What's the right way to deal with admin rights vs. software running correctly?

[superboyac]

I'm sure a lot of us have experienced the classic struggle between having restricted rights on your computer (on a large network) and trying to have software run correctly.  Is it possible to restrict access to users, yet have everything functioning properly?  I know, for the most part, all of the major software applications will function fine in a restricted rights environment, like Microsoft Office, etc.  However, all those little programs that we powerusers like to use will not necessarily work fine, and it becomes a big headache for the IT to try to fix all of your little problems with, say, programs like FARR or Direct Folders, or other little gadgets.

Of course, with full Admin Rights, there would be no problem.  With the restrictions, however, there are usually restrictions to writing and/or modifying files in certain locations like the "Program Files" directory.  And, I know, settings should be in the Documents and Settings location, but sometimes they are not.  My question is, what is the best way to have all these little programs working fine, not giving IT a headache, and still have restrictions on your computer?  What about updates?  I have to call for support every time a program releases a minor update?  The response will be the update is no big deal, so don't install it.  But that's stupid, I like to keep my programs updated.

I bring this up because this problem keeps coming up at work.  We beg to have certain productivity tools installed in our computer.  But IT doesn't want to approve it because they don't know if it's a "good" program or not...but the real reason is that they just don't want to deal with it.  We finally get our way and get the program.  Then, some things change, let's say the network is updated and that little productivity tool got broken for whatever reason and needs a reinstallation.  Now, the IT will say that "see, we told you it's not a good program."  But that's not really the problem.  If there was full access to the computer, there would be no problem.

I feel this whole admin rights thing gets out of hand.  I mostly feel that IT prefer to not give rights to users because they are lazy.  You see, if they give users full power and flexibility to deal with their computers, they will make mistakes and there will be more errors to fix.  So, instead, they just don't allow anything.

[mouser]

my personal view is this:

i think it makes sense in a work environment to have an IT person who has to "approve" programs before they are installed.  this keeps crazy people from installing stuff that could be dangerous and programs that are clearly going to be trouble -- some spyware adware thing.

but this approval process should be painless and basically amount to checking out the program to make sure its not dangerous, and is reasonably reputable, and then if so, give it admin permissions if it needs it.  i know this doesnt quite meet the definition of a really strict locked down thing, but in my view, security on windows is not high enough to prevent really evil programs from doing damage, so whats the point in being so super restrictive.  i'm of the view that its easy to tell when a program could be evil and modify system files, and when you are talking about a program that is not going to cause harm.

[superboyac]

I agree with that also.  It is pretty easy to tell a good program from a questionable one.  I'm just finding out that a lot of companies, not just mine, but others I'm hearing about, are getting super restrictive about rights.  A lot of users don't know the meaning of the restrictions, they just know they can't do certain things.  But for people who use a lot of little tools, like FARR, a third-party file manager, etc. it can really be frustrating.  After all, this is my job, and I need to be as efficient as possible for the sake of the company.
Everyone always focuses on the big programs like Microsoft Office, project management suites, and so forth.  But those little coding snacks and tools (a lot of them are freeware) are really the little things that increase your productivity a lot.  These things are mostly ignored and that's a shame.  Nobody in IT holds meetings to discuss third-party file managers, or email plugins, or open/save dialog replacements.  But they should.

[Dirhael]

@mouser: I think it's very bad practice to require administrative rights after installation of any programs unless it's absolutely impossible to avoid. It's not a question of safe/unsafe software, the problem is that as soon as you run anything with administrative rights it has full access to anything on your system. Should this program then have any vulnerabilities at all, malware have the possiblity to use this vulnerability to gain full access to your system.

I also would like to point out that Windows most certainly is secure enough to prevent "evil" programs from causing any major damage, without any additional security software. The default permissions need some tweaking to really secure the system, but it is no less secure than *nix or OSX if it's setup correctly. Now this isn't to say that you don't need any anti-virus etc. because just as with the other OS's I mentioned, your user data is still open to attack.

A really great document/article to start out with is the following one that I'd recommend anyone to read even if they don't plan on implemementing the suggestions in their own setup

What's the right way to deal with admin rights vs. software running correctly?

Ruin a malware author's whole day with a Software Restriction Policy!

[mediaguycouk]

The only program that I know of in our university that requires admin rights through and through is Microsoft Visual Studio as it has to create virual webservers and the like.

Also laptop owners that take laptops off site get their own rights. IT staff get a seperate account so they run as a limited user on their own computer but can create power when needed.

Applications that require admin rights can normally be installed and then right click the folder in program files and allow authenticated users to write. No need to give admin rights to the whole PC.

In our place I would say I rebuild 4 computers where the user is an admin to 1 computer where the user is a local account. Too many viruses, malware and installing of any old crap, normally illegal from limewire or torrent sites that f**k up the pc.

(Bad grammar is from cider)

[mouser]

http://www.neowin.ne...eless-by-new-exploit

This week at the Black Hat Security Conference two security researchers will discuss their findings which could completely bring Windows Vista to its knees.

Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. have discovered a technique that can be used to bypass all memory protection safeguards that Microsoft built into Windows Vista. These new methods have been used to get around Vista's Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and other protections by loading malicious content through an active web browser. The researchers were able to load whatever content they wanted into any location they wished on a user's machine using a variety of scripting languages, such as Java, ActiveX and even .NET objects. This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System.

While this may seem like any standard security hole, other researchers say that the work is a major breakthrough and there is very little that Microsoft can do to fix the problems. These attacks work differently than other security exploits, as they aren't based on any new Windows vulnerabilities, but instead take advantage of the way Microsoft chose to guard Vista's fundamental architecture. According to Dino Dai Zovi, a popular security researcher, "the genius of this is that it's completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over."

from http://www.ghacks.net/

[Dirhael]

To quote someone in the comments section of that (very vague) article:

Why do I think that it requires
1. Disable UAC
2. User intervention
to work in the first place.

I really do think that you'd have to be running the browser with administrative rights for this to have any effect.