 Tuulilapsi Kenosis
join:2002-07-29 Finland
reply to psloss
Re: XP: Your Very own Low-Rights IE
I agree that non-admin accounts as they are now aren't perfect, and MS has improvements to make, but I don't agree about the whole zero maintenance point. Non-admin accounts as they are now in Windows require some extra work, yes, but just how much extra work is required to constantly sort out malware problems that could have been avoided by not running as admin? According to my own (limited) observations, people actually have to waste less time on maintenance when running as non-admin.
-- And lead me not into temptation - for I can find my way there myself easily enough.

  BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR
It's much less work, my anti-software updates on the system account, and if I really need to I can run as a program to do an admin task. The only real limitation is piss poor programming, anti-software that won't update on the system account, programs which require admin access like games which repeatedly install DRM software which causes problems with everything on your computer, etc...
-- My hourly rates: $25 per hour. $35 per hour if you want to watch. $45 per hour if you want to help. $75 per hour if you tried to fix it, and failed. The biggest error is sitting in front of your keyboard.

  redxii too big to fail Premium,Mod join:2001-02-26 Texas
reply to Tuulilapsi
said by Tuulilapsi:
and MS has improvements to make

So do software vendors, that is, constant writing to the registry should be done in HKEY_CURRENT_USER and the current user's Application Data folder instead of the program's folder.
So it seems Vista will ask for a password if a program requires more privileges to write somewhere. I fear this only encourages other vendors to continue this vile behavior even if MS recommends it to them as only a solution for legacy or poorly written apps.
-- Microsoft Windows 2000/XP Security: Some Assembly Required.

 Tuulilapsi Kenosis
join:2002-07-29 Finland
Agreed - software vendors, in particular security software vendors - should both advocate the concept of least privilege and write their programs to work properly with non-admin accounts. What I would like to see is MS getting really rough on anyone who churns out code that breaks with non-admin accounts. If you remember those lovely "This driver has not been certified for XP compatibility" warnings, perhaps something like that would be in order: "Warning: This software is not compatible with (fancy term like 'Windows Protected User Accounts' here). This software is poorly coded and may jeopardize the security of your system, and your socks. Do you still wish to proceed with the installation?" If anyone could get away with doing that, it's MS. What are vendors going to do? Start writing all their apps for other operating systems, as if the majority used them? It would work.
-- And lead me not into temptation - for I can find my way there myself easily enough.

 psloss Premium join:2002-02-24 Alpharetta, GA
reply to Tuulilapsi
said by Tuulilapsi:
I agree that non-admin accounts as they are now aren't perfect, and MS has improvements to make, but I don't agree about the whole zero maintenance point. Non-admin accounts as they are now in Windows require some extra work, yes, but just how much extra work is required to constantly sort out malware problems that could have been avoided by not running as admin? According to my own (limited) observations, people actually have to waste less time on maintenance when running as non-admin.

Absolutely, I agree with you that it's less time consuming and less of a hassle to prevent problems rather than to fix them. And logically, it's a no-brainer.
But that's a "pay me now or pay me later" choice; a lot of people choose the latter, even if they aren't aware that they are making a choice.
Regarding what Microsoft has to do with non-admin accounts, I think Microsoft is mostly addressing third party applications that don't work. If it was just Microsoft apps, they could have fixed the individual apps without having to make many of the changes that are going into Vista. (They may be fixing them, anyway.) Day to day use of non-admin accounts has been possible on "managed" NT desktops for a long time.
In a way, the changes going into Vista are just another set of compatibility "shims" that Microsoft has to put into Windows to accommodate odd conventions in third party programming. In some cases, I believe those conventions were at least partly the result of a lack of documentation or "under documentation" of best practices for using some Win32 API functions.
Philip Sloss
-- Feedback? e-mail: stuff@lupwa.org