drop, etc). Those methods create it on the users desktop. Though there might be a way as this is not something I've spent any time investigating.

            Installers tend to be the means for creating shortcuts on the All Users Desktop. Which means deleting them would require elevation.
            ye
          • Shortcut on the desktop?

            What are you talking about? I've never had to enter a password or gotten any UAC prompt for putting something on the desktop. Now if you're doing that in Explorer, one of the desktops (can't ever remember which) generates a UAC prompt (whichever one affects all accounts)...but that's an exception.

            Some of this is MS's fault, but the truth is that the vast majority of actions that generate a UAC prompt in Vista would require you to sudo in *nix.

            The only advantage in *nix is that the sudo lasts for some period of time, so you can run that command again without entering a PW.

            For the most part, I don't get that many UACs. I will change the security when I install 7.
            notsofast
          • U.A.C. is not designed....

            ...to block someone who has administrative rights on the computer. Now it is technically best practice for one to not use an account with admin privileges to do your day to day stuff... But by offering the button click, it lets people know that there's something going on that's trying to make some potentially serious changes, and that if they didn't tell something to run then it gives them the chance to stop it...

            But, the solution isn't to make "standard user" the default, it's for Microsoft to retighten the UAC by default, and if you think you're cool enough to run with a weak UAC then you've got to figure it out for yourself.
            edwards.wb
          • The problem, as I understand it, is...

            ...the auto elevation which is available to an administrator but not to a standard user. It's the ability to auto elevate which causes me concern. Thus setting the Windows 7 UAC level to be the same as Vista will close all potential attack vectors. If Microsoft doesn't eliminate auto elevation we will see an exploit take advantage of this "feature". It's a huge step backwards. But since it can be worked around by running as a standard user, it will not be enough to prevent me from using Windows 7.
            ye
        • Maybe the UAC prompt

          should also say something to the user about malware, e.g. a little note down the bottom of the UAC prompt with "Did you activate this prompt for elevation? Or could it be malware?" Something else is that the process that is requesting elevation could be indicated.
          SamCPP