Freigeben über

Why I run as an Admin

  • Artikel

For a long time now, security people have been advocating running as a non-administrator. I have tried this a few times myself, generally for about 10 minutes before I give up. On my home computer, I once changed my account and my wife’s account to be a limited user without telling my wife. Let me tell you, that’s a mistake that I will only make once. Here are the reasons why I can’t see myself running as a limited user anytime soon.

The calendar

This is by far my biggest pet peeve, and until this is fixed, I will never consider running as a non-admin. Double click the clock on the task bar and what do you get? ‘You do not have the proper privilege to change the System Time’. I don’t want to set the time; I want to look at a calendar!

I can’t install _anything_

As a non-admin, it is expected that I shouldn’t be able to install everything. But why can’t I run Windows Update? Do I have a windows installer service running on my machine as localsystem? Yes. Do we have code signing? Yes. Why can’t we put these two together and allow the administrator account to set things up so that setups and updates which are signed by companies that I trust can be installed without needing to log on as an admin? I can dream...

New for XP SP2 – the firewall

The firewall puts up a nice dialog that allows me to open the firewall. This seems to happen surprisingly often. This doesn’t work when I am a non-admin.

Comments

  • Anonymous
    July 29, 2004
  1. Agreed. There are a lot (really a lot) of applications that cannot run an non-admin. This very annoying and should be reported as bugs!
    2. & 3. I don't agree. Installing anything on the system can break it/applications running. As an admin you don't want anyone to install anything. Same goes for firewalls I just don't non-admin users opening ports at will.

    However I think 'Run As User' functionality should be improved to be able to run/install things with minimum interuption.
  • Anonymous
    July 29, 2004
    I Hear you!

    to be honest I think a whole lot of work needs to be done to make it work right.

    I'd love to have the MS developers and the folks who build install programs be the ones to start the process.

    if they had to run as normal users everyday for a year I bet that 99% of the problems would be fixed in that year!

    then the rest of the dev's could use normal accounts with much less pain and pickup the rest of the bugs... which IMHO will mostly be bugs they built and could not see as admin users.
  • Anonymous
    July 29, 2004
    The comment has been removed
  • Anonymous
    July 29, 2004
    The comment has been removed
  • Anonymous
    July 29, 2004
    I had the same issue with #1, and finally figured out how to give my account permissions from the security settings (User Rights Assignment). The "Change the System Time" policy is what you are looking for.

    I'm still looking for a way to allow a certain account permissions to change the power settings (seems that there are machine specific as well as user specific settings, so a regular user can't change them, and running the power settings control panel with RunAs doesn't work either.).
  • Anonymous
    July 29, 2004
    Seems like some MS folks need to get together and talk over what really requires admin priveleges, and what really doesn't.
    The old PowerUser was a pretty good compromise between getting things done and still not jeopardizing the whole system.
    If someone at MS could start a discussion about what really needs to be there everyday, without requiring extraordinary privilege, vs. what should require extraordinary privilege, and do it before Longhorn gets locked, I think a more secure commputing environment for everyone, not just the experts, would be the result.
    For example:
    Calender/Time: everyone
    Windows Updates: everyone, unless disabled by group policy
    Drivers: Devices detected in Device Manager, everyone. Devices added that are not PnP: admin
    Apps, everyone, because system files should now be completely protected from casual app updates.

    These are just some ideas to get a conversation started, but the sooner someone at MS picks up the ball, the sooner the world will have a solution.
  • Anonymous
    July 29, 2004
    The comment has been removed
  • Anonymous
    July 29, 2004
    The comment has been removed