Wednesday must be Obtuse Day here. I asked around, and I was the only one surprised. While users may be logging into the domain as restricted users, they are overwhelmingly being set up as administrators of their local systems.
There are a number of reasons why this is so common. There are some everyday, mundane tasks, like adding a printer or changing the system time, that require administrative privileges. (Windows Vista lowers the privilege requirements for some of these, such as changing power management settings or modifying a VPN connection, so that standard users can do them.)
You need administrative privileges to do things like install most software, and to update some. Normal users cant update ActiveX controls or write to the Program Files directory, so the easiest thing is to give them the rights they need.
But the biggest reason enterprises throw up their hands and give normal users administrative privileges is because they have to run applications that require it. And these apps require it for stupid reasons, like they write to the Windows directory or they write to the HKEY_LOCAL_MACHINE registry hive.
Microsofts distant history in this regard is bad, but its more recent history, basically since Bill Gates "Lets Give a Damn About Security from Now On" memo, has been on point, even if it hasnt gotten customers and developers to cooperate. For instance, you cant get the "Designed for Windows XP" logo unless you can run properly as a standard user.
I guess nobody cares about that particular logo because violation of those rules is widespread. Its not exactly an enterprise app, but Intuits QuickBooks was recently named by The SANS Institute as "the first inductee into the Application Security Hall of Shame." The program basically demands administrator privileges (or at least Power User, which isnt much more secure). So all QuickBooks users are that much more vulnerable to malware and cracking, and they have Intuit to thank for it.
Microsofts latest effort in this regard is a serious step forward: UAC (User Account Control) tries to require that all users run as standard users and allows administrative privileges to be applied to narrow circumstances, like that one stupid program. Using a trick originally developed for Terminal Server (one of my favorite products) when a program attempts to write, for example, to the Windows directory, it is given a temp version of that directory. Writes like this are logged by default.
You can use this information to try to fix the programs, or you can designate that those programs run with elevated privileges. And if a program run by an unprivileged user attempts to perform a privileged task, the user will be asked for the administrator password (Mac and Linux users probably have a feeling of deja vu right now).
Some tasks, like installing and updating software, may be addressable by UAC, but they should be managed by domain-based management software. Its not like this option is a new one for enterprises.
The ultimate goal of enterprises using UAC should be to make it so that the user doesnt have administrator credentials at all, or at least that they arent allowed to use them unless the help desk explicitly tells them to. Many social engineering-based attacks will be thwarted, in it will be impossible to trick the user into running an unauthorized program.
UAC is less of a savior for home users, who expect to be able to install software. UAC should alert users to silent installs and programs disguised as documents, but if the user wants to install the fancy browser toolbar thats really adware, then they will provide their administrator password because it makes sense for them to do so.
Of course, thats the sort of social engineering that any operating system is subject to, and thats a lot of what Vista does: Put Windows default security on par with the competition, for the first time ever.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer