Tech Analysis: Mac OS and Linux handle privileges more sensibly, but Vista could change that.
Among the challenges that enterprise administrators face when attempting to properly lock down the Windows machines in their care, managing the laundry list of operating system functions that require elevated privileges is a chore that looms large.
Making matters even worse are Windows anemic facilities for allowing rights-limited users who are out of reach of IT support to access these functions, without granting them full administrative rights.
The primary client alternatives to Windows XPApple Computer Inc.s Mac OS X and most of the prominent Linux distributionsmanage user privileges more smoothly than XP does.
But eWEEK Labs believes that Vista, which will replace XP sometime next year, demonstrates that Microsoft Corp. is about to catch up.
Mac OS X
When talking about the various functions of their beloved operating system, Mac stalwarts are fond of remarking, perhaps a bit smugly, that the Mac "just works."
But when it comes to appropriately managing user permissions, Apples OS X definitely merits that phrase. In fact, the Mac boasts the best user rights management of any operating system weve tested.
Mac OS X offers separate user and administrator privilege levels and, more importantly, includes effective facilities for prompting users when rights elevation is required.
For instance, when a regular user attempts to drag something to a restricted system foldersuch as when one installs a Mac application by dragging it to the applications folderOS X refuses to complete the action, but it does offer the user the option of authenticating with admininstrative credentials to complete the operation.
Beyond its simple, effective rights elevation facilities, OS X, when paired with OS X Server, offers good tools for controlling the applications and options to which users have access. This makes the Mac a very good system for lockdown overall.
Linux offers good user rights separation and elevation as well, but the specific way that this is implemented depends on the distribution youre using.
However, in most popular Linux distributions, such as those from Red Hat Inc., Novell Inc.s SUSE or the Debian families, regular users receive prompts for root password authentication for operations that require administrator rights.
These distributions use the command su to become root and allow users to run arbitrary commands.
In addition, Linux distributions usually ship with a handy application called sudo, which enables administrators to grant users permission to run particular commands with root rights by authenticating with the users own password.
Sudo thereby makes it possible to regulate what users do, as well as to generate an audit trailvery useful capabilities when locking down a system.
SELinux also boosts rights separation by mandating more specific permissions over what users and applications are allowed to do on a system. At this point, however, SELinux is mostly server-oriented and will require more implementation polish to be effective for client use.
Weve all heard quite a bit about the flashy hardware-accelerated, three-dimensional features that will accompany Vista when Microsofts new client operating system ships sometime next year.
However, Vista will also include some long-overdue updates to Windows tools for regulating user permissions, enabling the operating system to do so more appropriately than Microsoft has done in any of its Windows releases so far.
We believe that these bits, rather than the flashy user interface, will have the biggest impact on IT upgrade decisions.
Like Mac OS X and most Linux distributions, Vista will prompt users who are running with limited rights to enter administrative credentials when those permissions are required.
Vista will also run Internet Explorer in a reduced-rights mode by default, which will limit the damage that could be done if (or when) the new IE were to be subverted by malicious code.
Finally, Vista will include support for virtualized, per-user system file locations and registry entries.
Virtualized file locations and registry entries are intended to enable applications to function properly even for users without administrative rights.
Were intrigued by the virtualized-system-files concept, and well be keeping a close eye on how this potentially useful, potentially confusing feature shakes out as Vista nears release.
Senior Analyst Jason Brooks can be reached at email@example.com.
Check out eWEEK.coms for Microsoft and Windows news, views and analysis.