Topic: Security

Should "Standard User" be the default in Windows 7?

Summary: It seems clear to me that combining an Admin accounts with Windows 7's "low nag" User Account Control (UAC) setting is a bad idea. Problem is, Admin accounts and "low nag" UAC settings will be the default for millions of people buying Windows 7-based PCs.

By Adrian Kingsley-Hughes for Hardware 2.0 | June 11, 2009 -- 07:29 GMT (00:29 PDT)

Follow @the_pc_doc

It seems clear to me that combining an Admin accounts with Windows 7's "low nag" User Account Control (UAC) setting is a bad idea. Problem is, Admin accounts and "low nag" UAC settings will be the default for millions of people buying Windows 7-based PCs.

The problem with systems running with these two settings is that it's possible to use a code-injection vulnerability to silently run code or other applications with administrative privileges behind the user's back. Even Windows super-guru Mark Russinovich acknowledges that a problem exists:

Several people have observed that it's possible for third-party software running in a PA account with standard user rights to take advantage of auto-elevation to gain administrative rights. For example, the software can use the WriteProcessMemory API to inject code into Explorer and the CreateRemoteThread API to execute that code, a technique called DLL injection. Since the code is executing in Explorer, which is a Windows executable, it can leverage the COM objects that auto-elevate, like the Copy/Move/Rename/Delete/Link Object, to modify system registry keys or directories and give the software administrative rights. While true, these steps require deliberate intent, aren't trivial, and therefore are not something we believe legitimate developers would opt for versus fixing their software to run with standard user rights. In fact, we recommend against any application developer taking a dependency on the elevation behavior in the system and that application developers test their software running in standard user mode.

The follow-up observation is that malware could gain administrative rights using the same techniques. Again, this is true, but as I pointed out earlier, malware can compromise the system via prompted elevations as well. From the perspective of malware, Windows 7's default mode is no more or less secure than the Always Notify mode ("Vista mode"), and malware that assumes administrative rights will still break when run in Windows 7's default mode.

[poll id="469"]

So, a problem exists, and not only is it something that malware authors could use but we could even see software developers using the trick to make their product less naggy than the competition. The solution is to change default settings, something that most people out there in Computer Land won't even know is possible.

Another flaw is to assume that just because someone is running Admin account, they would accept all prompts thrown their way anyway. The problem with this is that the current settings allow a behind-the-scenes code injection to stealthily mess around with a system.

It seems to me that Microsoft has backed itself into a corner. It tried to make UAC less naggy, but by doing so introduced some serious vulnerabilities. The only advice it can offer to counter these vulnerabilities is that users should change default settings. Why not just make these more secure settings the default? Because it would break stuff. Like I said, Microsoft is backed into a corner.

My view is that Microsoft should make Standard user the default user on systems. Sure, it would break some stuff, but eventually something has to change because the current situation can't last forever. It's clear that Admin accounts are a security vulnerability in the hands of those who don't understand what it means to be running Admin accounts.

[UPDATE: Here's a video of the code-injection vulnerability in action:

Bottom line is that this tweaking to the UAC make Windows 7 less safe than Vista. If you think anything else, you are wrong.]

Topics: Security, Malware, Microsoft, Operating Systems, Software, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

161 comments

Log in or register to join the discussion

You'll always need the Admin account

Yes, in theory having the default as "Standard User" is ideal. However, the "millions of users" who have no idea of what an admin account is will now be saddled with the requirement to have two accounts on their PC - one they use every day and one they have to use whenever they have to install a new app or do something privileged. Won't that be even more confusing? And I bet you those users will eventually stay in the Admin account all the time so they don't have to flip back and forth.

I think that the Win7 system is a necessary evil and a decent compromise. Users will be _generally_ safer, but can still do admin tasks inline without logging into a second account.

Zathros
11 June, 2009 07:36

Reply Vote
- You're thinking in XP terms
  
  In Vista and Win 7 you can elevate simply by entering the admin account name/password, the admin password, or clicking OK (depending on various setup conditions of your system).
  
  There's no need to log out before installing something, I can't remember the last time I did that in Vista or Win 7.
  
  wolf_z
  11 June, 2009 09:14
  
  Reply Vote
  - Actualy
    
    You can use the runas command in the right click context menu to install apps, and even drivers most of the time.
    
    jdbukis@...
    11 June, 2009 09:22
    
    Reply Vote
  - Yes, you're right
    
    Good point! It still means a second account (username/password). But, having to enter a username and password explicitly will help thwart silent automatic elevations and the user may wonder "why do I need to give the password" in unexpected situations (where malware is trying to trick the user into something).
    
    Zathros
    11 June, 2009 09:34
    
    Reply Vote
    - Unfortunately this is another example of convenience trumping...
      
      ...security. Microsoft focus groups found people were bothered with having to enter their password so they changed the default to a button click instead.
      
      ye
      11 June, 2009 09:44
      
      Reply Vote
      - Not only that
        
        I tried running in a standard account and found I had to enter my password a LOT, and on top of that, the silly thing prompts you if you want to change the authorization so you always have access WITHOUT needing to enter a password. I could see a lot of people doing this and still compromising their systems.
        
        So the standard account won't necessarily save a person. It still comes down to users educating themselves.
        
        Drakaran
        11 June, 2009 14:51
        
        Reply Vote
      - You bet. Something I've advocated.
        
        [i]So the standard account won't necessarily save a person. It still comes
        down to users educating themselves.[/i]
        
        At least the user education part. I don't expect them to do it themselves.
        Unfortunately there are a lot of people who don't want to learn. They're
        perfectly happy being ignorant.
        
        ye
        11 June, 2009 16:08
        
        Reply Vote
      - Why do they offer these options?
        
        Everyone has seen what affects the lack of security can have. Why go through all the effort of UAC if you give a dozen ways to bypass it all?
        
        Explorer shouldn't be elevated to begin with. You should be able to elevate it for perhaps a series of operations but normally it should run with user rights.
        
        Sadly convenience is worth more money. MS has proven you don't need security to be the top dog.
        
        SamCPP
        11 June, 2009 17:19
        
        Reply Vote
      - RE: Why do they offer these options?
        
        *Correction* "affects" -> "effects".
        We return you now to normal programming.
        
        SamCPP
        11 June, 2009 17:20
        
        Reply Vote
      - That's the million dollar question.
        
        And it's the gist behind the Ars Technica article Dietrich linked to.
        
        For all those people who want to know why Microsoft didn't take security seriously convenience is the answer. Despite all the demand Microsoft secure their OS we see people really don't want security if it comes at the expense of convenience.
        
        ye
        12 June, 2009 07:58
        
        Reply Vote
      - That's right
        
        [i]Despite all the demand Microsoft secure their OS we see people really don't want security if it comes at the expense of convenience.[/i]
        
        That's what happens when you have 10+ years of running things in your admin account. They should've introduced something like this way back in 90s.
        
        And you're going to tell people to change their habits at this late date?
        
        Wintel BSOD
        12 June, 2009 08:05
        
        Reply Vote
      - Not buying it
        
        OS X prompts for passwords on a number of actions. I suspect the real
        story is that users were annoyed that they had to enter a password for
        everything, including putting a shortcut on the desktop. It wasn't a user
        problem, like most things Microsoft, it was a usability problem.
        
        frgough
        12 June, 2009 08:38
        
        Reply Vote
      - LOL! Wasn't that a problem in the BETA version?
        
        [i]I suspect the real story is that users were annoyed that they had to enter a password for
        everything, including putting a shortcut on the desktop.[/i]
        
        I don't receive any UAC prompt for placing a shortcut on the desktop. Perhaps if you actually used Vista you would come to learn most of these "issues" are nothing more than FUD.
        
        ye
        12 June, 2009 08:56
        
        Reply Vote
      - all users vs specific user desktop
        
        Making changes to the "all users" destkop requires elevation, changing the current user's desktop does not.
        
        As it should be really.
        
        rtk
        12 June, 2009 09:37
        
        Reply Vote
      - @rtk: That is correct.
        
        However I'm not aware of a way to create a shortcut on the All Users Desktop through the normal means of creating shortcuts (right click, drag and drop, etc). Those methods create it on the users desktop. Though there might be a way as this is not something I've spent any time investigating.
        
        Installers tend to be the means for creating shortcuts on the All Users Desktop. Which means deleting them would require elevation.
        
        ye
        12 June, 2009 12:27
        
        Reply Vote
      - Shortcut on the desktop?
        
        What are you talking about? I've never had to enter a password or gotten any UAC prompt for putting something on the desktop. Now if you're doing that in explorer, one of the desktops (can't ever remember which) generates a UAC prompt (whichever one is affects all accounts)...but that's an exception.
        
        Some of this is MS's fault, but the truth is that the vast majority actions the generate a UAC prompt in vista would require you to sudo in *nix.
        
        The only advantage in *nix is that the sudo lasts for some period of time, so you can run that command again without entering a PW.
        
        For the most part, I don't get that many UACs. I will change the security when I install 7.
        
        notsofast
        12 June, 2009 18:35
        
        Reply Vote
      - U.A.C. is not designed....
        
        ...to block someone who has administrative rights on the computer, now it is technically best practice for one to not use an account with admin priveleges to do your day to day stuff... But by offering the button click, it let's people know that there's something going on that's trying to make some potentially serious changes, and that if they didn't tell something to run then it gives them the chance to stop it...
        
        But, the solution isn't to make "standard user" the default, it's for microsoft to retighten the UAC by default and if you think you're cool enough to run with a weak UAC then you've got to figure it out for yourself.
        
        edwards.wb
        12 June, 2009 10:37
        
        Reply Vote
      - The problem, as I understand it, is...
        
        ...the auto elevation which is available to an administrator but not to a standard user. It's the ability to auto elevate which casues me concern. Thus setting Windows 7 UAC level to be the same as Vista will close all potential attack vectors. If Microsoft doesn't eliminate auto elevation we will see an exploit take advantage of this "feature". It's a huge step backwards. But since it can be worked around by running as a standard user it will not be enough to prevent me from using Windows 7.
        
        ye
        12 June, 2009 12:31
        
        Reply Vote
    - Maybe the UAC prompt
      
      should also say to the user something about malware e.g. a little note down the bottom of the UAC prompt with "Did you activate this prompt for elevation? Or could it be malware?" Something else is that the process that is requesting elevation could be indicated.
      
      SamCPP
      11 June, 2009 17:42
      
      Reply Vote
- Wrong... Ubuntu Linux does without
  
  Ubuntu Linux does without, 'tho' using sudo is a "bit" like the UAC in Vista, except you only use it when you need to change system level stuff. The Administrator account is still there if you really need it, but not as a GUI login. Works for me, 'tho' YMMD.
  
  My own personal opinion is that the Windows file system/security model is irretrievably broken anyway
  
  norm.mcmillan@...
  11 June, 2009 15:40
  
  Reply Vote