Devin Ganger wrote:
> Why is it okay for Windows XP to create the first user and give it admin
> privileges? It's not okay. This is a flaw in the Windows default
> installation for workstations that has been floating around ever since

Okay, it isn't, but I can tell you why it is done that way. I worked at Microsoft on their network security team at the time and followed much of the debate over that and other security-related things with XP. They didn't all go down the way a security person would have decided in a security vacuum, but they went down in understandable ways.

Why default to admin? Way, way, way too many pieces of software out there when XP was developed wouldn't function if the user had limited rights. Why was that? Windows 9x had no concept of admin/user. Its legacy was a single-user, non-networked OS on a *personal* computer. Unix-based stuff started out as a shared resource where user restrictions had to exist. Windows started out as a single-user OS on a single-user computer. Windows XP came into a world dominated by Windows 9x software written for an environment where there was no concept of an admin. Force the user to be a user and most of the software won't run. If most of the software won't run, nobody will switch. If nobody switches, everybody stays in the old zero-security Win9x world.

Microsoft was caught between two bad choices on this one. Run as admin and get people to migrate to an OS that brings the beginning of security, or run as a limited user and nobody migrates. Good for the Linux OS perhaps, except for the fact that even now it isn't user friendly enough and doesn't have enough hardware support for the average user. I happen to like it a lot but am not ready to put most users I know on it.

Why not just bite the bullet and force local users and force developers to learn via pain? It wouldn't have worked in the home. Remember, the users *own* those computers. After a few weeks of typing their admin passwords to do something a limited user couldn't do, they'd have found one of about a billion Windows tips websites telling them how to make themselves an admin and avoid the problem. These are technically savvy Linux users who know better. They are people who we joke about thinking their CD drives are cup holders, who look for "any" keys and wonder why their computers aren't working when the power is off. We joke about it, but that's because it's real. We geeks will put up with the pain of sudo and runas because we understand why it is necessary. The average user will not unless forced to by corporate policy. No corporate policies on home computers. This is why even Vista isn't doing LUA in the same way as Linux.

> Windows NT 3.1. The criticism has been voiced for a long time. Microsoft
> employees have vocally wondered the same thing for years. (Note that XP
> doesn't do that if you join it to a domain during the installation, so
> someone clearly gets that creating new users as admins is inappropriate
> in *some* contexts.)

If they wonder, they weren't around for the discussions or they refuse to consider things outside the tunnel vision of pure technical considerations. As for the difference, how many home networks existed when XP came out? (XP Home can't even join a domain.) A corporate network has computers owned by somebody other than the user. It can set policies about what can and cannot be run. It can stick to software that has been tested and tried with LUA. Home users *own* their computers. They run software not intended for a corporate environment. They run software that is generally among the last to pick up on anything going on in the computer world unless it is very high-end games. They run software they pick up at Wal-mart for $5 that was written five or six years ago, before most of the world had any clue what security was and we security folks were fighting to be heard. That's why there is a difference.

> Can Windows be run securely under LUA? You and I both know it can, and
> we both know the tools and resources to do it. How many of those tools
> and resources that we need to figure out which rights a given piece of
> software needs in order to run as a non-admin user actually come with
> Windows? How many of them come from Microsoft? Why wasn't LUA enforced
> back in 2000 when RunAs was introduced with the OS, instead of waiting
> years later for Vista? Why is it okay to expect our users to become
> security experts in order to protect themselves, instead of expecting
> the default install of the OS to make them as secure as possible by
> default even when they're installing stand-alone machines?

Unlike Linux and most Linux distros, which come out with incremental changes fairly often, Windows comes out infrequently. Service packs may or may not introduce major changes and new features. (That went back and forth the six years I was there.) Why wasn't LUA enforced back then? See the explanation above. Most Win9x software wouldn't work, and Win9x software was most of what was out there.

Bad decision not to force LUA with XP? In hindsight it is easy to say yes, but remember the environment at the time. Many XP design decisions had been made even before Melissa. Broadband meant ISDN and was rare. Always-on connections? Pretty much limited to corporate networks. The decision to move people along gradually made more sense back then. The things that XP SP2 broke, and the even more that Windows 2003 did, would not have been possible at the time. Corporate CIOs were not begging for security then. Security professionals were, but quite often our own CIOs wouldn't listen to us until a major wake-up call came along. Without incremental changes, you cannot go back and undo design decisions made six or seven years ago very easily or gradually. Now we'll accept major breakages in the name of security. Back then the corporate world would not. (Back before Microsoft's corporate focus on security, when we met with other corporate security teams, they often asked why Microsoft wasn't doing more for security. We'd ask them how many of their CIOs and CEOs were asking Gates and Ballmer for security. I don't recall one who could say that was happening.)

When I interviewed with the small network security team in '97, every person I interviewed with asked me how I took losing a fight. Six years later, when I left in '03, we didn't lose fights. That changed because the environment changed and CIOs and CEOs started to listen to their security folks (as did the Microsoft execs). Since that change, there have been few major releases. Windows 2003 and Windows XP SP2 are about it, and even they have designs dating from before the global wake-up calls. Even Vista won't be entirely new, and it is yet to ship.

It's not the way things should be, but that's largely the way it happened. Debating it now may be intellectually interesting but will have about as much effect on how it happened as debating the fall of the Roman Empire.

--
Mike Lyman
CISSP
[EMAIL PROTECTED]
