
June 12th, 2006

Vista standard users need way to install software

Posted by George Ou @ 7:47 am

Categories: Security, Vista


Microsoft Windows Vista will be the first Windows operating system to assign only standard user privileges by default.  While that’s wonderful for security, it will likely run into serious practical issues for many users who need to be able to install their own software from time to time.  This is especially true of mobile and remote-access users in a business setting or home users where software isn’t centrally managed by an IT staff.  Without the ability to install software, the tendency will be to give more people administrative privileges over their computers, which defeats the purpose of limited user rights.

Most mobile and remote-access business users occasionally need the ability to install their own software.  Sometimes the IT department needs to be able to distribute software to them via FTP or optical media.  The last thing an IT department wants to do is give that user administrative privileges or use a run-as script where the administrative password is stored in clear text.  Unlike computers on the LAN, you can’t always push software out to mobile users and remote telecommuters via something like Active Directory, because a permanent connection to the corporate network doesn’t exist and the connection speeds may not be fast enough.

There is absolutely no reason that an IT department shouldn’t be able to configure a white-list of approved software installers from approved companies.  Any software with a valid digital signature matching that white-list should be able to install seamlessly without administrative privileges.  This essentially means that IT departments can preconfigure an approved vendor list or just approve all digitally signed Windows logo certified software.  For home users, it would be great if an administrator could give a standard user the ability to install signed Windows logo compliant software.  Even standard users who possess administrative credentials don’t want to have to deal with privilege escalation every time they need to install safe software.

I brought this subject up with Microsoft product managers at WinHEC last month, and they admitted that even digitally signed Microsoft updates and patches can’t be manually installed by Vista’s standard users and that they were still trying to figure out how to address this issue.  Microsoft told me that standard Vista users already have the ability to install signed device drivers without escalating to administrator, so I asked them why they couldn’t simply apply the same logic to signed software, and they thought that was a good point.  After all, this would solve both our problems, so it would seem to be the obvious and simple solution.

Giving standard users the ability to install only safe white-listed software would be far preferable to giving standard users a separate set of administrative credentials.  It would be very unlikely that a malicious software writer would get Windows logo certification and digitally sign his malware, since it would make him very easy to track.  Even if such a thing were to occur, it would be very easy to blacklist that malicious person so that any current and future malware from that person would be instantly blocked.  This means mobile and telecommuting users can install safe code that’s approved by IT.  Junior can install his own games or software with the approved maturity ratings, and Grandma can add her own software without calling someone over to do it for her.
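
The white-list and blacklist decision described above can be sketched in PowerShell with the built-in `Get-AuthenticodeSignature` cmdlet. This is an added example, not part of the original post and not a Vista feature: the function name `Test-InstallerPolicy`, the thumbprints and the sample path are hypothetical placeholders, and the function only reports a decision; it does not install anything or grant any rights.

```powershell
# Added example: policy check for "signed by an approved publisher".
# Thumbprints are constructed placeholders, not real certificates.
# Assumption: publishers are pinned by signing-certificate thumbprint, which is
# stricter than matching a company name and must be updated on cert renewal.
$ApprovedPublishers = @{
    'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' = 'Approved vendor (placeholder)'
}
$BlockedPublishers = @{
    'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB' = 'Blacklisted publisher (placeholder)'
}

function Test-InstallerPolicy {
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [hashtable] $Allow = $ApprovedPublishers,
        [hashtable] $Deny  = $BlockedPublishers
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Unsigned files, modified files (HashMismatch) and signatures that do not
    # chain to a trusted root never qualify, whatever name they claim.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        return [pscustomobject]@{
            Path = $Path; Decision = 'Deny'; Reason = "Signature status: $($sig.Status)"
        }
    }

    $thumb   = $sig.SignerCertificate.Thumbprint
    $subject = $sig.SignerCertificate.Subject

    # The blacklist is checked first so a blocked signer can never be
    # re-admitted by a stale white-list entry.
    if ($Deny.ContainsKey($thumb)) {
        return [pscustomobject]@{ Path = $Path; Decision = 'Deny'; Reason = "Blacklisted signer: $subject" }
    }
    if ($Allow.ContainsKey($thumb)) {
        return [pscustomobject]@{ Path = $Path; Decision = 'Allow'; Reason = "Approved signer: $subject" }
    }

    # Validly signed but unknown publisher: fall back to the normal
    # administrator prompt instead of installing silently.
    [pscustomobject]@{ Path = $Path; Decision = 'RequireElevation'; Reason = "Unlisted signer: $subject" }
}

# Usage (constructed path):
# Test-InstallerPolicy -Path 'C:\Temp\setup.exe'
```

A valid signature only shows who signed the file and that it has not been altered since; whether that publisher's software is safe to install is still the judgment the white-list owner makes.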

Limited user rights are a great security best practice that unfortunately has limited practicality.  Giving standard users administrative privileges to escalate when needed isn’t always practical because you may not want them to have those privileges and those users may not be savvy enough to always avoid social engineering.  Giving standard users the flexibility to install safe software makes Windows Vista or any other desktop operating system a lot more practical and a whole lot safer.

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.
