RE: Windows user privileges

["Phillip R. Paradis" <prp17 () adelphia net>]

> 1. XP would be more suitable to run as a user if the runas service and
> windows installers were developed to add more complete and easy to use
> privilege elevation techniques outside of active directory and the
> default group policy that gets applied.
...
> 4. The windows install creates the first user account as an
> administrator so that they may install programs and hardware without
> allot of hassle. This is in fact good for business over the
> alternative (which is to hassle most end users beyond their point of
> no return), no matter what the security implications, remember end
> users don't care (even if they should).

A good approach here that would allow the user to be a non-admin by default and
not make things overly difficult would be:

1. When creating the Administrator account's password during setup, remind the
user that they will need it to install software, etc.

2. When the user attempts to do something they have insufficient privileges for
(install something, for instance) the Run As UI should appear automatically,
rather than an error message. The average home user isn't smart enough to right
click and find the Run As command; a great many such users don't even realize
that the right mouse button has a use.

It would also be nice if they'd fix Explorer, etc. to support Run As, and
perhaps add an Open As command to the context menu for folders, to allow opening
a folder with different credentials. While they're at it, they might find some
way of marking the windows of any processes not running as the current user.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html