Why you don't run as root

[... or administrator, or whatever]

I like Roger Grimes, he's a nice guy, and he generally makes me think about what he has to say. That's a good thing, because otherwise he'd either be part of the same choir as me, or he'd be the sort of guy whose ideas I dismiss with a wave of the paw and a barely audible "Pah."

Today, though, I think he's missing something fundamental - and perhaps you are too.

He writes in the InfoWorld Security Adviser column that "UAC will not work", on the simple basis that malware can still do all the things it wants to do without having to execute under a privileged account.

That's true, and it always will be - the day a computer can look at my attempt to "delete the Johnson account, and forward that instruction to the following addresses" and determine whether it is malicious or appropriate is the day the computer can do the whole job for me, simply by enumerating all possible actions and deciding which are malicious and which are appropriate.

However, what I can rely on, if the malware has been held out of privileged accounts, is the integrity of the system, and (unless they were prone to activating the same malware) the other users on that system. [By system, I may mean one machine or several networked together to perform a function.]

So while it's true that the old cross-platform virus "forward this message to everyone in your address book, then delete all your data" is still going to function if the user stays out of administrator roles, at least the operation of the system can be restored, as well as whatever data has been backed up.

You don't run as a restricted user to prevent viruses from happening - you run as a restricted user to prevent viruses from happening to the people and systems with whom you work. You run as a restricted user, so that when some system falls over, you can say "it couldn't possibly have been me". You run as a restricted user because if there is a bug in the program you run, its effects will be limited to only that portion of the OS and its data to which you are restricted.

Sure, least privilege is something of an artificial construct - but the alternative is that users get more privileges than they need, and that quickly boils down to "everyone can do anything".

I've been on that kind of a network before, and when we found one guy's stash of truly offensive porn (this wasn't the occasional Rubens painting) on the server, we had no way of finding out who it was, let alone punishing them by firing them. The company I worked for was fortunate that whoever found it didn't sue for fostering the creation of a hostile workplace.

So, no, UAC won't stop malware - but then that's not its purpose. It's purely a beneficial, incidental, and temporary side-effect that it will stop much of today's malware.

Published Friday, January 11, 2008 9:03 PM by Alun Jones

Comments

# re: Why you don't run as root

You're clear on what the purpose of UAC isn't, but not so clear on what it is.  :-)

Logging in as Administrator with UAC turned on isn't a safe alternative to logging in as a non-administrator, because it doesn't create a security boundary.

The main benefit I see to UAC is to (hopefully) force software vendors to stop distributing software that simply assumes everybody has admin privilege.

Mark Russinovich discussed this early last year:

<blogs.technet.com/.../638372.aspx>

Sunday, January 13, 2008 1:36 PM by Harry Johnston

# re: Why you don't run as root

You're right - Mark Russinovich discussed this, as did Jesper Johansson in TechNet Magazine, "The Long Term Impact of User Account Control".

From my perspective, yes, it's mostly a great way to persuade software developers to stop doing teh stupid.

It is, as Jesper never tires of telling me, a means to making it easier to spend most of your life as a restricted user. You can be a restricted user for everything you do, and only dip into an admin account whenever you have to do something administrative. [Far better would be to use Fast User Switching, so that you do have a security boundary, or perhaps quicker, use Terminal Services to connect to another (virtual) machine in which you do your administrative work.]

Running as administrator and reducing your token through UAC doesn't seem quite as robust as the "over the shoulder" elevation, wherein you enter an administrative account and password - but it is more convenient.

Sunday, January 13, 2008 5:40 PM by Alun Jones

# re: Why you don't run as root

I think it's a common misconception to think about UAC strictly in terms of the "protected admin" who can elevate with consent.  I think the bigger impact is on the many end-users in managed organizations who should run as standard user and NEVER elevate.  UAC/elevation is not firm enough to constitute a security boundary (as Mark discussed), but there absolutely is a security boundary between the user and admin/system rights if same-desktop elevation never occurs.

Sunday, January 13, 2008 9:48 PM by Aaron Margosis
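The restriction described in the post (a bug in a program you run only affects the portion of the OS and data your token can reach) and the boundary Aaron describes above (a standard user who never elevates on the same desktop) can both be checked on a given Windows machine. The PowerShell script below is an added example, not code from the original post or any commenter. It assumes the UAC policy values Microsoft documents under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop), and the three probe directories are example locations chosen for illustration.

```powershell
# Added example, not code from the original post or its commenters.
# Reports which side of the user/admin boundary this PowerShell session is on,
# whether local UAC policy lets a standard user cross it on the same desktop,
# and which parts of the file system this token can actually modify.
# Registry value names and meanings are those Microsoft documents for the
# Policies\System key; the probe paths are example locations.

function Test-IsElevated {
    # On a filtered (non-elevated) token the Administrators SID is marked
    # deny-only, so IsInRole() returns $false until the user elevates.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-IsAdminMember {
    # Looks for BUILTIN\Administrators (S-1-5-32-544) among the token's group
    # SIDs; deny-only memberships are still listed, so this is $true for a
    # "protected admin" who has not elevated yet.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    return [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
}

function Get-UacPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Test-CanWriteTo {
    param([Parameter(Mandatory)][string]$Path)
    # Creates and immediately removes a uniquely named file. A failure means
    # the token cannot modify that location, which is what "restricted to your
    # own portion of the OS" looks like in practice.
    $probe = Join-Path $Path ('uac-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

$policy      = Get-UacPolicy
$elevated    = Test-IsElevated
$adminMember = Test-IsAdminMember

Write-Host ("Token elevated:           {0}" -f $elevated)
Write-Host ("Member of Administrators: {0}" -f $adminMember)

if ($policy.EnableLUA -ne 1) {
    Write-Host "UAC is disabled (EnableLUA=0): administrators run fully privileged at all times; no boundary."
} elseif ($policy.ConsentPromptBehaviorUser -eq 0) {
    Write-Host "Standard users' elevation requests are automatically denied (ConsentPromptBehaviorUser=0): the user/admin boundary holds for standard users."
} else {
    Write-Host ("Standard users are offered over-the-shoulder elevation on this desktop (ConsentPromptBehaviorUser={0}): a convenience, not a boundary." -f $policy.ConsentPromptBehaviorUser)
}

# Where can this token write? Example locations; adjust for your environment.
foreach ($dir in @($env:USERPROFILE, $env:ProgramFiles, $env:SystemRoot)) {
    Write-Host ("Can write to {0,-40} {1}" -f $dir, (Test-CanWriteTo -Path $dir))
}
```

Run it twice, once from a standard-user session and once from an elevated administrator prompt, and compare the three write probes: the standard user can write only under its own profile, while the elevated token can write to Program Files and the Windows directory as well. The probe writes nothing that survives the run, but the probe directories must exist.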

# re: Why you don't run as root

That's why I think it's nice to have something like TeaTimer (something that'll notify you about registry changes) in Spybot always present.

But then again, it requires you to have a certain amount of knowledge of how Windows works to "not mess up by giving wrong instruction".

Sunday, January 13, 2008 10:46 PM by Cheong
