Re: Domain users members of local administrator



Hi Kerry,

I reply here as this is where you placed the extended reply.
You make some good points, and I believe they illustrate well the
separation between the perception and the reality.
Since the NT 4 beta I have been vocal with Microsoft about the
problems they have had due to the legacy support for the
DOS-trained software industry. Starting with Windows 2000 MS
tightened the requirements for software to be well designed
for NT, and with each subsequent OS release they have moved
more closely toward what we (some of us with these issues as
a banner item raised with MS since 1997 or 1998) have been
wanting. MS understandably argued back then that they were
not in a position to move to the ultimate solution, that the breaking
of so much of the offerings from the third-party software sector
would be problematic (legally and for the adoption rate of the
new OS version). I recall a massive investment, both prior to the
W2k and XP releases, made by MS in assisting the third-party
software vendors (that willingly participated) in getting their devs
and designs up to speed to meet the new era's logo requirements.
The investment was in software dev tool cost buy-down, in
training and evangelism, and in manpower working with those
that chose to take part (and many did).
That there are many companies that this did not reach is likely
a statement of how marginal those companies were budget-wise,
or arrogant. The problems with the software that forces users
to take the easy road and run with admin privs are usually only
small changes that the software design would have needed, yet
the vendors have not made them. Why? I can only guess it is
due to the investment needed in reworking/reversioning their
software when there is no easily demonstrated monetary advantage
that would derive to them from the investment. Truly, for such as
Intuit to have changed apps long, long ago would not have been
a major effort nor one difficult to understand or design. It has
been entirely a motivation issue in so far as I can tell. It certainly
was not due to a lack of cost buy-down efforts on the part of
Microsoft attempting to assist them IF they chose to make the
effort.

Now, I agree that working around this junk software is not
something the average home user can do with their "I just want
to do what I want to do" skill level. Believe me, I worked the
windowsxp.security_admin newsgroup for the first couple of
years after XP released, while a vast number of people came
over from the Win9x/WinMe world (which had no built-in
security model). We were able to resolve the issues with the
vast majority of problem children, with the residual today
being mostly due to needless, stupid, hardcoded things. Now
mind you, problem children came in many forms: users wanting
software they had bought for Windows 3.11 to continue to run,
major PC vendors with helplines advising to just set Users Full
Control over the entire HKEY_LOCAL_MACHINE part of the registry
in order to solve problems with their all-in-one print device
drivers, users accustomed to being "THE" user of the machine,
and on and on. During this I have watched, and I do very, very
much believe, and have often said, that it is the voice of the
consumer (and their buying habits) that has ultimately brought
the change in the resistant vendors. I have seen this many times
(including the latest surprise announcement by Intuit that their
2007 version will work without admin) where change only
comes after highly visible negative PR or outrage with web
visibility.


"Kerry Brown" <kerry@xxxxxxxxxxxxxxxxxxx*a*m> wrote in message
news:%23JRVBLESGHA.1688@xxxxxxxxxxxxxxxxxxxxxxx
David Wang [Msft] wrote:
I do not distinguish between enterprise, small business, or
home/family when it comes to this.

At the end of the day, if you keep silent and keep buying the @#%&* ,
then the vendor has no reason/motivation to change.

For example, I have been running as a non-admin user for several years
now, and I constantly complain and file bugs against every single
Microsoft product (internal or external) that I install and that does not
work as non-admin. Although I often don't get my wish the very first
time, I usually get it the second time, so many of the productivity
programs I use will run perfectly fine as a non-admin user. Of course,
this has taken a few years to take effect, and I don't have it for
every MS product, but overall, I am pretty happy with the
improvements to run as non-admin.
Vista is not going to magically solve any of this. Vista just forces
the issue in the vendor's face by making more users run as non-admin
by default. I think it is a gutsy move by Microsoft because when
those legacy applications break on Vista, do you think the users will:
A. complain that the application vendors foisted insecure software on
them in the past
B. complain that Microsoft took steps backwards with Windows Vista
and broke compatibility


Viewed another way -- for years, the customer has failed to push the
vendors to improve quality when it comes to security. Microsoft is
making a gutsy push on the security front and probably will get
complaints from Customers and Vendors... even though the move is the
right one to make... and the customer failed to make the right move
for years. Now, who says that customers are always right? ;-)



Thank you to you and Roger for your insightful analysis. I agree that it
is not a good idea to run with administrator privileges. Where we disagree
somewhat is the root of the problem. I do not blame the end users. I think
most of the blame lies with Microsoft. Microsoft is very late to the
security game. I have many books on programming for and with Microsoft
products. It is only very recently that taking into consideration in any
way that the programmer doesn't have administrator privileges has been
pushed. A whole generation of programmers has learned to program with
this model. For Microsoft to now say the end users should push the vendors
to change their ways is ostrich-like behaviour. Microsoft is a major cause
of the problem and Microsoft should be a major part of the solution. I
know Microsoft is making a huge effort to make sure their own programs
follow the current security paradigm. I don't see a great push by
Microsoft to educate either end users or programmers.

The reason I am looking forward to Vista is because it will make end users
more aware and thus put pressure on software vendors. I agree with you
there. I think Microsoft has to be very careful however that your B
scenario doesn't take place. If Microsoft doesn't work with the vendors
and programmers there will be a huge backlash that may cause many end
users to be wary of upgrading. I mostly deal with small business
customers. They are very leery of changing something that is working. They
have neither the time nor the inclination to learn something new just
because it is there. Many small businesses are still running DOS-based line
of business applications because they work. I realise that this is
seemingly incompatible with security but it is the reality. Microsoft will
have to actively sell the security paradigm and prove to the customers
that it will benefit them. If you leave it to the customers alone to
pressure stubborn vendors then Vista may fail to gain significant market
share in this market. As for your last question: no, the customer is not
always right, but the customer is the one who pays the bills so you
sometimes have to do things their way even if it is not right. Your only
recourse is to educate them and show them why they are wrong while not
offending them.

As to the average user being able to run as a non-admin user I stand by
what I said. With Windows XP, most home and small business users simply
won't be able to figure out how to make it work. There are too many
roadblocks in the way and the vast majority will simply take the easy way.
Even Microsoft implicitly recognises this or it would not be the default
to run with administrator privileges. In a structured IT environment it
can be done, and with all my customers using Active Directory it is done
and works well. For the rest of the world it doesn't work.

Kerry
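The "just give Users Full Control over all of HKEY_LOCAL_MACHINE" helpline advice mentioned above is the kind of workaround an administrator later has to find and undo. The script below is an added example and is not code from any poster in this thread: it audits HKLM for broad write grants to Users, Everyone, Authenticated Users or INTERACTIVE (matched by well-known SID so it works on localized systems), and shows the narrow alternative of granting write access on one application key only. The function names, the depth limit and the placeholder key `HKLM:\SOFTWARE\ExampleVendor\ExampleApp` are assumptions for illustration.

```powershell
# Added example, not from the original thread. Run from an elevated
# PowerShell session so every subkey's ACL can be read.

# Rights that let a principal change a key. FullControl and WriteKey both
# include these bits, so the mask catches the coarse grants as well.
$WriteMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::Delete -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership

# Well-known SIDs; comparing SIDs avoids depending on the English names.
$BroadSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-4',      # INTERACTIVE
    'S-1-5-32-545'  # BUILTIN\Users
)

# Hypothetical helper name. Walks $Root to $Depth levels and reports every
# Allow ACE that gives one of the broad principals write rights.
function Audit-BroadRegistryWrite {
    param(
        [string]$Root  = 'HKLM:\SOFTWARE',
        [int]   $Depth = 2
    )
    $keys = @(Get-Item -Path $Root) +
            @(Get-ChildItem -Path $Root -Recurse -Depth $Depth -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        try { $acl = Get-Acl -Path $key.PSPath } catch { continue }   # keys we cannot read are skipped
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if (-not ($rule.RegistryRights -band $WriteMask)) { continue }
            try {
                $sid = $rule.IdentityReference.Translate(
                           [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }
            if ($BroadSids -contains $sid) {
                [pscustomobject]@{
                    Key       = $key.Name
                    Principal = $rule.IdentityReference.Value
                    Rights    = $rule.RegistryRights
                    Inherited = $rule.IsInherited   # inherited = the grant was made higher up
                }
            }
        }
    }
}

# Hypothetical helper name. The narrow fix: give Users write access on the
# one key the application actually needs, and nowhere else.
function Grant-NarrowAppKeyWrite {
    param([Parameter(Mandatory)][string]$KeyPath)   # e.g. 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'
    $acl   = Get-Acl -Path $KeyPath
    $users = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')
    $rule  = New-Object System.Security.AccessControl.RegistryAccessRule(
        $users,
        [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ReadKey',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

# Usage:
Audit-BroadRegistryWrite -Root 'HKLM:\SOFTWARE' -Depth 3 | Format-Table -AutoSize
# Grant-NarrowAppKeyWrite -KeyPath 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'
```

A grant reported with `Inherited = True` on many keys usually means the ACL was changed at `HKLM\SOFTWARE` or higher, which is the symptom of the "Full Control over HKLM" advice. Even the narrow grant is only a workaround an administrator applies on the machine; the vendor-side fix the thread argues for is to keep per-user state under HKCU or the user's profile so no change to HKLM is needed at all.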
